Explore topic-wise InterviewSolutions in .

I am running Windows XP and have completed the Malware Removal Guide protocol. I am using the up-to-date free versions of AVG, Malwarebytes, and SuperAntiSpyware.

Earlier when looking to reduce my start-up time I found the following under services: C:\WINDOWS\system32\RedGirl.exe–service (it had been stopped). Since it looked suspicious I went online and found this information:

Troj/Agent-GVO
When first run Troj/Agent-GVO copies itself to\RedGirl.exe and creates the file\RedGirl.dat. The file RedGirl.dat is detected as Mal/Behav-024. The file RedGirl.exe is registered as a new system driver service named "RedGirl", with a display name of "RedGirl" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under: HKLM\SYSTEM\CurrentControlSet\Services\RedGirl

My Anti-virus and Spyware did not detect this. I have gone into services and set the start-up type to Disabled. I've looked in C:\Windows\System32 for RedGirl (.dat or .exe) and did not find anything (I also ran a search). Supposedly this Trojan loads a module (RedGirl.dat) into the address space of other processes such as C:\ProgramFiles\internet explore\iexplorer.exe address space:0xd00000 - 0xFE400 but I am too much of a NEWBIE to know how to track this down. I DID find the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_REDGIRL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_REDGIRL\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RedGirl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RedGirl\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RedGirl\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_REDGIRL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_REDGIRL\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RedGirl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RedGirl\Enum

I don't know how to proceed. If there are no program files listed for this am I still infected? Do I need to remove the registry keys? I've copied down the values for the registry keys if that helps at all. Like I said, I am very new at all of this.

Thanks!

[SAVING space - attachment deleted by admin]Other than your lack of a firewall, I don't see anything wrong with your logs. It's possible that you simply had this infection in the past and the computer still has logs of it in the registry. However, if you would like to try a deeper scan, follow these instructions...

Download ComboFix and save it to your DESKTOP. Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says. Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt. Go ahead and post that here. Note: Don't click on the window while it's running; this may cause stalls.Thank you very much for the response!

I checked the website for ComboFix and I am a little nervous about INSTIGATING this scan. It seems more complicated than the other scans I have run. I have to install and run a recovery console? It also sounds as if I run the chance of royally screwing things up if I do it incorrectly. Eeeek. That being said, if I have a virus out there that is sending my personal information back up into the ether, well then, I'll give it a go.
But, it also sounds as if running the scan might be unnecessary since I cannot find any of the .exe files for RedGirl on my computer. Registry keys in and of themselves are harmless, yes? I think you might be right about this infection being in the past.

Some more tidbits of information:

According to the source I found on the web, in addition to the creation of new registry keys (see old post) the following registry values might have been modified:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent
Mine is: (Default) 0x0000001d (29) I have no idea if that is changed or not

AND

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent
Again mine is: (Default) 0x0000001d (29)

I have reinstated my windows firewall, so that should be okay.

My computer is running great. I have no complaints. The only reason I contacted you was that I found RedGirl in my startup services and panicked. I was able to track down some information but I am not computer-savvy enough to interpret it. A little knowledge is a dangerous thing.

Thank you so much for taking the time to go over this. My feeling is that things are okay now and that I don't need to work on this further. If, however, in your expert opinion, I should continue to track this down, well then, let's roll up our sleeves....

Confirmation of a yay or a nay would be appreciated, and again, thank you so very much!
ComboFix is typically safe to run under supervision of someone trained to use it as we are.

Here are some more detailed instructions to help take the confusion out of it's use.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.

For Windows XP Systems install the Recovery Console:

- If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
- If for some reason your Internet is not working click No.
- If you are not using Windows XP, you will not be prompted.
- When prompted to accept the EULA click OK.
- Accept Microsoft's EULA (Click Yes).
- When you are told that the RC is installed correctly click YES to continue scanning for malware.

When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.If you follow the steps posted by evilfantasy, it's a breeze. You spend most of your time just waiting for the log to pop up.

You're not obligated to go through with this whole process, but this program will help us determine whether or not the infection is active on your computer, so it would be a good idea to go through with it.Thanks everyone for all the help. The simple, detailed instructions for combofix helped ease my anxiety and so I did heed the recommendation - I ran the program and have attached my logs.

Do I now need to uninstall windows xp recovery console? Does it take up much space? (I am indeed a novice.)

Also, I am thinking of downloading Comodo firewall to take the place of my generic windows firewall. Would you recommend this? Are there any settings I need to change, or anything else I should be aware of before I download? I am running AVG antivirus, Malwarebytes, and Superantispyware, the free versions all.

Oh yeah, and how do I get rid of combofix?

Again, my extreme gratitude for all your help.

[Saving space - attachment deleted by admin]Sorry, this is in addition to my very last reply as of 10 minutes ago.

After running combofix I now have in my c drive window (along with the newly posted combofix log) a file named Qoobox and two strange icons labeled Boot.bak and cmldr respectively. These are brand spankin' new. What are they? What do I do with them?

Thank you for your patience and time!Qoobox is part of ComboFix. The other two files should be part of the Recovery Console, which you should keep (it takes up very little space). Once we're done with ComboFix, I'll tell you how to remove it.

For the most part, your log appears fairly normal, but I did indeed locate the RedGirl infection in your system. Looks like your suspicions were correct. I was hoping ComboFix would take care of it automatically, but I guess we'll have to do this manually. Follow these instructions very closely...

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]KillAll::

File::
c:\windows\system32\RedGirl.exe
c:\windows\system32\RedGirl.dat
c:\windows\system32\RedGirl.bat

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_REDGIRL]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RedGirl]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_REDGIRL]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RedGirl]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freezeWow. Thanks.

Okay, so I followed your instructions and have attached the log.

I realize now that I never thought to disable my AVG or firewall this time around. I hope it was not a necessary step.

Also, now since running combofix the FIRST time - when I boot up my computer it flashes the following: Please select the operating system to start.... plus some more text that passes by too quickly to take note. This is new. Don't know if it means anything or if I should now do something to take care of this.

I place it all at your honorable feet.

Many thanks!

[Saving space - attachment deleted by admin]Hope I am not bogging down these posts with unnecessary information, but since I am such a novice, I don't know what is unnecessary.

Have now had a better chance to read the boot up message - Please select the operating system to start - and I believe it has something to do with microsoft windows recovery console. I believe the computer is automatically choosing this and booting up for me.

As to my earlier post about not turning off my AVG during the RedGirl deletion process... when I just now turned off my computer (for the first time after running the deletion program) the following error message was shown: avgrsx.exe application error the instruction could not be read.... and more that I did not catch before the machine turned off. Hmmmm. Should I uninstall and then reinstall AVG?

Sorry. Now it seems I have a bunch of niggling questions, but I don't know what is worrisome or ignorable.

Thanks! Oh... my log was posted with my previous reply.No worries, you're not bogging anything down. Most users don't give enough info...when it comes to malware, "too much" info can be a good thing. To answer your first question...the Windows Recovery Console was added by ComboFix. You'll have to get used to seeing a new bootup, but trust me, this is something you should have. If you ever have any major problems, this option could very well save your computer. And don't worry, your computer is still booting in the normal mode.

As for AVG, uninstalling and reinstalling is probably a good idea. If it doesn't work, then you can get more help on their forums. The latest version of AVG has all sorts of quirks and difficulties, and they know a lot more about making it work than I do.

By looking at your latest log, it looks like your infection should be gone now. At the very least, it's inactive. If you happen to come across any traces of it, just let me know and I can help you remove them.

You no longer need ComboFix, so let's go ahead and uninstall it. Click on the Start menu and go to Run. Type in combofix /u (note the space before "/u") and click OK. It will now be removed.

You should now clean out your System Restore. This is to remove any infected files that have been backed up by Windows. Please follow these steps...

1. Go to Start > Programs > Accessories > System Tools > System Restore
2. Click on System Restore Settings.
3. Check Turn off System Restore and click OK.
4. Restart your computer.
5. Follow steps 1 and 2 to return to the settings, uncheck Turn off System Restore, and click OK.
6. Create a new restore point and close the program.

System Restore will now be active again. If you would like to learn more about System Restore, go here.Whew. So far so good!

If AVG is having problems, is this the antivirus I should be using? Any recommends?

Also, should I keep SuperAntiSpyware on my computer as a second anti-spyware program (I am using Malwarebytes) or should I also uninstall this? I originally downloaded it as one of the steps for the spyware removal protocol.

I guess I am basically asking what combination of programs will help me the most in keeping my computer clean and also not be impossible to use, since I am still new at handling computer software. It really shows your prowess that you were able to guide me step by step through the virus removal process!

I have an external hard drive that I basically use to drag and drop my picture and music files and other documents into for backup. Do I need to worry about this somehow harboring something nasty?

And... if I were to be looking for RedGirl again would it just show up in the same places? I can't think of how else I would know that it is back since the anti-virus etc... didn't find it. Is checking under start-up and services enough?

I cannot thank you enough for your time and patience.1. Whether or not you keep AVG is up to you. Despite its flaws, it is still an effective program and it is what I use. However, if its occasional hiccups (I had problems at first, but not anymore with the latest updates) make you uneasy, there are other good programs such as Avast and Avira. Just make sure you only use one.

2. Anti-spyware isn't as strict and it's generally okay to have a couple. I would suggest keeping both MBAM and SAS; they're great programs that compliment each other nicely.

3. Your external hard drive could become infected if it's connected to your computer during a time of infection. I don't think RedGirl is the type to hop onto external devices (so it should be clean), but in the event that you want to scan your external drive, most anti-virus programs will let you. With AVG 8, simply double-click on the icon in the system tray (the colored square), click on Computer Scanner on the left panel, click on Scan specific files or folders, place a checkmark to your external drive, and then start the scan.

4. RedGirl doesn't have a whole lot of variety and it almost ALWAYS installs itself in the same place. I don't expect you to be reinfected with it, but if you ever want to check, just look in the same locations where you found it. A startup entry starts the infection when your computer boots and a service entry [depending on the setting] keeps it running...so if it doesn't exist in these two places, then it is most likely inactive.

I hope that answers everything to you and that you stay safe and clean. And if you have any further questions, don't hesitate to ask.So I have uninstalled and reinstalled AVG. Everything else I am keeping.

Wow. I have a clean machine! Chris, I cannot thank you enough for your generous patience and expert help. I feel empowered! With your detailed guidance I was able to tackle this problem and succeed. I am walking taller. Although believe me, I do realize you were the actual one who did the work.
Still. A clean machine!

One last question (or set of related questions). Should I uninstall HijackThis? I was thinking of keeping it since I might need it in the future. And why were we asked to rename it Sniper?

Many, many thanks. You have my sincere gratitude and admiration.You are very welcome indeed; I'm glad things are going well. Whether you keep or remove HijackThis is up to you. Just be aware that you shouldn't modify the results without being instructed by a specialist. I would hate for you to accidentally remove something important.

We instruct renaming it Sniper because some infections are able to hide themselves when they see HijackThis.exe running. By renaming it to sniper.exe, infections are less likely to detect HijackThis, which increases our chances of finding the malware.

this showed up in my RUNNING proceses, i CHECKED with previx and its under review,so i thought i WOULD check here. i use anvir task manager and it says its from microsoft but it could be fake. any help would be cool!!! also here is a screen shot!

[Saving space - attachment deleted by admin]Ring a bell?

Quote

Files with the NAME WIAUP.EXE have been seen to have the following Vendor, Product and Version Information in the FILE header:

* Soundsoft Corporation; AutoChecking New Versions; 8.1.1.1

i think my pc was invaded by a backdoor trojan. i followed the instructions from evilfantasy and am attaching the txt files. i really appreciate your help with this.

[Saving space - attachment deleted by admin]I don't see anything to indicate any malware. But we can fix one entry.

Open HijackThis and select Do a system scan only.

Place a CHECK mark next to the following entries: (if there)

- O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis and restart the computer.

How is the computer running now?
seems to be running fine. thanks for all the help. i had ca internet security installed, but it kept telling me i didn't have administrative access, and then i couldn't get it un-installed. had to go to the website for that. do you have any suggestions for free internet security? again, thank you. this is a great site.All of these are good. I use Avast and Comodo.

Remember to only install one antivirus!

1) Avast! Home Free Edition
2) AVG Free Edition
3) Avira AntiVir Personal
4) Comodo Antivirus (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" if you CHOOSE this one)
5) PC Tools AntiVirus Free Edition

Remember only install ONE firewall

1) Comodo (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
2) ONLINE Armor
3) Sunbelt/Kerio
4) Agnitum
5) PC Tools Firewall Plusi installed avg and comodo, and ran a scan. this is what the AVG scan found and put in my virus vault:

infection Trojan horse backdoor.generic9.akwq c:\windows\downloadedprogram

is there any need for alarm?

thanks again for the help.<removed>

I don't want to SHOVE the rules into other people's faces, but we can't trust advice of strangerz. Please do not follow the advice of linuxpenguin13.

Copied and pasted. Delete when an admin can post something here in place of mine!

What's the point of blocking ports? It won't get rid of the trojan.Thanks Latagore.

My machine has been SLOW and sluggish lately and my CPU Usage had been running consistently at about 50% or higher all the time. After I ran through all your steps it's now running at 1-4% Usage. Here are the requested logs.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/05/2008 at 05:55 PM

Application Version : 4.21.1004

Core Rules Database Version : 3624
Trace Rules Database Version: 1608

Scan type : Complete Scan
Total Scan Time : 02:47:04

Memory items scanned : 496
Memory threats detected : 0
Registry items scanned : 6790
Registry threats detected : 0
File items scanned : 86137
File threats detected : 0

-----------------------------------

Malwarebytes' Anti-Malware 1.30
Database version: 1370
Windows 5.1.2600 Service Pack 3

11/6/2008 8:56:55 AM
mbam-log-2008-11-06 (08-56-55).txt

Scan type: Quick Scan
Objects scanned: 52044
Time elapsed: 8 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:01 AM, on 11/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\sttray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP SOFTWARE Update\HPWuSchd.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF READER Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {e80714f2-5cc2-3522-ceb7-5d0dc1d60bce} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Second Copy] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195229563375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195244036921
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DTools LANSync v5 Server (DToolsFileMgrServer) - D-Tools, Inc. - C:\Program Files\D-Tools\SI 5\Server\DToolsFileMgrServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 8410 bytes

Maybe CCleaner did a good job because there was no malware.

We can do a few things though.

Download Disable/Remove Windows Messenger to the Desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the Desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the Desktop.

----------

Open HijackThis and SELECT Do a system scan only.

Place a check mark next to the following entries: (if there)

- O2 - BHO: (no name) - {e80714f2-5cc2-3522-ceb7-5d0dc1d60bce} - (no file)

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis and run CCleaner then restart the computer to register the changes made by HijackThis.

----------

I would also recommend that you Defrag the computer. There may be a lot of fragmented sections on the drive.

You can use the built in Windows Defrag or a faster FREE program. Defraggler is very effective and easy to use. Be sure to clean out temp files and restart the computer just before using this.

----------

Suggestions...

Use the Secunia Software Inspector to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

Hey Everyone, thanks for your help in advance.

These forums have seemingly erased my problems but here are the logs...I'm hoping someone will overview to confirm that it's safe. Thanks

Also, how can I take care of my NAV quarantined malware?

[SAVING space - ATTACHMENT deleted by admin]I've been working on a new Computer HOPE process tool and GOING through HiJack logs to test it. I COPIED and pasted yours in although this is something I'm still developing I can't see anything wrong with it. I'm still not sure though what the v0410mon.exe startup process is but believe it's something to do with the Creative sound drivers. But seems suspicious being in the Windows directory.

As far as removing Norton AntiVirus quarantied items see this link.

Thanks again admin. It looks like everything is running great. My virus scans and startup even runs smoother and fasterGlad to hear, thanks for the followup.

To keep it as clean as possible? Firewall, anti virus, spyware. Which ones? Please
err....All of them!! Remember to only install one antivirus!

1) Avast! Home Free Edition
2) AVG Free Edition
3) Avira AntiVir Personal

----------

Remember only install ONE firewall

1) Comodo (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" if you CHOOSE this one)
2) Online Armor
3) Sunbelt/Kerio
4) Agnitum
5) PC Tools Firewall Plus

----------

Check out Keeping Yourself Safe On The Web for more tips and free tools to HELP keep you safe.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.Hi everyone

I also have a new laptop and want to make it safe to GO online. How do I get my antivirus software loaded without getting infected! I still have my desktop at the moment, so can I use a disc or flash DRIVE to transfer what I need to the new MACHINE?

I use AVG and Superantispy at the moment on my desk top, along with the windows firewall

Thanks in advance for any advice

Pam

followed the post and attached the logs. added the registry scan .

i just updated from trend micro 2007 to trend micro pro 2008 that didnt work with windows XP.
so i deleted it and installed trend micro 2009.

had to fix 4 or 5 registry errors that caused errors in my device manager .
2 dvd drives and sound had to be fixed then uninstalled and reinstalled.
updated all drivers . every thing is working now .(i THINK its all ok)


[Saving space - attachment deleted by ADMIN]Sorry for the long wait. Things are very busy right now and we're a bit short-staffed, which is causing us to get more behind than usual. Some recent server issues also contributed to this somewhat. But we are doing our BEST to pick up the slack and help everyone out.

