Explore topic-wise InterviewSolutions in .

I am running Windows Vista and I use GOOGLE Chrome. More often than not, when I click on a link on a Google search, it will redirect me to a random website for about half a second, then another one with the search results of my original search on another website. For example, when I search "Sins of a Solar Empire: Diplomacy beta", then click on one of the links, it redirects me to "http://sopranoclarinet.com/result.php?Keywords=Sins+of+a+Solar+Empire:+Diplomacy&r=19a62d05d0c76434e38e49a4a1ecec8b19e5d049d86ffbd91fc1205cb0a9d7edc0dd9aa83a2b3ed1e84eee14de24d78c&Submit=Go", then it directs me to "http://www.lowpriceshopper.com/about-solar/shop?rf=llp". When I hit the "back" button, the browser will either show some "generic" website like "www.Corporatehousingproviders.org" or a site that will say "your page is loading" and then will direct me back to the site that I was on before pressing the "back" button. These problems can be AVOIDED by right-clicking the link on the Google search and OPENING it in a new tab. For the most part, the "major" sites such as Google, Yahoo, Miniclip, Wikipedia, etc. are fine, but the "SMALLER", lesser known sites are affected. I have McAfee (the one Comcast gives out for free) and I have run two full scans, both of which have come back negative. Please advise.Click here, follow the directions and post the logs.Here are the logs

[Saving space, attachment deleted by admin]re-run the mbam and remove anything that COMES up and post a clean log

the mbam log says no action taken

please post the sas log as well

Try this.

Do you have an XP CD?

If so, place it in your CD ROM drive and follow the instructions below:

• Click on Start > Run and type sfc /scannow then press ENTER (note the space between scf and /scannow)
  • Let this run undisturbed until the window with the blue progress bar goes away

Hi. I'm ASKING this question for a friend. I think he is running XP. He would like to use a graphics CARD from an old, infected PC. Can a virus REMAIN on the card?
Thanks for you help, I'm NEW and it looks like you have a great forum. Viruses do not transfer themselves to video cards. YES, you can use it.Thanks Allen!

Cannot run Viruseffect remover:
" says system administrator has set polices to prevent its installation"Try OTL please.Sorry about that. It is hard to KNOW if ONE program is dependent upon the first running successfully. I will assume they are independent in the future unless stated otherwise.
Logs attached:

[Saving space, attachment deleted by admin]Quote from: Jhavey on January 05, 2010, 07:30:53 PM

It is hard to know if one program is dependent upon the first running successfully.

• Open the folder and run Dial-a-fix.exe
• 2 windows will open. Close the one in the BACKGROUND labeled Restrictive Policies
• Check the box in section 1, Empty temp folders.
  
• Check the box in section 2, Fix Windows Installer.
  
• Check the box in section 3, Fix Windows Update.
  
• Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 BOXES under it should be pre-checked
  
• Check all boxes in section 5, labeled Registration Center.
  
• Click Go
  
• OK any error messages if received, but write them down and post them here.
• Restart the computer when done.

• Click on Start > Run and type sfc /scannow then press Enter (note the space between scf and /scannow)
  • Let this run UNDISTURBED until the window with the blue progress bar goes away

I have toshiba satalite laptop A25-s3072. recently while working on my laptop it crashed and shut down. After five minutes when I power up the computer I got the following message:
A problem has been detected and window has been shut down to prevent damage to your computer.


Disable or uninstall any anti-virus, disc de frangementation or back-up utilities. Check your hard drive configuration and check for any updated DRIVER corruption and then restart your computer.

Technical INFORMATION:
STOP: 0x00000024,(0x00190203, 0x85FDC5B8, 0x c 0000102, 0x 00000000)

I really do not know how to clear this fault. Any one can please help me to get out of this trouble?
Where you blocking the vent?? (like putting it on a bed) if you do that you blocking ventilation to cool off your cpu. if you do that your cpu BECOMES overheated and your computer will shut off to prevent a fire or damage to your computer. next time go to a flat surface so your computer can have ventilation.this should be in the hardware FORUM

I have tried several free anti-virus programs and have found that most of them just don't cut the mustard.
I prefer ONE that you make a one-time PAYMENT and can use it on as many computers as you want to, but if you have to pay a MINIMUM yearly subscription, that's okay, too. PCW rated 5 AV programs from best to worst-
G-Data, Symantic Norton AV 2010, Kapersky AV 2010, Bit Defender AV 2010, and Panda AV Pro 2010. Users NEARLY 2-1 didn't like G-Data.
I used Avg for many years and it didn't catch all problems. Then I went to AVIRA. When working on other people's computers, I've found Norton AV a bear to remove. Plus, they want to keep charging on your credit card. Any feedback on NOD?I never tried NOD, but I have Kaspersky and I think its the best subscription Internet Security Suite and I never had any problems with Kaspersky and my PC still has high performance and no viruses.

Just finished BOOT scan USING avast there was multiple items show up saying files corrupted, the items were registry items is this something to be worried about. Also is there a way to post logs from avast of the boot scan that i can post here?

Thanks Bunafireman825Welcome the COMPUTER Hope MESSAGE boards.

I have noticed you have not followed the guidelines SET by Evilfantasy. Please follow the guidelines he has posted Here. After you have done them, a malware removal specialist such as Evilfantasy or CBMatt Will come shortly to assist you.

I have Windows Defender and Norton 360, everytime I load the computer Windows Defender says: Windows Defender is not on, would you like to turn it on? So I have to do that everytime.

Is there a way for it to just stay on!?!I may be able to sort this problem out. You will need to follow the simple steps below:

1. Go to start
2. Go to All PROGRAMS
3. Click the startup folder (This is the folder that will startup programs on startup)
4. Now that you have taken note of where the startup folder is find the windows defender icon
5. Click and DRAG the icon into "Startup" (In step 1, 2 and 3.)

The program will now start on startup, if there is any PROBLEMS, PLEASE contact me back.

link removed , what was wrong with it , i took wot out I prefer AVAST.I'll have to give it a try. Has anyone had trouble getting AVG completely off their pc?Here's the AVG removal tool.

http://www.avg.com/download-toolsAvast here also....
Thanks Karnac.On my main PC I use Kaspersky Internet Security and Avast Home on all the others.

Cameron GrayQuote from: camerongray on August 09, 2009, 05:46:17 AM

On my main PC I use Kaspersky Internet Security and Avast Home on all the others.

Cameron Gray

I suggest staying away from Norton (personal experience: very slow and resource greedy).

Every time i turn on my machine i get this program that WANTS to install looks like a EXE that has been download
off of firefire fox i am not GOING to install its more annoying than anything anyone GOT any ideas on how to get rid of this little annoying problem I got windows vista HOME basic on this machineWhat is the program?

Do you know if it's ok to run other PROGRAMS while doing an AV SCAN?

I have windows xp and it shut down on its own. I restarted ran for half hour then shut down again. This went on two more times and the last time it said window shutting down and cannot restart. Help Carol,

SOUNDS like a heat or power problem....how is your housekeeping?........check inside the case and blow out all the dust with a can of compressed air.......not difficult to check......UNSCREW two or three screws on the edge of the case and slide the panel back...

Maybe this should be moved to hardware.....This could possibly be a virus effecting your computer in an annoying way. Have you got internet security? Also, Karnac is correct, try blowing the dust out of the computer, as SOMETIMES it can clog THING's up. There are also other suggestions, such as power supply problems, your power supply could be SHORTING out, it can be loads of things..

Question: Does it just cut out? Or says "Windows is shutting down" ?The computer shut down twice with no warning. The computer came up again then shut down with windows saying windows shutting down. When the computer shut down the second time I was running a virus scan. When I tried to restart the power only lasted 3 seconds never came .

but NEVER pay for questionable software
if it SEEMS fishy dont use it
i am not an expert in viruses and SPYWARE but i dont recommed using it
There are many websites/companies who MAKE GOOD or legitimate softwares/fixes but just charge way more than necessary to fix it.

I've read the info page and thus far have run Avast, which found three or four trojans. Before coming here I had already tried to run SUPERantispyware (already on my machine) and couldn't. I uninstalled but was unable to reinstall from the site. I was able to download from Cnet but I cannot install it. I have also run Windows Defender and the regular version of Ccleaner which I already had on. I wanted to double check if I need to specifically download the CC slim version, if I am able to download. At the moment I cannot access most antispyware related sites.

I am pretty sure I'm dealing with ad.doubleclick.net issues as ads on websites are being switched to the inappropriate kinds and my dh had vulgar pop ups to deal with. Never had the latter kinds of problems before. Comp is running slow and sometimes freezing up.

Since I cannot download SAS, do I just continue down the list and see what I am able to do?

TIA for your help!Just make note of what happens and continue on with the next step....I've completed steps 1 and 2.

Couldn't complete 3 or 4. I was able to download from alternative download sites but they wouldn't install - got Microsoft message "SUPERantispyware has encountered a problem and needs to close" and the same for Malwarebytes.

I completed step 5, although I forgot to close my browser. Am I okay or should I reinstall?

That brings me to step 6, Hijack This. The directions SAY to run this after the other steps have been completed. Since they can't be completed, should I just go ahead and run Hijack This and post the log?Mbam renamer


Try the renamer download for Malwarbytes.

http://kixhelp.com/wr/files/mb/randmbam.exe

The randmbam.exe will try to create random names and shortcuts for Malwarebytes Anti Malware (MBAM) if you have it installed already.

If it installs then use this link to download the updates.

Download Malwarebytes' Anti-Malware Database - GT500.org

Just download it to the desktop and run the exe then run Malwarebytes


You can try download SAS in safe mode or try renaming the file to sniper.exe and see if you can run it that way........if you can't then just go on to HJT and see if you can run it.............Ok, I was able to get SAS and Malwarebytes logs. Had to get a go-around download and run from SAS support. It made it through but froze as I clicked to quarantine. The renamer worked for Malwarebytes and I was able to complete the scan. Followed the directions for HijackThis. It took several tries because it either froze or the comp restarted, but I got the log. I'll post all three below.

Although some trojans have been detected and quarantined, the comp is still running slow or freezing, and I am still dealing with inappropriate pop ups and switched ads on websites. Two other things I forgot to mention: my Seagate external hard drive has stopped functioning in all this, with a message that it cannot find any drives; and neither the disk fragmentor or the chkdsk is operational.

Thanks so much for the help thus far. Hope you can help me figure the rest out.

SAS:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/17/2009 at 11:22 PM

Application Version : 4.26.1006

Core Rules Database Version : 3966
Trace Rules Database Version: 1906

Scan type : Complete Scan
Total Scan Time : 01:02:22

Memory items scanned : 619
Memory threats detected : 0
Registry items scanned : 6439
Registry threats detected : 4
File items scanned : 33962
File threats detected : 3

Trojan.Unknown Origin
HKU\.DEFAULT\Software\ColdWare
HKU\S-1-5-18\Software\ColdWare

Trojan.DNS-Changer (Hi-Jacked DNS)
HKLM\SYSTEM\CONTROLSET002\SERVICES\TCPIP\PARAMETERS\INTERFACES\{0A9A4FEC-465F-4421-8F47-4242C1C17886}#NAMESERVER
HKLM\SYSTEM\CONTROLSET003\SERVICES\TCPIP\PARAMETERS\INTERFACES\{0A9A4FEC-465F-4421-8F47-4242C1C17886}#NAMESERVER

Adware.Tracking Cookie
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt



MALWAREBYTES:

Malwarebytes' Anti-Malware 1.39
Database version: 2454
Windows 5.1.2600 Service Pack 2

7/18/2009 12:51:06 AM
mbam-log-2009-07-18 (00-51-06).txt

Scan type: Quick Scan
Objects scanned: 155866
Time elapsed: 6 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1720a2b8-5386-4d8a-8527-260871b6c7b5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1720a2b8-5386-4d8a-8527-260871b6c7b5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niguwufosa (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\WINDOWS\system32\memman.vxd (Rogue.sysCleanerPro) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.109,85.255.112.192 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.109,85.255.112.192 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.109,85.255.112.192 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\memman.vxd (Rogue.sysCleanerPro) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.


HIJACKTHIS:

Logfile of Trend Micro HijackThis

v2.0.2
Scan saved at 1:50:02 AM, on

7/18/2009
Platform: Windows XP SP2 (WinNT

5.01.2600)
MSIE: Internet Explorer v7.00

(7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows

Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil

Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil

Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program

Files\ContentWatch\Internet

Protection\cwsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\zHotkey.exe
C:\Program

Files\CyberLink\PowerDVD\PDVDSe

rv.exe
C:\Program Files\Digital Media

READER\shwiconem.exe
C:\Program Files\Common

Files\Microsoft Shared\Works

Shared\WkUFind.exe
C:\Program Files\Windows

Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\as

hDisp.exe
C:\Documents and Settings\All

Users\common\dll\netdr\msdtc.exe
C:\Program

Files\MEDIC\bin\sprtcmd.exe
C:\WINDOWS\system32\WTClient.ex

e
C:\WINDOWS\system32\rundll32.exe
C:\Program

Files\Seagate\Basics\Basics

Status\MaxMenuMgrBasics.exe
C:\Program

Files\ScanSoft\OmniPageSE4\Opwar

eSE4.exe
C:\Program

Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\a-squared

Free\a2service.exe
C:\Program

Files\QuickTime\QTTask.exe
C:\Program

Files\iTunes\iTunesHelper.exe
C:\Program

Files\ContentWatch\Internet

Protection\cwtray.exe
C:\Program

Files\Java\jre6\bin\jusched.exe
C:\Program

Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware

Terminator\SpywareTerminatorUpdat

e.exe
C:\Program Files\Common

Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceServi

ce.exe
C:\Program

Files\Seagate\Basics\Service\SyncS

ervicesBasics.exe
C:\Program

Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New

Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware

Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.

exe
C:\WINDOWS\System32\Drivers\WT

SRV.EXE
C:\Program

Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil

Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program

Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WISPTIS.EX

E
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend

Micro\HijackThis\sniper.exe

R1 -

HKCU\Software\Microsoft\Internet

Explorer\Main,Search Bar =

http://red.clientapps.yahoo.com/custo

mize/ycomp_wave/defaults/sb/*http://

www.yahoo.com/search/ie.html
R1 -

HKCU\Software\Microsoft\Internet

Explorer\Main,Search Page =

http://red.clientapps.yahoo.com/custo

mize/ycomp_wave/defaults/sp/*http://

www.yahoo.com
R0 -

HKCU\Software\Microsoft\Internet

Explorer\Main,Start Page =

http://www.crosswalk.com/homeschoo

l
R1 -

HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=

69157
R1 -

HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=

54896
R1 -

HKLM\Software\Microsoft\Internet

Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=

54896
R0 -

HKLM\Software\Microsoft\Internet

Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=

69157
R1 -

HKCU\Software\Microsoft\Internet

Explorer\Main,Window Title = Road

Runner High Speed Online
R1 -

HKCU\Software\Microsoft\Windows\C

urrentVersion\Internet

Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub -

{18DF081C-E8AD-4283-A596-FA57

8C2EBDC3} - C:\Program

Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEH

elperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV

Helper -

{DBC80044-A445-435b-BC74-9C25

C1C588A9} - C:\Program

Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl -

{E7E6F031-17CE-4C07-BC86-EAB

FE594F69C} - C:\Program

Files\Java\jre6\lib\deploy\jqs\ie\jqs_pl

ugin.dll
O2 - BHO: (no name) -

{FDD3B846-8D59-4ffb-8758-209B6

AD74ACC} - (no file)
O4 - HKLM\..\Run: [SoundMan]

SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon]

RUNDLL32.EXE

C:\WINDOWS\system32\NvCpl.dll,Nv

Startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe

/install
O4 - HKLM\..\Run: [NvMediaCenter]

RUNDLL32.EXE

C:\WINDOWS\system32\NvMcTray.dll

,NvTaskbarInit
O4 - HKLM\..\Run: [nForce Tray

Options] sstray.exe /r
O4 - HKLM\..\Run: [CHotkey]

zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd]

ShowWnd.exe
O4 - HKLM\..\Run: [RemoteControl]

"C:\Program

Files\CyberLink\PowerDVD\PDVDSe

rv.exe"
O4 - HKLM\..\Run: [SunKistEM]

C:\Program Files\Digital Media

Reader\shwiconem.exe
O4 - HKLM\..\Run: [Microsoft Works

Update Detection] C:\Program

Files\Common Files\Microsoft

Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Windows

Defender] "C:\Program

Files\Windows

Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!]

