Explore topic-wise InterviewSolutions in .

Hi, RECENTLY my computer has been popping up these KIND of notifications each time Windows STARTS and each time I open any kind of program:

The application or DLL C:\WINDOWS\system32\merumebe.dll is not a valid Windows image. Please check this against your installation diskette.

Your help will be greatly appreciated!


[attachment DELETED by admin]

faryl classical 2009 (RARE track).snd;C:\Documents and Settings\harold mullan\My Documents\FrostWire\Saved;Trojan.WMALoader;Cured.;
faryl classical 2009 (rare cover).au;C:\Documents and Settings\harold mullan\My Documents\FrostWire\Saved;Trojan.WMALoader;Cured.;
faryl classical 2009 (rare track).WAV;C:\Documents and Settings\harold mullan\My Documents\FrostWire\Saved;Trojan.WMALoader;Cured.;



i know these came from and were in a frostwire file so frostwire has gone , but how did my security not PICK them up



will i remove dr WEB , harryHow is the computer running now?its running great no problems evil , thank you Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

• Go to Start > Programs > Accessories > System Tools and click System Restore
  
• Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
  
• The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Next go to Start > Run and type Cleanmgr
  
• Click OK
  
• Click the More Options Tab.
  
• Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

I need help, my computer won't boot up. I can get into the BIOS screen but i don't KNOW what to change from there. I don't have the boot disk ether. Its a toshiba satellite.Any error message Mauro? Can you create a boot CD from another PC you MAY have?No MESSAGES... just stays on the loading windows screen... no other how do i create a boot disk from another computer?

Hi

so basically i've had the reader_s / win32 virut infect my system and after a week of trying to sort it i have accepted the fact that i'm going to have to give in and format my pc

I am aware that i can backup some of my FILES (images, videos, songs etc...) but no others (exe,zip,rar etc..)

My PC has two hard drives, one of which is partioned in two, one bieng my c drive... and i have another hard drive

In regards to the virus: if i was to back my files onto the other hard drive in there would that be fine? i dont think there are any exe's on there


and in regards to the formatting: would it delete the partition on the hard drive - or would i have to partion it again


thanks for any help,
LiamIf you can delete the partition and format the entire drive that would be best. Backing up any file is risky with this new variation of Virut.

Here are a few things to take into consideration.

Note that if you decide to try and clean this you must be extremely careful on what is backed up as these new infections can get into many different file extensions ( DLL, EXE, SCR, HTM, HTML, MP3, AVI, WMV, PDF.....etc). A complete reformat and reinstall is highly SUGGESTED! Avoid backing up compressed files (zip/cab/rar.....etc). Virut can also penetrate compressed files that have .exe or .scr inside them.

If you backup any files they should be scanned from a clean properly protected PC before restoring. Also be careful what scanner is used as some are very poor at detecting and even worse at protecting from this infection. In fact due to the nature of these new infections there are probably no tools that will properly protect you from the infection. Be very selective and only backup files you can not replace!

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

I suggest running at least 3 of the below scanners on the backup files. Run the first scan then reboot before running the second then reboot after the second before running the third.

-) Dr.Web CureIt!
-) AVG Win32/Virut Removal Tool
-) Symantwc W32.Virut Removal Tool
-) McAfee Avert Stinger
-) Microsoft Windows Malicious Software Removal Tool

If you do not know how to perform a fresh install, use this website -> http://www.windowsreinstall.com/

I strongly suggest you do the following immediately!

If you have done any online transactions, call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts and/or change all of your account numbers.

From a clean computer change all of your online passwords including for email, banks, financial accounts, PayPal, eBay, online credit card companies and any online forums or groups you belong to etc.

DO NOT change passwords or do any transactions while using the infected computer. The attacker will get the new passwords and transaction information.
Quote from: evilfantasy on April 21, 2009, 04:59:17 PM

If you have done any online transactions, call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts and/or change all of your account numbers.

%System%\reader_s.exe
%UserProfile%\reader_s.exe

what about RAR and so forth? will it infect files if I haven't opened the zip/rar what have you?

Hmm, well she was having problems with McAfee for a while before the other stuff started happening. However, she completely LOST use of McAfee around the same time that she lost internet connection. (Which is why I immediately suspected that something was messing with her comp.) But more or less, I suppose it was around the same time that McAfee died. Then I uninstalled it. Or at least attempted to.

And skype has been on there for a while. Probably at least a couple months before the problems started.I downloaded and ran the McAfee removal program then rebooted, but it still doesn't work. Yet, for some reason, windows security center says that the McAfee FIREWALL is still on. I also uninstalled Skype just incase, but again it didn't help anything. Windows Security Center is likely referring to Windows Firewall, which isn't related to McAfee Personal Firewall.

At this point, I'm not really sure what else to suggest. I was hoping McAfee might be the culprit, but that doesn't appear to be the case. And I no longer see evidence of an infection. Perhaps you should try taking your problem over to the Networking section. I have very little personal experience with routers, so they might be able to provide you with suggestions that I cannot.Well the reason I mentioned it is that it didn't just say that a firewall was active, it expressly said that Mcafee firewall was active. But I suppose it could still mean windows firewall. I suppose I will take it to the networking section, as I'm assuming that perhaps one of the things that had infected the computer did something which is causing the error. And thus, we removed the infections but now i'll have to discover what damage it caused so that it can be fixed. That seems to be the most logical explanation anyway. Well thanks a lot for your help; you've gotten her computer running again, now I just have to DEAL with the internet. Which, I must say, involves a great deal less stress.I'm glad I could help...to an extent. I just wish I knew exactly what changes were made to disable the internet. And that's odd about Security Center. You might want to try running through CCLEANER a couple of times (especially the Issues feature) and see if that helps out at all.As this issue appears to be resolved, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

If you are not the original poster and you require help, please start a NEW Topic with information about your computer and your problem.

As a computer 'newbie', I'm now totally confused as to what security measures I actually need.

Currently, I have Windows XP Home which has its' own firewall. Is this any good and is this the only one I need.

I am on BT Broadband Option 1, with Yahoo Browser which has Norton SpyScan included and I have AVG Free Anti-Virus and Anti-Spy.

I am considering upgrading to Broadband Option 2, which apparently offers Email AV, SpamGuard Plus, Anti-Spy, Pop Up Blocker, Anti-Virus and Firewall and they assure me that that will cover all my needs (which they would, of course).

I've also been advised to turn off my Windows Automatic Updates. Is this wise?

So, what do I really need and, is it correct that running two of such programs together will cause more problems?

What about CCleaner? Is that a necessity?

Sorry to have so many questions, but, as I said, I'm a newbie and now totally confused.!!Hey, great questions * this is just my 2 cents*

1. have and keep AVG free anti virus ALWAYS running
2. get SPYBOT search & destroy
3 find at filehippo.com COMODO firewall << free !! it is awesome ~!!
download & install then, turn off your windows firewall....

4. a must* get CCleanner it is a real nice free utility .... I use it everytime I get off line... cleans up my old temp files/ browsing & has a very basic regisitry fixer....

good luck ~

ps.... get rid of and uninstall "correctly" anything Norton or MCafee they are good programs but, once installed.....THEY NEVER want to leave your puter ^I wouldn't bother with the upgrade, unless it's free or DARN close to being free. Both AVG programs are very good to have; make sure your anti-virus stays active.

As suggested above, Spybot is a good program to get. So is SUPERAntiSpyware. It's okay to have multiple anti-spyware programs (just don't scan with them at the same time), but it's better to only have one or two anti-virus programs. If you have two, make sure only one is active, and use the other one for backup scans (best performed in Safe Mode).

Windows Firewall is better than nothing, but there's much better out there. You should look into getting either ZoneAlarm, Kerio Personal Firewall, or Comodo. They're all good free firewalls. Just be sure you only have one installed at a time! Download the firewall of your choice, disconnect from the internet, disable Windows Firewall, and install your new firewall.

CCleaner is INDEED something you want to have on your computer. It doesn't help much when it comes to protection, but it does help a lot when it comes to cleaning up clutter on your computer.

If you have any other questions, feel free to ask.

I have a weird behavior on my computer, I can't run anything for more than a few SECONDS before the computer start hanging. I used Norton and i saw something weird: "*censored*.exe". I did a search and I tried a fix for this worm but it was not FOUND. I don't know where to start and I can't run anything without the computer hanging. Please help.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:28:14 PM, on 21/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Documents and Settings\Patrick\Desktop\HiJackThis_v2.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.rdl/INTEGRATION_BAND_SEARCHBAR_HTML
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\JAVA\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SystemMgr] C:\WINDOWS\system32\Ir32_b.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Chercher avec Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.rdl/INTEGRATION_MENU_SEARCHEXT
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Démarrer Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142141247138
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Planificateur LiveUpdate automatique - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7688 bytes
Well, I don't really see anything too bad in your log. Let's try a couple of things.

Although no symptoms of it show up in your log, you APPEAR to have the W32.Zotob worm. Download AVG Anti-Spyware, update it, and run a full scan in Safe Mode. If you have to, you can download AVG and its updates on another computer and transfer them via CD.

Also, you may want to check out the following page...
http://www.symantec.com/security_response/writeup.jsp?docid=2005-082317-0232-99&tabid=3

Close all windows (except for HijackThis) and mark the following entry...
O4 - HKLM\..\Run: [SystemMgr] C:\WINDOWS\system32\Ir32_b.exe

Click on Fix Checked and then delete C:\WINDOWS\system32\Ir32_b.exe in Safe Mode.


I would also like for you to download ComboFix and save it to your desktop. Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says. Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt. Go ahead and post that here. Note: Don't click on the window while it's running; this may cause stalls.Thank you for your help. If you have other suggestions, remember I can't use normal mode for more than a few seconds.

- AVG won't start on that computer. I tried in Safe mode too. I tried to uninstall it but I get an error message.

- I did a full scan with Norton in safe mode. Nothing found.

- I looked for *censored*.exe, it's not there.

- O4 - HKLM\..\Run: [SystemMgr] C:\WINDOWS\system32\Ir32_b.exe is not there anymore. Maybe because I did a system restore?


Combofix:

"Administrator" - 2007-06-24 11:49:17 - ComboFix 07-06-23.5 - Service Pack 2 NTFS [SAFE MODE]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\msxml3a.dll


((((((((((((((((((((((((( Files Created from 2007-05-24 to 2007-06-24 )))))))))))))))))))))))))))))))


2007-06-24 11:4949,152--a------C:\WINDOWS\nircmd.exe
2007-06-24 11:37524,288--ah-----C:\DOCUME~1\ADMINI~1.PAT\NTUSER.DAT
2007-06-24 11:25d--------C:\Program Files\Norton Internet Security
2007-06-24 11:00624,784--a------C:\WINDOWS\system32\SymNeti.dll
2007-06-24 08:46d--------C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft(2)
2007-06-21 18:25786,432--a------C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-21 18:164,075,520--a------C:\DOCUME~1\Patrick\ntuser.dat
2007-06-21 18:16233,472--a------C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-06-18 17:23d--------C:\WINDOWS\system32\SoftwareDistribution
2007-06-16 16:25dr-h-----C:\DOCUME~1\Patrick\APPLIC~1\CrystalSpace
2007-06-16 15:55d--------C:\Program Files\The Adventure Company
2007-06-10 10:44d--------C:\WINDOWS\SxsCaPendDel
2007-06-03 19:45143,360--a------C:\WINDOWS\system32\unzip32.dll
2007-06-03 19:45d--------C:\Program Files\IceChat7
2007-06-03 19:45d--------C:\DOCUME~1\Patrick\APPLIC~1\IceChat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-24 15:27:10--------d-----wC:\Program Files\Common Files\Symantec Shared
2007-06-24 15:25:30--------d-----wC:\Program Files\Symantec
2007-05-24 11:20:54--------d-----wC:\Program Files\3DO
2007-05-16 15:12:02683,520----a-wC:\WINDOWS\system32\inetcomm.dll
2007-05-14 00:09:23--------d-----wC:\Program Files\QuickTime
2007-05-14 00:08:28--------d-----wC:\Program Files\Apple Software Update
2007-05-12 17:35:43--------d--h--wC:\Program Files\InstallShield Installation Information
2007-05-12 13:26:41--------d-----wC:\Program Files\Ubisoft
2007-05-08 11:16:43--------d-----wC:\Program Files\SlySoft
2007-04-25 14:21:15144,896----a-wC:\WINDOWS\system32\schannel.dll
2007-04-24 10:50:02--------d-----wC:\Program Files\Website Downloader
2007-04-18 16:12:232,854,400----a-wC:\WINDOWS\system32\msi.dll
2007-04-17 02:47:3633,624----a-wC:\WINDOWS\system32\wups.dll
2007-04-17 02:45:541,710,936----a-wC:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48549,720----a-wC:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42325,976----a-wC:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36203,096----a-wC:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:2892,504----a-wC:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:2053,080----a-wC:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:2043,352----a-wC:\WINDOWS\system32\wups2.dll
2007-04-07 16:26:4348,776----a-wC:\WINDOWS\system32\S32EVNT1.DLL
2007-03-30 10:10:5537,540----a-wC:\WINDOWS\system32\Ir32_a.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}=C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll [2007-01-11 19:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 14:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 17:35]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-12 20:29]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 06:42 C:\WINDOWS\soundman.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-13 19:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^gameutil.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\gameutil.exe.lnk
backup=C:\WINDOWS\pss\gameutil.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CapFax]
C:\Program Files\Classic PhoneTools\CapFax.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RedLine Taskbar]
C:\Program Files\RedLine\Taskbar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-06-13 10:33:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-24 11:51:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Avg7Core]
"ImagePath"="\SystemRoot\System32\Drivers\avg7core.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Avg7UpdSvc]
"ImagePath"="C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe"

Completion time: 2007-06-24 11:51:49
C:\ComboFix-quarantined-files.txt ... 2007-06-24 11:51

--- E O F ---


Hi, wolfi. Sorry, I should have told you to enable hidden files and folders. Open a random folder (doesn't matter which one) and go to Tools > Folder Options. Click on the View tab and then check "Show hidden files and folders" and click OK.

