Explore topic-wise InterviewSolutions in .

This section includes InterviewSolutions, each offering curated multiple-choice questions to sharpen your knowledge and support exam preparation. Choose a topic below to get started.

Discussion

4502.	Solve : Potential Malware Virus Problem?
Answer» Our computer has started to periodically freeze (after 30 minutes of Internet Explorer activity or if left on overnight with Internext Explorer open). The only way to fix the problem is to manually turn it off and reboot. The Task Manager doesn't work to end the Internet Explorer activity. We have Windows Vista and the Norton Internet Security Suite. Attached are the 3 requested logs. When I tried to use the Hijack This Process Tool on the log, it said that I didn't have an antivirus or firewall installed, but when I open Norton, it shows that everything is turned on and that scans have been run recently. Any suggestions are much appreciated! Thank you very much for your help. [Saving space, attachment deleted by admin]With 64 bit systems most of the normal tools we use don't work or don't work right. So you have to be careful in what they are telling you as it is often wrong. Right click HijackThis and choose Run as Administrator Next select Do a system scan only Place a check MARK next to the following entries: (if there) O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) Important: Close all open windows except for HijackThis and then click Fix checked. Once completed, exit HijackThis. ---------- ESET Online Scan Scan your computer with the ESET FREE Online Virus Scan * Click the ESET Online Scanner button. * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps) * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop * Double click on the esetsmartinstaller_enu.exe icon on your desktop. * Place a check mark next to YES, I accept the Terms of Use. * Click the Start button. * Accept any security warnings from your browser. * Leave the check mark next to Remove found threats and place a check next to Scan archives. * Click the Start button. * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time. * When the scan completes, click List of found threats. * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply. * Click the <<Back button then click Finish. In your next reply please include the ESET Online Scan LogThe first time we ran the Virus scan it found two threats before the scan was finished and then the computer froze and I had to reboot (no log available). I ran the scan a second time and no threats were found so there was no log to print.Sounds like whatever it found was removed. If there are no more malware issues we can finish up now. Use the Secunia Software Inspector to check for out of date software. * Click Start Scanner * Check the box next to Enable thorough system inspection. * Click Start * Allow the scan to finish and scroll down to see if any updates are NEEDED. * Update anything listed. ---------- Go to Microsoft Windows Update and get all critical updates. ---------- If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly SUGGEST you update to the latest version directly from Microsoft Internet Explorer 8: Home page. ---------- I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan. I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky WEBSITE. It's easy and it's free. SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain COOKIES from being added to your computer when running Mozilla based browsers like Firefox. * Using SpywareBlaster to protect your computer from Spyware and Malware * If you don't know what ActiveX controls are, see here Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. * Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.Thank you very much for the help. Really appreciate it!Your welcome. Safe surfing..,

4502.

Solve : Potential Malware Virus Problem?

Answer»

Our computer has started to periodically freeze (after 30 minutes of Internet Explorer activity or if left on overnight with Internext Explorer open). The only way to fix the problem is to manually turn it off and reboot. The Task Manager doesn't work to end the Internet Explorer activity. We have Windows Vista and the Norton Internet Security Suite. Attached are the 3 requested logs. When I tried to use the Hijack This Process Tool on the log, it said that I didn't have an antivirus or firewall installed, but when I open Norton, it shows that everything is turned on and that scans have been run recently.

Any suggestions are much appreciated! Thank you very much for your help.

[Saving space, attachment deleted by admin]With 64 bit systems most of the normal tools we use don't work or don't work right. So you have to be careful in what they are telling you as it is often wrong.

Right click HijackThis and choose Run as Administrator

Next select Do a system scan only

Place a check MARK next to the following entries: (if there)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan LogThe first time we ran the Virus scan it found two threats before the scan was finished and then the computer froze and I had to reboot (no log available). I ran the scan a second time and no threats were found so there was no log to print.Sounds like whatever it found was removed.

If there are no more malware issues we can finish up now.

Use the Secunia Software Inspector to check for out of date software.

* Click Start Scanner
* Check the box next to Enable thorough system inspection.
* Click Start
* Allow the scan to finish and scroll down to see if any updates are NEEDED.
* Update anything listed.