C:\PROGRA~1\ALWILS~1\Avast4\as

hDisp.exe
O4 - HKLM\..\Run: [QuickTime]

C:\Documents and Settings\All

Users\common\dll\netdr\msdtc.exe
O4 - HKLM\..\Run: [MEDIC]

"C:\Program

Files\MEDIC\bin\sprtcmd.exe" /P

MEDIC
O4 - HKLM\..\Run: [WTClient]

WTClient.exe
O4 - HKLM\..\Run: [basicsmssmenu]

"C:\Program

Files\Seagate\Basics\Basics

Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate]

"C:\Program Files\Common

Files\Scansoft

Shared\SSBkgdUpdate\SSBkgdupda

te.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4]

"C:\Program

Files\ScanSoft\OmniPageSE4\Opwar

eSE4.exe"
O4 - HKLM\..\Run:

[CanonSolutionMenu] C:\Program

Files\Canon\SolutionMenu\CNSLMAI

N.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter]

C:\Program

Files\Canon\MyPrinter\BJMyPrt.exe

/logon
O4 - HKLM\..\Run: [Adobe Reader

Speed Launcher] "C:\Program

Files\Adobe\Reader

9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task]

"C:\Program

Files\QuickTime\QTTask.exe"

-atboottime
O4 - HKLM\..\Run: [iTunesHelper]

"C:\Program

Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cwcptray]

C:\Program

Files\ContentWatch\Internet

Protection\cwtray.exe
O4 - HKLM\..\Run:

[SunJavaUpdateSched] "C:\Program

Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS]

"C:\Program

Files\Messenger\msmsgs.exe"

/background
O4 - HKCU\..\Run: [MoneyAgent]

"C:\Program Files\Microsoft

Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run:

[SUPERAntiSpyware] C:\Program

Files\SUPERAntiSpyware\SUPERAnt

iSpyware.exe
O4 - HKCU\..\Run:

[SpywareTerminatorUpdate]

"C:\Program Files\Spyware

Terminator\SpywareTerminatorUpdat

e.exe"
O4 - HKUS\S-1-5-19\..\Run:

[niguwufosa] Rundll32.exe

"C:\WINDOWS\system32\zodavula.dll

",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run:

[niguwufosa] Rundll32.exe

"C:\WINDOWS\system32\zodavula.dll

",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run:

[DWQueuedReporting]

"c:\PROGRA~1\COMMON~1\MICRO

S~1\DW\dwtrig20.exe" -t (User

'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce:

[RunNarrator] Narrator.exe (User

'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run:

[DWQueuedReporting]

"c:\PROGRA~1\COMMON~1\MICRO

S~1\DW\dwtrig20.exe" -t (User

'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce:

[RunNarrator] Narrator.exe (User

'Default user')
O8 - Extra context menu item: &AOL

Toolbar search - res://C:\Program

Files\AOL

Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-0040

1C608501} - C:\Program

Files\Java\jre6\bin\npjpi160_14.dll
O9 - Extra 'Tools' menuitem: Sun Java

Console -

{08B0E5C0-4FCB-11CF-AAA5-0040

1C608501} - C:\Program

Files\Java\jre6\bin\npjpi160_14.dll
O9 - Extra button: Research -

{92780B25-18CC-41C8-B9BE-3C9C

571A8263} -

C:\PROGRA~1\MICROS~3\Office12\

REFIEBAR.DLL
O9 - Extra button: Real.com -

{CD67F990-D8E9-11d2-98FE-00C0

F0318AFE} -

C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) -

{e2e2dd38-d088-4134-82b7-f2ba384

96583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem:

@xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba384

96583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04

F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows

Messenger -

{FB5F1910-F110-11d2-BB9E-00C04

F795683} - C:\Program

Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP:

c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP:

c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP:

c:\windows\system32\cwalsp.dll
O16 - DPF:

{01113300-3E00-11D2-8470-006008

9874ED} (Support.com Configuration

Class) -

http://activation.rr.com/install/downloa

ds/tgctlcm.cab
O16 - DPF:

{17492023-C23A-453E-A040-C7C5

80BBF700} (Windows Genuine

Advantage Validation Tool) -

http://go.microsoft.com/fwlink/?linkid=

39204
O20 - AppInit_DLLs:

C:\WINDOWS\system32\wugakuwa.dl

l
O20 - Winlogon Notify:

!SASWinLogon - C:\Program

Files\SUPERAntiSpyware\SASWINL

O.dll
O23 - Service: a-squared Free

Service (a2free) - Emsi Software

GmbH - C:\Program Files\a-squared

Free\a2service.exe
O23 - Service: Apple Mobile Device -

Apple Inc. - C:\Program

Files\Common Files\Apple\Mobile

Device

Support\bin\AppleMobileDeviceServi

ce.exe
O23 - Service: avast! iAVS4 Control

Service (aswUpdSv) - ALWIL

Software - C:\Program Files\Alwil

Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus -

ALWIL Software - C:\Program

Files\Alwil

Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner -

ALWIL Software - C:\Program

Files\Alwil

Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner -

ALWIL Software - C:\Program

Files\Alwil

Software\Avast4\ashWebSv.exe
O23 - Service: Basics Service -

Seagate TECHNOLOGY LLC -

C:\Program

Files\Seagate\Basics\Service\SyncS

ervicesBasics.exe
O23 - Service: Bonjour Service -

Apple Inc. - C:\Program

Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera

Access Library 8 (CCALib8) - Canon

Inc. - C:\Program

Files\Canon\CAL\CALMAIN.exe
O23 - Service: ContentWatch

(CwAltaService20) - ContentWatch,

Inc. - C:\Program

Files\ContentWatch\Internet

Protection\cwsvc.exe
O23 - Service: InstallDriver Table

Manager (IDriverT) - Macrovision

Corporation - C:\Program

Files\Common

Files\InstallShield\Driver\11\Intel

32\IDriverT.exe
O23 - Service: iPod Service - Apple

Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter

(JavaQuickStarterService) - Sun

Microsystems, Inc. - C:\Program

Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver

Service (NVSvc) - NVIDIA

Corporation -

C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New

Boundary Technologies, Inc. -

C:\Program Files\Common Files\New

Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Spyware Terminator

Realtime Shield Service (sp_rssrv) -

Crawler.com - C:\Program

Files\Spyware

Terminator\sp_rsser.exe
O23 - Service: SecuROM User

Access Service (V7) (UserAccess7) -

Unknown owner -

C:\WINDOWS\system32\UAService7.

exe
O23 - Service: WinTab Service

(WinTabService) - Tablet Driver -

C:\WINDOWS\System32\Drivers\WT

SRV.EXE

--
End of file - 11037 bytes

I forgot to mention that I was unable to update SAS or Malwarebytes. I was able to access updates for HijackThis.Good job getting the required logs......Evilfantasy will be along to review them....be patient....it's a summer weekend.you need to go to seagate ( seagate for windows ) sort out your machine download and let it scan the pc


http://www.seagate.com/www/en-us/support/downloads/seatools

go to below and download smart defrag

http://www.iobit.com/Download The Comedian to your desktop.

* Double click the program to run it.
* It will do a series of tasks and tell you when each one is FINISHED.
* You will be prompted to press any key after each step
* When it is done it will close and exit itself automatically.
* You can delete The_Comedian.exe once it is finished.
.
----------

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFixThanks for getting back to me!

I downloaded and ran The Comedian but on Step 4 it said it could not create a restore point. Should I still proceed to Combofix? Also, I wasn't sure when it asked about CREATING registry back ups kept for 30 days; I checked ok. Yes just continue on please.Here's the ComboFix log. Couldn't run it as ComboFix so I tried the renaming to Combo-Fix and that worked.

ComboFix 09-07-23.04 - Owner 07/24/2009 17:21.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.43 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1335 [VPS 090723-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-2212892535-3016890555-2903492491-1003
c:\windows\desktop
c:\windows\desktop\EA Hot Titles!.exe
c:\windows\Installer\132159e.msp
c:\windows\Installer\acbac.msi
c:\windows\system32\drivers\ESQULxuwyltfqxuuwpdqbpnobodpqqtjkbmup.sys
c:\windows\system32\ESQULabwwxiqpeltobirvvjmldunqkeqbrgai.dll
c:\windows\system32\ESQULrbhtkbljbmtclcvtqjoetiwlrtsrtena.dll
c:\windows\system32\ESQULzcounter
c:\windows\system32\MabryObj.dll
c:\windows\system32\skinboxer43.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys
-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-06-24 to 2009-07-24 )))))))))))))))))))))))))))))))
.