Do you still need help? If so, please post your logs again. The logs you posted are all jumbled and I can't make any sense of them. Try opening one of your attached logs to see what I mean. You may need to TURN off Word Wrap.

Ill get logs my computer just started freaking out.

Nevermind


[Saving space - attachment deleted by ADMIN]Thanks for telling US.Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:35 AM, on 11/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\SERVICES.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\DIGITAL Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080611
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080611
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 7254 bytesSorry for the long wait. Things are very busy right now and we're a bit short-staffed, which is causing us to get more behind than usual.

Are you still having this problem? What exactly do you mean by "freaking out"? What does "freaking out" entail? What's the problem with your computer?

If you're still having TROUBLE, please post a new HijackThis log so we can have the most current information.

Attn: Broni:
Just wanted a quick check to see if anything looks fishy on my hijack this log. Also, I DOWNLOADED a few things like my HP printer, and now start time is takin longer. What can I remove from this to speed it up? Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:53 PM, on 11/4/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\HP\DIGITAL Imaging\bin\hpqtra08.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [SynTPStart] "C:\Program Files\Synaptics\SynTP\SynTPStart.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] "C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE"
O4 - HKLM\..\Run: [HSON] "C:\Program Files\TOSHIBA\TBS\HSON.exe"
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\Toshiba\SmoothView\SmoothView.exe"
O4 - HKLM\..\Run: [00TCrdMain] "C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI" Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [hpqSRMon] "C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External EVENT Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7651 bytes
Sorry for the long wait. Things are very busy right now and we're a bit short-staffed, which is causing us to get more behind than usual. Some recent server issues also contributed to this somewhat. But we are doing our best to pick up the slack and help everyone out.

Nothing in your log really stands out. It looks pretty clean to me. If you would like to remove some startup PROGRAMS, go to Start > Run, type in msconfig, and click OK. Click on the Startup tab and look through the list of various files/programs. If you see anything on that list that you don't want or need, simply uncheck it. You will likely need to restart once you are done. This process is usually based on personal preferences, so we can only help you to an extent. But if you don't know what something is, let us know and we can try to explain it to you.

Hi,

I recently rebuilt PC, wiped HDD fresh XP Pro install ect. Things were fine until i decided like a moron to download a matrix style screensaver which would work on my dual monitor display. Within an hour of installing and usign the screensaver McAfee virus scan detected a trojan and deleted it. Becuase it was deleted i assumed it was cleaned and quickly uninstalled the screensaver.

Since this attack McAfee virus scan has promted me 3-4 times of a trojan, all with identical locations but with slightly different file names (the numbers change in teh file name)

See screenshot of the latest warning from McAfee Virus scan

http://design2rent.co.uk/virus/image.jpg

since this is repeating and McAfee only seems to be deleting the threat rather than completely cleaning it i downloaded the below apps.

Spybot S/D
HiJackThis
Malwarebytes

Spybot scan results screenshot http://design2rent.co.uk/virus/sd.jpg

all removed now

Hijackthis log http://design2rent.co.uk/virus/hijackthis.log

never used this program before so not sure what to do with the log.

Malwarebytes results screenshot http://design2rent.co.uk/virus/mwb.jpg

nothing found



From the mcafee screenshot has anyone got any ideas why this trojan keeps returning and getting flagged as deleted but is not completely cleaned?

Any input would be great.

Cheers
I'm going to move this to the Virus and Spyware section...
MEANWHILE check the GUIDE at the top of the page...there may be more info needed.

patio.still happening, another screenshot from this morning.

www.design2rent.co.uk/virus/virus2.jpg

the 2 highlight lines are the questionable issues the other 2 are false POSITIVES as far as i can find.

Any ideas or any more info needed to help try and clean this?

Cheers

Don't worry, your computer LOOKS clean to me. This is something that confuses and misleads a lot of users. If you take a look at those infections, you'll see that they are in the System Volume Information folder. That folder stores all of your backups used by System Restore. Basically, what that means is that you had infections that were cleaned and now their backups are being stored in the SVI folder. They currently aren't a threat to your computer. However, if you use System Restore to roll the system BACK, you may get reinfected. What you should do is clear out all of your restore points and then start a fresh new clean one...

1. Go to Start > Programs > Accessories > System Tools > System Restore
2. Click on System Restore Settings.
3. Check Turn off System Restore and click OK.
4. Restart your computer.
5. Follow steps 1 and 2 to return to the settings, uncheck Turn off System Restore, and click OK.
6. Create a new restore point and close the program.

System Restore will now be active again. If you would like to learn more about System Restore, go here.

Pretty sure my computer is infected. Have had odd behavior for a week or so &AMP; I just noticed a different log in on a newsgroup account that I use. This pretty much started after I let someone use my computer while I was away. If one of you kind EXPERTS could check out my logs (hopefully I did them OK) it would be GREATLY appreciated.
Thanks in advance.

[Saving space - attachment deleted by admin]I ran your HIJACKTHIS log through a new utility I'm writing to inspect logs while also trying to examine it myself and didn't see any security ISSUES myself. If anyone happens to spot something I missed definately post it.Thank You...I feel better already.Looks okay to me. What kind of odd behavior are you experiencing?

I can't bring up task manager, I get a message saying that it was disabled by the administrator. I'm the ADMIN on the computer and the only one that uses it. How can I turn it back on? I was told in ANOTHER thread that it was MALWARE but when I scanned for my computer it was CLEAN. BTW I'm using Windows XP.Have a LOOK here:
http://windowsxp.mvps.org/Taskmanager_error.htmQuote from: Carbon Dudeoxide on November 17, 2008, 06:50:49 AM

Have a look here:
http://windowsxp.mvps.org/Taskmanager_error.htm

Ok thanks. Did the others not work?

Ok, started a new post and here are my log files.

[Saving space - attachment deleted by admin]Hello johnrickert.

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- O8 - Extra context menu item: &Search - ?p=ZCfox000
- O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis and restart the computer to register the changes made by HijackThis.

----------

Is the dialing problem STILL present?

I see a lot of Toshiba Software Auto-Updater entries in the log. Do you think this is related to the dialing? You are on dialup right?Ok, I will do as you say.

Yes I have dial-up only except when in town near a wifi site. I then switch on the wifi pickup and have fast access.

I will sign off now and do what you say and then make another post when it is finished. Many thanks for all your help and staying with me on this.

JjohnOk, the items were there and I checked them and ran the fix part. I will watch and see if the dialing still happens.

By the way, I'm not sure but this may all have started after AVG version 8 was installed. It could very well be that is it trying to update all the time. I have told it not to update but wonder if it is listening. Is anyone else having this problem with version 8?

I will post after a couple of days to let you know if I still am getting the random dial-ups.

Again, thanks for all your efforts. JohnJust as a sidenote, I had this same problem once because of AVG 8. My computer would randomly start dialing and I couldn't connect to the internet. If this happened while I was connected, I would lose connection. Same thing would happen if I tried updating AVG. My problem resulted in a reformat (due to other factors involved), so I never found the solution.

However, you may want to try reinstalling AVG. Or better yet, perhaps you should head over to the AVG forums and ask for their advice. They may have an idea of what's going on and how to fix it.Thanks, Chris. I suspected this half way into all of the solutions that were given to me. I never could go into AVG and have it accept the fact that I never wanted an update. With dialup, I always wanted to update whenever I had the time or decided to do so. I will delete the entire program and reinstall. I also will join the forum they have.

Again, thanks for the advice.

I do have another question but don't know if you are into Linux but I have it installed on another computer. The only think I haven't got working is my dial up modem. Any thoughts?

JohnQuote from: johnrickert on November 19, 2008, 08:58:29 AM

I do have another question but don't know if you are into Linux but I have it installed on another computer. The only think I haven't got working is my dial up modem. Any thoughts?

i have a virus which my avg cannot deal with along with my anti spyware. my os is xp and any help much appreciated. i have attached my logs.

[Saving space - attachment deleted by admin]Well, it looks like MBAM found the rootkit but no action was taken. Try scanning again, but this time, tell it to quarantine the infection. Once you have done so, POST a new MBAM log and a new HJT log.

And while you're at it, DOWNLOAD ComboFix and save it to your desktop. Run the program and read its disclaimer (it's fairly short) and make sure you really PAY attention to what it says. Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt. Go ahead and post that here. Note: Don't click on the window while it's running; this MAY cause stalls.here are the logs for mbam, hjt and combofix. also when i open up internet explorer and on the net in general there are no pictures how can this be recified?

[Saving space - attachment deleted by admin]I'm not entirely sure yet why your pictures might not be showing up. We'll just have to see what we can do.

NOTE: You have Spyware Terminator, which was previously considered to be a rogue program. It is now marked as legitimate, but I personally don't trust it. I would advise removing it, but if you'd rather not, then that's your choice.

ComboFix took care of your rootkit and you appear to pretty much be clean. I am curious about a certain entry, however:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.80.2.20:80

Did you set up this proxy? If not, you should remove it. You can do so by scanning with HIJACKTHIS, placing a check next to the entry, closing all other windows, and clicking on Fix Checked.

Now, as for the pictures online...is this a new problem? Does it happen with other browsers such as Firefox? Test it out and let me know what happens. You should also download CCleaner (install without Yahoo! toolbar) and configure it according to this guide.

I am USING Windows Vista on a Compaq Presario C700 Laptop.

I must have a wicked virus...when I start my computer up it will log into windows and bring up the desktop but I can not click into any programs. The mouse pointer will move so it is not totally locked up but will not open anything. I tried to start up in safe mode to get some pic files of the computer and it does the same thing in safe mode. Please help. All I want is my pics of the computer.
What can I do?one of the trojan horse virus', an email attachment or even just a url link... Our office got hit woth this, I had to go to another computer, get online and download a trojan horse killer and other virus software onto a thumb drive (jump drive). Then with the infected comuters off of the network, no cables to connect to the world, I ran the virus stuff from the thumb drive with the computer started up in safe mode. This sounds like it will be a bit tricky, but we will do what we can. First of all, are you able to open the Task Manager by pressing Ctrl+Alt+Del? If so, can you open any programs? Click on File > New Task, type in C:\WINDOWS\system32\calc.exe and click OK. Does the calculator open?

If you can run files this way, we may have a better chance of combatting your infection.kelsco11

I could download the virus software but it does the same thing to me in safe mode. Somtimes it takes me past the desktop in safe mode but once I get to where I need to be in a program it locks up.

CBMatt

I have tried CTR+ALT+DEL but nothing happens. I can not do anything once I get to the desktop.


I have had some suggest to run a Linux Live CD. But I know the basics of computers and that is it. I don't even know if that is credible info and I would not know where to begin.

Unfortunately, it looks like your options are quite limited. Right now, these are the four main options I can think of...

1. Use the Windows Vista CD to perform a repair install of Windows. After it has completed, you should be able to access your files. However, there is no guarantee that it will work.

2. Reformat. This works 95% of the time, but you would lose all of your personal data. It's possible to recover it afterwards, but it's a long and difficult process with no guarantees.

3. Take it into a computer shop. If you can find a trustworthy shop (this is hard to do, by the way), they should be able to recover your system for you. However, this is the most expensive route to take. I would do it, but some things simply can't be done over the internet.

4. Find a computer-savvy friend who could pull out your hard drive and set it up as a slave in another computer and then use a good anti-virus scanner. This is what the computer shop would most likely do. If you have another computer lying around the house, you could perhaps try doing it yourself, but it would require an external harddrive encasement (about $15) or a SPECIAL CABLE (about $10), DEPENDING on the schematics of your laptop. Please note, however, that if you do this, you run the risk of infecting the other computer.


Of course, before trying out one of these options, there are a couple of things you can try. You say when trying to use your computer, the programs will lock up. Well, then let's try something that's not an actual program...

Go HERE to download the latest VERSION of Silent Runners. It's a VBScript that performs a very deep scan of your computer. For a test, we'll just try the minimal scan to see if we have any luck. Download the file to your desktop and run it in Safe Mode. At the prompt, click No and just sit back for a minute or two. It runs in the background, so it may look like nothing is happening. After a couple of minutes a Notepad file called Startup Programs should appear. If so, attach that to your next post. If you've waited more than 5 minutes without anything appearing, then it most likely didn't work, as it's fairly quick and should not take that long.

Another thing to try...copy all of the text in the quote box below and paste it into Notepad...
Quote

dir C:\WINDOWS /a h > win.txt
dir C:\WINDOWS\system32 /a h > sys32.txt
dir "C:\Program Files" /a h > pf.txt

Maybe this is not the right place to post this, but I think it does matter. Do you?
In addition to protecting ourselves from all KIND of malware, there is a possibility that a hacker can infect you local server or the DNS they use. Here is a headline:
MASSIVE DNS security problem ENDANGERS the internet
Here is the link to it:
http://www.asteriskvoipnews.com/voip_security/massive_dns_security_problem_endangers_the_internet.html
Yeah, it was back in July. But are you SURE your local ISP did the patch?
As faor me, I set my router to use the DNS recommend by Open-DNS for this location.

Check out this: http://open-dns.org
So, am I paranoid or what?
You MIGHT be a little paranoid, but that's not always a bad thing.

Hello, This is my first time posting on this site.

The short story, I caught a nasty browser hihacking virus and possibly a few other things. I have taken all of the recomended eradication steps, and want to know if the virus or some remanents of it are still on my system.

The long story. Last night I was browsing the internet, and shortly after entering a website the windows notifies me that "your firewall has been disabled". A second or two later My antivirus displays a long string of infection detected messages... I instantly close the brower and have my antivirus and anti spyware run a scan. This seemed like a serious attack on my computer, so I try to look up some of the infection information only to discover my browser has been hijacked. It won't let me visit antivirus sites and It is redirecting my searches. Upon DISCOVERING this I imediately use windows system restore. The symptoms vanish after the system restore and I run a whole slew of ANITVIRUS and malware tools including the ones recomended on this site.

I think I got rid of it but, then again, I really don't know to much about this.

Logs below

-=SupraAntivirus=-
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/22/2008 at 12:12 PM

Application Version : 4.22.1014

Core Rules Database Version : 3648
Trace Rules Database Version: 1631

Scan type : Complete Scan
Total Scan Time : 03:00:32

Memory items scanned : 686
Memory threats detected : 0
REGISTRY items scanned : 6161
Registry threats detected : 0
File items scanned : 206482
File threats detected : 136

Adware.Tracking Cookie
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][3].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][3].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][3].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][3].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][3].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][3].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][3].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Academia\Cookies\[emailprotected][1].txt

Rootkit.TDSServ/Fake
C:\WINDOWS\TEMP\TDSS69E0.TMP

-=2 MalBytes=-

Malwarebytes' Anti-Malware 1.30
Database version: 1416
Windows 5.1.2600 Service Pack 3

11/22/2008 1:27:26 PM
mbam-log-2008-11-22 (13-27-26).txt

Scan type: Quick Scan
Objects scanned: 82354
Time elapsed: 53 minute(s), 29 second(s)

Memory PROCESSES Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3ba4271e-5c1e-48e2-b432-d8bf420dd31d} (Rogue.DeusCleaner) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\TDSSnvuo.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Academia\Local Settings\Temp\TDSS5f12.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Academia\Local Settings\Temp\TDSS683a.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS67ec.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSdblj.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSkkai.log (Trojan.TDSS) -> Quarantined and deleted successfully.
Origional post continued


-= Hijack This=-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:24 PM, on 11/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\DOCUME~1\Academia\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\CASIO\Photo LOADER\Plauto.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ufl.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13834 bytes

I have mcafee on my laptop which is running vista. Is just having mcafee enough or do i need more stuff ?listen MCAFFE is a realy bad antivirus to start out with. it collides with windows witch is slowes it down and ALSO the quarentiner SUCKS i gave windows live onecare its good but not as good as avg

id prefer avg and live one care over mcaffe. but you should get avg free edithon it still updates and it is powerfull as *censored*.
to download avg(you dont have to) click this linkhttp://www.download.com/AVG-Anti-Virus-Free-Edition/3000-2239_4-10320142.html?tag=contentBody;mostPopTwoColWrap&cdlPid=10891365
but if gowing to you need to take off mcafee so you computer DOSENT crash cause antiviruses like to COLLIDE with each other.

Ok so I've been fighting this BV:Malware-gen thing since Thursday evening and so far it keeps coming up when I do an avast! scan. I just went through all of the Malware Removal Steps that are posted on this site and the viruses are still coming up on the scan! please help me! ATTACHED are the logs for the SuperAntispyware, Malwarebytes' Anti-Malware, and HijackThis SCANS that I just did.




[Saving space - attachment deleted by admin]Please try and run these virus and malware programs in safe mode for better results.Quote

Please try and run these virus and malware programs in safe mode for better results.

My computer has started to slow down and Avira anti-virus has detected several scripts and trojans in the past few days. I have downloaded and run the programs promoted on this site and then I removed anything they came up with. I just wanted to post logs and have you guys CHECK if I missed anything.



[Saving SPACE - attachment deleted by admin]All I see on your computer now is a downloader...

Open HijackThis and scan without saving a log. Place a checkmark next to these entries...
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"

Close all non-HijackThis windows (including this one) and click on Fix Checked. Then reboot into Safe Mode and delete this file: C:\WINDOWS\system32\prunnet.exe

Once you've done that, post another HijackThis log so I can verify that it's gone.I ran Hijack this again and the ITEM wasn't on the list. Here is the log from the scan.