----------

Go to Microsoft Windows Update and get all critical updates.

----------

If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly SUGGEST you update to the latest version directly from Microsoft Internet Explorer 8: Home page.

----------

I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky WEBSITE. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain COOKIES from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy.
* Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.Thank you very much for the help. Really appreciate it!Your welcome.

Safe surfing..,

Discussion

4503.	Solve : again: Application cannot be executed. The file ..... grmpfl?
Answer» Hello ! First i have to SAY i'm german, so my english isn't very fine. My Problem: Since this morning i always get the MESSAGE "Application cannot be executed. File xyz.exe is infected. Do you WANT to activate you antivirus software now?", WHENEVER i try to run a programme. As i read in the forum, the problem seems to be known quite well. I tried some steps the experts advised - without any success. So i start this new topic, hoping to find some answers to fix my system. so: PLEASE help me and guide me tep for step through this censored malware issue ! Thanks Clemens Welcome to CH Trommelochse. If you think you would be better off with a German speaking board here are a few very reliable malware removal forums with German speaking helpers. I would hate for things to be difficult for either one of us trying to translate some of the complicated fixes that this infection involves. If you want to stay here and give it a shot just let me know and we will continue. German Forums http://www.hijackthis-forum.de/forum.php http://www.trojaner-board.de/ Dutch Forums http://www.hijackthis.nl/ http://www.nucia.eu/forum/thanks for information evilfantasy ! Whn i restarted my pc n the evening, suddenly antivir was able to remove that censored. At least no symptomps anymore. Thanks for your help ClemensWe should make sure everything is indeed gone. If you already have ComboFix be sure to delete it and download a new copy. Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop. Link #1 Link #2 Note: It is important that it is saved directly to your Desktop Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix. Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them. Double click combofix.exe & follow the prompts. Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it) When finished ComboFix will produce a log for you. Post the ComboFix log in your next reply. Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall. Remember to re-enable your antivirus and antispyware protection when ComboFix is complete. If you have problems with ComboFix usage, see How to use ComboFix**

Discussion

4504.	Solve : "Application has been executed" problem.?
Answer» Cheetah-Anti-Rogue v1.3.9 by DragonMaster Jay Microsoft Windows XP [Version 5.1.2600] Date: 02/20/2010 - Time: 16:08:44 - Arch.: x86 -- Malware removal tools check -- Trend Micro HijackThis 2.0.2 -- Known infection -- Extra message: Detection only. EOF Now, how is your computer running?It's running very slow. And now McAfee is SAYING I'm not FULLY protected. The exact quote READS "The detection signature file is between 8 and 29 days old." I click fix but it still says unprotected.?Download OTL to your Desktop Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted. Under the Custom Scan box paste this in netsvcs msconfig safebootminimal safebootnetwork activex drivers32 %SYSTEMDRIVE%\.exe %systemroot%\system32\eventlog.dll %systemroot%\system32\scecli.dll %systemroot%\netlogon.dll %systemroot%\system32\cngaudit.dll %systemroot%\system32\sceclt.dll %systemroot%\ntelogon.dll %systemroot%\system32\logevent.dll %systemroot%\system32\drivers\iaStor.sys %systemroot%\System32\drivers\nvstor.sys %systemroot%\system32\drivers\atapi.sys Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long. When the scan completes, it will open two NOTEPAD windows. OTL.Txt* and Extras.Txt. These are saved in the same location as OTL. Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time

4504.

Solve : "Application has been executed" problem.?

Answer»

Cheetah-Anti-Rogue v1.3.9
by DragonMaster Jay

Microsoft Windows XP [Version 5.1.2600]
Date: 02/20/2010 - Time: 16:08:44 - Arch.: x86

-- Malware removal tools check --
Trend Micro HijackThis 2.0.2

-- Known infection --

Extra message: Detection only.