2009-07-24 18:56 . 2009-07-24 18:57--------d-----w-c:\program files\ERUNT
2009-07-22 01:15 . 2009-07-22 01:15--------d-----w-c:\documents and settings\Owner\Application Data\IObit
2009-07-22 01:15 . 2009-07-22 01:15--------d-----w-c:\program files\IObit
2009-07-18 05:06 . 2009-07-18 05:06--------d-----w-c:\program files\Trend Micro
2009-07-18 04:38 . 2009-07-18 04:38--------d-----w-c:\documents and settings\Owner\Application Data\Malwarebytes
2009-07-18 02:13 . 2009-07-18 02:13--------d-----w-c:\program files\Common Files\Wise Installation Wizard
2009-07-18 00:55 . 2009-07-18 00:55142592----a-w-c:\windows\system32\drivers\sp_rsdrv2.sys
2009-07-18 00:54 . 2009-07-24 20:37--------d-----w-c:\documents and settings\Owner\Application Data\Spyware Terminator
2009-07-18 00:54 . 2009-07-24 18:46--------d-----w-c:\docume~1\ALLUSE~1\APPLIC~1\Spyware Terminator
2009-07-18 00:54 . 2009-07-18 00:59--------d-----w-c:\program files\Spyware Terminator
2009-07-17 21:31 . 2009-07-17 21:32--------d-----w-c:\program files\a-squared Free
2009-07-17 13:17 . 2009-07-17 13:17410984----a-w-c:\windows\system32\deploytk.dll
2009-07-17 13:12 . 2009-07-17 13:12152576----a-w-c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-17 12:59 . 2009-07-13 17:3638160----a-w-c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-17 12:59 . 2009-07-17 12:59--------d-----w-c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-17 12:59 . 2009-07-18 04:38--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2009-07-17 12:59 . 2009-07-13 17:3619096----a-w-c:\windows\system32\drivers\mbam.sys
2009-07-11 03:02 . 2009-07-11 03:02--------d-----w-c:\documents and settings\Owner\ContentWatch
2009-07-07 01:49 . 2009-07-07 01:497639----a-w-c:\windows\extend.dat
2009-07-05 20:43 . 2004-08-04 02:585504-c--a-w-c:\windows\system32\dllcache\mstee.sys
2009-07-05 20:43 . 2004-08-04 02:585504----a-w-c:\windows\system32\drivers\MSTEE.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-24 19:45 . 2007-01-30 15:13--------d-----w-c:\program files\Mozilla Thunderbird
2009-07-23 15:57 . 2005-01-08 20:3439514----a-w-c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-07-22 00:36 . 2008-05-28 11:47--------d-----w-c:\program files\SUPERAntiSpyware
2009-07-17 13:39 . 2004-10-01 15:45--------d-----w-c:\program files\Java
2009-07-16 11:31 . 2004-10-01 16:04--------d-----w-c:\docume~1\ALLUSE~1\APPLIC~1\Viewpoint
2009-07-10 21:36 . 2009-07-10 21:34--------d-----w-c:\program files\ContentWatch
2009-07-10 21:20 . 2007-12-04 14:25--------d-----w-c:\program files\Internet Content Filter
2009-07-10 19:33 . 2008-07-02 18:3034----a-w-c:\documents and settings\Owner\jagex_runescape_preferences.dat
2009-07-07 23:04 . 2008-10-14 21:54139776----a-w-c:\documents and settings\Gabe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 01:46 . 2008-10-15 12:33139776----a-w-c:\documents and settings\John\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-03 00:29 . 2007-10-22 23:51139776----a-w-c:\documents and settings\Sarah\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-01 00:03 . 2007-10-12 03:10139776----a-w-c:\documents and settings\Matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-26 18:54 . 2009-06-11 22:09--------d-----w-c:\documents and settings\Owner\Application Data\vlc
2009-06-26 00:28 . 2005-01-08 20:34139776----a-w-c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-25 19:13 . 2004-10-01 15:35--------d--h--w-c:\program files\InstallShield Installation Information
2009-06-25 15:46 . 2007-10-30 16:34--------d-----w-c:\documents and settings\Owner\Application Data\gtk-2.0
2009-06-19 02:18 . 2009-06-25 16:0916980----a-w-c:\windows\Fonts\electroh.ttf
2009-06-16 14:55 . 2004-01-02 08:06119808----a-w-c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-01-02 08:0382432----a-w-c:\windows\system32\fontsub.dll
2009-06-11 22:10 . 2009-01-05 22:52--------d-----w-c:\program files\Graboid
2009-06-11 22:03 . 2009-06-11 22:03--------d-----w-c:\program files\Mozilla ActiveX Control v1.7.12
2009-06-11 03:49 . 2009-06-11 03:49--------d-----w-c:\program files\iTunes
2009-06-11 03:49 . 2009-06-11 03:49--------d-----w-c:\program files\iPod
2009-06-11 03:49 . 2009-01-16 06:52--------d-----w-c:\program files\Common Files\Apple
2009-06-11 03:46 . 2009-06-11 03:45--------d-----w-c:\program files\QuickTime
2009-06-11 03:40 . 2009-01-16 06:52--------d-----w-c:\docume~1\ALLUSE~1\APPLIC~1\Apple
2009-06-08 15:32 . 2009-07-10 21:34247616----a-w-c:\windows\system32\wxIE.dll
2009-06-08 15:32 . 2009-07-10 21:341859584----a-w-c:\windows\system32\AltaRecovery.exe
2009-06-08 15:12 . 2009-07-10 21:34666624----a-w-c:\windows\system32\cwalsp.dll
2009-06-08 14:52 . 2009-07-10 21:3481920----a-w-c:\windows\system32\wxcode_msw28u_wxjson_CW.dll
2009-06-08 14:52 . 2009-07-10 21:34991232----a-w-c:\windows\system32\wxcode_msw28u_wxcurl_CW.dll
2009-06-08 14:50 . 2009-07-10 21:34975872----a-w-c:\windows\system32\libxml2_CW.dll
2009-06-08 14:46 . 2009-05-19 17:13151552----a-w-c:\windows\system32\libexpat.dll
2009-06-08 14:27 . 2009-07-10 21:34524288----a-w-c:\windows\system32\wxmsw28u_xrc_vc_CW.dll
2009-06-08 14:27 . 2009-07-10 21:34499712----a-w-c:\windows\system32\wxmsw28u_html_vc_CW.dll
2009-06-08 14:27 . 2009-07-10 21:342904064----a-w-c:\windows\system32\wxmsw28u_core_vc_CW.dll
2009-06-08 14:27 . 2009-07-10 21:34110592----a-w-c:\windows\system32\wxmsw28u_media_vc_CW.dll
2009-06-08 14:27 . 2009-07-10 21:34712704----a-w-c:\windows\system32\wxmsw28u_adv_vc_CW.dll
2009-06-08 14:27 . 2009-07-10 21:34135168----a-w-c:\windows\system32\wxbase28u_xml_vc_CW.dll
2009-06-08 14:27 . 2009-07-10 21:34135168----a-w-c:\windows\system32\wxbase28u_net_vc_CW.dll
2009-06-08 14:27 . 2009-07-10 21:341232896----a-w-c:\windows\system32\wxbase28u_vc_CW.dll
2009-06-05 15:42 . 2009-03-20 01:482060288----a-w-c:\windows\system32\usbaaplrc.dll
2009-06-05 15:42 . 2009-01-16 06:5239424----a-w-c:\windows\system32\drivers\usbaapl.sys
2009-06-03 19:27 . 2004-01-02 08:061290752----a-w-c:\windows\system32\quartz.dll
2009-05-27 21:43 . 2009-05-27 21:43--------d-----w-c:\program files\Unity
2009-05-07 15:44 . 2004-01-02 08:04344064----a-w-c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-01-02 08:06827392----a-w-c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-01-02 08:0378336----a-w-c:\windows\system32\ieencode.dll
2009-07-24 18:46 . 2009-03-09 18:10134648----a-w-c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-01-24 18:44 . 2009-01-24 18:448--sh--r-c:\windows\system32\B3590867F3.sys
2009-04-12 16:20 . 2009-01-12 16:205696--sha-w-c:\windows\system32\bahegope.exe
2009-01-25 04:14 . 2009-01-24 18:44848--sha-w-c:\windows\system32\KGyGaAvL.sys
2009-04-11 22:08 . 2009-01-11 22:085696--sha-w-c:\windows\system32\yewukulu.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-19 200704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2009-07-18 3055616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-03-04 2904064]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-03-04 46080]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-03-11 135168]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"QuickTime"="c:\documents and settings\All Users\common\dll\netdr\msdtc.exe" [2007-12-27 466944]
"MEDIC"="c:\program files\MEDIC\bin\sprtcmd.exe" [2006-12-27 192512]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"cwcptray"="c:\program files\ContentWatch\Internet Protection\cwtray.exe" [2009-06-08 351040]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-17 148888]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-08-15 57344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-03-04 782336]
"nForce Tray Options"="sstray.exe" - c:\windows\system32\sstray.exe [2003-09-03 73728]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-05-18 543232]
"ShowWnd"="ShowWnd.exe" - c:\windows\ShowWnd.exe [2003-09-19 36864]
"WTClient"="WTClient.exe" - c:\windows\system32\WTClient.exe [2007-04-11 40960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-10-04 53760]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05356352----a-w-c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Microsoft Games\\Motocross Madness 2\\MCM2.ICD"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\k9-webprotection.exe"=
"c:\\Program Files\\ZyDAS Technology Corporation\\ZyDAS_802.11g_Utility\\ZDWlan.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/4/2008 6:13 AM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [7/17/2009 8:55 PM 142592]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/4/2008 6:13 AM 20560]
R2 CwAltaService20;ContentWatch;c:\program files\ContentWatch\Internet Protection\cwsvc.exe [7/10/2009 5:34 PM 2072384]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [3/7/2008 1:53 PM 20608]
S3 mr97310c;CIF Dual-Mode Camera;c:\windows\system32\drivers\mr97310c.sys [7/5/2009 4:42 PM 107904]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.crosswalk.com/homeschool
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
LSP: c:\windows\system32\cwalsp.dll
Trusted Zone: christianbook.com Trusted Zone: christianbook.com https\dlm
FF - ProfilePath - c:\docume~1\Owner\APPLIC~1\Mozilla\Firefox\Profiles\ne8x1sqs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.conservapedia.com/Main_Page
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ne8x1sqs.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayAccessService.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ne8x1sqs.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayFormSubmitObserver.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-24 17:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\_av_proI.tm~a03680\stamp.tmp 10 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3388798203-652253650-2994196867-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3388798203-652253650-2994196867-1003\Software\YourCompanyName\YourProductName\Version*]
"VersionData"=hex:0d,3b,25,66,19,03,6e,fd,4f,a8,a2,fa,9d,e1,52,c2,8a,f9,01,99,
85,ff,f4,59,07,45,91,f9,29,b3,aa,34,31,2b,f2,f4,e1,09,ad,08,4c,48,f7,d3,42,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(684)
c:\windows\system32\cwalsp.dll
c:\windows\system32\wxbase28u_vc_CW.dll

- - - - - - - > 'explorer.exe'(3504)
c:\windows\system32\nview.dll
c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\system32\UAService7.exe
c:\windows\system32\drivers\WTSrv.exe
c:\windows\system32\WISPTIS.EXE
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-07-24 18:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-24 22:04

Pre-Run: 75,996,536,832 bytes free
Post-Run: 76,592,431,104 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

279--- E O F ---2009-07-23 15:28
Download Disable/Remove Windows Messenger to the Desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the Desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the Desktop.

----------

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combo-fix /u in the runbox
* Make sure there's a space between Combo-fix and /u
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

Use the ESET Online Antivirus Scanner

This scanner requires Internet Explorer

1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.I think I uninstalled Windows Messenger. I followed the directions and chose the appropriate box. On the desktop I found only the icon for the zip file, so I deleted that. I had the save file box pop up several more times. Not sure why. I just clicked them off and restarted the comp. The Windows Messenger icon is gone and a search for it yielded nothing, so here's hoping.

I haven't been able to uninstall Combo-fix. When I try to run Combo-fix /u, I get a message that the file can't be found. When I try to uninstall Combofix /u, I get the prompt to run combofix.exe. I did check C: for Combofix and Combo-fix files and folders and they are still there. I'm checking back to see how to proceed.

I recently installed Nortons 360 on my home computer. I received a NOTICE that I had a upgrade to Nortons 2009 which I received. When the program removed my old Nortons and restarted my computer I received a message that Windows could not start because PART was missing. After much trial and error I finally got the computer up using my start up CD. Each time I contacted Nortons and they tried to work the issue a reboot of the system yielded the same message as before. Now my system will not restart even using the start up CD. I now get the message "Window could not CONFIGURE one or more system components. To install Windows, restart the computer and reinstall." Any help would be greatly appreciated. Also I have not tried a total restart from the CD since there is material that I would rather not loose.go to tools , internet options , advanced , reset internet explorer options , reset , and follow through

read what it will do before you start , this will put your pc back to factory settings but take

nothing you need outXP? If so, boot to the XP CD and choose the SECOND repair OPTION and do a repair install.Quote from: harry 48 on August 18, 2009, 01:53:10 PM

go to tools , internet options , advanced , reset internet explorer options , reset , and follow through

read what it will do before you start , this will put your pc back to factory settings but take

nothing you need out

Harry, how is resetting Internet Explorer going to put his computer back to factory settings?

sorry it puts windows back to when you got it , am i wrong in saying this because this is what i got out of the reading when i do it twice a year

ok , i'll go read it

Please copy and paste the thing you read.

I'm not sure what part of that you think refers to the OS as opposed to Internet Explorer, but it certainly seems clear to me.

What is a BIOS Virus?
Are they preventable? (besides having an AV scanner)
Are they common, or were they at one time?
Are new computers exposed to them?
What damage do they cause?
Is it difficult to make a program or malicious code that can access the BIOS?

A bit questioning today - Zylstra555http://www.google.com/search?hl=en&q=BIOS+virus

I don't think so.You're probably thinking of a BOOT sector virus...not as common as they used to be but are going through a resurgence as the newest batch of malicious idiots are cutting their chops in the malware world.
They are particularly hard to get rid of and usually need a floppy based AV to sniff them out and remove them or a complete low-level FORMAT and re-partitioning of a HDD in extreme cases.Quote

You're probably thinking of a boot sector virus...not as common as they used to be but are going through a resurgence as the newest batch of malicious idiots are cutting their chops in the malware world.
They are particularly hard to get rid of and usually need a floppy based AV to sniff them out and remove them or a complete low-level format and re-partitioning of a HDD in extreme cases.

No, not thinking of an MBR virus.
(Easy fix for those since I had a problem with a Windows 3.0 instalation disk at one point:
fdisk /mbr
re-writes the Master Boot Record. It can even clear a program like Lilo, so it can be problamatic)
After my research, (From GX1_Man's link to Google), I found out that they do exist, and that they can be quite dammaging.
I had an uncle who said at one time a long time ago that he had a BIOS virus, and I wanted to do more research on it some day. (now I know)
The BIOS are infected through the BIOS Updates (which, on many BIOS chips, can be dissabled to prevent such a virus)

I was doing some general cleanup on my computer and happened to come across some unusual files. I'm HOPING someone here can maybe help me find out what they are and if I should DELETE them. I'm on WinXP, by the way. The files are:

ÝÃÄ›Ò3113›.sys
(located in C:\Documents and Settings\All Users\Application Data)

PFP120JCM.{PB
PFP120JPR.{PB
(both located in C:\Documents and Settings\[my name]\Application Data)

Any help at all would be appreciated. Thanks!I'm having trouble find any actual info on the .{PB files. Most people who have them are infected, but it doesn't mean that they are malicious. Could just a coincidence. All I know is that I don't have any such files. In fact, although I have plenty of folders in Application Data, I don't have any stray files. The first file...well, I can find nothing at all about it.

Unless anyone can give some insight, I would suggest uploading/scanning them (individually) at VirusTotal. Post back with the results.I know of only ONE other instance of that first file coming up and no idea about the other two.

I don't like the look of any.

CBMatt ... I suggest you get the OP to d/l AVG AS, unhide HIDDEN Files & Folders, run a scan in safe mode then post a HJT v1.99 log from normal mode.


OJYou could also make a temporary directory and MOVE, not copy the files there for the time being.
If they are needed by any programs you are running the error message will tell you which program uses/needs these files.
After a few weeks or so if it is running fine with no hiccups i would say they are safe to delete...The only page I could find about that first file was this:
http://forums.spybot.info/showthread.php?t=11301&page=2

Even then, no one who replied to that user seems to have noticed it or thought it unusual. It seems very strange to me though, especially with a filename like that. It was marked as hidden, too--it wasn't until I turned on "show hidden files and folders" that I came across it.DLoad all the updates for your current protection apps and re-boot into safemode and run all your scans just to be safe...Have you tried uploading them to VirusTotal? And go ahead and follow along with the suggestions of oddjob and patio. Download AVG Anti-Spyware and update it to the latest definitions. Reboot in Safe Mode and unhide all of your hidden folders (click here if you don't know how). Then go ahead and run a complete system-wide scan. It's time-consuming, but it's worth the effort.I know that this is a really really old thread;

but since no one actually answered it with any info on the files
and I was directed here from a Google search for the files

I thought I would answer, just in case anyone else ever was looking for info on these files
as I was in the past 24 hours:

the two files:
- PFP120JCM.{PB
- PFP120JPR.{PB

Located in
- C:\Documents and Settings\User Name\Application Data\

are files wholly related to WordPerfect12 and nothing else*

it's easy to test it:

a> open windows exploder and navigate to the profile that is currently logged on,
- ie. Administrator
- C:\Documents and Settings\Administrator\Application Data
b> delete the two files
c> open Word Perfect
d> switch back to Windows Exploder
e> the two files will be there again with the current date & time

* if the system has never had Word Perfect 12 installed then there may be a problem with the file names being hi-jacked by malware

I had the Sysvxd.exe virus. I followed all the steps and have the 3 logs attached below. Those programs may have DELETED it, but I just want to make sure that EVERYTHING is gone so I won't have this problem again. Thank you so much for your help.

I do still have the "common" window that opens at startup.

[attachment deleted by admin]Looks LIKE everything was removed. Just a few things left to do.

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

O18 - Filter hijack: text/html - {f5b9c876-c1dc-47cb-8f1d-f03f74cef11e} - C:\WINDOWS\system32\mst122.dll

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

You have Viewpoint installed.

Viewpoint Media Player/Manager/Toolbar is considered as Foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad".

More information:

• ViewMgr.exe - Useless
  
• Viewpoint to Plunge Into Adware

• Viewpoint
  
• Viewpoint Manager
  
• Viewpoint Media Player
  
• Viewpoint Toolbar
  
• Viewpoint Experience Technology

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

My computer seems to have slowed down considerably in the past few weeks. The question I have is in regards to ANTI Virus/Anti Spyware programs.