[Saving space - attachment deleted by admin]Did you run another MBAM scan after posting your HJT log? It had detected the infection before, but no action was taken. Did you by any chance re-scan and quarantine the FILES the second time around? If not, you should try scanning again and then verify that the file is gone.I ran the anti-spyware tool after posting my HJT log and it found & removed the prunnet downloader.Okay. Well, in that case, it looks like you're clean now. The scanners have thankfully done their job.

I had been having a problem with Windows Explorer. I would be browsing through files, and about 5-6 seconds into it, it would tell me that it had an error and needed to be closed...I followed the steps you GUYS provided, and I think everything is working now...anyway here's the logs that I got out of SuperAntiSpyware and Anti-Malware and HijackThis...let me know if you see anything else - THANKS!



[Saving space - attachment deleted by admin]Looks like we've got yet another Vundo infection here at our forums...

Download ComboFix and save it to your desktop. Run the program and read its disclaimer (it's fairly short) and make sure you REALLY PAY attention to what it says. Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt. Go ahead and post that here, along with a new HijackThis log. Note: Don't click on the window while it's running; this may cause stalls.Ok, here is the ComboFix log and the new HijackThis log....thanks for your help again!!!!

[Saving space - attachment deleted by admin]You should be relatively clean by now. Has your situation improved at all? Just a few more steps to follow...

Once we start, you won't have access to this post anymore, so I recommend that you print out this post or save it to a Notepad file. Open HijackThis and scan again. Check the following entries, but don't do anything to them yet...

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')

Now, close all windows (including this one) besides HijackThis, then click Fix Checked. Close HijackThis and reboot into Safe Mode and enable hidden files and folders.

Navigate to and delete the following file(s) if present...

C:\WINDOWS\blank.html or C:\WINDOWS\system32\blank.html

Once you've done all of this, reboot into Normal Mode and post a new HijackThis log so we can see if there's any other junk we need to clean up. Let me know how everything's running now and if you had any problems following my steps.Hey...it seems like things are going very well. The crash issue seems to have been fixed, everything else is running fast and smooth, even the internet! Anyway, followed your directions, didn't find the blank.html in the windows or system 32 directories after going into safe mode, but I think that's ok

Here's the latest HijackThis log....THANKS AGAIN!!!

[Saving space - attachment deleted by admin]Great, I'm glad to hear that. Unfortunately, some files aren't always where we expect them to be. I'd feel more comfortable knowing for sure that the file is gone, but as long as it's not running anymore, it's currently not a threat.

Now that that's taken care of, you should uninstall ComboFix by going to Start > Run, typing in combofix /u (note the space), and clicking OK.

Also, you are in need of anti-virus protection. I suggest using AVG Free, but Avast and AntiVir are good programs as well. You also need a firewall. You're vulnerable without a firewall, so you should look into getting either ZoneAlarm, Kerio Personal Firewall, or Comodo. They're all good free firewalls. Just be sure you only have one installed at a time! Download the firewall of your choice, disconnect from the internet, disable Windows Firewall, and INSTALL your new firewall.



One more thing...I should note that you are using a program called SpyHunter 3. Although it has been taken off the list, this was once considered to be a rogue program. It has been decided that they have changed their ways, but I personally don't trust them. I would advise uninstalling this product, but that is up to you.Didn't know that about SpyHunter....I've been using them for a while now and it seems like it does a pretty good job...but I will keep that in mind

Downloaded ZoneAlarm and got that going along with some anti-virus. Thanks very much for your help!If you feel that it's a worthy program, then feel free to keep using it. As a malware remover, I am simply obligated to point out rogue programs, even if they are no longer considered to be ROGUES. But as long as things are running smoothly and you're happy, then it's all good.

Hi my gateway laptop is infected I did all of the scans needed also I RAN ccleaner here's my logs


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:38 PM, on 12/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://google.dospop.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu ITEM: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 8731 bytes
Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

12/9/2008 11:09:00 PM
mbam-log-2008-12-09 (23-09-00).txt

Scan type: Quick Scan
Objects scanned: 53306
Time elapsed: 7 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\tbsb09293.ietoolbar (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\tbsb09293.ietoolbar.1 (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ca3eb689-8f09-4026-aa10-b9534c691ce0} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{bfb5f154-9212-46f3-b547-ac6106030a54} (Adware.DosPopToolbar) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/09/2008 at 10:45 PM

Application Version : 4.23.1006

Core Rules Database Version : 3668
Trace Rules Database Version: 1647

Scan type : Complete Scan
Total Scan Time : 01:15:04

Memory items scanned : 574
Memory threats detected : 0
Registry items scanned : 5879
Registry threats detected : 75
File items scanned : 75570
File threats detected : 2

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}
HKCR\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}
HKCR\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}
HKCR\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\InprocServer32
HKCR\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\InprocServer32#ThreadingModel
HKCR\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ProgID
HKCR\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\Programmable
HKCR\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\TypeLib
HKCR\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\VersionIndependentProgID
HKCR\Toolbar3.TBSB09293.1
HKCR\Toolbar3.TBSB09293.1\CLSID
HKCR\Toolbar3.TBSB09293
HKCR\Toolbar3.TBSB09293\CLSID
HKCR\Toolbar3.TBSB09293\CurVer
HKCR\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}
HKCR\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0
HKCR\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0
HKCR\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0\win32
HKCR\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\FLAGS
HKCR\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\HELPDIR
C:\PROGRAM FILES\DOSPOP TOOLBAR\TBU1\DOSPOP.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}
HKU\S-1-5-21-402191466-23066337-1482622100-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}
HKCR\Interface\{5F5CF7AE-6AB0-49C3-BA06-BA59085B4313}
HKCR\Interface\{5F5CF7AE-6AB0-49C3-BA06-BA59085B4313}\ProxyStubClsid
HKCR\Interface\{5F5CF7AE-6AB0-49C3-BA06-BA59085B4313}\ProxyStubClsid32
HKCR\Interface\{5F5CF7AE-6AB0-49C3-BA06-BA59085B4313}\TypeLib
HKCR\Interface\{5F5CF7AE-6AB0-49C3-BA06-BA59085B4313}\TypeLib#Version
HKCR\Interface\{A4BBC19A-9A7B-4A5B-8212-1522B8F7E9AE}
HKCR\Interface\{A4BBC19A-9A7B-4A5B-8212-1522B8F7E9AE}\ProxyStubClsid
HKCR\Interface\{A4BBC19A-9A7B-4A5B-8212-1522B8F7E9AE}\ProxyStubClsid32
HKCR\Interface\{A4BBC19A-9A7B-4A5B-8212-1522B8F7E9AE}\TypeLib
HKCR\Interface\{A4BBC19A-9A7B-4A5B-8212-1522B8F7E9AE}\TypeLib#Version

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32#ThreadingModel
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Programmable
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\TypeLib
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID
HKCR\TBSB09293.TBSB09293.3
HKCR\TBSB09293.TBSB09293.3\CLSID
HKCR\TBSB09293.TBSB09293
HKCR\TBSB09293.TBSB09293\CLSID
HKCR\TBSB09293.TBSB09293\CurVer
HKU\S-1-5-21-402191466-23066337-1482622100-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BFB5F154-9212-46F3-B547-AC6106030A54}
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{BFB5F154-9212-46F3-B547-AC6106030A54}
HKU\S-1-5-21-402191466-23066337-1482622100-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{BFB5F154-9212-46F3-B547-AC6106030A54}

Adware.HBHelper
HKLM\Software\Classes\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32#ThreadingModel
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID
HKCR\URLSearchHook.ToolbarURLSearchHook.1
HKCR\URLSearchHook.ToolbarURLSearchHook.1\CLSID
HKCR\URLSearchHook.ToolbarURLSearchHook
HKCR\URLSearchHook.ToolbarURLSearchHook\CLSID
HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}
HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0
HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0
HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32
HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS
HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR
C:\PROGRA~1\DOSPOP~1\TBUE\TBHELPER.DLL

Browser Hijacker.Deskbar
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib#Version
sorry about the order that these are in but I did the superantispyware first then malware then hijack this thanks

oh I forgot I'm running xp media center edition sp3 and I did this CAUSE it was running really slow it would take forever to boot up and when I first bought it it was pretty fast. I have 512 megs of ram and a amd 3400 processor 1.8 gigahertz

Piece of crap still won't work. Can't do anything in safe mode. The minute I try to type something in that line after I hit run the piece of crap freezes up. Now what? Sorry, I've just been at this about 12-16 hours a day for the last 2 weeks, and I'm ready to give up. This things been a total pile of junk since I got it, I should have sued the idiot that sold it to me.
Does any of this have to do with the huge "system 32" file that now magically opens up when I boot up? That never happened before, and none of the crap that's in that file is mine. I'm sure it's taking up 90% of what little memory or whatever that I have. Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.

For Windows XP Systems install the Recovery Console:

- If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
- If for some reason your Internet is not working click No.
- If you are not using Windows XP, you will not be prompted.
- When prompted to accept the EULA click OK.
- Accept Microsoft's EULA (Click Yes).
- When you are told that the RC is installed correctly click YES to continue scanning for malware.

When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.Here are the logs you asked for. The first is part of ComboFix, I had to post it in two different posts because it is so long. HIJACK This follows. Thanks!!


ComboFix 08-12-07.04 - Christopher Apostle 2008-12-10 0:00:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.351 [GMT -7:00]
Running from: c:\documents and settings\Christopher Apostle\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\uninstall information
c:\program files\Need2Find
c:\program files\Need2Find\bar\History\search
c:\program files\Need2Find\bar\Settings\settings.dat
c:\program files\Need2Find\bar\Settings\settings.htm
c:\windows\system32\cache329
c:\windows\system32\cache329\B_134000.htm
c:\windows\system32\cache329\B_329_0_0_105300.htm
c:\windows\system32\cache329\B_329_0_0_106800.htm
c:\windows\system32\cache329\B_329_0_0_107400.htm
c:\windows\system32\cache329\B_329_0_0_446700.htm
c:\windows\system32\cache329\B_329_0_0_446800.htm
c:\windows\system32\cache329\B_329_0_0_446900.htm
c:\windows\system32\cache329\B_329_1_0_449200.gif
c:\windows\system32\cache329\B_329_1_0_449200.htm
c:\windows\system32\cache329\B_329_1_0_449600.gif
c:\windows\system32\cache329\B_329_1_0_449600.htm
c:\windows\system32\cache329\B_329_1_0_454300.gif
c:\windows\system32\cache329\B_329_1_0_454300.htm
c:\windows\system32\cache329\B_329_2_0_105300.htm
c:\windows\system32\cache329\B_329_2_0_106800.htm
c:\windows\system32\cache329\B_329_2_0_107400.htm
c:\windows\system32\cache329\B_329_2_0_446700.htm
c:\windows\system32\cache329\B_329_2_0_446800.htm
c:\windows\system32\cache329\B_329_2_0_446900.htm
c:\windows\system32\cache329\B_329_3_0_105300.htm
c:\windows\system32\cache329\B_329_3_0_106800.htm
c:\windows\system32\cache329\B_329_3_0_107400.htm
c:\windows\system32\cache329\B_329_3_0_446700.htm
c:\windows\system32\cache329\B_329_3_0_446800.htm
c:\windows\system32\cache329\B_329_3_0_446900.htm
c:\windows\system32\cache329\B_329_4_0_111600.htm
c:\windows\system32\cache329\B_329_4_0_152400.htm
c:\windows\system32\cache329\B_329_4_0_155300.htm
c:\windows\system32\cache329\B_329_4_0_164100.htm
c:\windows\system32\cache329\B_329_4_0_448200.htm
c:\windows\system32\cache329\B_329_4_0_448300.htm
c:\windows\system32\cache329\B_329_4_0_453400.htm
c:\windows\system32\cache329\t_B_134000.htm
c:\windows\system32\cache329\t_B_329_0_0_105300.htm
c:\windows\system32\cache329\t_B_329_0_0_106800.htm
c:\windows\system32\cache329\t_B_329_0_0_107400.htm
c:\windows\system32\cache329\t_B_329_0_0_446700.htm
c:\windows\system32\cache329\t_B_329_0_0_446800.htm
c:\windows\system32\cache329\t_B_329_0_0_446900.htm
c:\windows\system32\cache329\t_B_329_1_0_449200.htm
c:\windows\system32\cache329\t_B_329_1_0_449600.htm
c:\windows\system32\cache329\t_B_329_1_0_454300.htm
c:\windows\system32\cache329\t_B_329_2_0_105300.htm
c:\windows\system32\cache329\t_B_329_2_0_106800.htm
c:\windows\system32\cache329\t_B_329_2_0_107400.htm
c:\windows\system32\cache329\t_B_329_2_0_446700.htm
c:\windows\system32\cache329\t_B_329_2_0_446800.htm
c:\windows\system32\cache329\t_B_329_2_0_446900.htm
c:\windows\system32\cache329\t_B_329_3_0_105300.htm
c:\windows\system32\cache329\t_B_329_3_0_106800.htm
c:\windows\system32\cache329\t_B_329_3_0_107400.htm
c:\windows\system32\cache329\t_B_329_3_0_446700.htm
c:\windows\system32\cache329\t_B_329_3_0_446800.htm
c:\windows\system32\cache329\t_B_329_3_0_446900.htm
c:\windows\system32\cache329\t_B_329_4_0_111600.htm
c:\windows\system32\cache329\t_B_329_4_0_152400.htm
c:\windows\system32\cache329\t_B_329_4_0_155300.htm
c:\windows\system32\cache329\t_B_329_4_0_164100.htm
c:\windows\system32\cache329\t_B_329_4_0_448200.htm
c:\windows\system32\cache329\t_B_329_4_0_448300.htm
c:\windows\system32\cache329\t_B_329_4_0_453400.htm
c:\windows\system32\elikabut.ini
c:\windows\system32\ezimelet.ini
c:\windows\system32\irezasos.ini
c:\windows\system32\iyimogov.ini
c:\windows\system32\mudagisi.dll
c:\windows\system32\upiyedef.ini

.
((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.