Try looking for *censored*.exe (perform a system-wide search if necessary) and C:\WINDOWS\system32\Ir32_b.exe. While you're at it, you should also look for C:\WINDOWS\system32\Ir32_a.exe. If you find any other files with similar names, please let me know.

Go to Start > Accessories > System Tools > Disk Cleanup. Run the Disk Cleanup utility that comes up after putting a check next to these:

Temporary Files
Temporary Internet Files
Recycle Bin


Exactly what kind of error message do you get from AVG? Give SUPERAntiSpyware a try and see if that gives you any better results."Show hidden files and folders" was already selected. I did a search for *censored*.exe and it's not there but I can find Ir32_b.exe. and ir32_32.dll. What should I do with it?

I can't find the uninstall tool for AVG anymore, but when I try to install again I get this message: "Some installation files are corrupt. Please download a fresh copy and retry installation."

I tried SuperAntiSpyware... It won't run in normal mode (it's hanging) and it won't install in safe mode. (Message: "The system administrator has set policies to prevent this installation.") I really need something that can run in safe mode.
Go ahead and delete those two files.

Does your account have administrator privelages? You may want to take a look at the following page from the mothership...
http://support.microsoft.com/kb/322963

Your Norton could possibly be related. However, because it's your only protection right now, I think we we should wait on the included workaround. Instead...if this is XP Professional, go to Start > Run and type in gpedit.msc and click OK. Go to Local Computer Policy > Computer Configuration > Windows Components > Windows Installer. On the list to the right, double-click Disable Windows Installer, click on Enable and click OK.


If you are using XP Home, then go to Start > Run, type in regedit and click OK. Navigate to HKEY_CLASSES_ROOT\Installer\Products. Look for the program(s) you are trying to install and delete its folder. I believe the folder for SUPERAntiSpyware is 1FBBCDDC3072CB6439B8CB8CA1E1AEAA. Not sure about AVG...just check the ProductName of each one.

NOTE: Before making changes to your registry, you should back it up with ERUNT!


See if you can install the programs now. Also, give AVG's Anti-Spyware a try.


Let me know how things go. Post an update along with a new HijackThis log.Ir32_b was not there anymore but Ir32_a was there. I deleted the files.

I did what you said but I can't find 1FBBCDDC3072CB6439B8CB8CA1E1AEAA and I don't know how to find the right one. (I looked in the folders but I don't see any product name) I'm using XP Pro. I tried the program for Norton but I never had Norton in 2003 (I got this computer last year). I can't uninstall norton in safe mode and it won't uninstall in normal mode (it's telling me that another program is installing, right) So much fun.

Thank you for your help, but I think it will be easier and FASTER to reinstall Windows completely.






If you have XP Pro, then you should be able to use Group Policy Editor...
Quote from: CBMatt on June 30, 2007, 08:59:59 PM

Instead...if this is XP Professional, go to Start > Run and type in gpedit.msc and click OK. Go to Local Computer Policy > Computer Configuration > Windows Components > Windows Installer. On the list to the right, double-click Disable Windows Installer, click on Enable and click OK.

As this issue APPEARS to be resolved, I am closing this topic. If you are the original poster and you WOULD like this topic to be re-opened for any reason, PM me or ANOTHER moderator and it can be arranged.

If you are not the original poster and you REQUIRE help, please start a NEW Topic with information about your computer and your problem.

acording to me this is due to SOFTWARE not properly installed....Quote from: sukhija on July 13, 2007, 12:33:18 PM

acording to me this is due to software not properly installed....

My internet connects but my internet explorer won't open. I can't open my musicmatch jukebox or my control panel. Everything is very sluggish. My computer won't even shut itself down properly. I RAN AVG, Ad Aware and Spybot, I also defragmented that all seems to have helped it alot but I wanted to see if there may be something else I'm missing.

I have a Compaq PRESARIO. I cannot remember the speed but it's 3 years old. It has 256 MG of RaM and I think an 8 gig harddrive.

Here's my hijack this file

C:\WINDOWS\system32\WINLOGON.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DropBox\DropBox\DropBox.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\LocalNet\LocalNet EasyDialer\fts.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [zzzHPSETUP] F:\Setup.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\SymProbe.exe -r "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DropBoxUtility] "C:\Program Files\DropBox\DropBox\DropBox.exe" /s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [%FP%LocalNet fts.exe] "C:\Program Files\LocalNet\LocalNet EasyDialer\fts.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.4.69/cab/aolpPlugins.10.4.0.4.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166385398125
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166386230984
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks!aces67,
You're running HijackThis from a temporary location. If left there, it will eventually be deleted. To ENSURE the safety of the program and its backups, please move it to C:\Program Files\HJT.

Download CCleaner (install without Yahoo! toolbar) and configure it according to this guide.

After doing that, go ahead and post a new HijackThis log. And this time, make sure you include the entire thing. Every part of the log is important.Due to lack of feedback, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.

Users could face a "highly critical" risk if they have both IE and Firefox version 2.0, or later, loaded on their computer. The trouble begins when browsing a malicious site while using IE and it registers a "firefoxurl://" URI (uniform resource identifier) handler, which allows the browser to interact with specific resources on the Web. As a result, users may find their systems remotely compromised.

Earlier Tuesday, security researcher THOR Larholm, who discovered the IE flaw, and security research giant Symantec put much of the blame on IE, while Secunia's Thomas Kristensen, chief technology officer, attributed the problem to Firefox versions 2.0 or later. "It's a little bit of both," said Oliver Friedrichs, director of Symantec's Security Response Center. "You have two very complex applications that are not playing well together and leading to a security issue. The components themselves are secure as stand-alone products but not together."

http://news.com.com/8301-10784_3-9741435-7.htmlThat's not good . . . but then again, I wouldn't RUN into it as I don't use IE at all (except for Windows Update, but I doubt that site would have this problem).
Besides, if you have IE and Firefox installed, why use IE? Except for the reason above, of course.Thanks for the info, Scott. I'm definitely going to have to look into this more. I'd hate to have to get rid of my Firefox, but if this is true, it may come down to that.Quote from: CBMatt on JULY 13, 2007, 11:48:32 AM

Thanks for the info, Scott. I'm definitely going to have to look into this more. I'd hate to have to get rid of my Firefox, but if this is true, it may come down to that.

Quote from: CBMatt on July 13, 2007, 11:48:32 AM

Thanks for the info, Scott. I'm definitely going to have to look into this more. I'd hate to have to get rid of my Firefox, but if this is true, it may come down to that.

Getting rid of Firefox would be the wrong move. Just do what Calum said and use IE for windows updates only.

HI...

My Computer is a HP pavillion 513n with Windows XP SERVICE pack 3. well my computer just recently started to run slow like the computer useage bounces back and fourth from 75%-100% constently. and my commit charge will range from 350M-450M out of 1246M. it started doing this when i got a protection thing from my isp Time Warner. it is called CA internet protection. i got this because i accidently fell for spyware and downloaded WinSpywareProtect. now my computer is completly free of viruses but now it runs slow. it takes a long time to open a program and then a long time toanything in that program. and it takes 5-10 min to restart the computer. what can i do to fix this problem? if you need to know more about my computer or other pics just ask but also tell me how to find out that info for u, i am not very good with computers.

these are my prosesses and performance, when it is being fast it is worse that that right now. \/





ThanksTry going to to Start --> Run --> msconfig and press Enter
Head over to the Startup tab and untick anything you don't need on startup.
(note: anything you untick and STILL be used without having to tick it again.)

Run the Disk Defragmenter a few.
(Star --> All Programs --> Accessories --> System Tools --> Defragmenter.)

I suggest downloading CCleaner.
You can tick whatever you want but make sure that System --> Temporary Files is ticked and then run the cleaner.

Also with CCleaner, scan the registry and remove the keys it finds a few times.

Post back with the results.Difficult to tell but it looks like you have Windows Defender running. Perhaps it is conflicting with the program that you received from your ISP. Try DISABLING Windows Defender and post back.Quote from: Sean0514 on July 06, 2008, 01:57:14 PM

HI...
My Computer is a HP pavill.......
Thanks

Quote from: Sean0514 on July 06, 2008, 01:57:14 PM

HI...
My Computer is a HP pavill.......
Thanks

Guitar pro nice choice

Difficult to tell but it looks like you have Windows Defender running. Perhaps it is conflicting with the program that you received from your ISP. Try disabling Windows Defender and post back.

Can you uninstall it and see what happens?

i have some problem with my old laptop and hope that someone can help me. the problem is my laptop infected by virus and malware. after clean it with Avira antivir personal and Malwarebytes' Anti-Malware. reboot and it freeze on WINDOW start up. ( wellcome screen ). after a few days i become fed up and i tried to install a fresh copy of Windows XP. the problems begin.After insert the window xp cd, 1)copy FILES, 2) Welcome to Setup, 3)f8 agree and format, 4) Setup COPIES various files and reboot. after reboot it freeze on the screen(setup will complete in 39 minutes).i tried to install again now it freezes on "Setup is starting Windows"and won't go any further.and have no error message( BSOD ) i already tried the (Memtest+86.170 , change ram to 512mb,reformat my harddisk , used the F5 trick) I am so frustrated. this problem has been the last two MONTH. please help. note that now my hard disk already format ( no system )and my laptop freeze on setup is starting windows. how can i scan for virus or Malware.

My old laptop:Mercury Green320 ( no floopy )
VIA C3 1A Ghz. 512mb ram
win XP SP2Your re-format took care of any viruses or malware that was on your computer. You're starting out fresh. I suggest that you start a new thread in the software section for additional help.

Dell Inspiron 1501 running XP
shut the computer down normally and the next morning the icons are blown up
three times their normal size and the screen is jumping up and down and the
pic is distorted...........any ideas or thoughts and what may have caused this
thanks for any and all helpDefinately not a virus imo, I have had to DEAL with this issue several times, and an update of the vga card driver fixed the issue.Hardist if you dont mind shoot me a private message
gotta a question or two thanks for your reply Hard,

let me review so that you can understand what I have going on

shut the computer (laptop) down one evening no problem
the next morning the screen is jumping around and the icons are like
three times there normal size.......it is terribly difficult to be able to
get it to stop in order to click anything

in safemode the screen does not JUMP and the picture is not distorted
just have the icons slightly enlarged

I have run Malware-anti malware scans three times and nothing has
been found......I TYPED msconfig in safe Mode and disable windows
as I was instructed to..........I also uninstalled AMD Driver and need to
reinstall at dell.com


another issue is that in safe mode the computer will only STAY on for
ten minutes or so.........this is not true in normal modeOk, I am all but certain it is a virus of somekind

I would like to reinstall XP going through F12 and Reboot
is it possible to do this and still ssave my pictures and
documents??? Currently I have XP but also have a VISTA
disk....should I use Vista or XP..........can anyone help me
through this process???Please go to this link and follow the directions and post the required logs.

I want to buy anti virus,But I don't know between NOD32 or kaspersky.Which one should i buy?Quote from: kukkaikawaii on January 22, 2010, 01:57:50 AM

I want to buy anti virus,But I don't know between Nod32 or kaspersky.Which one should i buy?

Go with nod32. It never slow down your SYSTEM

I just reinstalled windows xp on my parent's computer and it still looks like there is a virus on it. My guess is it's a rootkit, which I have no idea how to GET rid of (besides installing LINUX and just having them use that.) I've seen the virus before from my work development computer. Luckily Symantec has been doing a good job of cleaning up my FLASH drive before the virus can do anything there.
You can see which file it is below (herss.exe). I DELETED the herss.exe file, but there are still two files in the root directory (9fo3ar0j.exe & sywyrl0q.exe), which I can only see from the command line. The virus seems to be blocking the option to see system files and hidden files from explorer.
I've run Avira A/V, but it doesn't seem to notice anything wrong.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:38 PM, on 1/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [cdoosoft] C:\DOCUME~1\Dad\LOCALS~1\Temp\herss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263869748936
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

--
End of file - 2491 bytes
If you think it is a rootkit, you can download rootkit revealer and run that on the PC. It is a free download. Just google rootkit revealer and you'll find it.