EOF
Now, how is your computer running?It's running very slow. And now McAfee is SAYING I'm not FULLY protected. The exact quote READS "The detection signature file is between 8 and 29 days old." I click fix but it still says unprotected.?Download OTL to your Desktop

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Under the Custom Scan box paste this in

netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%systemroot%\system32\eventlog.dll
%systemroot%\system32\scecli.dll
%systemroot%\netlogon.dll
%systemroot%\system32\cngaudit.dll
%systemroot%\system32\sceclt.dll
%systemroot%\ntelogon.dll
%systemroot%\system32\logevent.dll
%systemroot%\system32\drivers\iaStor.sys
%systemroot%\System32\drivers\nvstor.sys
%systemroot%\system32\drivers\atapi.sys

Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two NOTEPAD windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time

Discussion

4505.	Solve : My computer's security??
Answer» I currently have Avast Free 5 installed, along with Malwarebytes, Windows Firewall, and WOT for web browsing safety. Is that good enough? Or should I add something to the mix? I mostly browse the web, and sometimes download torrents from uTorrent. I don't want to spend any money. Quote Is that good enough? Yes, although I'd recommend using a different firewall. TRY Online Armor, Comodo, ZoneAlarm, or PCTools (recommended in that ORDER) but remember to only use one! Quote and sometimes download torrents from uTorrent. Not recommended....Window's built in firewall is just fine and so is your setup. If you insist on downloading torrents make sure to scan them after downloading. But one day that will still get you in trouble. Remember where you heard it first.Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors. Remember only install ONE firewall 1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one) 2) Online Armor 3) Agnitum Outpost 4) PC Tools Firewall Plus If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone HOME" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.Windows built in firewall is EXCELLENT at stopping incoming threats. The likelihood of anything outgoing being a problem is slim to say the least.Quote The likelihood of anything outgoing being a problem is slim to say the least. Why?Quote from: kpac on February 17, 2010, 04:48:37 PM Why? Sorry - it doesn't work like that. You've been waiting around for someone to agree with you because you had no argument you could post to my response above. You don't ask someone to prove a negative - if you have some proof of outgoing threats being a problem, feel free to post them. I'm not a fan of 3rd party firewalls for the average home user. If you use a good anti virus, scan for malware on a regular basis, and practice smart computing you are fine. And of course if you use a router (most of which have a built in NAT) you've got additional protection without doing anything else.Quote from: Allan on February 17, 2010, 04:47:46 PM Windows built in firewall is EXCELLENT at stopping incoming threats. Vista and Windows 7 Firewall is. XP not so much. Microsoft even acknowledges it. Windows XP - Why would I consider a third party firewall? They are using Vista, so....I agree that the XP firewall isn't very good, but the Vista and 7 is great. Well anyway, my laptop has: Norton 360 v3 (with firewall). Windows Defender Malwarebytes Anti-Malware (free edition, no real-time protection) Is this also good? Or should I add an extra anti-spyware program to the mix? By the way, I'm GETTING Norton 360 completely free, with my Comcast high speed internet subscription. Is Windows Defender conflict-free with Norton 360? Please make sure the programs you suggest have no conflicts with Norton as well. Norton isn't SLOWING my comp. at all by the way, so please don't suggest to remove to because it's a "resource hog". Quote Sorry - it doesn't work like that. You've been waiting around for someone to agree with you because you had no argument you could post to my response above. You don't ask someone to prove a negative - if you have some proof of outgoing threats being a problem, feel free to post them. Oh, I'm sorry. I didn't realise I had to post in a particular way for you. Quote from: kzahid06 on February 17, 2010, 05:40:47 PM I agree that the XP firewall isn't very good, but the Vista and 7 is great. Well anyway, my laptop has: Norton 360 v3 (with firewall). Windows Defender Malwarebytes Anti-Malware (free edition, no real-time protection) Is this also good? Or should I add an extra anti-spyware program to the mix? By the way, I'm getting Norton 360 completely free, with my Comcast high speed internet subscription. Is Windows Defender conflict-free with Norton 360? Please make sure the programs you suggest have no conflicts with Norton as well. Norton isn't slowing my comp. at all by the way, so please don't suggest to remove to because it's a "resource hog". There are a lot of "Norton bashers". I'm not one of them. It's not the same product it was when Peter Norton was at the helm, but in my opinion it's still among the best. Windows Defender does not conflict with any Anti-Virus utilities, so you're good there. And if you scan with MalwareBytes on a fairly regular basis you're fine. For additional passive protection, SpywareBlaster will keep your hosts file up to date. Just download the free version and remember to update it weekly and then click on ENABLE ALL PROTECTION each time after the update.Having a anti-malware is necessary right? I have win 7 and avast Free as an antivirus, I have the firewall working on my computer what else do I need to keep my computer really secured? Quote from: jzown on February 18, 2010, 07:15:55 AM Having a anti-malware is necessary right? I have win 7 and avast Free as an antivirus, I have the firewall working on my computer what else do I need to keep my computer really secured? 1) You should start your own thread (it's considered rude to "hijack" someone else's thread), but 2) Your questions are answered in the posts abovesorry about that... posted the question here cause it's of the same topic... been so long since I came here so I forgot...