2008-12-07 21:49 . 2008-11-06 02:03d--------C:\SDFix
2008-12-04 19:29 . 2008-04-13 18:12116,224--a------c:\windows\SYSTEM32\DLLCACHE\xrxwiadr.dll
2008-12-04 19:29 . 2001-08-17 22:3727,648--a------c:\windows\SYSTEM32\DLLCACHE\xrxftplt.exe
2008-12-04 19:29 . 2001-08-17 22:3623,040--a------c:\windows\SYSTEM32\DLLCACHE\xrxwbtmp.dll
2008-12-04 19:29 . 2008-04-13 18:1218,944--a------c:\windows\SYSTEM32\DLLCACHE\xrxscnui.dll
2008-12-04 19:29 . 2001-08-17 22:374,608--a------c:\windows\SYSTEM32\DLLCACHE\xrxflnch.exe
2008-12-04 19:28 . 2001-08-17 13:28771,581--a------c:\windows\SYSTEM32\DLLCACHE\winacisa.sys
2008-12-04 19:28 . 2002-08-28 20:59154,624--a------c:\windows\SYSTEM32\DLLCACHE\wlluc48.sys
2008-12-04 19:28 . 2001-08-17 22:3799,865--a------c:\windows\SYSTEM32\DLLCACHE\xlog.exe
2008-12-04 19:28 . 2001-08-17 22:3687,040--a------c:\windows\SYSTEM32\DLLCACHE\wiafbdrv.dll
2008-12-04 19:28 . 2001-08-17 22:3653,760--a------c:\windows\SYSTEM32\DLLCACHE\wiamsmud.dll
2008-12-04 19:28 . 2002-08-29 03:0041,600--a------c:\windows\SYSTEM32\DLLCACHE\weitekp9.dll
2008-12-04 19:28 . 2001-08-17 12:1234,890--a------c:\windows\SYSTEM32\DLLCACHE\wlandrv2.sys
2008-12-04 19:28 . 2002-08-29 03:0031,232--a------c:\windows\SYSTEM32\DLLCACHE\weitekp9.sys
2008-12-04 19:28 . 2001-08-17 12:1116,970--a------c:\windows\SYSTEM32\DLLCACHE\xem336n5.sys
2008-12-04 19:28 . 2008-04-13 12:368,832--a------c:\windows\SYSTEM32\DLLCACHE\wmiacpi.sys
2008-12-04 19:28 . 2008-04-13 18:128,192--a------c:\windows\SYSTEM32\DLLCACHE\wshirda.dll
2008-12-04 19:26 . 2001-08-17 12:18285,760--a------c:\windows\SYSTEM32\DLLCACHE\stlnata.sys
2008-12-04 19:25 . 2001-08-17 22:36495,616--a------c:\windows\SYSTEM32\DLLCACHE\sblfx.dll
2008-12-04 19:24 . 2001-08-17 13:28899,146--a------c:\windows\SYSTEM32\DLLCACHE\r2mdkxga.sys
2008-12-04 19:23 . 2008-08-14 02:332,023,936--a------c:\windows\SYSTEM32\DLLCACHE\OLD3DE.tmp
2008-12-04 19:22 . 2002-08-28 20:59132,695--a------c:\windows\SYSTEM32\DLLCACHE\netwlan5.sys
2008-12-04 19:21 . 2001-08-17 13:28802,683--a------c:\windows\SYSTEM32\DLLCACHE\ltsm.sys
2008-12-04 19:20 . 2008-04-13 18:11253,952--a------c:\windows\SYSTEM32\DLLCACHE\kdsusd.dll
2008-12-04 19:19 . 2001-08-17 13:28542,879--a------c:\windows\SYSTEM32\DLLCACHE\hsf_msft.sys
2008-12-04 19:18 . 2001-08-17 14:561,733,120--a------c:\windows\SYSTEM32\DLLCACHE\g400d.dll
2008-12-04 19:17 . 2001-08-17 12:14952,007--a------c:\windows\SYSTEM32\DLLCACHE\diwan.sys
2008-12-04 19:16 . 2001-08-17 22:36614,429--a------c:\windows\SYSTEM32\DLLCACHE\digiview.exe
2008-12-04 19:15 . 2001-08-17 12:13980,034--a------c:\windows\SYSTEM32\DLLCACHE\cicap.sys
2008-12-04 19:14 . 2001-08-17 13:28871,388--a------c:\windows\SYSTEM32\DLLCACHE\bcmdm.sys
2008-12-04 19:13 . 2001-08-17 12:19747,392--a------c:\windows\SYSTEM32\DLLCACHE\adm8830.sys
2008-12-04 19:12 . 2008-08-14 03:092,145,280--a------c:\windows\SYSTEM32\DLLCACHE\OLD2B.tmp
2008-12-04 19:12 . 2001-08-17 13:28762,780--a------c:\windows\SYSTEM32\DLLCACHE\3cwmcru.sys
2008-12-04 19:12 . 2001-08-17 14:55689,216--a------c:\windows\SYSTEM32\DLLCACHE\3dfxvs.dll
2008-12-04 19:12 . 2001-08-17 12:48148,352--a------c:\windows\SYSTEM32\DLLCACHE\3dfxvsm.sys
2008-12-04 19:12 . 2001-08-17 14:5666,048--a------c:\windows\SYSTEM32\DLLCACHE\s3legacy.dll
2008-12-04 19:12 . 2008-04-13 12:4653,376--a------c:\windows\SYSTEM32\DLLCACHE\1394bus.sys
2008-12-04 19:12 . 2008-04-13 12:4012,288--a------c:\windows\SYSTEM32\DLLCACHE\4mmdat.sys
2008-12-04 19:12 . 2001-08-17 14:0611,264--a------c:\windows\SYSTEM32\DLLCACHE\1394vdbg.sys
2008-12-04 19:12 . 2002-08-29 03:007,168--a------c:\windows\SYSTEM32\DLLCACHE\wamregps.dll
2008-12-04 19:11 . 2002-08-29 03:00169,984--a------c:\windows\SYSTEM32\DLLCACHE\iisui.dll
2008-12-04 19:11 . 2002-08-29 03:0094,720--a------c:\windows\SYSTEM32\DLLCACHE\certmap.ocx
2008-12-04 19:11 . 2002-08-29 03:0019,968--a------c:\windows\SYSTEM32\DLLCACHE\inetsloc.dll
2008-12-04 19:11 . 2002-08-29 03:0014,336--a------c:\windows\SYSTEM32\DLLCACHE\iisreset.exe
2008-12-04 19:11 . 2002-08-29 03:007,680--a------c:\windows\SYSTEM32\DLLCACHE\inetmgr.exe
2008-12-04 19:11 . 2002-08-29 03:006,144--a------c:\windows\SYSTEM32\DLLCACHE\ftpsapi2.dll
2008-12-04 19:11 . 2002-08-29 03:005,632--a------c:\windows\SYSTEM32\DLLCACHE\iisrstap.dll
2008-12-03 19:13 . 2008-12-03 19:30d--------c:\documents and settings\Christopher Apostle\Incomplete
2008-12-02 16:53 . 2008-12-02 16:53d--------c:\program files\AMT
2008-12-02 15:39 . 2008-12-09 10:22d--------c:\program files\SUPERAntiSpyware
2008-12-02 15:39 . 2008-12-02 15:39d--------c:\documents and settings\Christopher Apostle\Application Data\SUPERAntiSpyware.com
2008-12-02 15:39 . 2008-12-02 15:39d--------c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-02 15:38 . 2008-12-02 15:38d--------c:\program files\Common Files\Wise INSTALLATION Wizard
2008-12-02 15:26 . 2008-12-07 21:39d--------c:\program files\CCleaner
2008-12-02 14:46 . 2008-12-02 14:46d--------c:\program files\TechTracker
2008-12-02 14:46 . 2008-12-02 14:54d--------c:\documents and settings\Christopher Apostle\Application Data\VersionTracker Pro
2008-12-02 14:40 . 2008-12-02 14:40d--------c:\program files\Trend Micro
2008-12-01 23:02 . 2008-12-01 23:02d--------c:\program files\CAT
2008-11-29 17:06 . 2008-11-29 17:06d--------c:\program files\Alwil Software
2008-11-26 13:54 . 2008-12-08 17:51d--------c:\program files\Malwarebytes' Anti-Malware
2008-11-26 13:54 . 2008-11-26 13:54d--------c:\documents and settings\Christopher Apostle\Application Data\Malwarebytes
2008-11-26 13:54 . 2008-11-26 13:54d--------c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-26 13:54 . 2008-12-03 19:5238,496--a------c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-11-26 13:54 . 2008-12-03 19:5215,504--a------c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-11-18 17:31 . 2008-02-05 16:051,009,664--a------c:\windows\SYSTEM32\Ltwvc13n.dll
2008-11-18 17:31 . 2008-02-05 16:05453,120--a------c:\windows\SYSTEM32\ltkrn13n.dll
2008-11-18 17:31 . 2008-02-05 16:05445,440--a------c:\windows\SYSTEM32\ltimg13n.dll
2008-11-18 17:31 . 2008-02-05 16:05388,608--a------c:\windows\SYSTEM32\LFCMP13n.DLL
2008-11-18 17:31 . 2008-02-05 16:05265,216--a------c:\windows\SYSTEM32\LTDIS13n.dll
2008-11-18 17:31 . 2008-02-05 16:05246,272--a------c:\windows\SYSTEM32\LFJ2K13n.dll
2008-11-18 17:31 . 2008-02-05 16:05206,848--a------c:\windows\SYSTEM32\ltefx13n.dll
2008-11-18 17:31 . 2008-02-05 16:05182,784--a------c:\windows\SYSTEM32\Lfpng13n.dll
2008-11-18 17:31 . 2008-02-05 16:05154,112--a------c:\windows\SYSTEM32\ltfil13n.DLL
2008-11-18 17:31 . 2008-02-05 16:05142,848--a------c:\windows\SYSTEM32\lftif13n.dll
2008-11-18 17:31 . 2008-02-05 16:0573,728--a------c:\windows\SYSTEM32\lffax13n.dll
2008-11-18 17:31 . 2008-02-05 16:0530,208--a------c:\windows\SYSTEM32\lfbmp13n.dll
2008-11-18 17:30 . 2008-11-18 17:31d--------c:\program files\RingCentral
2008-11-18 17:30 . 2008-11-18 18:21d--------c:\documents and settings\All Users\Application Data\RingCentral
2008-11-18 11:14 . 2008-11-18 11:15d--------c:\documents and settings\Christopher Apostle\tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 02:13---------d-----wc:\documents and settings\Christopher Apostle\Application Data\LimeWire
2008-12-02 22:31---------d-----wc:\program files\Java
2008-12-02 17:43---------d-----wc:\program files\Web Publish
2008-12-02 17:43---------d-----wc:\program files\Spybot - Search & Destroy
2008-12-02 17:43---------d-----wc:\program files\Motherboard Monitor 5
2008-12-02 17:43---------d-----wc:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-02 02:58---------d-----wc:\program files\Viewpoint
2008-12-02 02:58---------d-----wc:\documents and settings\All Users\Application Data\Viewpoint
2008-11-10 12:43410,984----a-wc:\windows\SYSTEM32\deploytk.dll
2008-11-03 05:40---------d-----wc:\documents and settings\Christopher Apostle\Application Data\Image Zone Express
2008-11-03 02:52---------d-----wc:\program files\MSECache
2008-11-02 11:31---------d-----wc:\documents and settings\Christopher Apostle\Application Data\InstallShield
2008-11-02 11:29---------d--h--wc:\program files\InstallShield Installation Information
2008-10-31 05:56---------d-----wc:\documents and settings\Christopher Apostle\Application Data\eBookPro6
2008-10-28 20:07---------d-----wc:\documents and settings\All Users\Application Data\PureEdge
2008-10-28 20:06---------d-----wc:\documents and settings\All Users\Application Data\Amazon
2008-10-24 15:10---------d-----wc:\documents and settings\Christopher Apostle\Application Data\AdobeUM
2008-10-24 11:21455,296----a-wc:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:21455,296----a-wc:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-10-16 21:13202,776----a-wc:\windows\SYSTEM32\wuweb.dll
2008-10-16 21:13202,776----a-wc:\windows\SYSTEM32\DLLCACHE\wuweb.dll
2008-10-16 21:131,809,944----a-wc:\windows\SYSTEM32\wuaueng.dll
2008-10-16 21:131,809,944----a-wc:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
2008-10-16 21:12561,688----a-wc:\windows\SYSTEM32\wuapi.dll
2008-10-16 21:12561,688----a-wc:\windows\SYSTEM32\DLLCACHE\wuapi.dll
2008-10-16 21:12323,608----a-wc:\windows\SYSTEM32\wucltui.dll
2008-10-16 21:12323,608----a-wc:\windows\SYSTEM32\DLLCACHE\wucltui.dll
2008-10-16 21:0992,696----a-wc:\windows\SYSTEM32\DLLCACHE\cdm.dll
2008-10-16 21:0992,696----a-wc:\windows\SYSTEM32\cdm.dll
2008-10-16 21:0951,224----a-wc:\windows\SYSTEM32\wuauclt.exe
2008-10-16 21:0951,224----a-wc:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
2008-10-16 21:0943,544----a-wc:\windows\SYSTEM32\wups2.dll
2008-10-16 21:0834,328----a-wc:\windows\SYSTEM32\wups.dll
2008-10-16 21:0834,328----a-wc:\windows\SYSTEM32\DLLCACHE\wups.dll
2008-10-16 21:06268,648----a-wc:\windows\SYSTEM32\mucltui.dll
2008-10-16 21:06208,744----a-wc:\windows\SYSTEM32\muweb.dll
2008-10-15 16:34337,408----a-wc:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-03 17:416,066,176------wc:\windows\SYSTEM32\DLLCACHE\ieframe.dll
2008-09-30 23:431,286,152----a-wc:\windows\SYSTEM32\msxml4.dll
2008-09-15 12:121,846,400----a-wc:\windows\SYSTEM32\win32k.sys
2008-09-15 12:121,846,400----a-wc:\windows\SYSTEM32\DLLCACHE\win32k.sys
2008-09-10 01:141,307,648----a-wc:\windows\SYSTEM32\DLLCACHE\msxml6.dll
2008-09-10 01:141,307,648------wc:\windows\SYSTEM32\msxml6.dll
2005-11-29 21:39236,216----a-wc:\documents and settings\Christopher Apostle\Application Data\GDIPFONTCACHEV1.DAT
2008-04-14 00:1250,688--sh--wc:\windows\twain_32.dll
2005-05-05 04:14475--sh--wc:\windows\SYSTEM32\gglizu.dll
2008-04-14 00:1211,776--sh--wc:\windows\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown





2nd half of ComboFix log:


REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"RCUI"="c:\program files\RingCentral\RingCentral Call Controller\RCUI.exe" [2008-11-12 479232]
"RCHotKey"="c:\program files\RingCentral\RingCentral Call Controller\RCHotKey.exe" [2008-11-12 32768]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-17 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-08-19 98304]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 17:12 15360 c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2005-03-07 21:42 176128 c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztsb12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-08-19 20:31 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe"=
"c:\\Program Files\\Alwil Software\\Avast4\\ashMaiSv.exe"=
"c:\\WINDOWS\\SYSTEM32\\wuauclt.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-29 78416]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-29 20560]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\DRIVERS\LSIPNDS.sys [2004-07-01 95232]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{600c93a2-c0cc-11dd-97a4-000bdbb5764c}]
\Shell\AutoRun\command - E:\start.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-09 c:\windows\Tasks\ErrorKiller Scheduled Scan.job
- c:\program files\ErrorKiller\ErrorKiller.exe []

2008-12-09 c:\windows\Tasks\ErrorKiller Scheduled Scan.job
- c:\program files\ErrorKiller []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-cat - (no file)
MSConfigStartUp-EPSON Stylus C82 Series - c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-Nsv - c:\windows\system32\nsvsvc\nsvsvc.exe
MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-Tsa - c:\progra~1\COMMON~1\tsa\tsm.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\SYSTEM32\unicows.dll - c:\windows\Downloaded Program Files\ImageUploader5.ocx
O16 -: {38AB0814-B09B-4378-9940-14A19638C3C2}
hxxp://www.auctiva.com/Aurigma/ImageUploader55.cab
c:\windows\Downloaded Program Files\ImageUploader5.inf
FireFox -: Profile - c:\documents and settings\Christopher Apostle\Application Data\Mozilla\Firefox\Profiles\c10u9v8q.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 00:03:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2008-12-10 0:04:58
ComboFix-quarantined-files.txt 2008-12-10 07:04:23

Pre-Run: 24,265,408,512 bytes free
Post-Run: 24,297,021,440 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)PARTITION(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

337--- E O F ---2008-11-12 10:28:04Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:13 AM, on 12/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\RingCentral\RingCentral Call Controller\RCUI.exe
C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\slrundll.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV HELPER - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RCUI] "C:\Program Files\RingCentral\RingCentral Call Controller\RCUI.exe"
O4 - HKCU\..\Run: [RCHotKey] "C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v46/shared/FunGamesLoader.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.67.cab
O16 - DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} (Auctiva Image Uploader Control) - http://www.auctiva.com/Aurigma/ImageUploader55.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 6714 bytes
Run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

• Click on SCAN NOW
  
• Click Accept.
  
• The program will then begin downloading the latest definition files.
• Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  
• The scan will take a while, so be patient and let it finish.

• Next, in the Save as prompt, Save in area, select: Desktop.
  
• In the File name area use KScan, or something similar.
  
• In Save as type: click the drop arrow and select: Text file [*.txt]
  
• Then, click: Save

What is the best way to block ads from the internet? I have Internet Explorer and I WANT to block any type of ads

Thanks
Collegecase

PS I have Windows VISTA Home PremiumWhat browser do you have and what type of ads do you want to block?I have Internet Explorer and I want to block any type of adhttp://www.ie7pro.com/ad-blocker.html

Have you ever considered USING Firefox? There is an ad-on called Ad Block PLUS which is the absolute best!

And here is my most recent hijackthis log and I ran it while the Roxio Media Manager was trying to install in hopes hijackthis would give you something to work with....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:33 PM, on 11/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\RUN: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [sunjavaupdatesched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [realtray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [quicktime task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [ituneshelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [isusscheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [isuspm startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [intelwireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hotkeyscmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dvdlauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [dell quickset] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [act! preloader] "C:\Program Files\ACT\ACT for Windows\Act8.exe" -stayrunning
O4 - HKLM\..\Run: [pcmservice] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [isuspm] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [dellsupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [picasa media detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [msmsgs] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Yahoo! Autosync.lnk = C:\Program Files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [searching] Search from the Address bar
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227318588125
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe (file missing)
O23 - Service: McAfee PROXY Service (McProxy) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee\MPF\MPFSrv.exe (file missing)
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - Unknown owner - C:\Program Files\McAfee\MSK\MskSrver.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe (file missing)
O23 - Service: Roxio Upnp Server 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10333 bytes


Please let me know what you come up with.....And lastly here is the ComboFix.txt..........

ComboFix 08-11-22.02 - Kris Maurer 2008-11-23 10:44:00.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.73 [GMT -5:00]
Running from: c:\documents and settings\Kris Maurer\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kris Maurer\Desktop\CFScript.txt

FILE ::
c:\windows\system32\bszip.dll
c:\windows\system32\fnts~1\wucrtupd.exe
.

((((((((((((((((((((((((( Files Created from 2008-10-23 to 2008-11-23 )))))))))))))))))))))))))))))))
.