Are you doing a format of XP or just a repair? If you are doing a format, is all the software loaded on after XP purchased from the vendor or has it been downloaded? Often times, downloaded software will contain trojans which will reinfect the computer. Hope this helps.I figured out the problem. It's not a rootkit. I was using a flash drive to copy drivers from my parent's computer to my laptop, which was also infected and am restoring. Silly me, I should have known better.
I fixed both computers now and am in the process of reinstalling all of the software.Edited.Quote from: michaewlewis on January 20, 2010, 02:06:40 PM

I figured out the problem. It's not a rootkit. I was using a flash drive to copy drivers from my parent's computer to my laptop, which was also infected and am restoring. Silly me, I should have known better.
I fixed both computers now and am in the process of reinstalling all of the software.

Hi, could you tell me how exactly you fixed it ? I have this sywyrl0q.exe too on my drive and my anti virus software doesn't seem to detect it..

Thank you!

Tom

Hi, could you tell me how exactly you fixed it ? I have this sywyrl0q.exe too on my drive and my anti virus software doesn't seem to detect it..

Thank you!

Tom

Hi

I was just wondering if viruses can bring your computer ONTO undesireable webpages (PORN) without me typing in anything? I get alot of pop ups and was looking at my history and it has afew porn pages in it and i was just wondering if a virus can bring your browser to these pages in a new window say while i'm in something else?

ThanksIf you didn't visit those pages and noone had access to the computer it would be malware. I would recommend downloading Avast home editionIf you want your computer cleaned you will be best SERVED to not listen to anyone else than the malware specialists on this forum. Don't make any changes to your computer except what the instructions say here.
Please go to this link and follow the DIRECTIONS and post the required logs.

If you have recently ran ComboFix and it deleted everything from your desktop post a link here to your topic so I can help you GET your computer back to normal. Or start a new topic and post the contents of the C:\QooBox\ComboFix-quarantined-files.txt file. Please attach it as it will be huge.

If you have an active topic then ALSO add the C:\QooBox\ComboFix-quarantined-files.txt to it as well as posting a link to the topic here.

Please only post in this topic if your computer was effected by this ComboFix bug. Thanks.



EF. I think we only had two that had files removed. I've pm'd all my OP's that had to run CF or script not to do ANYTHING until they get the all clear.If they were not effected by running CF then just carry on. But be sure to have them delete CF if they have downloaded it.Combofix is back online. A good subscription for the feed reader. http://twitter.com/BleepinComputer/statuses/8180648442...and here: http://www.facebook.com/pages/BleepingComputer/121623401752I hate Facebook...and Twitter for that matter.

Thanks!I can't stand either one...LOLThe latest fix, if anyone got in TROUBLE: http://www.bleepingcomputer.com/forums/topic290138.html http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/455388-combofix-issue-resolution.htmlSame source, I believe...sUBs

From the Desktop go to -> My Computer -> Local Disk (C:) -> Documents and Settings -> All Users -> Start Menu -> Programs -> and find a folder called Startup. Inside this folder is a 1 KB icon called desktop with a Note pad and a gear next to it. Right clicked it, to go to its properties and choose "Hidden."Are ththose the only programs I need? I currently have: AVG 9.0,SUPERAntispyware, MalwareBytes, Advanced Systen Care, CCleaner, Startup Optimizer and Smart Defrag. Also, Should I, and how do I, delete ComboFix, HijackThis and all the crap left behind like the dequarantine log and such that saved themselves in more than ONE place?Delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt

You can uninstall HijackThis in add/remove programs.

Everything else is okay to keep.Ok, Thank you.

Is there any thing else that I need to post, or am I done?
That's it as long as the computer is running good. Thank you so very much. I will be recommending this site to everyone I know. You have helped and taught me so much in the last few days. I am very happy I stumbled upon this site. You have made me feel like I was the TOP PRIORITY, even though I know that you just do what you do. That's cool.
Anyone who would have anything negative to say about this site either has to be deranged or SPOILED little BRATS

A THOUSAND THOUSAND THANKS TO EVERY ONE OF YOU! Your WELCOME.

LET us know if anything else comes up.

Safe surfing...

Fresh HJT log attached.

Thanks for all you do.

John

[Saving space, attachment deleted by admin]Hello John. I'm sorry I never got back to you sooner. Very busy. If there are no other issues, it's time for some cleanup. You can uninstall HJT, ESET but you can keep SAS and MBAM. Update them and run them about once a week depending on your on-line browsing.
--------------------------------------------------------------------------------
Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
---------------------------------------------------------------------------------------------
* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.
----------------------------------------------------------------------------------------------
USE the Secunia Software Inspector to check for out of date software.

•Click Start Now

•Check the box next to Enable thorough system inspection.

•Click Start

•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smooth.
Safe Surfing!Do you have an XP CD?

If so, place it in your CD ROM drive and follow the instructions below:

• Click on Start > Run and type sfc /scannow then press Enter (note the space between scf and /scannow)
  • Let this run undisturbed until the window with the blue progress bar goes away

• Open the folder and run Dial-a-fix.exe
• 2 windows will open. Close the one in the background labeled RESTRICTIVE Policies
• Check the box in section 1, Empty temp folders.
  
• Check the box in section 2, Fix Windows Installer.
  
• Check the box in section 3, Fix Windows Update.
  
• Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
  
• Check all boxes in section 5, labeled Registration Center.
  
• Click Go
  
• OK any error messages if received, but write them down and post them here.
• Restart the computer when done.

• Start HijackThis
  
• Click on the Open the Misc Tools section
  
• Click on the Open Uninstall Manager button.
  
• Highlight the entry you want to remove. JAVA(TM) 6 Update 7
  
• Click Delete this entry

I didn't pay much attention to the issue of false positives in the past. I just assumed AV publishers had their signature lists and that they just worked. A random match of data bits that match seemed too small a chance to worry about. But I've been following the CNET reviews of security software recently, and I noticed for the first time that the percentage of false positives is a rating factor. Also, upon installing Avira last month, I was surprised at their candor concerning the chances of false positives with respect to the sensitivity settings chosen. In fact, it is the first program I have ever seen with sensitivity settings.

Quote from: mcummings36 on January 24, 2010, 10:12:46 AM

Look, I'm not trying to make anyone MAD or sound like an ungrateful [emailprotected]!s. But I think anyone in my position would be a little frustrated and irritated. I realize that my computer is infected, but I also didn't have all the other problems, other than the Facebook and google issues, until I did what that first POST said. Now I keep losing my printer driver along with a whole NEW set of issues. If you don't want to help me, fine, but don't post a snide remark either, it just MAKES the whole thing worse.

Hay my computer froze last night while I was doing the disk cleaning, cause my computer was being really slow, and I turned my computer off cause it wouldn't let me do anything. well now when I start up my computer it goes into the windows BOOT manager. this is exactly what it says... from top to bottom.

Windows FAILED to start. A recent hardware or software change might be the cause. to fix the problem:

1. Insert your installation disc and restart your computer.
2. choose your language settings, and then click "next."
3. Click "repair your computer."

If you do not have this Disc, contact your System Administrator or Computer Manufacturer for assistance.

File: ntoskrnl.exe

Status: 0xc0000098

Info: Windows failed to load because a REQUIRED file is missing, or corrupt.

I don't have the windows installation disc and I don't really have the MONEY to GET one so can you help me please.

What makes you think it's a malware problem?Microsoft fix:

http://support.microsoft.com/kb/927392/en-us

For the 0xc0000098 error, you definately need to copy some files from an original installation disc back to your Windows/System32 folder. Can't you lend a disc from someone?

I have two problems, both potentially from the same virus. First of all, every time I try to click on a google link, I get redirected to a RANDOM site. I have to click the link several times before it goes to the correct site WITHOUT redirecting.
Secondly, a box keeps popping up that SAYS "Google installer has stopped working" ... I don't know what this is, but it pops up every few minutes.

Any help is much appreciated!Please go to this link and follow the directions and post the required logs.I have the same problem with google, the links in the search results go pretty much anywhere but to the actual site listed. And I went to the link above to try and fix some of my issues, and the first thing that happened after I RAN hijackthis was I lost my printer, so I now have to try and get that straightened out. Getting a bit FRUSTRATED. mcummings36


could you please open your own topic , you cannot hi jack an other topic I did post this, more than once, actually. I just thought this person might like to know they aren't the only one experiencing this issue.

Quote

Where do I go to find the Trend Micro folder? If I search, I get over 500 results with C:\Program Files, Trend Micro...

The error is 0x80240030 error. And it gives you 2 solutions to TRY, which I didn't have luck on EITHER of them. Is this a PROBLEM with my computer or microsoft and can I fix it? Any SUGGESTIONS would be great!!!
Thanks!!

Adobe Reader 8.x update gets an error about half way through the install (Error 1402,

Hey Guys, I need help cleaning out my gf's infected system. I believe I have another case of uacd.sys, but possibly more now. I had the traditional music playing in the background, but couldn't find the source, as no windows were open. As well as the "google installer failed to start" and "windows defender is not working properly" Vista errors. They were popping up on the dot twice an hour on the 12 minute mark as well as the 58 minute mark.

I had planned to clean it out today and post if I had any problems to you guys, however last night, it looks like my gf tried installing some tools to fix it herself, and might have caused more problems.

Now, I'm getting popups saying my computer is infected etc. every 10 minutes or so now with many different flavors. As well as it looks like Internet Security 2010 is running (a malware fake anti-virus program that only infects the machine more) "Spooler subsystem app has stopped working" is a new vista error I'm getting.

I've read through a few posts to see if anything jumps out at me at what could have happened, and it really looks like it's another case of uacd.sys.

I found your "get started" post and got to step 3, before I hit a wall.
Please see below and advise.

Computer:
MS Windows Vista Home Premium SP2
Intel Core2 Duo CPU T8300 @ 2.40 GHz, 4.0GB RAM, NVIDIA GeForce 8600M GT

Completed Step 1, wasn't able to find anything from the list that matched anything in "add/remove" programs of vista.

Completed Step 2, it took 111 seconds and only removed 2,009.2 MB.
Mostly internet explorer history, cookies, firefox history, cookies.
Temporary internet files.
Memory dump logs.
And a handful of application logs.

Step 3: I can't complete this step, as the malware has blocked most anti-spyware links from being able to be accessed. I tried using cached mode on Google's searches to get the download, but the farthest I can get cached, is the "your download is about to begin, or click here" screen.
Clicking there, pulls up page cannot be displayed, waiting, nothing happens. So, it doesn't look like I can download superantispyware. If this step is absolutely necessary, I guess I could download it on another machine and transfer it over here to install.step 2 try to complete will not matter

step 4 re-name mbam.exe to mbam2.exe run and post log

step 5 try to complete will not matter

step 6 re-name hjt to snipper.exe run and post the log Update/Continuation:

Step 3:
I was able to download superantispyware from my other computer and brought it over via USB.
I tried installing it, and it just pops up saying SuperAntiSpyware.exe has stopped working. ( vista error )

Step 4:
I downloaded this from another machine as well.
Had some difficulty getting it to run (had to rename, then right click and run as administrator).
Then the shortcut wouldn't run, so I changed the name of the file that shortcut was point to at:
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" and it ran the program. The log is here:

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

1/23/2010 2:20:41 PM
mbam-log-2010-01-23 (14-20-41).txt

Scan type: Quick Scan
Objects scanned: 104920
Time elapsed: 4 minute(s), 31 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 25
Registry Values Infected: 5
Registry Data Items Infected: 10
Folders Infected: 5
Files Infected: 10

Memory Processes Infected:
C:\Program Files\InternetSecurity2010\IS2010.exe (Rogue.InternetSecurity2010) -> Unloaded process successfully.
C:\Windows\System32\smss32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\Windows\System32\helper32.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\hostie.bho (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostie.bho.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{eddbb5ee-bb64-4bfc-9dbe-e7c85941335b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\IS2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbmain.commband (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbmain.commband.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.hbmain (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.hbmain.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\srv.coreservices (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\srv.coreservices.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.htmlmenuui (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.htmlmenuui.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.toolbarctl (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.toolbarctl.1 (Adware.Zango) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Windows\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet security 2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\[emailprotected] (Adware.Zango) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\Windows\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\ProgramData\2ACA5CC3-0F83-453D-A079-1076FE1A8B65 (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Users\Stephanie\AppData\Roaming\Zango (Adware.Zango) -> Delete on reboot.
C:\ProgramData\ZangoSA (Adware.Zango) -> Quarantined and deleted successfully.
C:\Program Files\malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
C:\Program Files\InternetSecurity2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\ProgramData\ZangoSA\ZangoSA.dat (Adware.Zango) -> Quarantined and deleted successfully.
C:\ProgramData\ZangoSA\ZangoSAAbout.mht (Adware.Zango) -> Quarantined and deleted successfully.
C:\ProgramData\ZangoSA\ZangoSAEULA.mht (Adware.Zango) -> Quarantined and deleted successfully.
C:\Program Files\InternetSecurity2010\IS2010.exe (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Windows\System32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\helper32.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Windows\System32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Stephanie\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Users\Stephanie\AppData\Roaming\Microsoft\Windows\Start Menu\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

*****(After rebooting after step 4 as Malware bytes told me to, it's ALOT more stable now... just wanted to throw a small *****thanks out there, but I know I'm not done, it's just nice to have somewhat some control again)

Step 5: Downloaded the latest JRE, and am now on Java 6 Update 18. So, that worked great.
JavaRa (cool little tool btw!!) removed a few old java versions without problems.