4505.

Solve : My computer's security??

Answer»

I currently have Avast Free 5 installed, along with Malwarebytes, Windows Firewall, and WOT for web browsing safety.

Is that good enough? Or should I add something to the mix?

I mostly browse the web, and sometimes download torrents from uTorrent.

I don't want to spend any money.

Quote

Is that good enough?

Yes, although I'd recommend using a different firewall. TRY Online Armor, Comodo, ZoneAlarm, or PCTools (recommended in that ORDER) but remember to only use one!

Quote

and sometimes download torrents from uTorrent.

Not recommended....Window's built in firewall is just fine and so is your setup. If you insist on downloading torrents make sure to scan them after downloading. But one day that will still get you in trouble. Remember where you heard it first.Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

Remember only install ONE firewall

1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor
3) Agnitum Outpost
4) PC Tools Firewall Plus

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone HOME" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.Windows built in firewall is EXCELLENT at stopping incoming threats. The likelihood of anything outgoing being a problem is slim to say the least.Quote

The likelihood of anything outgoing being a problem is slim to say the least.

Why?Quote from: kpac on February 17, 2010, 04:48:37 PM

Why?

Sorry - it doesn't work like that. You've been waiting around for someone to agree with you because you had no argument you could post to my response above. You don't ask someone to prove a negative - if you have some proof of outgoing threats being a problem, feel free to post them. I'm not a fan of 3rd party firewalls for the average home user. If you use a good anti virus, scan for malware on a regular basis, and practice smart computing you are fine. And of course if you use a router (most of which have a built in NAT) you've got additional protection without doing anything else.Quote from: Allan on February 17, 2010, 04:47:46 PM

Windows built in firewall is EXCELLENT at stopping incoming threats.

Vista and Windows 7 Firewall is. XP not so much. Microsoft even acknowledges it. Windows XP - Why would I consider a third party firewall?

They are using Vista, so....I agree that the XP firewall isn't very good, but the Vista and 7 is great.

Well anyway,

my laptop has:

Norton 360 v3 (with firewall).
Windows Defender
Malwarebytes Anti-Malware (free edition, no real-time protection)

Is this also good? Or should I add an extra anti-spyware program to the mix? By the way, I'm GETTING Norton 360 completely free, with my Comcast high speed internet subscription.

Is Windows Defender conflict-free with Norton 360?

Please make sure the programs you suggest have no conflicts with Norton as well.

Norton isn't SLOWING my comp. at all by the way, so please don't suggest to remove to because it's a "resource hog".
Quote

Sorry - it doesn't work like that. You've been waiting around for someone to agree with you because you had no argument you could post to my response above. You don't ask someone to prove a negative - if you have some proof of outgoing threats being a problem, feel free to post them.

Oh, I'm sorry. I didn't realise I had to post in a particular way for you. Quote from: kzahid06 on February 17, 2010, 05:40:47 PM

I agree that the XP firewall isn't very good, but the Vista and 7 is great.

Well anyway,

my laptop has:

Norton 360 v3 (with firewall).
Windows Defender
Malwarebytes Anti-Malware (free edition, no real-time protection)

Is this also good? Or should I add an extra anti-spyware program to the mix? By the way, I'm getting Norton 360 completely free, with my Comcast high speed internet subscription.