2008-11-22 16:51 . c:\windows\LastGood.Tmp
2008-11-21 21:35 . 2008-11-21 21:35d--------c:\windows\system32\scripting
2008-11-21 21:35 . 2008-11-21 21:35d--------c:\windows\system32\en
2008-11-21 21:35 . 2008-11-21 21:35d--------c:\windows\system32\bits
2008-11-21 21:35 . 2008-11-21 21:35d--------c:\windows\l2schemas
2008-11-21 21:33 . 2008-11-21 21:36d--------c:\windows\ServicePackFiles
2008-11-21 21:25 . 2008-11-21 21:25d--------c:\windows\EHome
2008-11-21 21:22 . 2008-08-14 05:04138,496-----c---c:\windows\system32\dllcache\afd.sys
2008-11-21 21:20 . 2008-04-13 19:12712,704---------c:\windows\system32\windowscodecs.dll
2008-11-21 21:20 . 2008-04-13 19:12346,112---------c:\windows\system32\windowscodecsext.dll
2008-11-21 21:20 . 2008-04-13 19:12276,992---------c:\windows\system32\wmphoto.dll
2008-11-21 21:20 . 2008-04-13 19:1269,120---------c:\windows\system32\wlanapi.dll
2008-11-21 21:18 . 2008-04-13 19:111,888,992---------c:\windows\system32\ati3duag.dll
2008-11-21 21:17 . 2008-06-13 06:05272,128-----c---c:\windows\system32\dllcache\bthport.sys
2008-11-21 21:08 . 2008-09-15 07:121,846,400-----c---c:\windows\system32\dllcache\win32k.sys
2008-11-21 21:08 . 2008-09-08 05:41333,824-----c---c:\windows\system32\dllcache\srv.sys
2008-11-21 20:57 . 2008-08-14 05:112,189,184-----c---c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-21 20:57 . 2008-08-14 05:092,145,280-----c---c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-21 20:57 . 2008-08-14 04:332,066,048-----c---c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-21 20:57 . 2008-08-14 04:332,023,936-----c---c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-21 20:56 . 2008-10-24 06:21455,296-----c---c:\windows\system32\dllcache\mrxsmb.sys
2008-11-21 20:54 . 2008-09-04 12:151,106,944-----c---c:\windows\system32\dllcache\msxml3.dll
2008-11-21 20:54 . 2008-04-11 14:04691,712-----c---c:\windows\system32\dllcache\inetcomm.dll
2008-11-21 20:54 . 2008-10-15 11:34337,408-----c---c:\windows\system32\dllcache\netapi32.dll
2008-11-21 20:54 . 2008-05-01 09:33331,776-----c---c:\windows\system32\dllcache\msadce.dll
2008-11-21 18:32 . 2008-11-21 18:32d--------C:\VundoFix Backups
2008-11-20 22:36 . 2008-11-20 22:36d--------c:\program files\Malwarebytes' Anti-Malware
2008-11-20 22:36 . 2008-10-22 16:1038,496--a------c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-20 22:36 . 2008-10-22 16:1015,504--a------c:\windows\system32\drivers\mbam.sys
2008-11-20 22:31 . 2008-11-20 22:31d--------c:\program files\Trend Micro
2008-11-20 21:29 . 2008-11-20 21:29d--------c:\documents and settings\Kris Maurer\Application Data\Malwarebytes
2008-11-20 21:29 . 2008-11-20 21:29d--------c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-20 16:58 . 2008-11-20 16:58d--------c:\documents and settings\Kris Maurer\DoctorWeb
2008-11-20 16:51 . 2005-02-15 15:02163,840--a------c:\windows\system32\igfxres.dll
2008-11-20 16:43 . 2008-04-13 19:11156,672--a--c---c:\windows\system32\dllcache\winzm.ime
2008-11-20 16:43 . 2008-04-13 19:11156,672--a--c---c:\windows\system32\dllcache\winsp.ime
2008-11-20 16:43 . 2008-04-13 19:11156,672--a--c---c:\windows\system32\dllcache\winpy.ime
2008-11-20 16:43 . 2008-04-13 19:1165,536--a--c---c:\windows\system32\dllcache\winime.ime
2008-11-20 16:43 . 2004-08-12 09:1028,288--a--c---c:\windows\system32\dllcache\xjis.nls
2008-11-20 16:41 . 2004-08-12 08:581,875,968--a--c---c:\windows\system32\dllcache\msir3jp.lex
2008-11-20 16:40 . 2008-04-13 19:0913,463,552--a--c---c:\windows\system32\dllcache\hwxjpn.dll
2008-11-20 16:39 . 2004-08-12 08:56195,618--a--c---c:\windows\system32\dllcache\c_10002.nls
2008-11-20 16:36 . 2008-11-20 16:36749-rah-----c:\windows\WindowsShell.Manifest
2008-11-20 16:36 . 2008-11-20 16:36749-rah-----c:\windows\system32\wuaucpl.cpl.manifest
2008-11-20 16:36 . 2008-11-20 16:36749-rah-----c:\windows\system32\sapi.cpl.manifest
2008-11-20 16:36 . 2008-11-20 16:36749-rah-----c:\windows\system32\ncpa.cpl.manifest
2008-11-20 16:36 . 2008-11-20 16:36488-rah-----c:\windows\system32\logonui.exe.manifest
2008-11-20 16:35 . 2004-08-12 08:5816,384--a--c---c:\windows\system32\dllcache\isignup.exe
2008-11-20 16:22 . 2004-08-12 09:0624,661--a------c:\windows\system32\spxcoins.dll
2008-11-20 16:22 . 2004-08-12 09:0624,661--a--c---c:\windows\system32\dllcache\spxcoins.dll
2008-11-20 16:22 . 2004-08-12 08:5813,312--a------c:\windows\system32\irclass.dll
2008-11-20 16:22 . 2004-08-12 08:5813,312--a--c---c:\windows\system32\dllcache\irclass.dll
2008-11-20 16:21 . 2004-08-12 09:061,042,903--a--c---c:\windows\system32\dllcache\SP2.CAT
2008-11-20 16:21 . 2004-08-12 09:02797,189--a--c---c:\windows\system32\dllcache\NT5IIS.CAT
2008-11-20 16:21 . 2004-08-12 08:59399,645--a--c---c:\windows\system32\dllcache\MAPIMIG.CAT
2008-11-20 16:21 . 2004-08-12 09:0137,484--a--c---c:\windows\system32\dllcache\MW770.CAT
2008-11-20 16:21 . 2004-08-12 08:5713,472--a--c---c:\windows\system32\dllcache\HPCRDP.CAT
2008-11-20 16:21 . 2004-08-12 08:578,574--a--c---c:\windows\system32\dllcache\IASNT4.CAT
2008-11-20 16:21 . 2004-08-12 09:117,710--a--c---c:\windows\system32\dllcache\OEMBIOS.CAT
2008-11-20 16:21 . 2004-08-12 09:097,334--a--c---c:\windows\system32\dllcache\wmerrenu.cat
2008-11-20 11:08 . 2008-11-20 11:08d--------c:\windows\dell
2008-11-20 11:08 . 2008-11-20 21:18527,921,152--a------c:\windows\MEMORY.DMP
2008-11-20 10:15 . 2008-11-20 12:15d--------c:\program files\CleanUp!
2008-11-19 15:53 . 2008-11-19 15:53d--------c:\documents and settings\Administrator\Application Data\InstallShield
2008-11-14 16:56 . 2008-11-20 22:49d--------c:\program files\Common Files\Wise Installation Wizard
2008-11-14 16:53 . 2008-11-20 16:254,128--a------C:\INFCACHE.1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-21 23:28---------d-----wc:\documents and settings\All Users\Application Data\Google Updater
2008-11-15 03:55---------d-----wc:\program files\Common Files\Scanner
2008-11-15 02:38---------d-----wc:\program files\Windows Media Connect 2
2008-10-24 11:21455,296----a-wc:\windows\system32\drivers\mrxsmb.sys
2008-05-04 00:0456--sh--rc:\windows\system32\42F52BF3EA.sys
.

((((((((((((((((((((((((((((( [emailprotected]_11.09.34.87 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-22 16:21:4932,768----a-rc:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
- 2007-07-31 00:19:46203,096-c--a-wc:\windows\system32\dllcache\wuweb.dll
+ 2008-07-19 03:09:44205,000-c--a-wc:\windows\system32\dllcache\wuweb.dll
- 2008-11-22 15:50:441,786--sha-wc:\windows\system32\KGyGaAvL.sys
+ 2008-11-23 15:49:331,786--sha-wc:\windows\system32\KGyGaAvL.sys
- 2007-05-08 19:03:041,275,392----a-wc:\windows\system32\msxml4.dll
+ 2008-09-30 21:43:341,286,152----a-wc:\windows\system32\msxml4.dll
- 2007-07-31 00:19:46203,096----a-wc:\windows\system32\wuweb.dll
+ 2008-07-19 03:09:44205,000----a-wc:\windows\system32\wuweb.dll
+ 2008-11-23 15:48:3516,384----atwc:\windows\temp\Perflib_Perfdata_584.dat
+ 2008-09-30 21:42:081,286,152----a-wc:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-09-30 21:45:1291,656----a-wc:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-31 68856]
"isuspm"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"dellsupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2007-03-07 1773568]
"sunjavaupdatesched"="c:\program files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 36975]
"realtray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-10-07 26112]
"quicktime task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-07-13 169264]
"ituneshelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-25 229952]
"isusscheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"isuspm startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"intelwireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-02-15 155648]
"hotkeyscmds"="c:\windows\system32\hkcmd.exe" [2005-02-15 126976]
"dvdlauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"dell quickset"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]
"apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"act! preloader"="c:\program files\ACT\ACT for Windows\Act8.exe" [2006-04-05 1015808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-07 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 16:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Yahoo! Autosync.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Yahoo! Autosync.lnk
backup=c:\windows\pss\Yahoo! Autosync.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmsgs]
--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pcmservice]
--a------ 2004-04-11 20:15 290816 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\picasa media detector]
--a------ 2008-02-25 20:23 443968 c:\program files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxWatch9"=2 (0x2)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"MSK80Service"=2 (0x2)
"MpfService"=2 (0x2)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\ACT\\ACT for Windows\\Act8.exe"=
"%windir%\\system32\\sessmgr.exe"=

R2 Maxtor Sync Service;Maxtor Service;"c:\program files\Maxtor\Sync\SyncServices.exe" [2007-07-13 156976]
R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-11-02 24652]
S1 8a0dfb28;8a0dfb28;c:\windows\system32\drivers\8a0dfb28.sys []
S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 []
.
Contents of the 'Scheduled Tasks' folder

2008-08-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-07-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe []

2007-10-18 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe []
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-23 10:48:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(980)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\msiexec.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\system32\msiexec.exe
c:\program files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
c:\progra~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe
.
**************************************************************************
.
Completion time: 2008-11-23 10:57:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-23 15:57:05
ComboFix2.txt 2008-11-22 16:10:45

Pre-Run: 17,798,598,656 bytes free
Post-Run: 17,781,473,280 bytes free

226--- E O F ---2008-11-22 16:21:50
Well, everything appears to check out. You will, of course, want to run regular virus scans, but there are no longer any obvious signs of infection. As for this Roxio installer...it's a bit hard to say exactly what is going on. Your logs show traces of Roxio existing in some form and it looks like you either had Roxio installed at one point or you stopped it in the middle of installation (probably the latter). I could be wrong, but it's possible that your registry is confusing the computer and making it want to install Roxio. For starters, let's try disabling the InstallShield updater from running at startup, as well as the Roxio entries in your log. Scan with HijackThis (without a log) and place checkmarks next to these entries:

O4 - HKLM\..\Run: [isusscheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [isuspm startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [isuspm] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O23 - Service: Roxio UPnP Renderer 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe (file missing)
O23 - Service: Roxio Upnp Server 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (file missing)

Close all other windows and click Fix Checked. While you're at it, check C:\Program Files and C:\Program Files\Common Files for any Roxio folders. If you find them, delete them. You should then download CCleaner (without the Yahoo! toolbar) and use it to clean out files and broken registry entries.

You may even want to open up the Windows search function and perform a search (you may need to view hidden files and folders) for "roxio" and delete everything related to the program. If you're uncertain, leave it alone. Keep in mind that I'm assuming you are not using any Roxio products, which is why I'm having you delete everything related.

Once you've done everything, restart and cross your fingers. If the problem persists, you may want to CONTACT Roxio. There are viruses that will try to run the installer, but I've never seen one that acts quite like this, so I suspect that it isn't malicious.CBMatt,

All looks good and computer is back to normal operation. Your help has been AWSOME and I will be in touch soon, I have a friends computer to work on around Christmas and I sounds like it is in similar shape

Thanks again,

C-TrainGreat, I'm glad to hear that things are running SMOOTHLY again. And I'll be happy to help you out with the other computer if you need me. Take care.

I have had problems with my computer since buying it from a friend. I do have System Suite 8 (Avanquest) security software and it has (I thought!) removed alot of spyware, adware, and a couple of Trojans that were apparently already on it! But within the past month I started recieving notification of Port Scan attempts from my firewall; they were all blocked. A couple of weeks ago my husband was on the computer and when I logged on the next day their was this Spyware threat balloon that kept popping up on my task bar, the desktop background had been changed (saying spyware threat had been detected on my computer and to click link for full system scan, which I DID NOT do!) Also kept getting these windows popping up on my desktop saying WinSec Alert: Trojan Found or Spyware found and would give various names of these Viruses. Also anytime I would go online a pop up would re-route me to a (bogus) WinSec Update site, trying to get me 2 download and/or buy their product. I of course did NONE of the REQUESTS, but I could NOT get rid of this crap on my computer; ran full virus & spyware scans with System Suite, and even downloaded Windows Live one care and ran full scan with it several times (it picked up a couple of things and supposedly quarentined them). No luck until today that is, I found your site and did all of the steps recommended by "Evil". My computer background is back to normal, no more annoying balloons, pop-ups etc. I just want to make sure that everything really is "Clean". Here are the logs as requested, if there is anything else I need to do to ensure that my computer is FINALLY clean and clear please let me know. You have already been so much help, all I can say is THANK YOU , THANK YOU, THANK YOU!!

[Saving space - attachment deleted by admin]Sorry for the delayed response; we're usually very busy here. If you would still like help, TRY the following...

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before STARTING ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.

For Windows XP Systems install the Recovery Console:

- If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
- If for some reason your Internet is not working click No.
- If you are not using Windows XP, you will not be prompted.
- When prompted to accept the EULA click OK.
- Accept Microsoft's EULA (Click Yes).
- When you are told that the RC is installed CORRECTLY click YES to continue scanning for malware.

When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

It is a little small, but I've seen smaller. It's not NECESSARILY the size I was worried about...GMER LOGS are just a bit of a PAIN to read in most cases. Thankfully, yours appears to be pretty ordinary.

Are you continuing to experience problems? Are you still finding evidence of TDSSERVE? If so, the best instruction I can give you right now is to keep running scans with SAS, MBAM, and SDFix. You will have the best results in Safe Mode. You may also want to scan with Sophos Anti-Rootkit. Sometimes, these infections simply need a bit of determination.

If you're no longer EXPERIENCING issues, I would still advise scanning with these on a regular basis.My computer seems to be running very smoothly..for now..i guess

Yes i will take your advice and scan my computer regularly.

Anyway thank you very much for your assistance. Much appreciated it!!I'm glad things are running a bit better. If your symptoms return or you encounter any other problems, FEEL free to come back.

Yeah I can check around for a disk. Thanks for all your help.

Dr. Web

SR.vbs;C:\WINDOWS\Desktop;Probably BATCH.Virus;;
SBWebCtl.dll;C:\WINDOWS\SYSTEM\SBUtils;Adware.WebHancer;;
0032[1].EXE;C:\WINDOWS\Temporary Internet Files\Content.IE5\C12LA72R;Win32.Virut.5;Cured.
C.bat;C:\Program Files\%systemdrive%\32788R22FWJFW;Probably BATCH.Virus;;
hidec.exe;C:\Program Files\%systemdrive%\32788R22FWJFW;Win32.Virut.5;Cured.;
hidec.exe;C:\Program Files\%systemdrive%\32788R22FWJFW;Win32.Virut.5;Cured.;
psexec.cfexe;C:\Program Files\%systemdrive%\32788R22FWJFW;Program.PsExec.171;;
Process.exe;C:\Program Files\%systemdrive%\SDFix\apps;Tool.Prockill;;
A0230481.CPY;C:\_RESTORE\TEMP;Win32.Virut.5;;

with about 20K+ more of those restore temps. I couldn't attach the log and it was taking too long to copy delete and paste them into new foldersAlthough they're not always cooperative, you can try asking Dell to ship a CD out to you. Once you can get a copy, it should be easy as pie to take care of the REST of your issues.

There's another thing I just thought of. This isn't advised, but you could try using System Restore to go back as far as you can. SEARCH for the rundll32.exe file (should be in C:\WINDOWS on an ME computer) and copy it to a flashdrive. Then undo the System Restore and place the file where it goes. Keep in mind that this is a longshot, and like I said, I don't ADVISE it. With the file currently missing, there is a chance that it would not work properly.

Hello i have the vundo virus on my computer and i cannot do anything my antivirus is SAYING everything is malicious activity on any program i click on and that it is the vundo.gen virus . Please help... i can do scans in safemode and that is all. Regular mode is unusable. Vundofix finds nothing. Spybot finds something and trys to remove but is unsuccessful. Malware bytes finds a couple of things says successful but rescan and infections are back. i tried deleting the registries that i found from another site and ending the process in winlogin and deleting file in safe mode to no success. This was a couple of days ago that i tried all this.

Windows Xp SERVICE pack 3
4 Gigabytes of Ram
8300 GS Nivida Graphic card
Intel Duel Processor 3.00ghz
Antivir Antivirus
Comodo Firewall.
Superantispyware, malware bytes, spybot Here is Hijack LOG and malware log... everytime i try to remove files with malware it says successful but then i do another scan and the same things pop up

[Saving space - attachment deleted by admin]I had a problem with Vundo before...almost had to flush my XP...Vundo embeds itself in system restore. The first step is to turn that off. After that, do a virus scan. Delete the files that are found. After that, restart your computer and do another Hijack.Ok i did another scan after disabling System restore. IT seems that my computer isnt acting up anymore but i want to be on safe side.