I am currently using AVG 8.5 for my ANTIVIRUS, and for the spyware programs I am using Spyware Blaster/Super ANTISPYWARE/Spybot Search & Destroy/Malwarebytes Antimalware.

My question is this...........are the free programs sufficient, or are the programs available for purchase able to do a better job of detection?

My OS is Windows XP Home.

If anybody has any feedback, I would appreciate it, or if there are any tips on speeding up my computer that would be great too!

Thanks,

Jim The free programs are sufficient..... Only run one antivirus program, one firewall, and use a couple of good antispyware programs and alternate their usage as no program will catch all threats.

Couple of good articles.....

http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/

http://www.malwareremoval.com/tutorials/runningslowly.phpOne AV in conjunction with Spyware Blaster, MalwareBytes & Super AntiSpyware should be fine (though AVG may not be the best AV). More important, however, is "smart computing" (know where you go on the internet, what emails to open and not, etc).Thanks ADG,

What would you recommend for a AV?As a free program I GUESS Avast or Avira are pretty good. I use Kaspersky on all my systems (not cheap, but I trust it / them IMPLICITLY)

Quote

like, literally, 7 years ago and not since then. Should I uninstall avast since I cannot find a place to uninstal MCAFEE?

how can I make sure of that?

I opened regedit and went to HKEY_LOCAL_MACHINE. Then went to SOFTWARE. Then I found these programs: C07ft5Y, Codec tweak tool, divxnetworks, gemplus, S3R521, Schlumberger, x-avcsd. Can anyone explain what are these programs for? Thank you very much.Codec tweak tool --> do you have klite codec pack or something?

Divxnetwork --> do you have divx codec or divx codec bundle or some other codec pack that installs for your the divx codec?

x-avscd --> this should have came as part of the avira antivirus software installation.

C07ft5Y--> seems to be coming from a copy protection software or something ... not too sure

gemplus --> does this registry entry contain the subkeys: Cryptography, SmartCards and GemSAFE which are stuff related to smart cards? It´s a part of the standard installation of XP

Sclumberger --> Should be for smart cards, even if you don't use one ... but it is installed by default in Windows XP. See this link]http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_sc_use_sctypes.mspx]link for more help on that.

S3R521--> this I don't know but it seems ok.

You probably want to run Hijack this software and have a malware specialist of this forum to check that your computer is clean. Would be good to know if whether your computer is sick or not.







I know something that has info on all those. GOOGLE. Spending 5 minutes can save you hours waiting on a forum. C07ft5Y is made by SecuROM.Quote from: BC_Programmer on August 25, 2009, 10:41:54 PM

C07ft5Y is made by SecuROM.

only one hit? I got several thousand:

http://www.google.ca/#hl=en&source=hp&q=C07ft5Y&btnG=Google+Search&meta=&aq=f&oq=C07ft5Y&fp=a1047c2a76fad57b

but... regarding the key;

I was actually curious about that key myself, some time ago. it's been present on my XP desktop, as well as Vista laptop and new desktop build running vista.

In my case I have several keys underneath it reflecting the games I have installed that use that copy-protection technology, Age of empires 2, quake 4, Halo... etc.

while the name they chose certainly raises an eyebrow, looking past the name, it's really just a few morsels of irrelevant data- nothing to be concerned about. Again- I was quite curious about the key myself, and in fact ran Registry Monitor to find out what was accessing the key, to discover it was accessed when I played some of my games. After much investigation about the games that did and did not trigger the discovery I discovered each game that did access the mystery key had the "secuROM" copy protection.

Of course if I had simply done a google search I would have discovered that quite quickly, but I guess I like the thrill of the chase

Hi,

This is my first post and am desperate for advice regarding the removal of the Rootkit-pakes.M.

OK first things first, the history.

I've just started the standalone again having not used it for months. Got it all cleaned up and had it running nice n fast. On 16 Aug I went to the site FMportals.com and AVG 8.5 flashed up with a warning that the site was dangerous. Before I could do anything it appeared that I had been attacked/downloaded the trojan unwittingly.

I actually figured it had been a false alarm until starting the PC on 17 Aug, when AVG Resident shield flagged up the rootkit sitting at the following filepath:

C://WINDOWS//system32/drivers/ntfs.sys

This was also accompanied by a couple of other related FILES, opening a back door. AVG was able to get rid of these files but not the rootkit. (cont)I then tried ccleaner before stumbling upon your wesbite.

I have now followed your step by step guide and will attach the logs.

What concerns me though is that none of the logs makes mention of the rootkit-pakes.M trojan BUT have found several others including win98.exe and a couple more.

All your help and advice will be most greatfuly received!

Here come the logs...SAS Log

[attachment deleted by admin]MBam Log and Sniper Log

[attachment deleted by admin]Also, just how dangerous is this rootkit and what are the consequences of leaving it in place?Leem, your HJT log looks quite clean. The two scans you ran before cleaned up some infections. Here is some information about rootkits and there are also some tools you can use to scan your machine. I also noticed that you have no Firewall running on your computer. You should activate the Windows Firewall or BETTER yet, download one of these free third-party firewalls which are superior to the Windows Firewall found here. Personally, I prefer ZoneAlarm. You should keep SAS and MBAM on your computer and run them weekly but you should also add programs such as Spybot S&D, Ad-Aware, and SpywareBlaster to protect against malware and spyware. They're all free. Wait a few days to see if the resident specialists have any other things for you to do. If not, try these tips. Oops, almost forgot. You should download and install Service Pack 3 which will give you additional protection.Hi Superdave,

Many thanks for all of you advice. I had previously been told that running Windows firewall alone was sufficient and had gotten rid of my Zonealarm. I have no idea how the windows firewall got turned off though...

Anyway. I did as you said and added Commodo, which so far seems a little less INTRUSIVE then Zonealarm, so I'm happy there on all counts.

I am keeping the SAS and MBAM to complement AVG 8.5, as well as running CCleaner. The big difference that cleaned the virus though was the Windows SP. It seems that when it installed it uninstalled the infected old drivers (which have now been CCleaned!)

So again, many, many thanks :-D

I currently run AVG. I also now have sas and MBAM. Do the spybot/adaware/spywareblaster programme slow the machine down much? Why so many programmes that seemingly serev the same function? Or do they all do something alightly different?Quote

I currently run AVG. I also now have sas and MBAM. Do the spybot/adaware/spywareblaster programme slow the machine down much? Why so many programmes that seemingly serev the same function? Or do they all do something alightly different?

My boyfriend wanted a stupid fireplace screensaver because we have our pc conntected to our tv. Well he downloaded something CALLED 'Relevant Knowledge' that was attached to one of the downloads and I did some research and found out its malware.

I have an eMachine T3418 and service pack 2.
I use Panda Cloud Antivirus but I just installed it after this problem.
I've had this pc for years and never had a problem but believe me I will always have some sort of protection now.

Some helpful things may be :

I tried going to add/remove programs and uninstalling the program obviously to no avail and everytime I turn on my computer I have a error dialog box that says

c:\program files\relevantknowledge\rlls.dll uninstal.exe

it won't go away no matter how many times I press OK.

I tried moving the screensaver files he downloaded into the recycle bin and the empty recycle bin link disappears and when I manually right click to delete it says delete "WINDOWS" and then says it's invalid.

lastly, everytime I follow every step to download CCleaner, SAS, MBAM, I click run once installed and I get the hourglass for a second then nothing happens for each. I can't uninstall and reinstall because it errors and says in use. When I use hijack this everything is successful until I open TRY and open the log and it just does the same thing... nothing. User error? Help please!

Thanks in advance.


Try run the antimalware programs in safe mode.....you might have to rename them.

That's nasty malware and evilfantasy may have to open the magic toolbox to straighten things out.SAS still would not work saying because I was in safe mode and my installer couldn't be found or something but...

HJT did and so did MBAM ; Results are here.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:52 AM, on 8/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\relevantknowledge\rlvknlg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Documents and Settings\All Users\Application Data\SeekappSrch\seekapp147.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Program Files\SeekappSrch\seekappsrch.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\PROGRA~1\Freeze.com\Living Beaches Full\UNINSTAL.EXE
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Documents and Settings\Cassaundra\Desktop\SUPERAntiSpyware.exe
C:\Documents and Settings\Cassaundra\Desktop\SUPERAntiSpyware.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Freeze.com\TROPIC~1\UNINSTAL.EXE
C:\Documents and Settings\Cassaundra\Desktop\SUPERAntiSpyware(2).exe
C:\Documents and Settings\Cassaundra\Desktop\mbam-setup.exe
C:\Documents and Settings\Cassaundra\Desktop\mbam-setup.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [PSUNMain] "C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" /Traybar
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: RelevantKnowledge - c:\program files\relevantknowledge\rlls.dll
O23 - Service: NanoServiceMain - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SeekappSrch Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\SeekappSrch\seekapp147.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4684 bytes


_______________________________________ __________


Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 2 (Safe Mode)

8/22/2009 11:55:57 AM
mbam-log-2009-08-22 (11-55-45).txt

Scan type: Quick Scan
Objects scanned: 86000
Time elapsed: 6 minute(s), 41 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry KEYS Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 3
Files Infected: 13

Memory Processes Infected:
c:\program files\relevantknowledge\rlvknlg.exe (Spyware.Marketscore) -> No action taken.

Memory Modules Infected:
c:\program files\relevantknowledge\rlls.dll (Spyware.Marketscore) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\relevantknowledge (Spyware.Marketscore) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831} (Adware.RelevantKnowledge) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge (Spyware.Marketscore) -> No action taken.
C:\Program Files\RelevantKnowledge (Spyware.Marketscore) -> No action taken.
C:\Program Files\RelevantKnowledge\components (Spyware.Marketscore) -> No action taken.

Files Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\About RelevantKnowledge.lnk (Spyware.Marketscore) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\Privacy Policy and User License Agreement.lnk (Spyware.Marketscore) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\Support.lnk (Spyware.Marketscore) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\Uninstall Instructions.lnk (Spyware.Marketscore) -> No action taken.
C:\Program Files\RelevantKnowledge\chrome.manifest (Spyware.Marketscore) -> No action taken.
C:\Program Files\RelevantKnowledge\install.rdf (Spyware.Marketscore) -> No action taken.
C:\Program Files\RelevantKnowledge\rlls.dll (Spyware.Marketscore) -> No action taken.
C:\Program Files\RelevantKnowledge\rloci.bin (Spyware.Marketscore) -> No action taken.
C:\Program Files\RelevantKnowledge\rlph.dll (Spyware.Marketscore) -> No action taken.
C:\Program Files\RelevantKnowledge\rlservice.exe (Spyware.Marketscore) -> No action taken.
C:\Program Files\RelevantKnowledge\rlvknlg.exe (Spyware.Marketscore) -> No action taken.
C:\Program Files\RelevantKnowledge\rlxf.dll (Spyware.Marketscore) -> No action taken.
C:\Program Files\RelevantKnowledge\components\rlxg.dll (Spyware.Marketscore) -> No action taken.
after going into safe mode I figured it out myself.
now I feel slow for making a big deal about it when it really was as easy as deleting a few files.

thanks for your help otherwise though =)

computer it back in action.Just to be on the safe side you might want to go ahead and let one of the specialist have a look over things to make sure it is completely gone.yeah feel free, I feel skeptical myself but the pop ups are gone + error messages.
but if you guys think of anything else lmk and i'll try it out.You have Viewpoint installed.

Viewpoint Media Player/Manager/Toolbar is considered as Foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad".

More information:

• ViewMgr.exe - Useless
  
• Viewpoint to Plunge Into Adware

• Viewpoint
  
• Viewpoint Manager
  
• Viewpoint Media Player
  
• Viewpoint Toolbar
  
• Viewpoint Experience Technology

I checked my SECURITY centre and my Windows is already up to date. Java still failed to be installed, with the same message.
The Adobe file, AdbeRdr910-en-US.exe, also failed to be installed for the same reason: Error 1606 - could not access network location %APPDATA%\.Can you create a new user account and try to download/install Java from it?

This way we will know if it's the computer itself or just your account.I created a new user account but had the same result with Java. Installation still failed with the same message: could not access network location %APPDATA%/.I'm out of ideas.

Maybe try to scan your computer for faulty FILES.

• Click on Start > Run and type sfc /scannow then press Enter (note the space between scf and /scannow)
  • Let this run undisturbed until the window with the BLUE progress bar goes away

Hello: I use an XP service pack 3 and I have the free AVG Anti-virus completely updated. After updating I did a scan and found two infected files, both infected with Trojan Horse Clicker.ZGZ When I try to REMOVE the infected files, I GET the message from AVG: "Moved OBJECT is bigger than the ARCHIVE size limit" and so it doesn't remove the infected file. What can I do to get RID of this?

What's a little strange, though, is that when I click on "take me to the file" I come up with a file that is two years old. I've done many virus checks in the last two years. Why wasn't this picked up? Is this spurious or a real threat?

Thanks
Dr. D. Again!virues can modify the timestamp
Drd, why not visit this link ,follow the directions and post the three logs. Then we can determine what the problem is.

Hi,

Having received your great advice the other day I HAVER thoroughly cleaned all my computers at home - and they're all running like new.

All that is, except the NEW one!!!!

I've begun to deep clean it and, am at the stage where I have just added Comodo. As the title suggests, the laptop is new and has vista. The firewall with this seems pretty competant and interjects every time u click to DOWNLOAD SOMETHING, breathe out of place or scratch your arse!!!!

Is it necessary/efficient to run another firewall such as Commodo or Zonealarm - or is the WHOLE idea of Vista to be self sufficient?Quote

Is it necessary/efficient to run another firewall such as Commodo or Zonealarm - or is the whole idea of Vista to be self sufficient?

I had posted a topic in the the Windows XP section of the forum previously, but nothing suggested seemed to clear up my problem, so I was told to post here.

What I'm dealing with basically is a few issues, mainly unwanted capitilization of text occuring randomly which is accompanied by other problems including
- INABILITY to send messages on MSN
- inability to click on a single file, as a single click will now highlight/open many files unintentionally
- problems with selecting text, as large blocks will be selected from a single click
- clicking on a link that should just open a new PAGE in the current browser window, now cause an entire new window to open

These are some very frustrating problems, and make it hard to do anything when they appear. It's not the keyboard, as it's happened on more than one. No hotplugging. I regularly run AVG and Spybot. I just started running CCLEANER. I even tried a standard System Recover and no change.