Is Windows Defender conflict-free with Norton 360?

Please make sure the programs you suggest have no conflicts with Norton as well.

Norton isn't slowing my comp. at all by the way, so please don't suggest to remove to because it's a "resource hog".

There are a lot of "Norton bashers". I'm not one of them. It's not the same product it was when Peter Norton was at the helm, but in my opinion it's still among the best. Windows Defender does not conflict with any Anti-Virus utilities, so you're good there. And if you scan with MalwareBytes on a fairly regular basis you're fine. For additional passive protection, SpywareBlaster will keep your hosts file up to date. Just download the free version and remember to update it weekly and then click on ENABLE ALL PROTECTION each time after the update.Having a anti-malware is necessary right?

I have win 7 and avast Free as an antivirus, I have the firewall working on my computer what else do I need to keep my computer really secured?

Quote from: jzown on February 18, 2010, 07:15:55 AM

Having a anti-malware is necessary right?

I have win 7 and avast Free as an antivirus, I have the firewall working on my computer what else do I need to keep my computer really secured?

1) You should start your own thread (it's considered rude to "hijack" someone else's thread), but
2) Your questions are answered in the posts abovesorry about that... posted the question here cause it's of the same topic... been so long since I came here so I forgot...

Discussion

4506.	Solve : PAGE REDIRECT VIRUS????
Answer» DOWNLOAD this << file >> & extract TDSSKiller.exe onto your Desktop Then create this batch file to be placed next to TDSSKiller ===== Open NOTEPAD.exe and copy/paste the text in the quotebox below into it: Code: [Select]@ECHO OFF START /WAIT TDSSKILLER.exe -l Logit.txt -v START Logit.txt del %0Save this as fix.bat Choose to "Save type as - All Files" It should look like this: Double click on fix.bat & allow it to run Post back to tell me what it saysThanks DMJ for getting back to me I know your a busy guy, I have the log it appears to have found something and I'm sending a SCREEN SHOT of what it did before I had to rebbot my comp. I haven't checked to see if the problem presist(try any search engine), I'll wait till you tell me. MODIFIED:On second thought I tried my search engines and they are working and alot faster, so I'll just wait till you tell me my next scan and clean-up options. ------------------------------------------------------------------------------------------------------------- 23:31:37:467 3088TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:00 23:31:37:467 3088================================================================================ 23:31:37:467 3088SystemInfo: 23:31:37:467 3088OS Version: 6.0.6002 ServicePack: 2.0 23:31:37:467 3088Product type: Workstation 23:31:37:467 3088ComputerName: J-BIRD-PC 23:31:37:468 3088UserName: J-BIRD 23:31:37:468 3088Windows directory: C:\Windows 23:31:37:468 3088Processor architecture: Intel x86 23:31:37:468 3088Number of processors: 2 23:31:37:468 3088Page size: 0x1000 23:31:37:471 3088Boot type: Normal boot 23:31:37:471 3088================================================================================ 23:31:37:475 3088ForceUnloadDriverW: Old driver(klmd21) unloaded successfully 23:31:38:098 3088MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000 23:31:38:109 3088UtilityInit: KLMD drop and load success 23:31:38:109 3088KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010) 23:31:38:109 3088UtilityInit: KLMD open success 23:31:38:109 3088UtilityInit: Initialize success 23:31:38:109 3088 23:31:38:110 3088ScanningServices ... 