Step 6:
I renamed the hjt.exe to sniper.exe and ran the scan + save a log file. My log file is listed here:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53:22 PM, on 1/23/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Fingerprint Reader Suite\psqltray.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Users\Stephanie\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\program files\Trend Micro\HijackThis\sniper.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://vdi.coa.gatech.edu/portlets/thinapp/vdmclient/installclient.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Fingerprint Reader Suite\launcher.exe" /startup
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam2.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Stephanie\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: McAfee Security Scan.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send IMAGE to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {DBDC1CDA-B64B-49F7-9535-6317AA416E51} (VMware_VDM_Client Class) - https://vdi.coa.gatech.edu/downloads/VMware-viewclient.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GO333C~1\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee VALIDATION Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Windows\system32\mfevtps.exe
O23 - Service: mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit (mi-raysat_3dsmax2010_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VMware View Client Service (WSNM) - VMware, Inc. - C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe

--
End of file - 14615 bytes


Thanks for the help! I look forward to hearing from you!did you re-boot the pc

theres not to much wrong in the hjt log

please what for a malware expert to clear out the rest and finish your help

is the pc any better , harryYes sir, I've rebooted since the malware bytes (it SAID I had to to complete removal of one of the found detections).

I was thinking the same, the HJT didn't look too bad, and the comptuer IS running alot better.

I figured I'd post anyways to make sure there's nothing hidden that I just don't know about from the expert.

Thanks Harry!ok , do this while your waiting , you may not get him for a time


You have Viewpoint installed.

Viewpoint Media Player/Manager/Toolbar is considered as Foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad".

More information:
ViewMgr.exe - Useless

Viewpoint to Plunge Into Adware
It is suggested to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
Viewpoint

Viewpoint Manager

Viewpoint Media Player

Viewpoint Toolbar

Viewpoint Experience Technology
.


post a new hjt log pleaseHey Bud,

I was able to find viewpoint media player and removed that. But, there were no other viewpoint variations in the list.
I noticed there was still a viewpoint key in the HJT, but I'll leave that for you or the expert to tell me what to do.

Here's the new HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:44:32 PM, on 1/23/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Fingerprint Reader Suite\psqltray.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Stephanie\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\program files\Trend Micro\HijackThis\sniper.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://vdi.coa.gatech.edu/portlets/thinapp/vdmclient/installclient.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Fingerprint Reader Suite\launcher.exe" /startup
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam2.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Stephanie\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: McAfee Security Scan.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {DBDC1CDA-B64B-49F7-9535-6317AA416E51} (VMware_VDM_Client Class) - https://vdi.coa.gatech.edu/downloads/VMware-viewclient.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GO333C~1\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Windows\system32\mfevtps.exe
O23 - Service: mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit (mi-raysat_3dsmax2010_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VMware View Client Service (wsnm) - VMware, Inc. - C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe

--
End of file - 14473 bytesok , its a matter of holding on , thats me finished goos luck , harry

Before you go we need to do some clean-up. You can uninstall HJT and keep SAS and MBAM. Update them and run them about once a week.

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning PROCESS.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run UNINTERRUPTED until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

Use the Secunia Software Inspector to check for out of date software.

•Click Start Now

•Check the box next to Enable thorough system inspection.

•Click Start

•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------

Go to Microsoft Windows Update and get all CRITICAL updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it HARDER for ActiveX programs to run on your computer. Also STOP certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

Safe Surfing!Done.
Thank you somuch for you time and help

Hello,

A couple of months ago I asked for a free, good, anti virus program. Avast was the program suggested.

I downloaded it, but now see that it is only temporarily free.

Is there a truly free anti virus program that is very good at what it does?I would suggest AVG 9.0 free. They have both a free edition with only a few missing FEATURES and a full version. It works great and their virus database is updated almost daily. Here is a link to the site. http://free.avg.com/us-en/download?prd=afgQuote

I would suggest AVG 9.0 free.

Unexpected renewal costs

Some commercial antivirus software end-user license agreements include a clause that the subscription will be automatically renewed, and the purchaser's credit card automatically billed, at the renewal time without explicit approval. For example, McAfee requires users to unsubscribe at least 60 days before the expiration of the present subscription[16] while BitDefender sends notifications to unsubscribe 30 days before the renewal.[17] Norton Antivirus also renews subscriptions automatically by default.[18]

Open source and free software APPLICATIONS, such as Clam AV, provide both the scanner application and UPDATES free of charge and so there is no subscription to renew.[19]

http://en.wikipedia.org/wiki/Antivirus_software

My friend obtained a powerful gaming desktop a few months ago, but just recently upon start-up it WOULD go to a black screen with text on it. The screen said that one of the drives is missing and to insert the WINDOWS installation disk. Sadly, he does not KNOW the location of this disk. Is there any way to reinstall the DRIVER without that disk? Below is the file it says is missing:
\windows\System32\Drivers\hcpgqdb.sys
That file looks suspicious. It would be best to run some scans on your computer. But first we have to get it started. Let's try this: You will have to do this on another computer. You may have to change the boot order in the BIOS of the disfunctional computer.

Go to this link to create a Rescue CD or to this site to create a Rescue USB. Carefully follow all the instructions for WHICHEVER method you choose.

i desperately need help in solving this issue. it appears my desktop PC has been infected by malware or spyware. I am getting a message that says 'application cannot be executed. The file csc.exe is infected. do you want to activate your antivirus software now?'

the problem is the infection will not even allow me to get on the internet. it will not even allow me to get in the BLACK box to locate the ip address with the command prompt.

i am using my laptop to write this.

the desktop pc is running WINXP and explorer. i also have norton antivirus. i will be online waitng for help.

if more info is needed please let me know.

thanksHello,
Do you have the Norton cd? I believe there is an option to boot from the Norton cd and run a scan that way. If not, can you boot into safe mode and run a virus scan from within Norton?thanks for the reply. no, i do not have the norton cd. the norton is expired and i cannot get online to update it.Go to this link http://evilfantasy.wordpress.com/2009/05/06/rescue-cds/ to create a Rescue CD or to this site http://evilfantasy.wordpress.com/bitdefender-rescue-usb/ to create a Rescue USB. Carefully follow all the instructions for whichever method you choosethank you for the info. i will report on the result.harry... the drweb is a zip file... should i unzip it before i burn it to the cd. i know it may be a stupid question but i dont want to do anything to further mess up the pc or cause the process not to work.http://www.freedrweb.com/livecd?lng=en

i don't know but it says above just d/load the cd , i don't think you can do any harmIt is a ISO. file and will need an iso BURNER to burn it to a CD.

Hi everyone,

My LAPTOP is INFECTED with RECYCLER virus/trojan. here is my problem


1. when i point on the file folders, it shows me that the file is EMPTY and.

2. my drives C:\ , D:\ and all other drives are not openinig directely when i click on them.

how can i REMOVE and FIX this problem


THANK YOU

TamnetPlease go to this link and follow the directions and post the required LOGS.

Hi SD,

Thanks. Here is the LOG;

ComboFix 10-01-21.08 - Abc 01/22/2010 22:45:58.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2037.1361 [GMT -5:00]
Running from: c:\users\Abc\Desktop\ComboFix.exe
Command switches used :: c:\users\Abc\Desktop\CFScript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\temp\{4213ADD7-ABE3-4AE1-AB12-3102A09729C7}"
"c:\temp\{6849D4E4-78BF-4E9F-98AF-E9126F0190BA}"
"c:\temp\{7C7C93CA-3F2B-4004-B77A-15072EE1F841}"
"c:\temp\{B4670909-4FB9-407F-BE12-6AC53C71DF25}"
"c:\temp\{C7B22553-9619-40C3-9073-9251BD241830}"
"c:\temp\{F4A7B35F-3603-468D-B696-F77D3C42D24F}"
"c:\temp\7zSC763.tmp"
"c:\temp\mbr.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\__SkypeDialog_Cache
c:\temp\{4213ADD7-ABE3-4AE1-AB12-3102A09729C7}
c:\temp\{6849D4E4-78BF-4E9F-98AF-E9126F0190BA}
c:\temp\{7C7C93CA-3F2B-4004-B77A-15072EE1F841}
c:\temp\{B4670909-4FB9-407F-BE12-6AC53C71DF25}
c:\temp\{C7B22553-9619-40C3-9073-9251BD241830}
c:\temp\{F4A7B35F-3603-468D-B696-F77D3C42D24F}
c:\temp\~DEST
c:\temp\hsperfdata_Abc
c:\temp\Low
c:\temp\Word8.0
c:\temp\WPDNSE

.
((((((((((((((((((((((((( Files Created from 2009-12-23 to 2010-01-23 )))))))))))))))))))))))))))))))
.

2010-01-23 04:01 . 2010-01-23 04:01--------d-----w-c:\temp\WPDNSE
2010-01-23 03:56 . 2010-01-23 03:56--------d-----w-c:\users\Xyz\AppData\Local\temp
2010-01-23 03:56 . 2010-01-23 03:56--------d-----w-c:\users\Public\AppData\Local\temp
2010-01-23 03:56 . 2010-01-23 03:56--------d-----w-c:\users\Default\AppData\Local\temp
2010-01-23 03:56 . 2010-01-23 03:56--------d-----w-c:\users\Abc\AppData\Local\temp
2010-01-23 03:41 . 2010-01-23 03:42--------d-----w-C:\32788R22FWJFW
2010-01-18 18:50 . 2010-01-18 18:50--------d-----w-c:\temp\7zSC763.tmp
2010-01-18 18:43 . 2010-01-18 18:43--------d-----w-c:\programdata\SUPERAntiSpyware.com
2010-01-18 18:42 . 2010-01-18 18:42--------d-----w-c:\program files\SUPERAntiSpyware
2010-01-18 18:42 . 2010-01-18 18:42--------d-----w-c:\users\Abc\AppData\Roaming\SUPERAntiSpyware.com
2010-01-18 17:33 . 2010-01-18 17:33--------d-----w-c:\program files\Trend Micro
2010-01-18 16:46 . 2010-01-18 16:46--------d-----w-c:\program files\CCleaner
2010-01-18 05:30 . 2010-01-18 20:18--------d-----w-c:\users\Abc\AppData\Local\ykvesl
2010-01-18 02:05 . 2010-01-18 02:05--------d-----w-c:\temp\Adobe
2010-01-15 04:43 . 2010-01-15 04:44--------d-----w-c:\temp\AllServicesInfoFiles
2010-01-15 04:30 . 2010-01-15 04:30--------d-----w-c:\users\Abc\AppData\Roaming\Sony Corporation
2010-01-15 04:18 . 2010-01-15 04:18--------d-----w-c:\program files\Sony
2010-01-15 04:16 . 2010-01-15 04:16--------d-----w-c:\programdata\Sony Corporation
2010-01-13 14:30 . 2009-10-19 14:27156672----a-w-c:\windows\system32\t2embed.dll
2010-01-13 14:30 . 2009-10-19 14:2472704----a-w-c:\windows\system32\fontsub.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-23 03:56 . 2006-12-18 04:0512----a-w-c:\windows\bthservsdp.dat
2010-01-23 03:38 . 2009-03-14 21:31--------d-----w-c:\users\Abc\AppData\Roaming\EditPlus 3
2010-01-18 20:34 . 2009-07-11 13:26--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2010-01-18 17:23 . 2008-08-13 23:12--------d-----w-c:\program files\Common Files\Wise Installation Wizard
2010-01-18 14:55 . 2007-06-04 23:095568----a-w-c:\users\Abc\AppData\Local\d3d9caps.dat
2010-01-15 04:29 . 2006-12-18 04:26--------d--h--w-c:\program files\InstallShield Installation Information
2010-01-15 04:19 . 2008-10-23 22:45--------d-----w-c:\program files\Common Files\PX STORAGE Engine
2010-01-14 16:12 . 2009-10-03 13:48181120------w-c:\windows\system32\MpSigStub.exe
2010-01-14 04:28 . 2006-11-02 11:18--------d-----w-c:\program files\Windows Mail
2010-01-07 21:07 . 2009-07-11 13:2638224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-07-11 13:2619160----a-w-c:\windows\system32\drivers\mbam.sys
2009-12-22 03:26 . 2008-07-28 11:42--------d-----w-c:\users\Abc\AppData\Roaming\Image Zone Express
2009-11-09 13:22 . 2009-12-12 05:1924064----a-w-c:\windows\system32\nshhttp.dll
2009-11-09 13:20 . 2009-12-12 05:1931232----a-w-c:\windows\system32\httpapi.dll
2009-11-09 11:04 . 2009-12-12 05:19411136----a-w-c:\windows\system32\drivers\http.sys
2009-10-29 09:41 . 2009-11-25 05:362048----a-w-c:\windows\system32\tzres.dll
2009-10-27 13:20 . 2009-12-09 20:10833024----a-w-c:\windows\system32\wininet.dll
2009-10-27 13:16 . 2009-12-09 20:1078336----a-w-c:\windows\system32\ieencode.dll
2009-10-27 10:55 . 2009-12-09 20:1026624----a-w-c:\windows\system32\ieUnatt.exe
2009-04-12 00:50 . 2009-04-12 00:50122880----a-w-c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Google Update"="c:\users\Abc\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-06 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-06 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-06 81920]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-28 46704]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2006-12-18 77824]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-20 30192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
1-Click Answers.lnk - c:\program files\1-Click Answers\answers.exe [2009-3-18 806912]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-3-14 2756608]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-10 984352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21548352----a-w-c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"AUX"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcsREG_MULTI_SZ BthServ
HPZ12REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmtREG_MULTI_SZ hpqcxs08 hpqddsvc
WindowsMobileREG_MULTI_SZ wcescomm rapimgr
LocalServiceRestrictedREG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2010-01-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3006168838-3830565526-230390905-1000Core.job
- c:\users\Abc\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-04 01:36]