[Saving space - attachment deleted by admin]hmmmmmmmmmmmmmmmm Any help pleaseDon't think you have gotten rid of it YET, it likes to hide, and, once removed will just copy its self of the registry keys,
so you will most probably need a registry cleaner,
try Eusing, its free, and easy.

http://www.eusing.com/free_registry_cleaner/registry_cleaner.htm <<< INFO

http://www.snapfiles.com/download/dleusingregistry.html <<< DOWNLOAD

even after running this, you best post THREE logs for the cool people to have a little look at.

Please can someone look at my logs, not sure if I got rid of all virus. I've run through the malware removal steps and here are my logs for superanti spyware/malwarebytes anti-malware/HJT


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/07/2008 at 07:04 PM

Application Version : 4.21.1004

Core Rules Database Version : 3665
Trace Rules Database Version: 1645

Scan type : Complete Scan
Total Scan Time : 00:39:02

Memory items scanned : 313
Memory threats detected : 0
Registry items scanned : 5797
Registry threats detected : 7
File items scanned : 22934
File threats detected : 12

Adware.Tracking Cookie
C:\Documents and Settings\Matt & Ariana\Cookies\matt_&[emailprotected][1].txt
C:\Documents and Settings\Matt & Ariana\Cookies\matt_&[emailprotected][1].txt
C:\Documents and Settings\Matt & Ariana\Cookies\matt_&[emailprotected][2].txt
C:\Documents and Settings\Matt & Ariana\Cookies\matt_&[emailprotected][2].txt
C:\Documents and Settings\Matt & Ariana\Cookies\matt_&[emailprotected][2].txt
C:\Documents and Settings\Matt & Ariana\Cookies\matt_&[emailprotected][2].txt
C:\Documents and Settings\Matt & Ariana\Cookies\matt_&[emailprotected][1].txt
C:\Documents and Settings\Matt & Ariana\Cookies\matt_&[emailprotected][2].txt

Rogue.Component/Trace
HKLM\Software\Microsoft\E04E9B0C
HKLM\Software\Microsoft\E04E9B0C#e04e9b0c
HKLM\Software\Microsoft\E04E9B0C#red_srv
HKLM\Software\Microsoft\E04E9B0C#red_srv_bckp
HKLM\Software\Microsoft\E04E9B0C#Version
HKLM\Software\Microsoft\E04E9B0C#e04e368c
HKLM\Software\Microsoft\E04E9B0C#e04e5f69

Rootkit.TDSServ/Fake
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DEA029A3-FE2B-47C9-96FA-BE9DB23741C5}\RP1359\A0203487.SYS

Adware.Vundo Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DEA029A3-FE2B-47C9-96FA-BE9DB23741C5}\RP1414\A0213359.DLL

Adware.Vundo/Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DEA029A3-FE2B-47C9-96FA-BE9DB23741C5}\RP1415\A0215395.DLL

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DEA029A3-FE2B-47C9-96FA-BE9DB23741C5}\RP1418\A0217412.DLL




Malwarebytes' Anti-Malware 1.31
Database version: 1469
Windows 5.1.2600 Service Pack 2

12/7/2008 5:49:47 PM
mbam-log-2008-12-07 (17-49-47).txt

Scan type: Quick Scan
Objects scanned: 71051
Time elapsed: 25 minute(s), 11 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 3
Registry Keys Infected: 18
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 4
Files Infected: 34

Memory Processes Infected:
C:\Documents and Settings\Matt & Ariana\Application Data\gadcom\gadcom.exe (Trojan.Downloader) -> Unloaded PROCESS successfully.
C:\Program Files\Extra Antivir\Extra Antivir.exe (Rogue.Extraantivir) -> Unloaded process successfully.
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\ddcDspPj.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vtUmLcCv.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vgjvvb.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3c45c649-d662-40ff-8f3b-cb9c1e13ae58} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3c45c649-d662-40ff-8f3b-cb9c1e13ae58} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtumlccv (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e3632e35-300c-487e-b96f-22428439bb1d} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e3632e35-300c-487e-b96f-22428439bb1d} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f34dd418-b748-46eb-8305-baaeb7353cac} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f34dd418-b748-46eb-8305-baaeb7353cac} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7cab59b4-55a3-4737-9fd5-b93c6430bf78} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7cab59b4-55a3-4737-9fd5-b93c6430bf78} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f34dd418-b748-46eb-8305-baaeb7353cac} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3c45c649-d662-40ff-8f3b-cb9c1e13ae58} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\extra antivir (Rogue.Extraantivir) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\ddcdsppj -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ddcdsppj -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: digeste.dll -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Extra Antivir (Rogue.Extraantivir) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\START Menu\Programs\Extra Antivir (Rogue.Extraantivir) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matt & Ariana\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matt & Ariana\Application Data\Extra Antivir (Rogue.Extraantivir) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\nnnnNDuU.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UuDNnnnn.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UuDNnnnn.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUmLcCv.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ddcDspPj.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jPpsDcdd.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jPpsDcdd.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vgjvvb.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\gjeosdmu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matt & Ariana\Application Data\gadcom\gadcom.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ifmtmlir.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matt & Ariana\Local Settings\Temporary Internet Files\Content.IE5\2KG3E0C7\mslog[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matt & Ariana\Local Settings\Temporary Internet Files\Content.IE5\M6NM0N4O\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matt & Ariana\Local Settings\Temporary Internet Files\Content.IE5\M6NM0N4O\mslog[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Extra Antivir\Buy.url (Rogue.Extraantivir) -> Quarantined and deleted successfully.
C:\Program Files\Extra Antivir\Extra Antivir.exe (Rogue.Extraantivir) -> Quarantined and deleted successfully.
C:\Program Files\Extra Antivir\Help.url (Rogue.Extraantivir) -> Quarantined and deleted successfully.
C:\Program Files\Extra Antivir\HowToBuy.txt (Rogue.Extraantivir) -> Quarantined and deleted successfully.
C:\Program Files\Extra Antivir\ID.dat (Rogue.Extraantivir) -> Quarantined and deleted successfully.
C:\Program Files\Extra Antivir\License.txt (Rogue.Extraantivir) -> Quarantined and deleted successfully.
C:\Program Files\Extra Antivir\Uninstall.exe (Rogue.Extraantivir) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Extra Antivir\Purchase License.lnk (Rogue.Extraantivir) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Extra Antivir\Start Extra Antivir.lnk (Rogue.Extraantivir) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Extra Antivir\Support Page.lnk (Rogue.Extraantivir) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Extra Antivir\Uninstall.lnk (Rogue.Extraantivir) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matt & Ariana\Application Data\Extra Antivir\Extra Antivir.ini (Rogue.Extraantivir) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matt & Ariana\Application Data\Extra Antivir\spl.ini (Rogue.Extraantivir) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Best BDSM P0rn.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Gay Fetish Sex.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv481228549733.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\digeste.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matt & Ariana\Start Menu\Programs\Startup\Extra Antivir.lnk (Rogue.Extraantivir) -> Quarantined and deleted successfully.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:14 PM, on 12/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Zzoechk] C:\WINDOWS\W?nSxS\w?wexec.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Matt & Ariana\Application Data\Twain\Twain.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base MODULE) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163132585593
O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://www.cashcall.com/LoanStatus/x86/capicom.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O20 - AppInit_DLLs: eofgmvmn.dll rseuuw.dll bnlevj.dll vgjvvb.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

--
End of file - 6968 bytes

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before PERFORMING a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.

For Windows XP Systems INSTALL the Recovery Console:

- If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
- If for some reason your Internet is not working click No.
- If you are not using Windows XP, you will not be prompted.
- When prompted to accept the EULA click OK.
- Accept Microsoft's EULA (Click Yes).
- When you are told that the RC is installed correctly click YES to continue scanning for malware.

When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

When I run spybot it picks up something called right click media or something then I get rid of it but when I run it again its still there.Quote

called right click media or something

• Double-click mbam-setup.exe and follow the prompts to install the program.
  
• At the end, be sure a checkmark is placed next to the following:
• UPDATE Malwarebytes' Anti-Malware
  
• Launch Malwarebytes' Anti-Malware

• Then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, SELECT Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy and Paste the entire report in your next reply.

hi there folks
there are .exe's on my Pc that are RUNNING that have WEIRD names (possibly malware?)
plz id the list of Unidentified .


1. HOMERunner.exe
2. KHALMNPR.EXE (NAME ALL IN CAPS)
3. WkuFind.exe
4.E_S10IC2.EXE (VIRUS?)

I know most of the files on a PC (i am PROGRAMMER as a HOBBY )
but the files listed i cannot id/get info about them! Use Google

I've been dealing with this crappy virus since Friday. :'(Kept my McAfee from updating but I couldn't download any other security packs or even get to any ANY security sites or any link remotely involved in security! I googled the virus traits and the SEARCH lead me here. I read the posts and followed the instructions for all the malware and security downloads. I put them on a flashdrive (from another computer since I couldn't even use any links you folks posted here), LOADED them, and followed all the instruction for scanning. After turning off the TSS.... whatever.... thing, and re-starting my computer, IMMEDIATELY my AVG picked up a Trojan (TDSSXNAQ. ???DLL) and a second scan with the Malware picked up 4 more, including the BACKDOOR!

I am posting my logs for 'someone' to examine and tell me if everything is good to go now.

I REALLY appreciate this SITE and EVERYONE who gives their time and incredible KNOWLEDGE to the betterment of those of us at the mercy of the internet gods.
You are life savers!

[Saving space - ATTACHMENT deleted by ADMIN]some guy, "specialist" will review your situation asap.

Scan with Panda ActiveScan

• Once you are on the Panda site click the Scan your PC now button
  
• A new window will open...click the Check Now button
  
• Enter your Country
  
• Enter your State/Province
  
• Enter your e-mail address and click send
  
• Select either Home User or Company
  
• Select the appropriate Yes or No to receiving marketing information
• Click the Free Online Scan button
  
• If it wants to install an ActiveX component allow it
• It will start downloading the FILES it requires for the scan (Note: It may take a couple of minutes)
  
• When DOWNLOAD is complete, click on My COMPUTER to start the scan
  
• When the scan COMPLETES, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Hey everyone.

I didn't know where to post my problem, because it may be due to several reasons.

My problem:

My computer has 1gig RAM in it. The problem is, sometimes when i start up my computer, my computer only detects 502 MB RAM. To fix it, i would have to restart my computer multiple times before it detects 1gig RAM. I need help...idk what the problem could be. Its weird because if it happens, and i restart my computer without touching anything..it works. that means, it isnt the actual RAM cards that are giving the problems. Or maybe it is them..im not sure.

My other problem:

Recently, whenever I moved my laptop, the BSOD screen would come up.

It said 3 different things...it was like..sys_management_blah blah blah
and 2 other things...

I have not installed anything new in the past month, yet this BSOD problem randomly started. It just comes up sometimes..when I MOVE my laptop or something. It isnt a virus because I scanned my computer with Avira, and nothing was detected.

My last problem:

My computer doesn't last more than 5minutes without the adapter. To test it, i left my adapter plugged into my laptop for the whole day, and when i unplugged it for usage , it only lasted for 5minutes before it shut down , due to lack of battery. Does this mean I need a new battery? Or what? :s

Thanks in advance for helping me with any of my 3 problems.

- Zain

How old is this laptop and is it under warranty?How does it run without the battery (only plugged in; battery removed)the laptop is about 3 years old.

the laptop runs with the adapter, as long as its plugged in.

if the batteries not in, and its just plugged in...it will turn off if it was unplugged.Quote from: Zain on December 06, 2008, 11:03:31 PM

the laptop is about 3 years old.

the laptop runs with the adapter, as long as its plugged in.

if the batteries not in, and its just plugged in...it will turn off if it was unplugged.

Ha, i got a laugh reading this crap in a chain email sent to me.

----- Original Message -----
From: Brent
To: [emailprotected]*********
Sent: Wednesday, November 26, 2008 4:22 PM
Subject: FW: HUGE virus coming!

This has been checked with Norton Anti-Virus, and they are gearing up for this virus!
and it is for real!!
Get this E-mail message sent around to your contacts ASAP.
PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS!
You should be alert during the next few days. Do not open any message
with an attachment ENTITLED 'POSTCARD FROM HALLMARK,' regardless of who sent
it to you. It is a virus which opens A POSTCARD IMAGE, which 'burns' the
whole hard disc C of your computer. This virus will be received from someone
who has your e-mail address in his/her contact list. This is the reason
why you need to send this e-mail to all your contacts It is better to receive
this message 25 times than to receive the virus and open it.
If you receive a mail called' POSTCARD,' EVEN though sent to you by a
friend, do not open it! Shut down your computer immediately.
This is the worst virus announced by CNN. It has been classified by
Microsoft as the most destructive virus ever. This virus was discovered by
McAfee yesterday, and there is no repair yet for this KIND of virus.

This virus simply destroys the Zero SECTOR of the Hard Disc, where the vital
information is kept.

I have recieved a message from a former work collegue REGARDING a so called "Hallmark card" virus.

Is this a genuine alert about a real threat does anyone KNOW?Well I found this, if it's what you're asking:
http://antivirus.about.com/od/emailhoaxes/p/postcard.htmThanks for that let's hope it isn't a genuine virus. It's just junk mail. It tends to float AROUND during every holiday. No need to worry.basic rule of thumb- anything that asks you to forward it to a certain number of friends or contacts is ALWAYS spam.Actually it is a virus, the card comes as an attachment and includes a trojan.

It comes in many forms. See here. snopes.com: 'Hallmark Postcard from a Family Member' virus http://www.snopes.com/computer/virus/postcard.aspevil is RIGHT my sister warned me about this virus earlier this week or last week her husband is in the computer field and he's the one that told her. Quote from: evilfantasy on December 12, 2008, 04:44:30 PM

Actually it is a virus, the card comes as an attachment and includes a trojan.

It comes in many forms. See here. snopes.com: 'Hallmark Postcard from a Family Member' virus http://www.snopes.com/computer/virus/postcard.asp

whats the BEST anti-virus please post the LINK to download

plase no mcafe iv had that and it sucks... bigtimeplease post what you think is the best.Just so you know, this question GETS asked here almost EVERY day. Just do a quick search (located near the top of the page) and you'll find SEVERAL opinions. Personally, I don't think you can find the answer until you actually try them out for yourself.

Hi,

I recently was infected with a virus. Initially, when I got the virus, all the icons were removed from my desktop, including my window bar at the bottom of the screen. As a result, the only thing I could do was to restart my computer. Once i RESTARTED my computer, my desktop icons returned, and I quickly clicked on My Computer and accessed my SUPERantiSpyware (my icons and window bar disappeared almost right after). I did a scan, found almost 100 detections, removed them and restarted my computer. After that, my desktop icons no longer disappeared.

However, I found that my computer was still infected and the virus would frequently open browsers to other websites.
I scanned my computer with Spybot and SUPERantispyware and have found multiple trojans and other viruses. However, both of the antivirus programs could not completely eliminate all of the detected viruses, and after a while, I have found that the virus count increases with time (after I've removed the possible ones).

I've followed all the steps requested by evilfantasy's post. Help would be much appreciated!
Below are the logs I obtained:

SUPERantiSpyware log
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/12/2008 at 06:12 AM

Application Version : 4.22.1014

Core Rules Database Version : 3669
Trace Rules Database Version: 1648

Scan type : Complete Scan
Total Scan Time : 01:36:25

Memory items scanned : 498
Memory threats detected : 0
Registry items scanned : 8375
Registry threats detected : 32
File items scanned : 159736
File threats detected : 2

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\YUFIWERU.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#SSODL
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}

Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc

Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

Adware.SpeedRunner
HKU\S-1-5-21-391896044-817447962-879211611-1008\Software\Microsoft\Windows\CurrentVersion\Run#SfKg6wIP [ C:\Documents and Settings\David\Application Data\Microsoft\Windows\uvxedm.exe ]

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\contim
HKLM\SOFTWARE\Microsoft\contim#SysShell
HKLM\SOFTWARE\Microsoft\rdfa
HKLM\SOFTWARE\Microsoft\rdfa#F
HKLM\SOFTWARE\Microsoft\rdfa#N

Trojan.Fake-Alert/Trace
HKU\S-1-5-21-391896044-817447962-879211611-1008\SOFTWARE\Microsoft\fias4013

Adware.Vundo/Variant-Trace
C:\WINDOWS\SYSTEM32\EKISIDOH.INI

MAlwarebyte
Malwarebytes' Anti-Malware 1.31
Database version: 1492
Windows 5.1.2600 Service Pack 3

12/12/2008 6:25:49 AM
mbam-log-2008-12-12 (06-25-49).txt

Scan type: Quick Scan
Objects scanned: 60523
Time elapsed: 4 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 6
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\zolatode.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cd86fe62-023f-4c78-a59f-e714e81b99aa} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cd86fe62-023f-4c78-a59f-e714e81b99aa} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{cd86fe62-023f-4c78-a59f-e714e81b99aa} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jelidegubi (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpma7355b4a (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a40668d6 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\zolatode.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\zolatode.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\zolatode.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\fukurago.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zolatode.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yufiweru.dll_old (Trojan.Vundo) -> Quarantined and deleted successfully.