23:31:38:110 3088CreateRegParser: Registry parser init started 23:31:38:110 3088CreateRegParser: DisableWow64Redirection error 23:31:38:110 3088wfopen_ex: Trying to open file C:\Windows\system32\config\system 23:31:38:110 3088MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043 23:31:38:110 3088wfopen_ex: MyNtCreateFileW error 32 (C0000043) 23:31:38:110 3088wfopen_ex: Trying to KLMD file open 23:31:38:111 3088KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system 23:31:38:111 3088wfopen_ex: File opened ok (Flags 2) 23:31:38:134 3088CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 1BA1290 23:31:38:134 3088wfopen_ex: Trying to open file C:\Windows\system32\config\software 23:31:38:134 3088MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043 23:31:38:134 3088wfopen_ex: MyNtCreateFileW error 32 (C0000043) 23:31:38:134 3088wfopen_ex: Trying to KLMD file open 23:31:38:134 3088KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software 23:31:38:134 3088wfopen_ex: File opened ok (Flags 2) 23:31:38:134 3088CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 1BA12B8 23:31:38:134 3088CreateRegParser: EnableWow64Redirection error 23:31:38:135 3088CreateRegParser: RegParser init completed 23:31:39:136 3088GetAdvancedServicesInfo: Raw services enum returned 436 services 23:31:39:280 3088fclose_ex: Trying to close file C:\Windows\system32\config\system 23:31:39:280 3088fclose_ex: Trying to close file C:\Windows\system32\config\software 23:31:39:280 3088 23:31:39:281 3088ScanningKernel memory ... 23:31:39:281 3088KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk 23:31:39:281 3088DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 84FDDB00 23:31:39:281 3088DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects 23:31:39:281 3088 23:31:39:281 3088DetectCureTDL3: DEVICE_OBJECT: 8DB467A8 23:31:39:281 3088KLMD_GetLowerDeviceObject: Trying to get lower device object for 8DB467A8 23:31:39:281 3088DetectCureTDL3: DEVICE_OBJECT: 8DB302E8 23:31:39:281 3088KLMD_GetLowerDeviceObject: Trying to get lower device object for 8DB302E8 23:31:39:281 3088KLMD_ReadMem: Trying to ReadMemory 0x8DB302E8[0x38] 23:31:39:281 3088DetectCureTDL3: DRIVER_OBJECT: 85AA2F38 23:31:39:281 3088KLMD_ReadMem: Trying to ReadMemory 0x85AA2F38[0xA8] 23:31:39:282 3088KLMD_ReadMem: Trying to ReadMemory 0x85AB2E48[0x1C] 23:31:39:282 3088DetectCureTDL3: DRIVER_OBJECT name: \Driver\RTSTOR, Driver Name: RTSTOR 23:31:39:282 3088DetectCureTDL3: IrpHandler (0) addr: 8ACDB30E 23:31:39:282 3088DetectCureTDL3: IrpHandler (1) addr: 81C409D2 23:31:39:282 3088DetectCureTDL3: IrpHandler (2) addr: 8ACDB30E 23:31:39:282 3088DetectCureTDL3: IrpHandler (3) addr: 8ACDB30E 23:31:39:282 3088DetectCureTDL3: IrpHandler (4) addr: 8ACDB30E 23:31:39:282 3088DetectCureTDL3: IrpHandler (5) addr: 81C409D2 23:31:39:282 3088DetectCureTDL3: IrpHandler (6) addr: 81C409D2 23:31:39:282 3088DetectCureTDL3: IrpHandler (7) addr: 81C409D2 23:31:39:282 3088DetectCureTDL3: IrpHandler ( addr: 81C409D2 23:31:39:282 3088DetectCureTDL3: IrpHandler (9) addr: 81C409D2 23:31:39:282 3088DetectCureTDL3: IrpHandler (10) addr: 81C409D2 23:31:39:282 3088DetectCureTDL3: IrpHandler (11) addr: 