2010-01-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3006168838-3830565526-230390905-1000UA.job
- c:\users\Abc\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-04 01:36]

2009-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 16:22]

2009-05-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 16:22]

2010-01-23 c:\windows\Tasks\User_Feed_Synchronization-{5E106CD2-F4D7-455D-AD14-67F094C60969}.job
- c:\windows\system32\msfeedssync.exe [2008-09-23 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
IE: ADD to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Answers... - file://c:\program files\1-Click Answers\Html\atiemenu.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Linked&In Search
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - hxxp://download1.answers.com/pub/AnswersSetup.cab
DPF: {74F4F118-91E6-4AFC-B8D2-04066781F239} - hxxps://www.member-data.com/rdc/EZTwainX.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2124)
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Windows Media Player\wmplayer.exe
c:\windows\system32\wbem\unsecapp.exe
c:\progra~1\HEWLET~1\Shared\HPQTOA~1.EXE
c:\windows\ehome\ehmsas.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\progra~1\1-CLIC~1\agtserv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-01-22 23:12:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-23 04:12
ComboFix2.txt 2010-01-21 01:31
ComboFix3.txt 2010-01-19 03:25

Pre-Run: 8,400,478,208 bytes free
Post-Run: 8,400,031,744 bytes free

- - End Of File - - 5B68C4A01E0905193521FAB61A998087
Some of those files are persistent. Another script to run.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]KillAll::

File::
c:\temp\7zSC763.tmp

Folder::
C:\32788R22FWJFW
c:\temp\7zSC763.tmp


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in CASE it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

if anything its very little , i cannot SAY yes , WAIT for a malware EXPERT to CLEAR you , HARRY

Yes evilfantasy it looks like you are right. After running the Dr Web rescue cd, the machine will no longer boot, I get a blue SCREEN of death telling me windows is shutting down to keep from damaging the computer. I do have all of my pictures an other personal files on the second drive. I tunes is backed up right after my last purchase to a dvd. So I'm hoping it is all ok.

I am opening the box now to take that drive out physically. Then I will boot with the installation disk.This is my new hijack this log: As you see my install regressed to XP SP 1.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:39 PM, on 1/21/2010
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe 1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [lightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [lightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151198641555
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164587105921
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Adobe Active File MONITOR V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BroadWave Service (BroadWaveService) - Unknown owner - C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\DRIVER\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Ma-Config Service (maconfservice) - CybelSoft - C:\Program Files\ma-config.com\maconfservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe

--
End of file - 9966 bytes


[Saving space, attachment deleted by admin]Right now I am on hold again.What is that log from?One I ran about 5 minutes ago. Do I need to start at the first of the instruction sticky? I know I don't have any anti vir or anything right now.If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will PRODUCE a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFixLet me clarify. It's a HiJack This Log. I am following your instructions on combo fix right now.I've run in to a problem. Combo Fix tells me avg real time scanner is running, but AVG is supposed to be uninstalled. I haven't let Combo Fix Run. How do I stop it?Run this first. http://www.avg.com/download-toolsI had already run the uninstaller download. After i reinstalled I was back to SP1 which AVG 9 didn't like. I had to format and re-install the OS. That is giving me fits too. When Dell originally built this machine it had and IDE boot drive, one lightning strike later it it had a new motherboard and SATA boot drive. The restore disk doesn't have the drivers on board for the controller, setup cannot even find the drive. I opened the BIOS setup and changed the dive to IDE ( I don't know why I got away with this but I did), Booted from Cd then reformatted and re-installed the OS. I have an SP2 disk (freebie), I tried to run it but it hung up. I also tried update Via the internet but the updates wouldn't take. I have a retail version of XP Home so I booted from cd and installed it, it took the SP2 disk no problem. I did notice I have 2 partitions on the disk, one of them is only around really small.

My question is, could that be malware or virus?

I am also wondering if there is some way to get back to a Sata Drive. The guy that patched it up didn't give a driver disk for the motherboard, it's an MSI board but their homesite trips all kinds of warnings.
What should I do now as far as malware and virus scanning. The computer tech locally hooked the drive up ( I thought it was trashed) and ran Malware Bytes on it at his shop while it was out of the machine.

What should I do now?The smaller partition is likely a factory backup for the OS.

The other questions will need to be addressed in the Windows forum.

OK,
here is the combofix log! Thank you

ComboFix 10-01-14.02 - Mary Kate 01/19/2010 16:04:57.5.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.958.448 [GMT -5:00]
Running from: c:\users\Mary Kate\Downloads\ComboFix.exe
Command switches used :: c:\users\Mary Kate\Desktop\CFScript.txt
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-12-19 to 2010-01-19 )))))))))))))))))))))))))))))))
.

2010-01-19 21:18 . 2010-01-19 21:27--------d-----w-c:\users\Mary Kate\AppData\Local\temp
2010-01-19 21:18 . 2010-01-19 21:18--------d-----w-c:\users\Sega\AppData\Local\temp
2010-01-19 21:18 . 2010-01-19 21:18--------d-----w-c:\users\Public\AppData\Local\temp
2010-01-19 21:18 . 2010-01-19 21:18--------d-----w-c:\users\Default\AppData\Local\temp
2010-01-19 21:18 . 2010-01-19 21:18--------d-----w-c:\users\Guest\AppData\Local\temp
2010-01-19 21:02 . 2010-01-19 21:02--------d-----w-C:\32788R22FWJFW
2010-01-19 02:49 . 2010-01-19 02:49--------d-----w-c:\PROGRAM files\ESET
2010-01-13 03:53 . 2010-01-13 03:53--------d-----w-c:\windows\system32\config\systemprofile\{1d30e7a1-2a41-43cc-b339-46892ab7ddfd}
2010-01-12 23:50 . 2009-10-19 14:42156672----a-w-c:\windows\system32\t2embed.dll
2010-01-12 23:50 . 2009-10-19 14:3924064----a-w-c:\windows\system32\lpk.dll
2010-01-12 23:50 . 2009-10-19 14:3772704----a-w-c:\windows\system32\fontsub.dll
2010-01-12 23:50 . 2009-10-19 14:3710240----a-w-c:\windows\system32\dciman32.dll
2010-01-12 23:50 . 2009-10-19 14:3634304----a-w-c:\windows\system32\atmlib.dll
2010-01-12 23:50 . 2009-10-19 11:45289792----a-w-c:\windows\system32\atmfd.dll
2010-01-12 22:59 . 2010-01-12 22:59--------d-----w-c:\users\Mary Kate\AppData\Local\{6BAF7A6F-C530-45D9-9789-ECFAF9BFDDF2}
2010-01-11 18:09 . 2010-01-11 18:10--------d-----w-c:\users\Mary Kate\AppData\Local\{A8FFFAA9-FE10-424E-A3EB-69CCF85B4075}
2010-01-10 23:05 . 2007-08-29 03:06542720----a-w-c:\windows\system32\sysmain.dll
2010-01-10 23:04 . 2007-09-11 02:20356864----a-w-c:\windows\system32\MediaMetadataHandler.dll
2010-01-10 23:04 . 2009-08-31 15:16428032----a-w-c:\windows\system32\EncDec.dll
2010-01-10 23:04 . 2009-08-31 15:21292352----a-w-c:\windows\system32\psisdecd.dll
2010-01-10 23:04 . 2009-08-31 15:171244672----a-w-c:\windows\system32\mcmde.dll
2010-01-10 23:04 . 2007-10-26 11:14211000----a-w-c:\windows\system32\drivers\volsnap.sys
2010-01-10 23:04 . 2008-01-19 05:08109624----a-w-c:\windows\system32\drivers\ataport.sys
2010-01-10 23:04 . 2008-01-19 05:0745112----a-w-c:\windows\system32\drivers\pciidex.sys
2010-01-10 23:04 . 2008-01-19 05:0621560----a-w-c:\windows\system32\drivers\atapi.sys
2010-01-10 23:04 . 2008-01-19 05:0615928----a-w-c:\windows\system32\drivers\pciide.sys
2010-01-10 23:04 . 2008-01-19 03:06154624----a-w-c:\windows\system32\drivers\nwifi.sys
2010-01-10 23:04 . 2008-10-21 05:161645568----a-w-c:\windows\system32\connect.dll
2010-01-10 23:02 . 2009-08-29 03:411686528----a-w-c:\windows\system32\gameux.dll
2010-01-10 23:02 . 2009-08-29 03:4028672----a-w-c:\windows\system32\Apphlpdm.dll
2010-01-10 23:02 . 2009-08-28 23:314247552----a-w-c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-10 22:58 . 2007-01-26 03:00974336----a-w-c:\windows\system32\crypt32.dll
2010-01-10 22:56 . 2009-09-10 15:29311296----a-w-c:\windows\system32\unregmp2.exe
2010-01-10 22:56 . 2009-09-10 17:397680----a-w-c:\windows\system32\spwmp.dll
2010-01-10 22:55 . 2009-09-10 17:404096----a-w-c:\windows\system32\dxmasf.dll
2010-01-10 22:55 . 2009-09-10 15:298147968----a-w-c:\windows\system32\wmploc.DLL
2010-01-10 22:01 . 2010-01-10 22:01--------d-----w-c:\users\Mary Kate\AppData\Local\{C6E8522D-C5C1-4F4B-89A5-77A2C5760C1F}
2010-01-10 18:58 . 2010-01-10 18:58--------d-----w-c:\users\Mary Kate\AppData\Local\{9E06EAA5-533A-4F87-B916-9597182D73BE}
2010-01-10 12:49 . 2010-01-10 12:49--------d-----w-c:\users\Mary Kate\AppData\Local\{2FADB93F-5DB7-4BD9-A96D-E633F27F0DDF}
2010-01-10 06:36 . 2010-01-10 06:36--------d-----w-c:\users\Mary Kate\AppData\Local\{0B3977F2-E717-4456-BD6B-947A79D1F1E8}
2010-01-10 03:34 . 2010-01-10 03:34--------d-----w-c:\programdata\SUPERAntiSpyware.com
2010-01-10 03:33 . 2010-01-10 03:34--------d-----w-c:\program files\SUPERAntiSpyware
2010-01-10 03:33 . 2010-01-10 03:33--------d-----w-c:\users\Mary Kate\AppData\Roaming\SUPERAntiSpyware.com
2010-01-10 03:31 . 2010-01-10 03:31--------d-----w-c:\program files\Common Files\Wise Installation Wizard
2010-01-09 23:53 . 2010-01-09 23:53--------d-----w-c:\users\Mary Kate\AppData\Local\{478113E6-71FE-4C2A-AEC3-0AD2E4930CD7}
2010-01-09 21:09 . 2010-01-09 21:09--------d-----w-c:\users\Mary Kate\AppData\Local\{9B2F4782-907F-4245-B4EA-2B37CE798041}
2010-01-09 17:38 . 2010-01-09 17:38--------d-----w-c:\users\Mary Kate\AppData\Local\{F5FF984D-C90C-488B-B3E8-5FB4C604CA40}
2010-01-09 17:13 . 2010-01-09 17:13--------d-----w-c:\users\Mary Kate\AppData\Roaming\Malwarebytes
2010-01-09 17:13 . 2010-01-07 21:0738224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-09 17:12 . 2010-01-09 17:12--------d-----w-c:\programdata\Malwarebytes
2010-01-09 17:12 . 2010-01-09 17:13--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2010-01-09 17:12 . 2010-01-07 21:0719160----a-w-c:\windows\system32\drivers\mbam.sys
2010-01-09 16:20 . 2010-01-09 16:20--------d-----w-c:\users\Mary Kate\AppData\Local\{11C626D8-64DD-4B50-BE50-F6A91DD40781}
2010-01-09 16:08 . 2010-01-09 16:07411368----a-w-c:\windows\system32\deploytk.dll
2010-01-09 14:39 . 2010-01-09 14:39--------d-----w-c:\users\Mary Kate\AppData\Local\{223AC774-2053-4D95-A2BA-19D17C2633F8}
2010-01-08 15:30 . 2010-01-08 15:30--------d-----w-c:\users\Mary Kate\AppData\Local\{63F192F2-6498-43DF-B8A6-A4F8D2DE063C}
2010-01-07 22:29 . 2010-01-07 22:29--------d-----w-c:\users\Mary Kate\AppData\Local\{2188F2C8-523D-42AB-BA98-DA8275A137E1}
2010-01-07 16:30 . 2010-01-07 22:21--------d-----w-c:\program files\Windows Live Safety Center
2010-01-07 01:39 . 2010-01-07 01:39--------d-----w-c:\users\Mary Kate\AppData\Local\{8B0F77DB-0DB8-4628-9DF8-C434ACC6443F}
2010-01-06 17:43 . 2010-01-06 18:09--------d-----w-c:\users\Mary Kate\AppData\Local\ElevatedDiagnostics
2010-01-06 17:38 . 2010-01-06 17:38--------d-----w-c:\program files\Microsoft ATS
2010-01-04 04:49 . 2010-01-04 04:49--------d-----w-c:\users\Mary Kate\AppData\Local\{17F531F5-BD41-438B-805F-EAD27BE2352D}
2010-01-03 04:16 . 2010-01-12 22:590----a-w-c:\users\Mary Kate\AppData\Local\Tkuki.bin
2010-01-03 04:16 . 2010-01-11 23:01120----a-w-c:\users\Mary Kate\AppData\Local\Amupova.dat
2010-01-03 01:33 . 2010-01-03 01:33--------d-----w-c:\program files\Belkin
2010-01-03 01:32 . 2010-01-09 17:37--------d-----w-c:\windows\{D9FAE986-A4C1-4A2D-8B20-60F92F4222AD}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-19 21:00 . 2009-12-03 02:50--------d-----w-c:\program files\Trend Micro
2010-01-19 20:03 . 2007-05-28 01:1225515----a-w-c:\users\Mary Kate\AppData\Roaming\nvModes.dat
2010-01-14 16:12 . 2009-10-02 20:48181120------w-c:\windows\system32\MpSigStub.exe
2010-01-13 15:44 . 2006-11-02 11:18--------d-----w-c:\program files\Windows Mail
2010-01-11 17:59 . 2006-11-02 12:37--------d-----w-c:\program files\Windows Calendar
2010-01-11 17:58 . 2006-11-02 12:37--------d-----w-c:\program files\Windows Defender
2010-01-10 02:46 . 2007-06-04 21:59--------d-----w-c:\programdata\Viewpoint
2010-01-09 16:07 . 2007-01-19 01:10--------d-----w-c:\program files\Java
2010-01-07 22:31 . 2007-05-27 15:1192456----a-w-c:\users\Mary Kate\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-03 01:34 . 2007-01-19 00:10--------d--h--w-c:\program files\InstallShield Installation Information
2009-12-20 00:21 . 2009-12-20 00:20--------d-----w-c:\users\Mary Kate\AppData\Roaming\GTek
2009-12-19 00:49 . 2008-11-04 03:461356----a-w-c:\users\Mary Kate\AppData\Local\d3d9caps.dat
2009-12-13 15:18 . 2007-06-04 20:4020274----a-w-c:\users\Mary Kate\AppData\Roaming\wklnhst.dat
2009-12-12 23:30 . 2009-12-12 22:34--------d-----w-c:\programdata\Lavasoft
2009-12-12 22:35 . 2009-12-12 22:17--------dc-h--w-c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-12 22:34 . 2009-12-12 22:34--------d-----w-c:\program files\Lavasoft
2009-12-11 02:17 . 2009-12-11 02:17--------dc----w-c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-11 01:30 . 2009-12-11 01:30--------d-----w-c:\programdata\AVP 2009
2009-12-03 02:34 . 2008-08-28 17:17--------d-----w-c:\programdata\avg8
2009-12-02 13:19 . 2009-12-12 23:3064288----a-w-c:\windows\system32\drivers\Lbd.sys
2009-12-02 13:19 . 2009-12-13 07:3415880----a-w-c:\windows\system32\lsdelete.exe
2009-11-09 13:34 . 2009-12-11 03:1224064----a-w-c:\windows\system32\nshhttp.dll
2009-11-09 13:30 . 2009-12-11 03:1131232----a-w-c:\windows\system32\httpapi.dll
2009-11-09 11:17 . 2009-12-11 03:11396800----a-w-c:\windows\system32\drivers\http.sys
2009-10-29 07:59 . 2009-12-02 04:412048----a-w-c:\windows\system32\tzres.dll
2009-10-27 15:05 . 2009-12-11 02:35832512----a-w-c:\windows\system32\wininet.dll
2009-10-27 15:01 . 2009-12-11 02:3556320----a-w-c:\windows\system32\iesetup.dll
2009-10-27 15:01 . 2009-12-11 02:3578336----a-w-c:\windows\system32\ieencode.dll
2009-10-27 14:59 . 2009-12-11 02:3572704----a-w-c:\windows\system32\admparse.dll
2009-10-27 12:27 . 2009-12-11 02:3526624----a-w-c:\windows\system32\ieUnatt.exe
2009-10-27 10:56 . 2009-12-11 02:3548128----a-w-c:\windows\system32\mshtmler.dll
2007-06-28 20:43 . 2007-06-28 20:43774144----a-w-c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-15 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-01-17 1006264]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-11-27 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-27 7757824]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-12-03 167936]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-12-04 46704]
"KMCONFIG"="c:\program files\Mouse Driver\StartAutorun.exe" [2007-03-06 212992]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-01-10 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe [2007-1-18 34520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:1639792----a-w-c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2007-04-03 13:54753664----a-w-c:\windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-06-02 15:13267048----a-w-c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 14:50413696----a-w-c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-01-19 01:1177824----a-w-c:\program files\Java\jre1.6.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-06-15 23:11185896----a-w-c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2009-09-04 17:16158448----a-w-c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [12/12/2009 6:30 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\Mouse Driver\KMWDSrv.exe [4/5/2007 10:29 AM 208896]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [3/22/2007 6:04 PM 9728]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 8:19 AM 1181328]
R2 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 3:29 AM 29178224]
S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\System32\drivers\athrusb.sys [1/29/2007 8:56 PM 451072]
S3 rcmirror;rcmirror;c:\windows\System32\drivers\rcmirror.sys [12/14/2007 12:48 PM 5120]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\System32\drivers\TM_CFW.sys [4/20/2007 5:44 PM 307984]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Mary Kate\AppData\Roaming\Mozilla\Firefox\Profiles\8eegdjyd.default\
FF - plugin: c:\program files\CambridgeSoft\ChemOffice2008\Chem3D\npChem3DPlugin.dll
FF - plugin: c:\program files\CambridgeSoft\ChemOffice2008\ChemDraw\NPCDP32.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\users\Mary Kate\AppData\Local\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\users\Mary Kate\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-19 16:25
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WUDFHost.exe
c:\windows\System32\rundll32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\System32\rundll32.exe
c:\program files\Mouse Driver\KMConfig.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Mouse Driver\KMProcess.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Zune\ZuneNss.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\lpremove.exe
c:\windows\system32\lpksetup.exe
.
**************************************************************************
.
Completion time: 2010-01-19 16:42:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-19 21:41
ComboFix2.txt 2010-01-14 23:27
ComboFix3.txt 2010-01-14 22:25
ComboFix4.txt 2010-01-13 17:42
ComboFix5.txt 2010-01-19 21:02