Hijack This
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:48:51 AM, on 12/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Linksys\WMP110\gtwpssrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys\WMP110\WLSngS.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Linksys\WMP110\WMP110.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Free DOWNLOAD Manager\fdm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\eREAD6.0\eREAD6.0\IEeREAD.dll
O2 - BHO: (no name) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - (no file)
O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eREAD6.0\eREAD6.0\WebHook.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WMP110] C:\Program Files\Linksys\WMP110\WMP110.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [jelidegubi] Rundll32.exe "C:\WINDOWS\system32\zadohilo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [jelidegubi] Rundll32.exe "C:\WINDOWS\system32\zadohilo.dll",s (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft EXCEL - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D76C7B9-7EF1-4783-88BA-89D892E4DF00}: NameServer = 192.168.1.254
O20 - AppInit_DLLs: c:\windows\system32\yufiweru.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: GTWPSSRV (GTWPSService) - Unknown owner - C:\Program Files\Linksys\WMP110\gtwpssrv.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Jumpstart Wifi PROTECTED Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Linksys\WMP110\jswpsapi.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Qvod Terminal - Shenzhen QVOD Technology Co.,Ltd - C:\Program Files\QvodPlayer\QvodTerminal.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
O23 - Service: WLSng Service - TODO: - C:\Program Files\Linksys\WMP110\WLSngS.exe

--
End of file - 15054 bytes
Run another scan with HijackThis (without a log) and place a checkmark next to the following entries...
O4 - HKUS\S-1-5-19\..\Run: [jelidegubi] Rundll32.exe "C:\WINDOWS\system32\zadohilo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [jelidegubi] Rundll32.exe "C:\WINDOWS\system32\zadohilo.dll",s (User 'NETWORK SERVICE')

O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O15 - ESC Trusted Zone: http://*.update.microsoft.com

O20 - AppInit_DLLs: c:\windows\system32\yufiweru.dll

Close all other windows (including this one) and click on Fix Checked. Then come back to this post and do the following...

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.

For Windows XP Systems install the Recovery Console:

- If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
- If for some reason your Internet is not working click No.
- If you are not using Windows XP, you will not be prompted.
- When prompted to accept the EULA click OK.
- Accept Microsoft's EULA (Click Yes).
- When you are told that the RC is installed correctly click YES to continue scanning for malware.

When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.



There are a couple of files that we need to delete. In an effort to make things easier, we're going to let ComboFix take care of it. If it doesn't find the files, however, I will show you what you need to do to get rid of them.Thanks for the quick reply, really appreciate it!

Just a few things I ran into while doing your steps:
During the scan of Combofix, my computer restarted. Is that supposed to happen?
Also, I'm not sure if I have Recovery Console installed (i'm running XP), but Combofix didnt ask me to install it.

Below are the logs I got:

Combofix (for some reason, it ran in Chinese)
ComboFix 08-12-12.02 - David 2008-12-12 19:29:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.950.852.1033.18.2046.1598 [GMT -8:00]
執行位置: c:\documents and settings\David\Desktop\ComboFix.exe
* 成功創造新還原點
.

((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\DIV55
c:\temp\DIV55\xDb.log
c:\windows\IA
c:\windows\system32\_000003_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000011_.tmp.dll
c:\windows\system32\_000012_.tmp.dll
c:\windows\system32\DivXWMPExtType.dll
c:\windows\system32\op4
c:\windows\system32\vos
c:\windows\Tasks\nzgncxgp.job
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( 驅動/服務 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Service_tdssserv


((((((((((((((((((((((((( 2008-11-13 至 2008-12-13 的新的檔案 )))))))))))))))))))))))))))))))
.

2008-12-12 06:47 . 2008-12-12 06:47d--------c:\program files\Trend Micro
2008-12-12 06:45 . 2008-12-12 06:44410,984--a------c:\windows\system32\deploytk.dll
2008-12-12 06:20 . 2008-12-12 06:20d--------c:\program files\Malwarebytes' Anti-Malware
2008-12-12 06:20 . 2008-12-12 06:20d--------c:\documents and settings\David\Application Data\Malwarebytes
2008-12-12 06:20 . 2008-12-12 06:20d--------c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-12 06:20 . 2008-12-03 19:5938,496--a------c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-12 06:20 . 2008-12-03 19:5915,504--a------c:\windows\system32\drivers\mbam.sys
2008-12-12 04:30 . 2008-12-12 04:30d--------c:\program files\CCleaner
2008-12-08 19:35 . 2008-12-08 19:3597,164--a------c:\temp\St8REV2.exe
2008-12-07 21:03 . 2008-12-07 21:03d--------c:\documents and settings\David\Application Data\DivX
2008-11-26 22:27 . 2008-11-26 22:27d--------c:\documents and settings\David\dwhelper
2008-11-26 17:42 . 2008-11-26 17:42108,524--ah-----c:\windows\system32\mlfcache.dat
2008-11-26 14:26 . 2008-11-26 14:26d--------c:\program files\iTunes
2008-11-26 14:26 . 2008-11-26 14:26d--------c:\program files\iPod
2008-11-26 14:26 . 2008-11-26 14:26d--------c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-26 14:25 . 2008-11-26 14:25d--------c:\program files\QuickTime
2008-11-26 14:08 . 2008-11-26 14:08d--------c:\program files\Bonjour
2008-11-21 13:47 . 2008-11-21 13:473,596,288--a------c:\windows\system32\qt-dx331.dll
2008-11-21 13:47 . 2008-11-21 13:47524,288--a------c:\windows\system32\DivXsm.exe
2008-11-21 13:47 . 2008-11-21 13:474,816--a------c:\windows\system32\divxsm.tlb
2008-11-21 13:46 . 2008-11-21 13:461,044,480--a------c:\windows\system32\libdivx.dll
2008-11-21 13:46 . 2008-11-21 13:46200,704--a------c:\windows\system32\ssldivx.dll
2008-11-21 13:44 . 2008-11-21 13:44161,096--a------c:\windows\system32\DivXCodecVersionChecker.exe

.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 16:33---------d-----wc:\documents and settings\David\Application Data\Free Download Manager
2008-12-12 14:44---------d-----wc:\program files\Java
2008-12-12 12:29---------d-----wc:\program files\Spybot - Search & Destroy
2008-12-12 12:29---------d-----wc:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-09 23:48---------d-----wc:\program files\SUPERAntiSpyware
2008-12-08 05:01---------d-----wc:\program files\DivX
2008-11-30 22:4431----a-wc:\documents and settings\David\jagex_runescape_preferences.dat
2008-11-27 01:42---------d-----wc:\documents and settings\David\Application Data\Apple Computer
2008-11-26 22:26---------d-----wc:\program files\Common Files\Apple
2008-11-26 22:10---------d-----wc:\program files\Safari
2008-11-25 05:59---------d-----wc:\documents and settings\David\Application Data\LimeWire
2008-11-07 08:16137,480----a-wc:\windows\system32\drivers\PnkBstrK.sys
2008-10-24 11:21455,296------wc:\windows\system32\drivers\mrxsmb.sys
2008-10-21 04:56---------d-----wc:\documents and settings\David\Application Data\Winamp
2008-09-10 02:502,763----a-wc:\documents and settings\David\info.dat
2007-11-11 02:0522,328----a-wc:\documents and settings\David\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Free Download Manager"="c:\program files\Free Download Manager\fdm.exe" [2006-08-20 2068527]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-24 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"Motive SmartBridge"="c:\progra~1\TELUSE~1\SMARTB~1\MotiveSB.exe" [2007-01-21 393216]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-09 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-09 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-09 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-09 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-09 455168]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"CloneCDElbyCDFL"="c:\program files\Elaborate Bytes\CloneCD\ElbyCheck.exe" [2001-12-06 45056]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-12 136600]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 132624]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"WMP110"="c:\program files\Linksys\WMP110\WMP110.exe" [2008-03-28 962560]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-25 185896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 c:\windows\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2008-05-02 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
TELUS eCare.lnk - c:\program files\TELUS eCare\bin\matcli.exe [2007-01-21 217088]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= "c:\progra~1\MarkAny\CONTEN~1\MACSMA~1.DLL" [2004-11-23 192512]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Data\\4.Games\\Starcraft\\StarCraft.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"c:\\Program Files\\Ocean Technologies & Media\\GG E-Sports Platform\\GGclient.exe"=
"c:\\Program Files\\Ocean Technologies & Media\\GG E-Sports Platform\\Garena.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Data\\4.Games\\Warcraft III\\war3.exe"=
"c:\\Program Files\\eREAD6.0\\eREAD6.0\\eREAD_Cookcase.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Data\\4.Games\\Age of Empires II\\empires2.exe"=
"c:\\Data\\4.Games\\Age of Empires II\\age2_x1.exe"=
"c:\\Program Files\\QvodPlayer\\QvodTerminal.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12476:TCP"= 12476:TCP:BitComet 12476 TCP
"12476:UDP"= 12476:UDP:BitComet 12476 UDP

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-08-19 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-08-19 55024]
R2 GTWPSService;GTWPSSRV;c:\program files\Linksys\WMP110\gtwpssrv.exe [2008-08-20 34816]
R2 WLSng Service;WLSng Service;c:\program files\Linksys\WMP110\WLSngS.exe [2008-08-20 233472]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\DRIVERS\jswscimd.sys [2008-08-20 57344]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-08-19 7408]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Linksys\WMP110\jswpsapi.exe [2008-08-20 352338]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 Qvod Terminal;Qvod Terminal;c:\program files\QvodPlayer\QvodTerminal.exe [2008-09-10 495616]
S3 Wmnscts_1.ua;Wmnscts_1.ua; []
S3 WMP110;Linksys WMP110 RangePlus Wireless PCI Adapter Service;c:\windows\system32\DRIVERS\WMP110.sys [2008-08-20 1299520]
S3 XDva005;XDva005;\??\c:\windows\system32\XDva005.sys []
S3 XDva020;XDva020;\??\c:\windows\system32\XDva020.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - l:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a321709-a9e4-11db-9639-cc5a49db3793}]
\Shell\AutoRun\command - J:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a6a0e25-1c95-11dd-98b2-000c415885e2}]
\Shell\AutoRun\command - l:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ade4adcf-2c7e-11dc-9730-000c415885e2}]
\Shell\AutoRun\command - J:\kjibu.com
\Shell\explore\Command - J:\kjibu.com
\Shell\open\Command - J:\kjibu.com
.
‘計劃任務’ 文件夾 裡的內容

2008-12-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)


.
------- 而外的掃描 -------
.
uStart Page = hxxp://www.114la.com/index.htm
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Winamp Search
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {9D76C7B9-7EF1-4783-88BA-89D892E4DF00} = 192.168.1.254

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\NeffyLauncher.dll - O16 -: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C}
hxxp://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
c:\windows\Downloaded Program Files\NeffyLauncher.inf
FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\whfvxu8n.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo!
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=chrff-brandt_off&type=000111X001US&p=
FF - plugin: c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\DNA\plugins\npbtdna.dll
FF - plugin: c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-12 19:34:30
Windows 5.1.2600 Service Pack 3 NTFS

掃描被隱藏的進程。。。 ...

掃描被隱藏的啟動組。。。

掃描被隱藏的文件。。。

掃描完成
被隱藏的檔案: 0

**************************************************************************
.
------------------------ 其他運行進程 ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\conime.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\TELUS eCare\bin\mpbtn.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
完成時間: 2008-12-12 19:38:37 - 電腦已重新啟動
ComboFix-quarantined-files.txt 2008-12-13 03:38:34

Pre-Run: 87,478,714,368 bytes free
Post-Run: 87,457,087,488 bytes free

261--- E O F ---2008-12-13 03:27:46HiJackthis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:09 PM, on 12/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Linksys\WMP110\gtwpssrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys\WMP110\WLSngS.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Linksys\WMP110\WMP110.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\eREAD6.0\eREAD6.0\IEeREAD.dll
O2 - BHO: (no name) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - (no file)
O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eREAD6.0\eREAD6.0\WebHook.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WMP110] C:\Program Files\Linksys\WMP110\WMP110.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D76C7B9-7EF1-4783-88BA-89D892E4DF00}: NameServer = 192.168.1.254
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: GTWPSSRV (GTWPSService) - Unknown owner - C:\Program Files\Linksys\WMP110\gtwpssrv.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Linksys\WMP110\jswpsapi.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Qvod Terminal - Shenzhen QVOD Technology Co.,Ltd - C:\Program Files\QvodPlayer\QvodTerminal.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
O23 - Service: WLSng Service - TODO: - C:\Program Files\Linksys\WMP110\WLSngS.exe

--
End of file - 14048 bytes
I wouldn't worry about the Recovery Console. You may already have it installed. I'll look into it and if I find any additional information, I'll let you know.

I'm not exactly sure what caused the Asian text (appears to actually be Japanese to me, but I may be wrong). Could be virus-related. You have a drive that is labeled as J...what is this drive? An external hard drive, a partition, a flashdrive? If it's a flashdrive, you may need to plug in the drive and run Flash Disinfector. Leave it plugged in while running these steps...

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]KillAll::

File::
C:\WINDOWS\system32\zadohilo.dll
c:\windows\system32\yufiweru.dll
J:\kjibu.com

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ade4adcf-2c7e-11dc-9730-000c415885e2}]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze


When you have completed all steps, let me know how things are running. With any luck, we get started on beefing up your security for future attacks.Hi,

I'm not quite sure if the virus is still here, as when i had it, it only opened browsers occasionally. So far, it hasnt (good news!), but I'll let you know ASAP if it happens again. Is there any way for me to test whether the virus is still here?

Below is the log I got from Combofix

Combofix
ComboFix 08-12-12.02 - David 2008-12-13 0:47:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.950.852.1033.18.2046.1525 [GMT -8:00]
執行位置: c:\documents and settings\David\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\David\Desktop\CFScript.txt
* 成功創造新還原點

FILE ::
c:\windows\system32\yufiweru.dll
c:\windows\system32\zadohilo.dll
J:\kjibu.com
.

((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

L:\Autorun.inf

.
((((((((((((((((((((((((( 2008-11-13 至 2008-12-13 的新的檔案 )))))))))))))))))))))))))))))))
.

2008-12-12 06:47 . 2008-12-12 06:47d--------c:\program files\Trend Micro
2008-12-12 06:45 . 2008-12-12 06:44410,984--a------c:\windows\system32\deploytk.dll
2008-12-12 06:20 . 2008-12-12 06:20d--------c:\program files\Malwarebytes' Anti-Malware
2008-12-12 06:20 . 2008-12-12 06:20d--------c:\documents and settings\David\Application Data\Malwarebytes
2008-12-12 06:20 . 2008-12-12 06:20d--------c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-12 06:20 . 2008-12-03 19:5938,496--a------c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-12 06:20 . 2008-12-03 19:5915,504--a------c:\windows\system32\drivers\mbam.sys
2008-12-12 04:30 . 2008-12-12 04:30d--------c:\program files\CCleaner
2008-12-08 19:35 . 2008-12-08 19:3597,164--a------c:\temp\St8REV2.exe
2008-12-07 21:03 . 2008-12-07 21:03d--------c:\documents and settings\David\Application Data\DivX
2008-11-26 22:27 . 2008-11-26 22:27d--------c:\documents and settings\David\dwhelper
2008-11-26 17:42 . 2008-11-26 17:42108,524--ah-----c:\windows\system32\mlfcache.dat
2008-11-26 14:26 . 2008-11-26 14:26d--------c:\program files\iTunes
2008-11-26 14:26 . 2008-11-26 14:26d--------c:\program files\iPod
2008-11-26 14:26 . 2008-11-26 14:26d--------c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-26 14:25 . 2008-11-26 14:25d--------c:\program files\QuickTime
2008-11-26 14:08 . 2008-11-26 14:08d--------c:\program files\Bonjour
2008-11-21 13:47 . 2008-11-21 13:473,596,288--a------c:\windows\system32\qt-dx331.dll
2008-11-21 13:47 . 2008-11-21 13:47524,288--a------c:\windows\system32\DivXsm.exe
2008-11-21 13:47 . 2008-11-21 13:474,816--a------c:\windows\system32\divxsm.tlb
2008-11-21 13:46 . 2008-11-21 13:461,044,480--a------c:\windows\system32\libdivx.dll
2008-11-21 13:46 . 2008-11-21 13:46200,704--a------c:\windows\system32\ssldivx.dll
2008-11-21 13:44 . 2008-11-21 13:44161,096--a------c:\windows\system32\DivXCodecVersionChecker.exe