The problem usually occurs after my PC has been actively running while I'm using it for an hour or so. I dl'ed SPEEDFAN and noticed that my GPU, Temp 1 and 2 and Core appear with a 'fire' icon when the problems occur.

I performed all the scans suggested in the sticky and have them attacked in a .txt file.

[attachment deleted by admin]

i will remove one after this is fixed
doesnt seem to conflictI assure you they DO conflict. Anyway, get rid of MCAFEE - it's really the worst out there.Quote from: smeezekitty on August 23, 2009, 03:47:05 PM

i will remove one after this is fixed
doesnt seem to conflict

Smeezekitty, you should run SuperAntispyware and Malwarebytes-Antimalware programs found here and post the logs. Also run HJT again and post the log.

I ATTACHED my logs. I don't know if it is something I should worry about. Just THOUGHT I would GET some advice. My MBAM says I have a worm, but I think it could be wrong. Thanks in ADVANCE for any help.

[attachment deleted by admin]click start click programs click accessories click COMMAND prompt
an type del C:\Users\Public\Favorites\NginuL_na.exeThis may or may not be an issue.....evilfantasy will confirm.

http://www.malwarebytes.org/forums/index.php?showtopic=19837

I got rid of limewire and windows messenger alsoyou have a few things that a malware expert will help you with so wait for one to get in touch please

i'm not an expert and can only help a little

you did right removing limewire

avg takes up a lot of room and tends to slow the pc , try avira or avast both free if you do ask here for avg removal tool

I had Avira on it for a while, I like the AVG better, or maybe I am just more used to it.ok you will have to wait for an expert for the rest , harryDid the Antivirus 2010 get removed?Hello 72GSX. It looks like your computer is clean. If there are no other issues, LET's do some clean-up.


Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

To turn off Windows XP System Restore:

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
8. Restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows XP System Restore:

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
5. Click Apply, and then click OK.

Looking over your log it seems you don't have any evidence of a third PARTY firewall.

Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

Remember only install ONE firewall

1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor
3) Agnitum Outpost
4) PC Tools Firewall Plus

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Use the Secunia Software Inspector to check for out of date software.

•Click Start Now

•Check the box next to Enable thorough system inspection.

•Click Start

•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop CERTAIN cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Safe Surfing. sorry dave i did not see you on before , harry The computer that had the problems has a router card installed in it and is connected to the DSL, I have my PC and sometimes another PC hooked into the router card, A small home network I guess I would call it.

If I put a firewall on the main PC will it protect other PC's plugged into it? Or will it block the other PC's from working on line?

Tomhi tom , me again , a good QUESTION

if you have completed everything that dave asked you to do , i would ask that question in the software forum

on the home page , you will get experts there for that type of thing, harryHi, Sorry for not getting back right away. I did most everything suggested to the PC, the only problem I had was when I installed a firewall, I couldn't get it to let my other computer go on line, so for now I just removed it. It was the On line Armor that I tried. It didn't say anything about it but do I have to turn off or disable the windows firewall when adding a different one?

No more problems with the 2010 scam deal popping up and its working good again so it must not have damaged anything while it was on it.

Tomjust use windows firewall it is good 5 YEARS iv'e had it just keep windows up to date

Morning SD,
The Scan said, No Threats Found. It did not give me an option to download a text file. I think that is really good, right? If not I can try running it again. Thank you.
-R If is said "no threats found" it look like your computer is clean. If there are no other issues, it's time for some clean-up. You can uninstall HTJ but you can keep SAS and MBAM. Update them and run them about once a week.

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will CLOSE all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

Use the Secunia Software Inspector to check for out of date software.

•Click Start Now

•Check the box next to Enable thorough system inspection.

•Click Start

•Allow the scan to FINISH and scroll down to see if any updates are needed.
•Update anything listed.
.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT WARNS you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain COOKIES from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Safe Surfing!

Hi, first post coming here but I had the exact same problem from a rogue anto-virus software called internet security2010, i got RID of the anti-virus with SPYWARE DOCTOR, and fixed the obviously FAKE background with the file suggested on the first page of this thread, and it worked! So I hope you can fix yours soonPlease go to this link and follow the DIRECTIONS and post the required logs.

HI everyone, my boyfriend and I have a computer and his sister set it up for us. She has him as the "ADMINISTRATOR" and me I guess as a regular user. She is on vacation, so I can't ask her and I know the computer has a virsus because it didn't have any protection when my bf started to use it and it is really, really slow. I brought Norton anti-virus and want to install it, but it will not let me install it because I am not the administrator. How do I make myself an administrator??? thank you. I want to install it but my bf thinks we don't need it so that is why he is not installing it, so I have to do it!You have to be an administrator to change user account rights. Sorry, but you'll have to ask your boyfriend to either install it or make you an administrator too.okay thank you I will try!That, or log in as your bf.

Alan <>< thats a good one!! he won't let me know what is password is, but I won't let him know mine

But you would think with a computer that I would be ABLE to do it, since I am set up, he doesn't think that we need the Norton because we have verizon as our computer service and he thinks they take care of everything. So if he won't set me up as administrator because I think you can have more than one admin. he will screw the computer up and then we won't have one!! the computer is acting so weird and so, I am almost positive it has a virus, First, having no antivirus I garuntee you have an infection.
Second, Verizon (the internet service) does not to anything regarding malware and viruses. To TRUST a Service Provider with your computer's security is very foolish. (no offense intended) An antivirus software is absolutely necessary.
Third, having more than one administrator accounts will not damage the computer in any way.Time for a new bf?

Alan <>< Your boyfriend is probably a nice person, but tell him to back away from his passive-agressive stance, and grant you admin. rights...or, when it all crashes, SHRUG, and say, "Hey, I'm not the administrator."

latest update

Ok, we did the file cabinet backup according to instructions from the AOL support site and reinstalled AOL 9.0. After checking various sites it looked like the problem was resolved.

Unfortunately after about 3 hours or so, the user closed down the internet window on AOL and IE opened up a window with multiple tabs of the same page.

And to top it off when we tried to restore the file cabinet we got a message that there was not backup. The file was saved twice in the documents folder as well as once on the desktop. The backup will open up if we use File>Open on the AOL taskbar but in ORDER to get the emails back into AOL each one has to be opened and saved to pfc on the computer. There are HUNDREDS of emails!

I know these are two different problems but the latter would not be in effect without symptoms of the former.

Please, please, any thoughts to fix either are appreciated.
Reset IE's default settings: http://support.microsoft.com/kb/923737Thanks, passed the link on to the user. I will let you know how it goes.
No luck on resetting IE, it was reset but the problem with opening up multiple tabs of the same page on AOL internet closing is still happening. Very VERY annoying.Ok, fixed the file cabinet problem. The IE problem is still rearing it's ugly head. Now 2 WINDOWS open up, each with multiple tabs of the same page that was closed when using AOL to get on the internet. The only way to close the windows is to use the task manager and close AOL and then the IE windows.

I advised that she should use AOL just for her email and to use Firefox for the internet. More complicated than she wants but it should work.

And as another cherry on this sundae of busted, we can not restore to a restore point of 2 months ago. The computer goes through the motions and RESTARTS, but gives the message that it can not be restored to the date chosen. We tried May 1 and May 15 and got the same message.ok, new developments. The user was having problems with IE opening up after closing the AOL so decided to download IE8. Now the computer appears to be bricked, when the power button is pressed the fan starts, the cd and dvd drives blink but nothing else happens. Tomorrow I am heading there to either get it running or roll back to IE7.

My friend has a computer that runs ultra slow.

*****
32-bit computer
HP PAVILION dv6700 Notebook PC, 1.0 GHZ, 4 Gigs of RAM, AMD Athlon 64 X2 Dual-Core Processor TK-57
Vista SP2
Anti-Virus: Norton 360 Premiere Edition
Spyware: Super AntiSpyware
*****
Boot up takes about 5 minutes or longer and general browsing on the computer is like we were using an old 486.

I followed the steps posted in the "Malware Removal GUIDE" thread. Attached are the logs required. Please help! THANK you!


[attachment deleted by admin]

OK I think we finally got all of that.


• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.
.

• The above procedure will:
• Delete the following:
• ComboFix and its associated files and folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.
.
----------

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

Can you please check through this log to see if there is anything bad on ym system? thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:04:09, on 01/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows LIVE\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\BurnAware Free\nmsaccessu.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spotify\spotify.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\IObit\IObit Security 360\IObit Security 360.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1237311651968
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} (F-Secure Health Check 1.1) - http://www.utvinternet.com/Residential/ClicksilverBroadband/PCHC/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper FLAGS Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe
O23 - Service: GOOGLE Update Service (gupdate1c9d95539169a80) (gupdate1c9d95539169a80) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IS360service - Unknown owner - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\BurnAware Free\nmsaccessu.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7997 bytes

Ok, I got the laptop and sure enough the application for IE was missing from c:\program files\Internet Explorer. I tried to load IE6 but got a message that a later VERSION was already loaded. I tried to load IE7 but for some strange reason got a Proxy timeout from the DOE. I tried to load IE8, but part of the install process is updating, and with no working IE that failed. Finally installed the latest Firefox and made that default, now the laptop can get online.

Installed the programs and the SCANS are below:

Superantispyware - first scan

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/01/2009 at 09:01 PM

Application Version : 4.26.1006

Core Rules Database Version : 3952
Trace Rules Database Version: 1894

Scan type : Complete Scan
Total Scan Time : 00:42:14

Memory items scanned : 769
Memory threats detected : 0
Registry items scanned : 5963
Registry threats detected : 0
File items scanned : 22124
File threats detected : 67

Adware.Tracking Cookie
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected]roll[1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][2].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected][1].txt
C:\Documents and Settings\admin\Cookies\[emailprotected]live[2].txt

second scan

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/01/2009 at 10:08 PM

Application Version : 4.26.1006

Core Rules Database Version : 3952
Trace Rules Database Version: 1894

Scan type : Complete Scan
Total Scan Time : 00:51:39

Memory items scanned : 753
Memory threats detected : 0
Registry items scanned : 5962
Registry threats detected : 0
File items scanned : 22181
File threats detected : 0

Malwarebytes scan

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 2

7/1/2009 8:04:23 PM
mbam-log-2009-07-01 (20-04-23).txt

Scan type: Quick Scan
Objects scanned: 61857
Time elapsed: 12 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hijackthis scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:21 PM, on 7/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Microsoft SHARED Computer Toolkit\bin\SRVANY.EXE
C:\Program Files\Microsoft Shared Computer Toolkit\bin\SCTThresholdMonitor.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Cisco Systems\CSAgent\bin\CSAControl.exe
C:\Program Files\Cisco Systems\CSAgent\bin\leventmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\Drivers\ldlcserv.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Apoint\HidFind.exe
c:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://schools.nyc.gov/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.nycboe.org/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8002
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DIR] Dir /w
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [KADxMain] c:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ATICCC] "c:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Check Windows Disk Protection.lnk = C:\Program Files\Microsoft Shared Computer Toolkit\CheckWDP.hta (User 'SYSTEM')
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: Check Windows Disk Protection.lnk = C:\Program Files\Microsoft Shared Computer Toolkit\CheckWDP.hta (User 'Default user')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT User Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Cisco Security Agent.lnk = C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.cybershift.net
O15 - Trusted Zone: http://*.nycboe.net
O15 - Trusted Zone: http://*.nycenet.edu
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189458741687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189458561375
O20 - AppInit_DLLs: csauser.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Security Agent (CSAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CSAgent\bin\CSAControl.exe
O23 - Service: DataSvr2 - Unknown owner - C:\Program Files\Wave Systems Corp\Common\DataServer.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ldlcserv - IBM Corporation - C:\WINDOWS\system32\Drivers\ldlcserv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SCTThresholdMonitor (SCTThresholdMon) - Unknown owner - C:\Program Files\Microsoft Shared Computer Toolkit\bin\SRVANY.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: TrcBoot - IBM Corporation - C:\WINDOWS\system32\drivers\trcboot.exe
O23 - Service: WDPOperations - Unknown owner - C:\Program Files\Microsoft Shared Computer Toolkit\bin\SRVANY.EXE
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 1: (no name) - http://www.childrenfirstintensive.com/laptop

--
End of file - 14473 bytes


In addition I ran ccleaner and removed almost 1gb of junk, ran spybot and FOUND nothing.

What do you think? Thanks

I have RESTARTED and run MBAM and HJT a few more times and seem to have gotten the last of the evidence of the INFECTION... THANKS for your HELP, we're very very busy right now so DEALING with a stubborn computer problem was not high on my list...

Thanks again!

Hello,

I have read the thread and I seem to have the same problem.