Pre-Run: 34,275,840,000 bytes free
Post-Run: 34,208,948,224 bytes free

- - End Of File - - 2190D2E7CF078A1962618EFEA1D5FC2A
Download GMER Rootkit Detector and save it your desktop.

* Extract it to your desktop and double-click GMER.exe
* Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".
* Click the Rootkit tab and then Scan.
* Don't check the Show All box while scanning in progress!
* When scanning is finished click Copy.
* This copies the log to clipboard
* Post the log in your reply.Hi, I TRIED doing the gmer rootkit scan twice. Both times I got the crash dump blue screen after more than an hour. It said: page_fault_nonpage_areaThat's about the third time that has happened. I'll have to check what's wrong with the program. I'll be back.OK, thank youTry running this before the GMer Rootkit scan to see if it makes any difference. BTW, I tried Gmer on my computer. It ran ok but I stopped it in mid-scan. When I tried to save the log, it froze my computer.

Download DeFogger by jpshortstuffand save it to your desktop.

* Double click DeFogger.exe to run the tool.
* The application window will appear.
* Click the Disable button to disable your CD Emulation drivers
* Click Yes to continue.
* A 'Finished!' message will appear.
* Click OK.
* DeFogger will now ask to reboot the machine...click OK.

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

To re-enable your Emulation drivers, double click DeFogger to run the tool.

* The application window will appear.
* Click the Re-enable button to re-enable your CD Emulation drivers.
* Click Yes to continue.
* A 'Finished!' message will appear.
* Click OK
* DeFogger will now ask to reboot the machine, click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.Sadly, that did not work. I followed the defogger steps, but when I ran gmer, I got the blue screen again.
Page_fault_in_nonpaged_area
0x00000050 (0x8C800000B, 0x00000000, 0x9583oF60, 0x00000000)
ThanksOk. Follow the directions to re-enable your emulation drivers as described in the previous post. I'll check this out further and be back when I have more information.OK!
How is your computer working now? Any redirects?I've been the internet pretty frequently over the last couple of days and have not stumbled across any redirects, which is great. I've also noticed a couple other minor problems I was having have disappeared. Ok. If there are no other issues we'll do some clean-up. You can uninstall HJT, delete Defogger, Gmer Rootkit detector and ESET. You can keep SAS and MBAM. Update them and run them about once a week depending on your internet activity.
-----------------------------------------------------------------------------------------------------------------------
* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

* The above PROCEDURE will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.
-------------------------------------------------------------------------------------------------
Clean out your TEMPORARY internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
----------------------------------------------------------------------------------------------------------
Use the Secunia Software Inspector to check for out of date software.

•Click Start Now

•Check the box next to Enable thorough system inspection.

•Click Start

•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and UNRELIABLE shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smooth.
Safe Surfing!OK, thanks a lot for all of your help!!

Hi
Hope someone can help

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (Rogue.ControlCenter) -> QUARANTINED and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> BAD: (1) Good: (0) -> Quarantined and deleted successfully.

After malware byte deletes these ENTRIES my antivirus (mse) stops working.
Is malware bytes flagging these entries wrongly, they appear to have something to do with mse.
Thanks.
Could you please go to this link and follow the directions and post the required logs. That way, we'll have a better idea what we're dealing with. We will need the SAS, MBAM and HJT logs.

I am having the following problems:

This is the first problem i noticed
searching using yahoo when i click on the search result i want I do not get sent to the one i selected I get redirected to off the wall sites
i able able to enter the http in the address bar and i have no problem. I use firefox.

i am getting a pop saying that my computer is being attacked by viruses and then it pops up a fake My Computer page

my right click menu stopped working

i have been using MP3 Rocket with no problems for over two years but since yesterday i have been unable to open the application. i have went and uninstalled it and re installed it just like i have done before,..i can download and install it but can not open it to finish to set up.. i even tried to install a older vision but nothing


The computer is many used for pictures, downloading music and movies, burning music cds, using the internet to socialize, search, email, some shopping and kid's games and watching movies that we download.