.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 08:45---------d-----wc:\documents and settings\David\Application Data\Free Download Manager
2008-12-12 14:44---------d-----wc:\program files\Java
2008-12-12 12:29---------d-----wc:\program files\Spybot - Search & Destroy
2008-12-12 12:29---------d-----wc:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-09 23:48---------d-----wc:\program files\SUPERAntiSpyware
2008-12-08 05:01---------d-----wc:\program files\DivX
2008-11-30 22:4431----a-wc:\documents and settings\David\jagex_runescape_preferences.dat
2008-11-27 01:42---------d-----wc:\documents and settings\David\Application Data\Apple Computer
2008-11-26 22:26---------d-----wc:\program files\Common Files\Apple
2008-11-26 22:10---------d-----wc:\program files\Safari
2008-11-25 05:59---------d-----wc:\documents and settings\David\Application Data\LimeWire
2008-11-07 08:16137,480----a-wc:\windows\system32\drivers\PnkBstrK.sys
2008-10-24 11:21455,296------wc:\windows\system32\drivers\mrxsmb.sys
2008-10-21 04:56---------d-----wc:\documents and settings\David\Application Data\Winamp
2008-09-10 02:502,763----a-wc:\documents and settings\David\info.dat
2007-11-11 02:0522,328----a-wc:\documents and settings\David\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((( [emailprotected]_19.38.07.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-13 08:50:3916,384----atwc:\windows\temp\Perflib_Perfdata_794.dat
.
((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Free Download Manager"="c:\program files\Free Download Manager\fdm.exe" [2006-08-20 2068527]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-24 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"Motive SmartBridge"="c:\progra~1\TELUSE~1\SMARTB~1\MotiveSB.exe" [2007-01-21 393216]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-09 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-09 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-09 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-09 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-09 455168]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"CloneCDElbyCDFL"="c:\program files\Elaborate Bytes\CloneCD\ElbyCheck.exe" [2001-12-06 45056]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-12 136600]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 132624]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"WMP110"="c:\program files\Linksys\WMP110\WMP110.exe" [2008-03-28 962560]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-25 185896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 c:\windows\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2008-05-02 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
TELUS eCare.lnk - c:\program files\TELUS eCare\bin\matcli.exe [2007-01-21 217088]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= "c:\progra~1\MarkAny\CONTEN~1\MACSMA~1.DLL" [2004-11-23 192512]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Data\\4.Games\\Starcraft\\StarCraft.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"c:\\Program Files\\Ocean Technologies & Media\\GG E-Sports Platform\\GGclient.exe"=
"c:\\Program Files\\Ocean Technologies & Media\\GG E-Sports Platform\\Garena.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Data\\4.Games\\Warcraft III\\war3.exe"=
"c:\\Program Files\\eREAD6.0\\eREAD6.0\\eREAD_Cookcase.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Data\\4.Games\\Age of Empires II\\empires2.exe"=
"c:\\Data\\4.Games\\Age of Empires II\\age2_x1.exe"=
"c:\\Program Files\\QvodPlayer\\QvodTerminal.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12476:TCP"= 12476:TCP:BitComet 12476 TCP
"12476:UDP"= 12476:UDP:BitComet 12476 UDP

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-08-19 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-08-19 55024]
R2 GTWPSService;GTWPSSRV;c:\program files\Linksys\WMP110\gtwpssrv.exe [2008-08-20 34816]
R2 WLSng Service;WLSng Service;c:\program files\Linksys\WMP110\WLSngS.exe [2008-08-20 233472]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\DRIVERS\jswscimd.sys [2008-08-20 57344]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-08-19 7408]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Linksys\WMP110\jswpsapi.exe [2008-08-20 352338]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 Qvod Terminal;Qvod Terminal;c:\program files\QvodPlayer\QvodTerminal.exe [2008-09-10 495616]
S3 Wmnscts_1.ua;Wmnscts_1.ua; []
S3 WMP110;Linksys WMP110 RangePlus Wireless PCI Adapter Service;c:\windows\system32\DRIVERS\WMP110.sys [2008-08-20 1299520]
S3 XDva005;XDva005;\??\c:\windows\system32\XDva005.sys []
S3 XDva020;XDva020;\??\c:\windows\system32\XDva020.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - l:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a321709-a9e4-11db-9639-cc5a49db3793}]
\Shell\AutoRun\command - J:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ade4adcf-2c7e-11dc-9730-000c415885e2}]
\Shell\AutoRun\command - J:\kjibu.com
\Shell\explore\Command - J:\kjibu.com
\Shell\open\Command - J:\kjibu.com
.
‘計劃任務’ 文件夾 裡的內容

2008-12-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- 而外的掃描 -------
.
uStart Page = hxxp://www.114la.com/index.htm
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Winamp Search
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {9D76C7B9-7EF1-4783-88BA-89D892E4DF00} = 192.168.1.254

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\NeffyLauncher.dll - O16 -: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C}
hxxp://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
c:\windows\Downloaded Program Files\NeffyLauncher.inf
FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\whfvxu8n.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo!
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=chrff-brandt_off&type=000111X001US&p=
FF - plugin: c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\DNA\plugins\npbtdna.dll
FF - plugin: c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-13 00:50:49
Windows 5.1.2600 Service Pack 3 NTFS

掃描被隱藏的進程。。。 ...

掃描被隱藏的啟動組。。。

掃描被隱藏的文件。。。


c:\docume~1\David\LOCALS~1\Temp\Perflib_Perfdata_eac.dat 16384 bytes

掃描完成
被隱藏的檔案: 1

**************************************************************************
.
------------------------ 其他運行進程 ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\conime.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\hp\KBD\kbd.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system\hpsysdrv.exe
.
**************************************************************************
.
完成時間: 2008-12-13 0:55:30 - 電腦已重新啟動
ComboFix-quarantined-files.txt 2008-12-13 08:55:27
ComboFix2.txt 2008-12-13 03:38:37

Pre-Run: 87,492,538,368 bytes free
Post-Run: 87,473,946,624 bytes free

252--- E O F ---2008-12-13 03:27:46
Actually, there is one other scan I would like to have you do. I'm a bit absent-minded today, so I'm not sure why I didn't have you do this earlier. The majority of your infection should be gone (and you can help keep it this way by getting a reliable anti-virus and firewall); however, I would like you to do this scan to make sure a specific infection has been cleared out properly. Once we've done this, I don't think you'll have to worry about it anymore...

Please print these instructions as they will be needed later when Internet access is not available.

Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/151585130/SDFix.exe.html

When using this tool, you must use the Administrator's account or an account with Administrative rights

• Double click SDFix.exe and it will extract the files to %systemdrive%
  
• (this is the drive that contains the Windows Directory, typically C:\SDFix).
  
• DO NOT use it just yet.

• Type Y to begin the cleanup process.
  
• It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
  
• When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  
• Copy and paste the contents of the results file Report.txt in your next reply.

I have a virus that reroutes every link I click to different websites. I've tried the malware mailcious websites information the administrators posted. Something is blocking my computer from downloading and/or using MBAM and SuperAntiSpyware AVG (AVG won't update) but I've completed everything else.

Here's the hijackthis.exe analysis... Any Help?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:09:15 PM, on 12/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.villanova.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&AMP;xport to Microsoft EXCEL - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.microsoft.edu
O15 - Trusted Zone: *.villanova.edu
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213222395671
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave FLASH Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - UNKNOWN owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7718 bytesI'VE FOUND A PROGRAM THAT DETECTS AND DELETES THE REROUTE TROJAN...

It's Avast! Anti-Virus and can be downloaded here:

http://www.download.com/Avast-Home-Edition/3000-2239_4-10019223.html?tag=mncol

I had a bunch of the computer majors at campus try and help me with all the tech jargon and programming language I don't understand and they had trouble but this program cleaned it right up! I can use google again. Hopefully this helps some people!!

thank you so much for this resource--

following the malware removal guide, it seems to have cleared MANY of my computer's trojan-related issues except one nagging 'trojan.vundo registry key' that keeps reappearing when i run MBAM.

here is the most recent MBAM log. i can repost logs for SuperAntiSpyware and Hijackthis if necessary as well. thank you so much for any help you might be able to offer.

[Saving space - attachment deleted by admin]neda here, apologies for not including this in the first place: here is a hijackthis log which will likely be of help. thank you again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:27 PM, on 12/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running PROCESSES:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\NETWORK Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Java QUICK Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5627 bytes
Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. CLICK this link to see a list of security programs that should be disabled and how to disable them.

Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.

I have run into a bit of a snag trying to revive my computer that keeps getting a BSOD ~20 seconds after windows startup.

I am running XP SP3

"STOP: 0X0000008E (0xC0000005 0xA12AFB75 0x9F0F47E8 0x00000000)"
I get different STOP errors each time I crash

Here is what happened:

I was browsing the internet lastnight when my start bar and start menu changed from XP default to the 'classic windows' style. I restarted my computer and a few seconds after windows put me at my desktop I got the BSOD as DESCRIBED above. I booted up in Safemode then I attempted to open "Malwarebytes' Anti-Malware" however it would not open. I then opened 'SUPERAntiSpyware' using its alternate start (normal start would not open EITHER) and scanned my computer. It came up with:

Trojan.Dropper/SVCHost-Fake
Rootkit.TDSServ
(with 57 entrys for the rootkit)

I removed them all (+ some tracking cookies) and then restarted. booting back into safemode
and was then able to open Malwarebytes Anti-Malware which came up with the following:

1 infected registry KEY:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (trojan.Agent)

2 infected registry data items:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogo\userinit (Trojan.Agent) Data: C:\windows\system32\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogo\userinit (Trojan.Agent) Data: system32\

1 infected file:
C:\windows\system32 (Trojan.Agent)

all of which were 'Quarantined and deleted successfully'

I then rebooted and ran windows and got the same BSOD.

after some reading online I was told to use the minidump feature of XP to find what was left (I was told most likely a rootkit that I can't find). I was however unable to open the .DMP files. I searched and found I had to download a viewer (Horrible idea Microsoft) which I am unable to do due to the computer BSODing when im not in safe mode.

I am posting this from a different computer. I am in the process of typing out the logs. They will be posted in reply to this message asap.When I first had this problem I stoped the scan and removed the files as they came up, as a result I have several logs for super antispyware.

Here are my logs:

[Saving space - attachment deleted by admin]Here are my Mbam and HJT logs:

[Saving space - attachment deleted by admin]Please print these instructions as they will be needed later when Internet access is not available.

Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/156236231/SDFix.exe.html

When using this tool, you must use the Administrator's account or an account with Administrative rights

• Double-click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
• DO NOT use it just yet.

• Type Y to begin the cleanup process.
• It will remove any Trojan Services or Registry Entries found then prompt you to press any key to reboot.
• Press any Key and it will restart the PC.
• When the PC restarts, the Fixtool will run again and complete the removal process then display Finished. Press any key to end the script and load your desktop icons.
• Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
• Copy and paste the contents of the results file Report.txt in your next reply.

Hello,

I am so glad I found you guys/gals...
I thought I was going to have to reinstall my machine.
I am following the directions on how to clean in the "Read this before requesting malware removal help" post.
I have installed Avast and run it. cleaned up some.
Ran CCCleaner - cleaned up some
Ran superAntiSpyware - log is attached..
Ran MalwareBytes - log is attached
I've tried to install the latest JRE twice, it errored.
I'm going to tryt it one more time now.

If you can help me please post a reply.

Thanks in advance for your assistance
Philip Patrick

I have attached the log files created when I tried to install JRE....
There are two more logs, if you need them, let me know. I've reached the attachment limit.

I finally got JRE installed. So I removed the logs for that.

I ran hijacjthis - log is attached.

[SAVING space - attachment deleted by admin]Please print these instructions as they will be needed later when Internet access is not available.

Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/151585130/SDFix.exe.html

When using this tool, you must use the Administrator's account or an account with Administrative rights

• Double click SDFix.exe and it will extract the files to %systemdrive%
  
• (this is the drive that contains the Windows Directory, typically C:\SDFix).
  
• DO NOT use it just yet.

• Type Y to begin the cleanup process.
  
• It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
  
• When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  
• Copy and paste the contents of the results file Report.txt in your next reply.

• Double-click OTCleanIt.exe.
  
• Click the CleanUp! button.
  
• Select Yes when the "Begin cleanup Process?" prompt appears.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes, if not delete it yourself.

Hi all,

I had a problem a while back and it was apparently fixed. But since I have noticed that my computer seems to run slower than when I first bought it (under a year ago). I especially have trouble with Flash...games that my family and I enjoy playing just don't seem to run well/fast enough.

I followed the instructions in the 'read this' post and here are the logs requested:

SuperAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/13/2008 at 07:25 PM

Application Version : 4.21.1004

Core Rules Database Version : 3674
Trace Rules Database Version: 1653

Scan type : Complete Scan
Total Scan Time : 02:11:34

Memory items scanned : 534
Memory threats detected : 0
Registry items scanned : 6051
Registry threats detected : 0
File items scanned : 70069
File threats detected : 0




MBAM log:

Malwarebytes' Anti-Malware 1.31
Database version: 1497
Windows 5.1.2600 Service Pack 3

12/13/2008 8:01:56 PM
mbam-log-2008-12-13 (20-01-56).txt

Scan type: Quick Scan
Objects scanned: 70881
Time elapsed: 8 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\PlayMP3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\regxpcom.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.





HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:20:51 PM, on 12/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FAPIEXE.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\BellCanada\McciTrayApp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.ca/nwshp?hl=en&tab=wn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CallControl 4.7] "C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe" /autoload
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE iCam 320
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime TASK] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [BellCanada_McciTrayApp] C:\Program Files\BellCanada\McciTrayApp.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKUS\S-1-5-21-725345543-412668190-2147175445-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Annabelle')
O4 - HKUS\S-1-5-21-725345543-412668190-2147175445-1005\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Annabelle')
O4 - HKUS\S-1-5-21-725345543-412668190-2147175445-1005\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Annabelle')
O4 - S-1-5-21-725345543-412668190-2147175445-1005 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Annabelle')
O4 - S-1-5-21-725345543-412668190-2147175445-1005 User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Annabelle')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Watchtower Library 2007 - English.lnk = C:\Program Files\Watchtower\Watchtower Library 2007\E\WTLibrary.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204231333281
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 12047 bytes







I appreciate all your HELP!


I don't see anything to be concerned about. I may help your speed somewhat if you download CCleaner (install without YAHOO! toolbar) and configure it according to this guide.Thank you very much for checking it out. I'm glad you didn't find anything of importance.
I followed your instructions and used CCleaner as outlined in the guide (I followed every instruction). But Flash is still running slow. It's really strange too, because on occasion it will start by running really fast (which is really fun) but then slows a 1/4 to 1/2 way through the game.
If you have any further advice it would be appreciated, but either way I thank you tremendously for your time.

One other thing I can SUGGEST is updating your Adobe Flash Player. A good way to find the proper version for you is to use the FileHippo Update Checker...
http://www.filehippo.com/updatechecker/

updated... but IE will not open now...I'm running out of ideas here. Do you have a freind that has the same OS as you to borrow their install disk from? Windows XP Home Edition

Transfer this over and run it please. Use Firefox to download it with.

Download DrWeb CureIt & save it to your desktop.

Scan with DrWeb-CureIt as follows:

• Double-click on drweb-cureit.exe and then click Start.
  
• An Express Scan of your PC notice will appear.
  
• Under Start the Express Scan Now Click OK to start.
  • This is a short scan that will scan the files CURRENTLY running in memory.
  • If or when something is found, click the Yes button when it asks you if you want to cure it.
• Once the short scan has finished, Click Options > Change settings
  
• Choose the Scan tab and UNcheck Heuristic ANALYSIS and click OK
  
• Back at the main WINDOW, select the Complete scan button.
  
• Then click the Green Arrow Start Scanning button on the RIGHT and the scan will start.
  • Click Yes to all if it asks if you want to cure/move any file(s).
• When the scan is done.
• In the Dr.Web CureIt menu on top left, click File and choose Save report list.
  
• Save the DrWeb.csv report to your Desktop.
  
• Exit Dr.Web Cureit.

• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

• After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
  
• Copy and PASTE that log in the next reply

I have uninstalled Acentive's Internet Optimizer(Active Speed) recently and ran Malwarebytes anti-malware, the scan came up with some pretty interesting results
this is from the log:

Quote

Malwarebytes' Anti-Malware 1.30
Database VERSION: 1316
Windows 5.0.2195 Service Pack 4

12/16/2008 6:54:36 PM
12 - 16 - 2008

Scan type: Quick Scan
Objects scanned: 57943
Time elapsed: 9 minute(s), 11 SECOND(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data ITEMS Infected: 0
Folders Infected: 2
FILES Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{c24d7016-d00f-41ef-9781-984b6b5ff38f} (Rogue.AscentivePerformance) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{ec88fcd0-2ed5-4d65-9b4c-71d146b43a2e} (Rogue.AscentivePerformance) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{e532cfb1-5edd-4663-8c22-bcd67b5e5bd4} (Rogue.AscentivePerformance) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINNT\system32\ConTest.dll (Rogue.AscentivePerformance) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Ascentive (Rogue.Multiple) -> No action taken.
C:\Program Files\Ascentive\ActiveSpeed (Rogue.Multiple) -> No action taken.

Files Infected:
C:\WINNT\system32\ConTest.dll (Rogue.AscentivePerformance) -> No action taken.
C:\Program Files\Ascentive\ActiveSpeed\AS.exe (Rogue.Multiple) -> No action taken.
C:\Program Files\Ascentive\ActiveSpeed\ASRes.dll (Rogue.Multiple) -> No action taken.

Well-respected security researchers have analyzed the software available from this site and found that it offers little or no security protection and may use deceptive sales tactics. http://www.spywarewarrior.com/rogue_anti-spyware.htm