I dont know if the same solution would apply in my case so I start again giving the DDS logs:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Guillaume at 1:05:58.93 on 02-07-2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.91.1033.18.3069.1944 [GMT 2:00]

SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_805f33de\STacSV.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\vfsFPService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\DigitalPersona\Bin\DpHostW.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_805f33de\aestsrv.exe
C:\Windows\system32\agrsmsvc.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Users\Guillaume\Desktop\gmer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conime.exe
C:\Users\Guillaume\Desktop\dds.pif
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.HP.com/svs/rdr?TYPE=3&tp=iehome&locale=en_in&c=91&bd=Pavilion&pf=cnnb
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_in&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_in&c=91&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_in&c=91&bd=Pavilion&pf=cnnb
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ares] "c:\program files\ares\Ares.exe" -h
mRun: [DpAgent] c:\program files\digitalpersona\bin\dpagent.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
TCP: NameServer = 85.255.112.68,85.255.112.66
TCP: {0ECBD136-23E9-41FE-8373-11C4F97608E6} = 85.255.112.68,85.255.112.66
TCP: {9737D2AB-68FA-4999-B25B-0AF3DAF71C2D} = 85.255.112.68,85.255.112.66
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
LSA: Notification Packages = scecli DPPWDFLT

================= FIREFOX ===================

FF - ProfilePath - c:\users\guilla~1\appdata\roaming\mozilla\firefox\profiles\7epg4avp.default\
FF - component: c:\program files\digitalpersona\bin\firefoxext\components\dpffcli.dll
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\users\guillaume\appdata\local\google\update\1.2.183.7\npGoogleOneClick8.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-1 64160]
R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/01/21 03:06:23];c:\program files\hewlett-packard\media\dvd\000.fcl [2008-11-29 87536]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_805f33de\AEstSrv.exe [2009-1-21 77824]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 921936]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2009-2-19 365952]
R2 TVCapSvc;TV Background Capture Service (TVBCS);c:\program files\hewlett-packard\media\tv\kernel\tv\TVCapSvc.exe [2008-11-27 296320]
R2 TVSched;TV Task Scheduler (TVTS);c:\program files\hewlett-packard\media\tv\kernel\tv\TVSched.exe [2008-11-27 116096]
R2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2008-11-18 599344]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-9-4 54784]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2009-1-21 22072]
S2 gupdate1c9e16bff8dc080;Google Update Service (gupdate1c9e16bff8dc080);c:\program files\google\update\GoogleUpdate.exe [2009-5-30 133104]
S3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-2-19 222512]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-5-18 33176]
S3 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2008-3-19 19456]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-10-23 107360]

=============== Created Last 30 ================

2009-07-02 00:30--d-----c:\program files\common files\Wise Installation Wizard
2009-07-02 00:17--d-----c:\program files\Trend Micro
2009-07-02 00:16206,178,511a-------c:\windows\MEMORY.DMP
2009-07-01 23:5815,688a-------c:\windows\system32\lsdelete.exe
2009-07-01 21:1764,160a-------c:\windows\system32\drivers\Lbd.sys
2009-07-01 21:17-cd-h---c:\programdata\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-07-01 21:17-cd-h---c:\progra~2\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-07-01 21:17--d-----c:\program files\Lavasoft
2009-07-01 13:42--d-----c:\users\guilla~1\appdata\roaming\.clamwin
2009-07-01 13:41--d-----c:\programdata\.clamwin
2009-07-01 13:41--d-----c:\program files\ClamWin
2009-07-01 13:41--d-----c:\progra~2\.clamwin
2009-06-30 14:57107,368a-------c:\windows\system32\GEARAspi.dll
2009-06-30 14:5715,464a-------c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-30 14:57--d-----c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-06-30 14:57--d-----c:\progra~2\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-06-30 12:57--d-----c:\users\guilla~1\appdata\roaming\Symantec
2009-06-30 12:49--d-----c:\program files\common files\Symantec Shared
2009-06-25 17:15--d-----c:\programdata\AVS4YOU
2009-06-25 17:15--d-----c:\progra~2\AVS4YOU
2009-06-25 17:15--d-----c:\users\guilla~1\appdata\roaming\AVS4YOU
2009-06-25 17:12974,848a-------c:\windows\system32\mfc70.dll
2009-06-25 17:12487,424a-------c:\windows\system32\msvcp70.dll
2009-06-25 17:12344,064a-------c:\windows\system32\msvcr70.dll
2009-06-25 17:12--d-----c:\program files\common files\AVSMedia
2009-06-25 17:121,700,352a-------c:\windows\system32\GdiPlus.dll
2009-06-25 17:1224,576a-------c:\windows\system32\msxml3a.dll
2009-06-25 17:12--d-----c:\program files\AVS4YOU
2009-06-24 10:36--d-----c:\users\guillaume\group
2009-06-21 16:43--d-----C:\mwdumper
2009-06-21 01:382,412,042a-------C:\mwdumper.jar
2009-06-17 22:34--d-----c:\users\guilla~1\appdata\roaming\Mozilla Embedded Browser
2009-06-17 18:12--d-----C:\Downloads
2009-06-14 13:5986,096a-------c:\windows\system32\php_mysqli.dll
2009-06-14 13:5945,135a-------c:\windows\system32\php_mysql.dll
2009-06-09 16:01--d-----C:\php5
2009-06-08 23:00--d-----c:\program files\Microsoft Visual Studio 8
2009-06-07 16:38--d-----c:\programdata\Lavasoft
2009-06-07 13:48--d-----c:\users\guillaume\Grupo
2009-06-06 11:23--d-----c:\users\guilla~1\appdata\roaming\Software
2009-06-06 11:23--d-----c:\program files\Quest Software
2009-06-06 11:23--d-----c:\program files\common files\Quest Shared
2009-06-05 20:43--d-----C:\wamp
2009-06-04 11:52--d-----c:\programdata\muvee Technologies
2009-06-02 15:09--d-----c:\users\guillaume\Divers
2009-06-02 11:54--d-----c:\users\guilla~1\appdata\roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-06-02 10:46--d-----c:\users\guilla~1\appdata\roaming\SolidDocuments
2009-06-02 10:4513,560a-------c:\windows\system32\solidlocalui.dll
2009-06-02 10:4521,240a-------c:\windows\system32\solidlocalmon.dll
2009-06-02 10:44--d-----c:\programdata\SolidDocuments
2009-06-02 10:44--d-----c:\progra~2\SolidDocuments

==================== Find3M ====================

2009-07-01 12:1786,016a-------c:\windows\inf\infstrng.dat
2009-07-01 12:1786,016a-------c:\windows\inf\infstor.dat
2009-07-01 12:1751,200a-------c:\windows\inf\infpub.dat
2009-05-18 14:182,076,672a-------c:\windows\system32\libmysql.dll
2009-05-16 10:2598,304a-------c:\windows\system32\CmdLineExt.dll
2009-05-14 04:160a--SHR--c:\windows\system32\drivers\103C_HP_cNB_Pavilion dv5 Notebook PC_Y5335KV_0U_QCNF9143YJF_E517901-371_4A_I3600_SHP_V98.32_F.23_T090105_WV3-1_L409_M3069_J320_
7AMD_8F31_92.20_#090121_N10EC8168;168C001C_(NU324PA#ACJ)_XMOBILE_CN10_Z_2Rev 1.MRK
2009-05-01 20:303,366,912a-------c:\windows\system32\GPhotos.scr
2009-03-25 14:137,100,928a-------c:\program files\PocketDivXEncoder_0.3.96.exe
2009-01-21 13:00665,600a-------c:\windows\inf\drvindex.dat
2008-01-21 04:43174a--sh---c:\program files\desktop.ini
2006-11-02 14:42287,440a-------c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 14:42287,440a-------c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 14:4230,674a-------c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 14:4230,674a-------c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 11:20287,440a-------c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 11:20287,440a-------c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 11:2030,674a-------c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 11:2030,674a-------c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 1:06:30.45 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 21-01-2009 11:19:10
System Uptime: 07-02-2009 00:41:30 (3481 hours ago)

Motherboard: HP | | 3600
Processor: AMD Turion(tm) X2 Dual-Core Mobile RM-74 | Socket M2/S1G1 | 2200/1800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 287 GiB total, 86.189 GiB free.
D: is FIXED (NTFS) - 11 GiB total, 1.857 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP26: 18-05-2009 16:52:24 - Installed MySQL Server 5.1
RP27: 18-05-2009 17:18:17 - Removed MySQL Server 5.1
RP28: 18-05-2009 19:05:39 - Installed MySQL Server 5.1
RP29: 18-05-2009 19:08:52 - Removed MySQL Server 5.1
RP30: 18-05-2009 21:23:52 - Windows Update
RP31: 19-05-2009 21:18:33 - Installed AVG Free 8.5
RP36: 20-05-2009 15:11:18 - Windows Update
RP37: 20-05-2009 22:26:05 - Installed MySQL Server 5.1
RP38: 20-05-2009 22:30:12 - Removed MySQL Server 5.1
RP39: 21-05-2009 08:58:04 - Windows Update
RP40: 24-05-2009 15:41:14 - Scheduled Checkpoint
RP41: 25-05-2009 19:53:23 - Windows Update
RP42: 26-05-2009 11:12:03 - Installed Opera 9.64
RP43: 26-05-2009 12:03:07 - Installed MySQL Server 5.1
RP44: 28-05-2009 16:07:30 - Windows Update
RP45: 28-05-2009 16:23:53 - Windows Update
RP48: 29-05-2009 11:21:15 - Installed Apache HTTP Server 2.0.63
RP49: 30-05-2009 15:04:57 - Scheduled Checkpoint
RP50: 01-06-2009 12:54:18 - Scheduled Checkpoint
RP51: 02-06-2009 09:59:08 - Windows Update
RP52: 02-06-2009 11:57:34 - Removed Solid Converter PDF v4
RP53: 02-06-2009 12:03:56 - Removed Adobe Reader 9.
RP54: 02-06-2009 12:09:10 - Installed Adobe Reader 8.1.0
RP55: 02-06-2009 12:19:45 - Removed Adobe Reader 8.1.0
RP56: 02-06-2009 12:26:42 - Removed Acrobat.com
RP127: 02-07-2009 00:40:23 - Restore Operation

==== Installed Programs ======================

Acrobat.com
ActiveCheck component for HP Active Support Library
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.1
Adobe Shockwave Player
Agere Systems HDA Modem
AMD USB Audio Driver Filter
Atheros Driver Installation Program
ATI Catalyst Install Manager
Caesar IV
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
ClamWin Free Antivirus 0.95.2
CyberLink DVD Suite
DigitalPersona Personal 4.0
ESU for Microsoft Vista
FileZilla CLIENT 3.2.4.1
GearDrvs
Google Chrome
Google Earth
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Common Access Service Library
HP Customer Experience Enhancements
HP Doc Viewer
HP Help and Support
HP Integrated Module with Bluetooth wireless technology 6.0.1.6204
HP MediaSmart DVD
HP MediaSmart Music/Photo/Video
HP MediaSmart SmartMenu
HP MediaSmart TV
HP MediaSmart Webcam
HP MULTIPLE MODEM INSTALLER for VISTA
HP Quick Launch Buttons 6.40 L1
HP Total Care Advisor
HP Total Care Setup
HP Update
HP Wireless Assistant
HPAsset component for HP Active Support Library
HPNetworkAssistant
IDT Audio
Java(TM) 6 Update 7
JMicron JMB38X Flash Media Controller Driver
LabelPrint
LightScribe System Software 1.14.17.1
Microsoft .NET Framework 3.5 SP1
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Mozilla Firefox (3.0.11)
MSXML 4.0 SP2 (KB954430)
My HP Games
MySQL Server 5.1
Norton Internet Security
Nvu 1.0PR
Opera 9.64
PHP 5.2.9-2
Picasa 3
Power2Go
PowerDirector
ProtectSmart Hard Drive Protection
Quest Software Toad for MySQL Freeware 4.1
Realtek 8169 8168 8101E 8102E Ethernet Driver
Skins
Skype™ 4.0
Synaptics Pointing Device Driver
Validity Sensors software
VLC media player 0.9.9
WampServer 2.0
Windows Driver Package - ENE (enecir) HIDClass (09/04/2008 2.6.0.0)
WinRAR archiver

==== Event Viewer Messages From Past Week ========

30-06-2009 21:16:57, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LiveUpdate Notice service.
30-06-2009 21:16:27, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the CLTNetCnService service.
30-06-2009 21:15:57, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ccSetMgr service.
30-06-2009 21:15:27, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ccEvtMgr service.
30-06-2009 14:33:19, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer hp psc 1300 series with shared resource name hp psc 1300 series. Error 2114. The printer cannot be used by others on the network.
30-06-2009 14:33:07, Error: Service Control Manager [7022] - The IPsec Policy Agent service hung on starting.
30-06-2009 14:30:21, Error: EventLog [6008] - The previous system shutdown at 14:21:55 on 30-06-2009 was unexpected.
29-06-2009 23:05:02, Error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort0.
29-06-2009 10:44:45, Error: Service Control Manager [7000] - The AVG Free On-access Scanner Minifilter Driver x86 service failed to start due to the following error: The system cannot find message text for message number 0xAVG Free On-access Scanner Minifilter Driver x86 in the message file for The system cannot find message text for message number 0x%1 in the message file for %2..
29-06-2009 10:44:43, Error: Service Control Manager [7000] - The AVG Free AVI Loader Driver x86 service failed to start due to the following error: The system cannot find message text for message number 0xAVG Free AVI Loader Driver x86 in the message file for The system cannot find message text for message number 0x%1 in the message file for %2..
27-06-2009 22:17:05, Error: EventLog [6008] - The previous system shutdown at 22:10:26 on 27-06-2009 was unexpected.
26-06-2009 10:38:11, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.34 for the Network Card with network address 00242C2F27B4 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
25-06-2009 22:35:15, Error: EventLog [6008] - The previous system shutdown at 22:29:40 on 25-06-2009 was unexpected.
25-06-2009 12:52:30, Error: Microsoft-Windows-ResourcePublication [1002] - Element Provider\Microsoft.Base.Publication/Publication/Computer failed to publish. Ensure that both PKEY_PUBSVCS_METADATA and PKEY_PUBSVCS_TYPE are set properly on the function instance and there were no errors adding the function instance.
25-06-2009 12:52:28, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.33 for the Network Card with network address 00242C2F27B4 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
25-06-2009 09:47:17, Error: PlugPlayManager [12] - The device 'JMB38X xD Host Controller' (PCI\VEN_197B&DEV_2384&SUBSYS_3600103C&REV_00\4&2c5d624a&0&0450) disappeared from the system without first being prepared for removal.
25-06-2009 09:47:17, Error: PlugPlayManager [12] - The device 'JMB38X SD/MMC Host Controller' (PCI\VEN_197B&DEV_2382&SUBSYS_3600103C&REV_00\4&2c5d624a&0&0150) disappeared from the system without first being prepared for removal.
25-06-2009 09:47:17, Error: PlugPlayManager [12] - The device 'JMB38X SD Host Controller' (PCI\VEN_197B&DEV_2381&SUBSYS_3600103C&REV_00\4&2c5d624a&0&0250) disappeared from the system without first being prepared for removal.
25-06-2009 09:47:17, Error: PlugPlayManager [12] - The device 'JMB38X MS Host Controller' (PCI\VEN_197B&DEV_2383&SUBSYS_3600103C&REV_00\4&2c5d624a&0&0350) disappeared from the system without first being prepared for removal.
25-06-2009 09:47:05, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
02-07-2009 00:34:16, Error: EventLog [6008] - The previous system shutdown at 00:32:57 on 02-07-2009 was unexpected.
02-07-2009 00:32:30, Error: EventLog [6008] - The previous system shutdown at 00:30:20 on 02-07-2009 was unexpected.
02-07-2009 00:21:29, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
02-07-2009 00:17:50, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
02-07-2009 00:17:49, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
02-07-2009 00:17:15, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
02-07-2009 00:17:15, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
02-07-2009 00:17:14, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
02-07-2009 00:17:13, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
02-07-2009 00:17:05, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
02-07-2009 00:16:48, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx Wanarpv6
02-07-2009 00:16:48, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
02-07-2009 00:16:48, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
02-07-2009 00:16:48, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
02-07-2009 00:16:48, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
02-07-2009 00:16:48, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
02-07-2009 00:16:48, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
02-07-2009 00:16:48, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
02-07-2009 00:16:48, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
02-07-2009 00:16:48, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
02-07-2009 00:16:48, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
02-07-2009 00:16:48, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
02-07-2009 00:16:48, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
02-07-2009 00:16:48, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
02-07-2009 00:16:48, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
02-07-2009 00:16:42, Error: EventLog [6008] - The previous system shutdown at 00:14:15 on 02-07-2009 was unexpected.
01-07-2009 21:17:31, Error: Service Control Manager [7030] - The Lavasoft Ad-Aware Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
01-07-2009 13:32:19, Error: Service Control Manager [7023] - The Secure Socket Tunneling Protocol Service service terminated with the following error: The RPC server is unavailable.
01-07-2009 13:32:19, Error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Secure Socket Tunneling Protocol Service service which failed to start because of the following error: The RPC server is unavailable.
01-07-2009 12:16:04, Error: Service Control Manager [7031] - The Symantec Settings Manager service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
01-07-2009 12:16:04, Error: Service Control Manager [7031] - The Symantec Event Manager service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 200 milliseconds: Restart the service.