Norton shows no viruses

windows xp home edition version 2002 service pack 2.
intel(R), Celeron(R) CPU2.20 GHz, 768MB of RAM

i have 8.16 GB of free space and total size is 38.2

i am using Norton SYSTEMWORKS 2003 professional Edition

here are my logs

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/20/2010 at 01:05 PM

Application Version : 4.33.1000

Core Rules Database Version : 4496
Trace Rules Database Version: 2310

Scan type : Complete Scan
Total Scan Time : 03:38:13

Memory items scanned : 500
Memory threats detected : 0
Registry items scanned : 4305
Registry threats detected : 0
File items scanned : 68598
File threats detected : 12

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/21/2010 at 05:20 AM

Application Version : 4.33.1000

Core Rules Database Version : 4496
Trace Rules Database Version: 2310

Scan type : Complete Scan
Total Scan Time : 01:41:44

Memory items scanned : 441
Memory threats detected : 0
Registry items scanned : 4524
Registry threats detected : 0
File items scanned : 65998
File threats detected : 2

Adware.Tracking Cookie
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/22/2010 at 11:48 AM

Application Version : 4.33.1000

Core Rules Database Version : 4496
Trace Rules Database Version: 2310

Scan type : Complete Scan
Total Scan Time : 01:43:06

Memory items scanned : 432
Memory threats detected : 0
Registry items scanned : 4537
Registry threats detected : 0
File items scanned : 67469
File threats detected : 0

Malwarebytes' Anti-Malware 1.41
Database version: 3205
Windows 5.1.2600 Service Pack 2

1/20/2010 9:51:49 AM
mbam-log-2010-01-20 (09-51-49).txt

Scan type: Quick Scan
Objects scanned: 98587
Time elapsed: 36 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Adware.Seekmo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\My Documents\downloads\setup.exe (Adware.Seekmo) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

1/22/2010 12:09:24 PM
mbam-log-2010-01-22 (12-09-24).txt

Scan type: Quick Scan
Objects scanned: 102805
Time elapsed: 9 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:12 PM, on 1/22/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=13116&gct=&gc=1&q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /scheduler /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.LNK = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\apitrap.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AUTOMATIC LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9682 bytes

here is the report after i defragmented last night
Volume (C:)
Volume size = 38.28 GB
Cluster size = 4 KB
Used space = 30.11 GB
Free space = 8.17 GB
Percent free space = 21 %

Volume fragmentation
Total fragmentation = 16 %
File fragmentation = 33 %
Free space fragmentation = 0 %

File fragmentation
Total files = 68,916
Average file size = 572 KB
Total fragmented files = 13
Total excess fragments = 3,296
Average fragments per file = 1.04

Pagefile fragmentation
Pagefile size = 1.13 GB
Total fragments = 1

Folder fragmentation
Total folders = 5,173
Fragmented folders = 1
Excess folder fragments = 0

Master File Table (MFT) fragmentation
Total MFT size = 112 MB
MFT record count = 74,261
Percent MFT in use = 64 %
Total MFT fragments = 3

--------------------------------------------------------------------------------
Fragments File Size Files that cannot be defragmented
14 655 MB \Documents and Settings\Owner\Shared\Tom & Jerry Collection (14 cartoons).avi
42 697 MB \Documents and Settings\Owner\Shared\The.Sound.Of.Music 1.avi
18 699 MB \Documents and Settings\Owner\Shared\The.Sound.Of.Music.1965.DVDRip.MP3.DivX-WRD.CD2.avi
16 699 MB \Documents and Settings\Owner\Shared\P90X Beachbody - Turbo Jam - 20 Minute Workout.avi
17 700 MB \Documents and Settings\Owner\Shared\Horton.Hears.A.Who![2008]DvDrip-aXXo.avi
23 700 MB \Documents and Settings\Owner\Shared\Alvin and The CHIPMUNKS and The Chipettes (2009) DVDRip Occor avi.avi
44 701 MB \Documents and Settings\Owner\Shared\Alvin.And.The.Chipmunks.2007.DvDRip.Eng-FxM.avi
17 701 MB \Documents and Settings\Owner\Shared\Wall-E @ 2008 -Disney Pixar - FULL movie(dvd).avi
16 728 MB \Documents and Settings\Owner\Shared\P90X - Part 1 - Chest And Back.mpg
22 773 MB \Documents and Settings\Owner\Incomplete\T-810313728-Red Light District - Out Numbered 2 Cd1 (Lucy Lee,Jessica Fiorentino,Stacy Silver,Karma,Sandra Romain).mpg
3,051 773 MB \Documents and Settings\Owner\Shared\Red Light District - Out Numbered 2 Cd1 (Lucy Lee,Jessica Fiorentino,Stacy Silver,Karma,Sandra Romain).mpg
21 1.75 GB \Documents and Settings\Owner\Shared\Tyler Perry's - I Can Do Bad All By Myself.avi

I hope that i have included everything you need to help me. I do appreciate all the work yall do.

Thank You so MUCH

I am USING Windows Xp, and downloaded. kav_rescue_2008
then burned it with Active ISO Burner.

Now I am getting this...

Unknown keyword in configuration FILE: f 'f.C>

Could not find kernel image: linux

boot:

What are you trying to do?Quote from: Carbon Dudeoxide on January 21, 2010, 08:12:55 PM

What are you trying to do?

Then it looks like you're fine.

If not, download an antivirus (such as AVG Free).

I have about 23 folders in my USB flash drive. When I double click to one of these folders it disapears. And I did the same THING to another FOLDER. The same thing HAPPENED. So I enabled the system files to be appeared in the folder OPTIONS. But that folder cannot be found. Please help me with this issue.

Thank you.

A RIPPER virus has taken over my computer. I am told by my pc that it doesn't detect my modem, CD-ROM Drive, CD-RW Drive, and until I did a quickrestore it changed my display settings to the lowest settings possible, then it changed it back when I tried to correct it. Now the only Disk Drive my pc detects is the Floppy Drive. I can't reboot it because it freezes my pc when I try to create a BOOT up diskette. Can someone please help. If so I would Really appreciate it. I am going to check for replies everyday until one works. THANK You for your time!!! http://vil.nai.com/vil/content/v_1037.htmRlCowboy02.....How did you determine that is a the "Ripper " virus....? If thats what it is you willl probably have to D/L the tool that merlin has pointed you at and put it on a cd as opposed to a floppy ........boot your P/C up in Safe Mode ......and the cd drives should be seen .......run the removal tool and you should be RID of it . The odd thing is if its ripper , thats a old virus, it funny your anti virus didnt catch it.....is it current ?
let us know ...

dl65 It needs to be updated. Bad. I did the restore thing so it is the 1999 version virus scan that It came with that I have.RLCowboy....so is your machine running ok now and have you replaced your Anti virus with something thats current ?

dl65 lol you guys dont have WINDOWS 7....shame....rock solid ahahahaWHY have you OPENED a topic nearly 6 years old

Just ran into a problem today. didnt DOWNLOAD ANYTHING or go on any wrong sites. it happened while i was on youtube. I got this program that showed up in my icons at the bottom right called "INTERNET Security 2010". Im like oh great not this again. \so my background gets changed to keep my attention. Every like minute some pop up comes up from it " please update your anitvirus software" "your computer is infected". Ran a virus scan with avast and nothing came up. I had this happen to me before and i cant remember what i had to do but i remember is had to do with hijack this and regestry junk. Ill post what I got from Hijack this. BTW It wont let me open notepad or task manager. Code: [Select]Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 10:42:57 PM, on 19/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\smss32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InternetSecurity2010\IS2010.exe
C:\WINDOWS\system32\igfxext.exe
C:\DOCUME~1\TYLERL~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\DAEMON Tools Pro\DTProShellHlp.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=1208&m=aoa150
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=1208&m=aoa150
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=1208&m=aoa150
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=1208&m=aoa150
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [PLFSetL] C:\WINDOWS\PLFSetL.exe
O4 - HKLM\..\Run: [snp2uvc] C:\WINDOWS\vsnp2uvc.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 7764 bytesInternet Security 2010 is a rogue antivirus program. Over the past year, there have been many variants of these fake antivirus programs. I haven't been able to determine what the software is attempting to do but the best thing to do is FORMAT your computer and reload your O/S. You can attempt to remove the trojan but this is very advanced malware and there will probably STILL be remnants of the trojan hiding in the registry.Quote from: tmoe30 on January 20, 2010, 02:17:23 AM

Internet Security 2010 is a rogue antivirus program. Over the past year, there have been many variants of these fake antivirus programs. I haven't been able to determine what the software is attempting to do but the best thing to do is format your computer and reload your O/S. You can attempt to remove the trojan but this is very advanced malware and there will probably still be remnants of the trojan hiding in the registry.

Can you refer me to a good freeware av BOOT cd DOWNLOAD?HTTP://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-GB%3Aofficial&hs=QWv&q=dowlnoad+boot+time+av&aq=f&aql=&aqi=&oq=Boot Time, ok THANKS.

Getting this all the time, unhandled win32 exception occurred in svchost.exe, comes up in Visual Studio JIT Debugger.
If I kill the message it either reboots or hibernates the system. Sometimes comes back with no icons and I have to remove power and bettery to power off in order to reboot
I now have no network connectivity, LAN is disabled & will not enable, Wireless has nothing in the list when I refresh network list. Even tried my verizon wireless card which worked for a short while but no more
Have run Symantec with live UPDATE of 1/8/10 in both normal & safe more, nothing found. Managed to load and do deep scan using root analyzer but nothing there either.
Event VIEWER gives me no joy, just lots of informational messges with no real useful conent
I think it's a trojan but where to start to put it back together?

Anyone offer advise / help
go to a clean pc and do this

Download a boot time anti virus scanner (pick one: http://www.google.com/search?hl=en&rlz=1T4GGLL_enUS304US305&ei=WHFCS-DZLMW8lAeTsP2fBw&sa=X&oi=spell&resnum=0&ct=result&cd=1&ved=0CAYQBSgA&q=download+boot+time+av+scanner&spell=1). Burn it to a cd and put the cd in the infected COMPUTER. Make sure the cd is at the top of the boot order in bios, then boot to the cd and run the scan.I have DOWNLOADED on a different PC but it needs to be installed, how do I install so I can run from a CD? I'm guessing but I assume something like Avast will insert ITEMS into registry etcGo to this link to create a Rescue CD or to this site to create a Rescue USB. Carefully follow all the instructions for whichever method you choose.

It appears that my machine has caught an infection, and I am having difficulty cleaning it. This bug appears to be blocking my attempts to download ComboFix from the three known mirrors for the download. On the first attempt, my anti-virus pops up and DELETES the ComboFix download, calling it "WIN32/SillyDl.PRR". On subsequent attempts, Firefox says that it cannot make the connection to the website.

Attached are my logs from SAS, MBAM, and HJT.

Any help you can provide would be rather... um... helpful

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/28/2009 at 04:17 AM

Application Version : 4.32.1000

Core Rules Database Version : 4415
Trace Rules Database Version: 2243

Scan type : Complete Scan
Total Scan Time : 00:41:11

Memory items scanned : 438
Memory threats detected : 0
Registry items scanned : 6080
Registry threats detected : 0
File items scanned : 65680
File threats detected : 2

Trojan.Agent/Gen-PEC
C:\WINDOWS\PEV.EXE

Adware.CouponBar
C:\WINDOWS\SYSTEM32\CPNPRT2.CID


Malwarebytes' Anti-Malware 1.42
Database version: 3443
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/28/2009 2:40:02 AM
mbam-log-2009-12-28 (02-40-02).txt

Scan type: Quick Scan
Objects scanned: 121351
Time elapsed: 3 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner.VICTOR\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\notepad.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.VICTOR\Local Settings\temp\ntload.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.VICTOR\ntload.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.VICTOR\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.VICTOR\Local Settings\temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:04 AM, on 12/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [cctray] C:\Program Files\CA\CA Internet Security Suite\casc.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [CAPPActiveProtection] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1645522239-73586283-725345543-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ASP.NET STATE Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 5741 bytes


[Saving space, attachment deleted by admin]Download on a different system and transfer to yours.Downloaded ComboFix on my laptop and emailed it to myself. I was able to get it to run; however, I still believe I have a problem. I still can't download ComboFix on the infected computer. Included is the output from my combofix run.

ComboFix 09-12-27.02 - Owner 12/28/2009 12:58:35.6.2 - x86
Running from: c:\documents and settings\Owner.VICTOR\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
.

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-28 )))))))))))))))))))))))))))))))
.

2009-12-28 08:29 . 2009-12-28 08:29--------d-----w-c:\program files\CCleaner
2009-12-28 08:04 . 2009-12-28 08:0452224----a-w-c:\documents and settings\Owner.VICTOR\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-28 08:04 . 2009-12-28 08:04117760----a-w-c:\documents and settings\Owner.VICTOR\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-28 08:04 . 2009-12-28 08:04--------d-----w-c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-28 08:04 . 2009-12-28 08:04--------d-----w-c:\program files\SUPERAntiSpyware
2009-12-28 08:04 . 2009-12-28 08:04--------d-----w-c:\documents and settings\Owner.VICTOR\Application Data\SUPERAntiSpyware.com
2009-12-28 08:03 . 2009-12-28 08:03--------d-----w-c:\program files\Common Files\Wise Installation Wizard
2009-12-28 07:57 . 2009-12-28 08:02152576----a-w-c:\documents and settings\Owner.VICTOR\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-28 07:35 . 2009-12-28 07:35--------d-----w-c:\documents and settings\Owner.VICTOR\Application Data\Malwarebytes
2009-12-28 07:35 . 2009-12-03 21:1438224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-28 07:35 . 2009-12-28 07:35--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-28 07:35 . 2009-12-28 07:35--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2009-12-28 07:35 . 2009-12-03 21:1319160----a-w-c:\windows\system32\drivers\mbam.sys
2009-12-28 06:42 . 2009-12-28 06:42--------d--h--w-c:\windows\PIF
2009-12-28 03:31 . 2009-12-28 08:32--------d-----w-c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-28 03:31 . 2009-12-28 03:35--------d-----w-c:\program files\Spybot - Search & Destroy
2009-12-16 04:09 . 2009-12-16 04:094096----a-w-c:\windows\d3dx.dat
2009-12-16 04:09 . 2009-12-16 04:09--------d-----w-c:\documents and settings\All Users\Application Data\Digital Praise
2009-12-16 04:03 . 2009-12-16 04:03--------d-----w-c:\program files\Digital Praise