==== End Of File ===========================


Thanks in advance for helping me out here.Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

DO NOT run it yet!

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]KillAll::

DDS::
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
mURLSearchHooks: H - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TCP: NameServer = 85.255.112.68,85.255.112.66
TCP: {0ECBD136-23E9-41FE-8373-11C4F97608E6} = 85.255.112.68,85.255.112.66
TCP: {9737D2AB-68FA-4999-B25B-0AF3DAF71C2D} = 85.255.112.68,85.255.112.66

Folder::
c:\program files\avg

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

----------

Your Java is out of date.

Older versions have vulnerabilities that malicious sites can use to infect your system.

First install the new Sun Java Runtime Environment

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close all browser windows before beginning the install.

Remove the old version(s)

Download JavaRa
* Unzip the file and open the JavaRa.exe
* Click Remove Older Versions
* JavaRa will search for and remove any outdated version of Java and remove any that are found.
* Click Additional Tasks
* Place a check next to Remove Useless JRE Files and click Go
* Exit JavaRa
* Delete the JavaRa files from the Desktop

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.
Sorry, forgot this.

Download Security Check from one of the following links and save it to your Desktop.

Link 1
Link 2

* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.[/list]

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

----------

Also let me know what antivirus you prefer to use. I see ClamWin and Norton but it looks like Norton isn't running.Hi,


Thanks for the quick reply.

I am using ClamWin now.

The log after running ComboFIx is here:


ComboFix 09-07-01.01 - Guillaume 02-07-2009 1:58.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.91.1033.18.3069.2062 [GMT 2:00]
Running from: c:\users\Guillaume\Desktop\ComboFix1.exe
Command switches used :: c:\users\Guillaume\Desktop\CFScript.txt
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\gxvxcoxyqisirdbgrshqltjfqpnppynxitbow.sys
c:\windows\system32\gxvxccount
c:\windows\system32\gxvxckvcnewtfoyxnwodiwnsxjpnofqpdpnuw.dll
c:\windows\system32\gxvxcxtsvyvnqvjtubxrlrdhegupcxbdluvhf.dll
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
D:\Desktop.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))
.

2009-07-02 00:18 . 2009-07-02 00:18--------d-----w-c:\users\Guillaume\AppData\Local\temp
2009-07-01 23:41 . 2009-07-01 23:41410984----a-w-c:\windows\system32\deploytk.dll
2009-07-01 22:30 . 2009-07-01 22:30--------d-----w-c:\program files\Common Files\Wise Installation Wizard
2009-07-01 22:17 . 2009-07-01 22:17--------d-----w-c:\program files\Trend Micro
2009-07-01 21:58 . 2009-01-18 21:3515688----a-w-c:\windows\system32\lsdelete.exe
2009-07-01 19:17 . 2009-01-18 21:3064160----a-w-c:\windows\system32\drivers\Lbd.sys
2009-07-01 19:17 . 2009-07-01 19:17--------dc-h--w-c:\programdata\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-07-01 19:17 . 2009-01-18 21:432892112-c--a-w-c:\programdata\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.exe
2009-07-01 19:17 . 2009-07-01 19:17--------d-----w-c:\program files\Lavasoft
2009-07-01 11:42 . 2009-07-01 11:48--------d-----w-c:\users\Guillaume\AppData\Roaming\.clamwin
2009-07-01 11:41 . 2009-07-01 11:41--------d-----w-c:\programdata\.clamwin
2009-07-01 11:41 . 2009-07-01 11:41--------d-----w-c:\program files\ClamWin
2009-06-30 12:57 . 2008-04-17 11:1215464----a-w-c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-30 12:57 . 2008-04-17 11:12107368----a-w-c:\windows\system32\GEARAspi.dll
2009-06-30 12:57 . 2009-06-30 12:57--------d-----w-c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-06-30 10:57 . 2009-07-01 07:40--------d-----w-c:\users\Guillaume\AppData\Roaming\Symantec
2009-06-30 10:49 . 2009-07-01 11:31--------d-----w-c:\program files\Common Files\Symantec Shared
2009-06-30 09:08 . 2009-06-30 09:08--------d-----w-c:\users\Public\InOut
2009-06-29 21:20 . 2009-06-29 21:20680----a-w-c:\users\Guillaume\AppData\Local\d3d9caps.dat
2009-06-25 15:15 . 2009-06-25 15:15--------d-----w-c:\programdata\AVS4YOU
2009-06-25 15:15 . 2009-06-25 15:15--------d-----w-c:\users\Guillaume\AppData\Roaming\AVS4YOU
2009-06-25 15:12 . 2009-07-01 19:11--------d-----w-c:\program files\Common Files\AVSMedia
2009-06-25 15:12 . 2003-05-21 21:50344064----a-w-c:\windows\system32\msvcr70.dll
2009-06-25 15:12 . 2002-01-05 12:48974848----a-w-c:\windows\system32\mfc70.dll
2009-06-25 15:12 . 2002-01-05 11:40487424----a-w-c:\windows\system32\msvcp70.dll
2009-06-25 15:12 . 2009-07-01 19:11--------d-----w-c:\program files\AVS4YOU
2009-06-25 15:12 . 2008-07-11 09:521700352----a-w-c:\windows\system32\GdiPlus.dll
2009-06-25 15:12 . 2003-05-21 21:5024576----a-w-c:\windows\system32\msxml3a.dll
2009-06-24 08:36 . 2009-06-25 11:14--------d-----w-c:\users\Guillaume\group
2009-06-21 14:43 . 2009-06-21 14:43--------d-----w-C:\mwdumper
2009-06-17 20:34 . 2009-06-22 17:55--------d-----w-c:\users\Guillaume\AppData\Roaming\Mozilla Embedded Browser
2009-06-17 16:12 . 2009-06-24 15:20--------d-----w-C:\Downloads
2009-06-15 12:58 . 2009-06-15 12:58--------d-----w-c:\users\Guillaume\AppData\Local\Quest Software
2009-06-14 11:59 . 2009-04-09 06:2586096----a-w-c:\windows\system32\php_mysqli.dll
2009-06-14 11:59 . 2009-04-09 06:2545135----a-w-c:\windows\system32\php_mysql.dll
2009-06-09 14:01 . 2009-06-09 14:01--------d-----w-C:\php5
2009-06-08 21:03 . 2009-06-08 21:03--------d-----w-c:\program files\Microsoft Works
2009-06-08 21:00 . 2009-06-08 21:00--------d-----w-c:\program files\Microsoft Visual Studio 8
2009-06-08 20:59 . 2009-06-08 20:59--------d-----w-c:\users\Guillaume\AppData\Local\Microsoft Help
2009-06-08 20:58 . 2009-06-08 20:58--------d--h--r-C:\MSOCache
2009-06-08 20:39 . 2009-06-08 20:39--------d-----w-c:\users\Guillaume\AppData\Local\Seven Zip
2009-06-07 14:38 . 2009-07-01 19:17--------d-----w-c:\programdata\Lavasoft
2009-06-07 14:32 . 2009-06-07 14:32--------d-----w-c:\windows\Sun
2009-06-07 11:48 . 2009-06-07 11:53--------d-----w-c:\users\Guillaume\Grupo
2009-06-06 09:23 . 2009-06-06 09:233584----a-r-c:\users\Guillaume\AppData\Roaming\Microsoft\Installer\{D58340FF-57D2-4AF3-81DB-073DDD4FAEA9}\IconTmpl7.15B59236_99D3_4DBB_BC63_B5BF7D73F468.exe
2009-06-06 09:23 . 2009-06-06 09:23244224----a-r-c:\users\Guillaume\AppData\Roaming\Microsoft\Installer\{D58340FF-57D2-4AF3-81DB-073DDD4FAEA9}\Icon8EEA8E04.exe
2009-06-06 09:23 . 2009-06-06 09:23--------d-----w-c:\users\Guillaume\AppData\Roaming\Software
2009-06-06 09:23 . 2009-06-06 09:23--------d-----w-c:\program files\Common Files\Quest Shared
2009-06-06 09:23 . 2009-06-06 09:23--------d-----w-c:\program files\Quest Software
2009-06-05 18:43 . 2009-06-09 15:50--------d-----w-C:\wamp
2009-06-04 09:52 . 2009-06-04 09:52--------d-----w-c:\programdata\muvee Technologies
2009-06-04 09:51 . 2009-06-04 09:52--------d-----w-c:\users\Guillaume\AppData\Roaming\muvee Technologies
2009-06-02 13:09 . 2009-06-29 11:41--------d-----w-c:\users\Guillaume\Divers
2009-06-02 11:38 . 2009-06-02 11:38--------d-----w-c:\program files\Common Files\Adobe AIR
2009-06-02 10:09 . 2009-06-02 11:37--------d-----w-c:\program files\Common Files\Adobe
2009-06-02 09:54 . 2009-06-02 09:54--------d-----w-c:\users\Guillaume\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-06-02 08:46 . 2009-06-02 08:50--------d-----w-c:\users\Guillaume\AppData\Roaming\SolidDocuments
2009-06-02 08:45 . 2008-08-01 16:3213560----a-w-c:\windows\system32\solidlocalui.dll
2009-06-02 08:45 . 2008-08-01 16:3221240----a-w-c:\windows\system32\solidlocalmon.dll
2009-06-02 08:44 . 2009-06-02 08:44--------d-----w-c:\programdata\SolidDocuments

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-01 23:57 . 2009-01-21 10:1812----a-w-c:\windows\bthservsdp.dat
2009-07-01 23:41 . 2009-02-19 11:40--------d-----w-c:\program files\Java
2009-07-01 11:31 . 2009-02-19 09:35--------d-----w-c:\programdata\Symantec
2009-06-29 22:28 . 2009-02-19 10:26--------d-----w-c:\program files\Microsoft SQL Server
2009-06-29 22:24 . 2009-02-19 10:23--------d-----w-c:\program files\Microsoft.NET
2009-06-29 22:12 . 2009-05-26 17:09--------d-----w-c:\users\Guillaume\AppData\Roaming\NuSphere
2009-06-29 22:09 . 2009-02-19 10:02--------d-----w-c:\programdata\WildTangent
2009-06-29 22:09 . 2009-02-19 10:02--------d-----w-c:\program files\HP Games
2009-06-23 16:00 . 2009-05-22 11:29--------d-----w-c:\users\Guillaume\AppData\Roaming\CyberLink
2009-06-20 18:12 . 2009-05-26 11:00--------d-----w-c:\users\Guillaume\AppData\Roaming\DBDesigner4
2009-06-19 13:00 . 2009-05-18 12:02--------d-----w-c:\program files\PHP
2009-06-17 19:54 . 2009-06-01 08:32--------d-----w-c:\users\Guillaume\AppData\Roaming\Skype
2009-06-17 19:40 . 2009-06-01 08:45--------d-----w-c:\users\Guillaume\AppData\Roaming\skypePM
2009-06-08 21:45 . 2009-05-14 02:20104560----a-w-c:\users\Guillaume\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-08 21:06 . 2009-02-19 10:21--------d-----w-c:\programdata\Microsoft Help
2009-06-08 21:03 . 2006-11-02 12:37--------d-----w-c:\program files\MSBuild
2009-06-08 08:26 . 2009-05-14 02:52--------d-----w-c:\users\Guillaume\AppData\Roaming\Hewlett-Packard
2009-06-08 08:25 . 2009-02-19 09:33--------d-----w-c:\programdata\Hewlett-Packard
2009-06-07 17:07 . 2009-05-31 20:18--------d-----w-c:\users\Guillaume\AppData\Roaming\FileZilla
2009-06-03 13:47 . 2009-02-19 09:32--------d--h--w-c:\program files\InstallShield Installation Information
2009-06-02 10:25 . 2009-05-19 19:41--------d-----w-c:\program files\File Recover
2009-06-01 08:45 . 2009-06-01 08:4556---ha-w-c:\windows\system32\ezsidmv.dat
2009-06-01 08:32 . 2009-06-01 08:32--------d-----w-c:\program files\Common Files\Skype
2009-06-01 08:32 . 2009-06-01 08:32--------d-----r-c:\program files\Skype
2009-06-01 08:32 . 2009-06-01 08:32--------d-----w-c:\programdata\Skype
2009-05-31 20:18 . 2009-05-31 20:18--------d-----w-c:\program files\FileZilla FTP Client
2009-05-30 21:18 . 2009-05-15 03:52--------d-----w-c:\program files\Google
2009-05-28 20:00 . 2009-05-28 20:00--------d-----w-c:\program files\EASEUS
2009-05-28 18:02 . 2009-02-19 12:35--------d-----w-c:\program files\SMINST
2009-05-26 10:53 . 2009-05-26 10:53--------d-----w-c:\program files\Common Files\fabFORCE
2009-05-26 10:53 . 2009-05-26 10:53--------d-----w-c:\program files\fabFORCE
2009-05-26 10:03 . 2009-05-26 10:03--------d-----w-c:\programdata\MySQL
2009-05-26 09:12 . 2009-05-26 09:12--------d-----w-c:\program files\Opera
2009-05-25 23:40 . 2009-05-25 22:13--------d-----w-c:\users\Guillaume\AppData\Roaming\vlc
2009-05-25 22:12 . 2009-05-25 22:12--------d-----w-c:\program files\VideoLAN
2009-05-20 21:09 . 2009-02-19 09:35--------d-----w-c:\programdata\Norton
2009-05-19 19:34 . 2009-05-19 19:34--------d-----w-c:\programdata\ParetoLogic
2009-05-19 19:33 . 2009-05-19 19:33--------d-----w-c:\programdata\Cached Installations
2009-05-19 19:19 . 2009-05-19 19:19--------d-----w-c:\program files\AVG
2009-05-19 09:06 . 2006-11-02 11:18--------d-----w-c:\program files\Windows Mail
2009-05-18 19:26 . 2009-05-18 19:26--------d-----w-c:\program files\MSXML 4.0
2009-05-18 17:49 . 2009-05-18 17:49--------d-----w-c:\programdata\NOS
2009-05-18 17:49 . 2009-05-18 17:49--------d-----w-c:\program files\NOS
2009-05-18 15:34 . 2009-05-18 15:34--------d-----w-c:\users\Guillaume\AppData\Roaming\Nvu
2009-05-18 15:34 . 2009-05-18 15:34--------d-----w-c:\program files\Nvu
2009-05-18 12:18 . 2009-05-29 10:152076672----a-w-c:\windows\system32\libmysql.dll
2009-05-17 06:24 . 2009-05-17 06:24--------d-----w-c:\program files\Western Digital Corporation
2009-05-16 15:39 . 2009-05-16 15:390----a-w-c:\windows\nsreg.dat
2009-05-16 08:25 . 2009-05-16 08:25--------d--h--r-c:\users\Guillaume\AppData\Roaming\SecuROM
2009-05-16 08:25 . 2009-05-16 08:2598304----a-w-c:\windows\system32\CmdLineExt.dll
2009-05-16 08:14 . 2009-05-16 08:14--------d-----w-c:\program files\Sierra
2009-05-16 08:11 . 2009-05-16 08:11--------d-----w-c:\users\Guillaume\AppData\Roaming\InstallShield
2009-05-15 03:53 . 2009-05-15 03:53--------d-----w-c:\program files\Common Files\PX Storage Engine
2009-05-14 02:55 . 2009-05-14 02:55--------d-----w-c:\users\Guillaume\AppData\Roaming\WildTangent
2009-05-14 02:52 . 2009-05-14 02:52--------d-----w-c:\users\Guillaume\AppData\Roaming\Macrovision
2009-05-14 02:52 . 2009-05-14 02:52--------d-----w-c:\users\Guillaume\AppData\Roaming\ATI
2009-05-14 02:51 . 2009-05-14 02:51--------d-----w-c:\users\Guillaume\AppData\Roaming\DigitalPersona
2009-05-14 02:18 . 2009-05-14 02:18--------d-----w-c:\users\Guillaume\AppData\Roaming\HP TCS
2009-05-14 02:18 . 2006-11-02 12:37--------d-----w-c:\program files\Windows Sidebar
2009-05-14 02:16 . 2009-05-14 02:160--sha-r-c:\windows\system32\drivers\103C_HP_cNB_Pavilion dv5 Notebook PC_Y5335KV_0U_QCNF9143YJF_E517901-371_4A_I3600_SHP_V98.32_F.23_T090105_WV3-1_L409_M3069_J320_7AMD_8F31_92.20_#090121_N10EC8168;168C001C_(NU324PA#ACJ)_XMOBILE_CN10_Z_2Rev 1.MRK
2009-05-01 18:30 . 2009-05-01 18:303366912----a-w-c:\windows\system32\GPhotos.scr
2009-03-25 12:13 . 2009-05-15 03:357100928----a-w-c:\program files\PocketDivXEncoder_0.3.96.exe
2009-02-19 10:47 . 2009-02-19 10:338192--sha-w-c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2008-12-11 842816]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-06-20 1316136]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-06-11 86016]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-01 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification PackagesREG_MULTI_SZ scecli DPPWDFLT