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-28 08:03 . 2009-05-04 00:34411368----a-w-c:\windows\system32\deploytk.dll
2009-12-28 08:02 . 2009-11-28 00:0179488----a-w-c:\documents and settings\Owner.VICTOR\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-28 07:58 . 2009-05-04 00:34--------d-----w-c:\program files\Java
2009-12-28 06:03 . 2008-12-26 22:59--------d-----w-c:\documents and settings\Owner.VICTOR\Application Data\uTorrent
2009-12-23 22:17 . 2008-12-08 04:23--------d--h--w-c:\program files\InstallShield Installation Information
2009-11-28 00:01 . 2009-03-04 03:08111856----a-w-c:\windows\system32\isafprod.dll
2009-11-25 03:53 . 2009-11-25 03:50--------d-----w-c:\program files\Wings Over Europe
2009-11-23 00:09 . 2008-12-09 03:26--------d-----w-c:\program files\Sierra
2009-11-22 23:49 . 2009-11-22 23:49--------d-----w-c:\documents and settings\Owner.VICTOR\Application Data\Command & Conquer 3 Tiberium Wars
2009-11-13 02:36 . 2009-11-13 02:25--------d-----w-c:\documents and settings\Owner.VICTOR\Application Data\Juniper Networks
2009-11-13 02:25 . 2009-11-13 02:2537021----a-w-c:\documents and settings\Owner.VICTOR\Application Data\Juniper Networks\setup\uninstall.exe
2009-11-13 02:25 . 2009-11-13 02:25--------d-----w-c:\documents and settings\All Users\Application Data\Juniper Networks
2009-11-08 03:56 . 2009-11-08 03:56--------d-----w-c:\program files\Hasbro Interactive
2009-10-29 17:09 . 2009-03-04 03:08739696----a-w-c:\windows\system32\drivers\vetefile.sys
2009-10-29 17:09 . 2009-03-04 03:0826352----a-w-c:\windows\system32\drivers\vet-filt.sys
2009-10-29 17:09 . 2009-03-04 03:0821488----a-w-c:\windows\system32\drivers\vetfddnt.sys
2009-10-29 17:09 . 2009-03-04 03:0821104----a-w-c:\windows\system32\drivers\vet-rec.sys
2009-10-29 17:09 . 2009-03-04 03:08161008----a-w-c:\windows\system32\drivers\vetmonnt.sys
2009-10-29 17:09 . 2009-03-04 03:08133520----a-w-c:\windows\system32\drivers\veteboot.sys
2009-10-29 07:45 . 2006-02-28 12:00916480------w-c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2006-02-28 12:0075776----a-w-c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2006-02-28 12:0025088----a-w-c:\windows\system32\httpapi.dll
2009-10-20 21:49 . 2009-03-24 02:2668648----a-w-c:\documents and settings\Owner.VICTOR\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-20 16:20 . 2006-02-28 12:00265728----a-w-c:\windows\system32\drivers\http.sys
2009-10-13 12:45 . 2009-03-31 23:021541416----a-w-c:\documents and settings\All Users\Application Data\CA\Consumer\AV\tmp\vete_tmp.dll
2009-10-13 10:30 . 2006-02-28 12:00270336----a-w-c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2006-02-28 12:00149504----a-w-c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2006-02-28 12:0079872----a-w-c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="c:\program files\CA\CA Internet Security Suite\casc.exe" [2009-11-11 374000]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-11-28 271600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"CAPPActiveProtection"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe" [2009-02-15 324848]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-28 149280]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21548352----a-w-c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-06-06 20:4679368----a-w-c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

S0 KmxStart;KmxStart;c:\windows\System32\DRIVERS\kmxstart.sys [2009-01-05 107512]
S1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys [2008-11-18 72696]
S2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [2009-11-11 128240]
S3 KmxCfg;KmxCfg;c:\windows\system32\DRIVERS\kmxcfg.sys [2008-12-12 205304]
S3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2009-02-15 222448]

.
------- Supplementary Scan -------
.
uStart Page = www.yahoo.com/
LSP: c:\windows\system32\VetRedir.dll
FF - ProfilePath - c:\documents and settings\Owner.VICTOR\Application Data\Mozilla\Firefox\Profiles\3fwv3dha.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-28 13:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1645522239-73586283-725345543-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:85,f6,c4,aa,69,14,e7,25,b1,86,3b,13,3e,ee,37,b0,03,da,26,24,67,6e,62,
7f,7a,e2,e1,fa,86,e8,9e,d7,43,b6,24,de,1d,78,ec,e7,da,21,5e,cb,be,58,45,8a,\
"??"=hex:69,6f,5c,46,6a,89,f9,ee,2d,48,e0,10,87,42,1e,12

[HKEY_USERS\S-1-5-21-1645522239-73586283-725345543-1006\Software\SecuROM\License information*]
"datasecu"=hex:cf,87,57,42,04,39,5c,cb,64,97,27,d9,b7,9e,e3,28,ec,cf,09,18,cb,
f3,45,62,90,ed,01,17,38,61,26,88,12,ed,b1,b4,29,b2,1b,4e,93,6b,85,8f,85,97,\
"rkeysecu"=hex:14,53,cf,21,8e,0b,7b,e8,17,15,a9,b0,01,ce,5b,49
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1404)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(1724)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(2848)
c:\windows\system32\WININET.dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-12-28 13:01:41
ComboFix-quarantined-files.txt 2009-12-28 18:01
ComboFix2.txt 2009-12-28 17:52
ComboFix3.txt 2009-07-09 02:53

Pre-Run: 243,469,676,544 bytes free
Post-Run: 243,459,395,584 bytes free

- - End Of File - - FD521EC8A7D771D97A384333ED61C98F
Hi. Sorry for the delay. I'm waiting to check over your logs with my MENTOR. I hope this is not too much of a bother for you.where can i find the installation code because my keygen wont load?Install code for what? Combofix is free and does not need a key. Also, we do not approve the use of software such as keygens in this forum, so you won't find any help about THAT here.Hello jesusknight. I hope that you're not tired of waiting. I'm still working on your problem and I will post a fix for you ASAP.I'm back. Sorry for the delay. I noticed in your HJT log that you are running a P2P file-sharing program ( uTorrent) on your computer. While the program itself is probably safe, the files you download with this program are a major source of infections. Therefore, I strongly urge you to uninstall it.

Please delete ComboFix from your desktop and install a new version.

Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

link # 1
Link # 2

**Note: It is important that it is saved directly to your Desktop

DO NOT run it yet!

[/COLOR]Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]KillAll::

File::
c:\windows\d3dx.dat
c:\documents and settings\Owner.VICTOR\Local Settings\Application Data\GDIPFONTCACHEV1.DAT


3. Go to the Notepad WINDOW and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

SD, just wanted you to know I haven't forgotten what you've asked me to do, downloading Security Check. We've had a serious illness in the FAMILY and I will do it as soon as I have time. I was on computer checking email and thought I'd let you know that I know I still need to do this. I'll get back with you. Thanks!
I understand. Family comes first. Here's HOPING everything works out ok.Here you are SD:

Results of screen317's Security Check version 0.99.1
Windows Vista Service Pack 2 (UAC is enabled)
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
ESET Online Scanner v3
F-Secure Anti-Virus 2010
WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other UTILITIES Check:
SUPERAntiSpyware Free Edition
CCleaner
Java(TM) 6 Update 17
Adobe Flash Player 10
Adobe Reader 9.2
``````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSASCui.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````



Do I leave SuperAntivirus, Anti-Malware, ccsetup227 and CCleaner on computer? Or delete or uninstall where necessary? Thanks for all your help.
Hello Debby. I hope everything is well with you and your family. At the present time you have F-Secure as your AV program. If you want to dump this, you will have to install another AV program. I'll attach a list of free AV's you can DOWNLOAD and install. You are using Windows Firewall which is not very good. Attached you will find a list of free third-party Firewalls. Only install one. The problem with Windows firewall is that it doesn't block out-going traffic which can be very harmful. ie; malacious programs reporting back to homebase with your passwords and banking information. SAS(SuperAntiSpyware) and MBAM (Malwarebytes Anti-malware) are not full-time scanners. You have to run the scans yourself. About once a week should be ok. Make sure to update them before running the scans. Java and Adobe have to be kept up-to-date in order to be effective. SpywareBlaster and Spybot S&D are really good programs to have as well as Windows Defender. You can uninstall Ccleaner and ccsetup227.

Remember to only install one antivirus!

1) Avast! Home Edition
2) AVG Free Edition
3) Avira AntiVir Personal
4) Microsoft Security Essentials for Windows Vista\Windows 7 - 64 bit Download
4-a) Microsoft Security Essentials for Windows XP
5) Comodo Antivirus (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
6) PC Tools AntiVirus Free Edition

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

Remember only install ONE firewall

1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor
3) Agnitum Outpost
4) PC Tools Firewall Plus

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.Thanks, SD. Since I have paid for F-Secure, I guess I'll keep it until it runs out and then go for the free ones. I don't see where it has a Firewall, it has something called Deep Guard, not sure what that is but will look into it. Otherwise, I will download one of the Firewalls you recommended.

Family SITUATION better. Thought we were going to lose my 90-year-old mother-in-law but it seems she is getting better. It all started with a fall where she broke her right arm (thank goodness she is left-handed) and they couldn't put it in a cast because of the type of break, and they didn't want to operate on a 90-year-old, then she got sicker and sicker, talking crazy, blood pressure up, down, everywhere, and come to find out not only did she have a kidney infection they weren't treating her for, they were not giving her the daily requirement of pills for Addison's disease (has to do with the adrenalin glands and an episode such as the one she had is life threatening). She is a rehab place for next 2 weeks, but we know she's feeling better as she's asking for some of her personal things be brought to her. I don't know that I want to live to 90, but she makes it look good - grocery shops, cooks, cleans a little - except for that Addison's she'd be fine.

I sincerely thank you again for your help SD. I sure couldn't have done it without you!

I can't run anything on my computer it is infected with something. I can't even access any of these programs to begin to try and remove this infection. I click on each one and I get the same thing everytime! help?

Application Cannot be executed...file mbam.exe is infected.
Do you want to activate your antivirus software now?


Application Cannot be executed...file spybotsd.exe is infected.
Do you want to activate your antivirus software now?


Application Cannot be executed...file (hjt) is infected.
Do you want to activate your antivirus software now?


Application Cannot be executed...file rkill.exe is infected.
Do you want to activate your antivirus software now?


Application Cannot be executed...file avgui.exe is infected.
Do you want to activate your antivirus software now?I cannot even run ccleaner. Or add and remove programs...I was retracing my STEPS ...the only place I was in my yahoo mail before all this started. I was using the chat there because my Yahoo instant messenger would not sign in.hjt LOG I restarted my pc and imediately started task manager

and was able to stop what ever is eating at my computer.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:00 AM, on 1/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search PAGE = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE PROTECTION - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [wkbckdql] C:\Documents and Settings\Kyle\Local Settings\Application Data\taaall\mfgnsysguard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [wkbckdql] C:\Documents and Settings\Kyle\Local Settings\Application Data\taaall\mfgnsysguard.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Advanced Micro Devices - (no file)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: Iomega Active DISK (_IOMEGA_ACTIVE_DISK_SERVICE_) - Unknown owner - C:\Program Files\Iomega\AutoDisk\ADService.exe (file missing)

--
End of file - 5270 bytes
re-name mbam.exe to mbam2.exe and run and post the log

then try sas and ccleaner

Hello all,

Just a question of how many is too many In reality, how many anti-spyware PROGRAMS do I need? I am currently running Super Aniti-spyware, Malware Bytes Anti-Malware, Spyware Blaster, & Iobit Security 360. I vary my scans USING the different programs with the thought that one MAY catch something that the others won't.

Is this overkill??....................just curious

ThanksYou really should just do a FORUM search - the same question is answered several times a week.

You need:
A good av always active
MalwareBytes or SuperAntiSpyware (or both) - scan every couple of weeks
Spyware Blaster (update weekly, does not remain resident)

Other than that, just pay attention to what you are doing and don't open any email links unless you are 100% certain you know what they contain.

Hello SD,
It's been roughly 7 days I believe, I apologize for not using a PM to contact you as you asked, but currently the only internet access I have on a regular basis is my wife's blackberry. I did get a desktop and should be getting internet access Friday.

ANYWAYS, was hoping you had some new advice on my netbook?

Thanks.I'm sorry. Nothing yet. I sent off another pm to another EXPERT and, hopefully, he come BACK with something positive.Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

link # 1
link #2

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Vista users Right-click combofix.exe and select Run as Administrator and follow the prompts.
Double-click combofix.exe and follow the prompts.
When finished, ComboFix will PRODUCE a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
Hey!!! SD!

Thanks for the thought, but again, I literally can do nothing with the netbook as there are no icons, start bar and task manager will not work. Safe mode does not work either. Any additional advice?I'm afraid I'm out of ideas. I'll run this by Evil to see if he can help.I checked with EF and he can't think of anything else we can do. Perhaps, it's time to TAKE it to a repair facility.Thanks SD. I appreciate it! Waiting with anticipation. Lol.Oops. Haha, I apologize for the previous post. Anyways, thanks for all the attempts in helping me.

Evilfantasy,
Thank you for your instructions and help......by using SUPERAntiSpyware
I have been able to STABILIZE my screen and actually use my computer
THANKS MAN.....my view on my screen is STILL slightly distorted and
I have installed the HIJackThis and NEED to know how to use it and
what it actually does for me..........thanks for the help.