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=c:\windows\pss\Monitor Apache Servers.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E6DB3961-07E4-45A0-AA3C-F3B3B7F4F9F7}"= c:\program files\CyberLink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{353CF60D-E2AD-4F09-B76F-C1CDD3478789}"= c:\program files\Hewlett-Packard\Media\DVD\HPTouchSmartMusic.exe:HP TouchSmart Music
"{4AA41B04-FF93-4B2D-A7A8-6DA731383642}"= c:\program files\Hewlett-Packard\Media\DVD\HPTouchSmartPhoto.exe:HP TouchSmart Photo
"{3A5169F5-3859-4E6E-BB92-5B35B8C6911B}"= c:\program files\Hewlett-Packard\Media\DVD\HPTouchSmartVideo.exe:HP TouchSmart Video
"{BC92971A-983D-4974-88A3-576F943534BC}"= c:\program files\Hewlett-Packard\Media\DVD\TSMAgent.exe:HP TouchSmart Media Resident Program
"{A7467990-D655-4E94-80E7-FA9E8BA1E3FA}"= c:\program files\Hewlett-Packard\Media\DVD\Kernel\CLML\CLMLSvc.exe:CyberLink Media Service
"{A00F1E0E-FBE5-4BB6-97FB-380E719F92E5}"= c:\program files\Hewlett-Packard\Media\DVD\HPDVDSmart.exe:HP MediaSmart DVD
"{6F13DC25-28CE-42DB-ABD0-5682B2024A79}"= c:\program files\Hewlett-Packard\TouchSmart\Media\HPTouchSmartMusic.exe:HP TouchSmart Music
"{67D587A5-DEB8-4A93-B3B1-3226CAB96983}"= c:\program files\Hewlett-Packard\TouchSmart\Media\HPTouchSmartPhoto.exe:HP TouchSmart Photo
"{94801C04-866B-4BF4-A902-F4195C37EA9B}"= c:\program files\Hewlett-Packard\TouchSmart\Media\HPTouchSmartVideo.exe:HP TouchSmart Video
"{8B4BBE2F-DFEB-4EA4-BCC8-2734E5E8A9FB}"= c:\program files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe:HP TouchSmart Media Resident Program
"{92E60A91-51C1-4153-914B-020EE33F6C60}"= c:\program files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe:CyberLink Media Service
"{535552D7-2F2E-457A-A653-B94E417C029B}"= c:\program files\Hewlett-Packard\Media\TV\QP.exe:Quick Play
"{445E2C51-CF0E-4F90-83EB-C1903B572927}"= c:\program files\Hewlett-Packard\Media\TV\QPService.exe:Quick Play Resident Program
"TCP Query User{6B46CD09-8566-434F-A3FF-CBDA4B0B7331}c:\\program files\\ares\\ares.exe"= UDP:c:\program files\ares\ares.exe:Ares p2p for windows
"UDP Query User{C11FEE4C-5B54-453A-83D4-25941667E24E}c:\\program files\\ares\\ares.exe"= TCP:c:\program files\ares\ares.exe:Ares p2p for windows
"TCP Query User{844E49C1-FDE0-4617-8D07-9CE36D1BF429}c:\\program files\\ares\\ares.exe"= UDP:c:\program files\ares\ares.exe:Ares p2p for windows
"UDP Query User{EB116974-69E3-4B3F-8A6A-A7CCDB2A6FCA}c:\\program files\\ares\\ares.exe"= TCP:c:\program files\ares\ares.exe:Ares p2p for windows
"{8F9629FE-2EC6-4DB4-B73F-DE5398BD5FA1}"= UDP:c:\program files\nusphere\phped\Srv.exe:NuSphere PhpED SRV web server
"{809437AF-EDE8-42B0-AB49-89B0183A1352}"= TCP:c:\program files\nusphere\phped\Srv.exe:NuSphere PhpED SRV web server
"{9D1960D7-5A1C-451F-9530-A2A63A482EE7}"= UDP:c:\program files\nusphere\phped\debugger\DbgListener.exe:NuSphere PhpED Dbg Listener
"{125EECFC-463C-41F6-99FD-F26D456CF288}"= TCP:c:\program files\nusphere\phped\debugger\DbgListener.exe:NuSphere PhpED Dbg Listener
"{C420771C-6514-4124-9253-5143600D9699}"= UDP:c:\program files\nusphere\phped\phped.exe:NuSphere PhpED Embedded browser
"{4C5C4A73-C523-4639-AA30-079FF741791B}"= TCP:c:\program files\nusphere\phped\phped.exe:NuSphere PhpED Embedded browser
"{0858C917-6AE0-47FD-9220-529AC026C79A}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{2ABB040C-C949-4C0A-99A1-698D45CF9014}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{0F855C04-E7EE-4B44-AE86-C5E8541D7566}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{640C01A5-F4AC-47DF-8372-C676D3CE567E}c:\\program files\\nusphere\\phped\\debugger\\dbglistener.exe"= UDP:c:\program files\nusphere\phped\debugger\dbglistener.exe:Listener for php debugger DBG
"UDP Query User{29EC753F-84F2-48F1-8170-B813D5537431}c:\\program files\\nusphere\\phped\\debugger\\dbglistener.exe"= TCP:c:\program files\nusphere\phped\debugger\dbglistener.exe:Listener for php debugger DBG
"TCP Query User{79D3A5C4-4E33-4AF6-BF9E-375EC79BEB93}c:\\program files\\nusphere\\phped\\srv.exe"= UDP:c:\program files\nusphere\phped\srv.exe:SRV Local WEB server
"UDP Query User{08869455-D764-4AAD-823E-A744B1FDA516}c:\\program files\\nusphere\\phped\\srv.exe"= TCP:c:\program files\nusphere\phped\srv.exe:SRV Local WEB server
"{1B779A5F-1F93-4A92-8729-18090A1ECBA2}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{C16D5914-BA67-4BE6-B6E9-E7790E83F72C}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{6797A88C-F4AD-4568-A9B5-5B435E0C06E8}"= c:\program files\Skype\Phone\Skype.exe:Skype

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [01-07-2009 21:17 64160]
R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/01/21 03:06];c:\program files\Hewlett-Packard\Media\DVD\000.fcl [29-11-2008 04:04 87536]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_805f33de\AEstSrv.exe [21-01-2009 12:29 77824]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [18-01-2009 23:34 921936]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [19-02-2009 14:35 365952]
R2 TVCapSvc;TV Background Capture Service (TVBCS);c:\program files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe [27-11-2008 03:13 296320]
R2 TVSched;TV Task Scheduler (TVTS);c:\program files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe [27-11-2008 03:13 116096]
R2 vfsFPService;Validity Fingerprint Service;c:\windows\System32\vfsFPService.exe [18-11-2008 16:09 599344]
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [04-09-2008 19:47 54784]
R3 usbfilter;AMD USB Filter Driver;c:\windows\System32\drivers\usbfilter.sys [21-01-2009 12:33 22072]
S2 gupdate1c9e16bff8dc080;Google Update Service (gupdate1c9e16bff8dc080);c:\program files\Google\Update\GoogleUpdate.exe [30-05-2009 23:17 133104]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [19-02-2009 11:49 222512]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [18-05-2009 19:49 33176]
S3 hpsrv;HP Service;c:\windows\System32\hpservice.exe [19-03-2008 02:24 19456]
S3 JMCR;JMCR;c:\windows\System32\drivers\jmcr.sys [23-10-2008 11:42 107360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcsREG_MULTI_SZ BthServ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-07-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 21:34]

2009-07-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 21:16]

2009-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 21:16]

2009-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3809033370-1981303550-699846253-1003Core.job
- c:\users\Guillaume\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-29 21:16]

2009-07-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3809033370-1981303550-699846253-1003UA.job
- c:\users\Guillaume\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-29 21:16]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ares - c:\program files\Ares\Ares.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_in&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_in&c=91&bd=Pavilion&pf=cnnb
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Guillaume\AppData\Roaming\Mozilla\Firefox\Profiles\7epg4avp.default\
FF - component: c:\program files\DigitalPersona\Bin\firefoxext\components\dpffcli.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\users\Guillaume\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-02 02:18
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\mysql\bin\mysqld\" --defaults-file=\"c:\mysql\my.ini\" MySQL"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3809033370-1981303550-699846253-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a5,c6,03,b0,fe,da,19,0e,13,6f,1d,be,81,54,7e,02,98,7a,e5,db,eb,9e,6e,
b8,0d,f4,3e,c1,a9,b2,25,b3,df,5f,35,0d,bb,d1,a9,20,18,46,31,f0,11,60,81,fe,\
"??"=hex:03,ed,aa,f5,c2,c1,45,25,6f,40,71,e2,b3,45,2f,79

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(700)
c:\windows\system32\DPPWDFLT.dll
.
Completion time: 2009-07-02 2:20
ComboFix-quarantined-files.txt 2009-07-02 00:20

Pre-Run: 92,222,681,088 bytes free
Post-Run: 92,724,477,952 bytes free

298--- E O F ---2009-06-02 07:59


and the checkup.txt :


Results of screen317's Security Check version 0.98.4
Windows Vista Service Pack 1
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````
Windows Firewall Enabled!
ClamWinFreeAntivirus0.95.2
NortonInternetSecurity
ECHO is off.
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````
Ad-Aware
Java(TM) 6 Update 14
Java(TM) 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````
Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

Scan took 3517 seconds.
`````````End of Log```````````




ClamWin is a good antivirus scanner but it offers no real-time blocking so you need to install an actual real-time antivirus ASAP.

Please do this while I am looking over the ComboFix log.

Go to Add or Remove Programs and uninstall: NortonInternetSecurity

Also make sure Java(TM) 6 Update 7 is NOT still there. If so please uninstall it also.

---

Next:

Download the Norton Removal Tool (SymNRT) to your desktop.

Once downloaded please close ALL open browsers, also save any work because this may require a restart.

• Go to your desktop and double click on the 'Norton_Removal_Tool' and then click Setup.
  
• Once open Click Next
  
• Accept the license agreement and click Next
  
• Type in the letters/numbers that you see into the text box then click Next.
  
• Then click Next and the tool will start running.
  
• Once finished restart the PC.
• Delete the 'Norton_Removal_Tool' from your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
  
• At the end, be sure a checkmark is placed next to the following:
• Update Malwarebytes' Anti-Malware
  
• Launch Malwarebytes' Anti-Malware

• Then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy and Paste the entire report in your next reply.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

Hello, not to sure of the reason for the error but having read some previous posts it seems like the right forum to post. Yesterday evening after turning on my computer I got a "DEP userinit login app" message on my computer, blank screen but for message and background image. I managed to get my browser up, searched the web for the message, and came to this site. Read some more and came to the sticky on malware removal help. I've downloaded all programs listed, my java is upto date, and I'm running AVG Free with an upto date database by 1 day.

However I have no desktop, location of saved files, and cannot bypass this by using the task managers RUN feature. Both task manager and explorer (win start button + E) come up as DEP Errors. So in short I cannot install or run anything other than the browser.

Went to bed grumpy, woke up this morning, ISSUE is still there, (faint hope this was a BAD dream).

Any help will be APPRECIATED.

(edit #1)
Managed to get desktop, INSTALLED and ran software in order EvilFantasy suggested. Log files are attached.

[attachment deleted by admin]