81C409D2 23:31:39:282 3088DetectCureTDL3: IrpHandler (12) addr: 81C409D2 23:31:39:282 3088DetectCureTDL3: IrpHandler (13) addr: 81C409D2 23:31:39:282 3088DetectCureTDL3: IrpHandler (14) addr: 8ACDB30E 23:31:39:282 3088DetectCureTDL3: IrpHandler (15) addr: 8ACDB30E 23:31:39:282 3088DetectCureTDL3: IrpHandler (16) addr: 8ACDB30E 23:31:39:282 3088DetectCureTDL3: IrpHandler (17) addr: 81C409D2 23:31:39:282 3088DetectCureTDL3: IrpHandler (18) addr: 81C409D2 23:31:39:282 3088DetectCureTDL3: IrpHandler (19) addr: 81C409D2 23:31:39:282 3088DetectCureTDL3: IrpHandler (20) addr: 81C409D2 23:31:39:282 3088DetectCureTDL3: IrpHandler (21) addr: 81C409D2 23:31:39:282 3088DetectCureTDL3: IrpHandler (22) addr: 8ACDB30E 23:31:39:282 3088DetectCureTDL3: IrpHandler (23) addr: 8ACDB30E 23:31:39:282 3088DetectCureTDL3: IrpHandler (24) addr: 81C409D2 23:31:39:282 3088DetectCureTDL3: IrpHandler (25) addr: 81C409D2 23:31:39:282 3088DetectCureTDL3: IrpHandler (26) addr: 81C409D2 23:31:39:282 3088KLMD_ReadMem: Trying to ReadMemory 0x8ACD9C94[0x400] 23:31:39:283 3088TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0 23:31:39:283 3088TDL3_FileDetect: Processing driver: RTSTOR 23:31:39:283 3088TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\RTSTOR.SYS 23:31:39:283 3088KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\RTSTOR.SYS 23:31:39:308 3088TDL3_FileDetect: C:\Windows\system32\drivers\RTSTOR.SYS - Verdict: Clean 23:31:39:309 3088 23:31:39:309 3088DetectCureTDL3: DEVICE_OBJECT: 844B0AC8 23:31:39:309 3088KLMD_GetLowerDeviceObject: Trying to get lower device object for 844B0AC8 23:31:39:309 3088DetectCureTDL3: DEVICE_OBJECT: 843AA918 23:31:39:309 3088KLMD_GetLowerDeviceObject: Trying to get lower device object for 843AA918 23:31:39:309 3088DetectCureTDL3: DEVICE_OBJECT: 8398F528 23:31:39:309 3088KLMD_GetLowerDeviceObject: Trying to get lower device object for 8398F528 23:31:39:309 3088KLMD_ReadMem: Trying to ReadMemory 0x8398F528[0x38] 23:31:39:309 3088DetectCureTDL3: DRIVER_OBJECT: 8432FBB8 23:31:39:309 3088KLMD_ReadMem: Trying to ReadMemory 0x8432FBB8[0xA8] 23:31:39:309 3088KLMD_ReadMem: Trying to ReadMemory 0x839ABC20[0x1A] 23:31:39:309 3088DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi 23:31:39:309 3088DetectCureTDL3: IrpHandler (0) addr: 807209B0 23:31:39:309 3088DetectCureTDL3: IrpHandler (1) addr: 807209B0 23:31:39:309 3088DetectCureTDL3: IrpHandler (2) addr: 807209B0 23:31:39:309 3088DetectCureTDL3: IrpHandler (3) addr: 807209B0 23:31:39:309 3088DetectCureTDL3: IrpHandler (4) addr: 807209B0 23:31:39:309 3088DetectCureTDL3: IrpHandler (5) addr: 807209B0 23:31:39:309 3088DetectCureTDL3: IrpHandler (6) addr: 807209B0 23:31:39:309 3088DetectCureTDL3: IrpHandler (7) addr: 807209B0 23:31:39:309 3088DetectCureTDL3: IrpHandler ( addr: 807209B0 23:31:39:309 3088DetectCureTDL3: IrpHandler (9) addr: 807209B0 23:31:39:309 3088DetectCureTDL3: IrpHandler (10) addr: 807209B0 23:31:39:309 3088DetectCureTDL3: IrpHandler (11) addr: 807209B0 23:31:39:309 3088DetectCureTDL3: IrpHandler (12) addr: 807209B0 23:31:39:309 3088DetectCureTDL3: IrpHandler (13) addr: 807209B0 23:31:39:309 3088DetectCureTDL3: IrpHandler (14) addr: 807209B0 23:31:39:309 3088DetectCureTDL3: IrpHandler (15) addr: 807209B0 23:31:39:309 3088DetectCureTDL3: IrpHandler (16) addr: 807209B0 23:31:39:309 3088DetectCureTDL3: IrpHandler (17) addr: 807209B0 23:31:39:309 3088DetectCureTDL3: IrpHandler (18) addr: 807209B0 23:31:39:310 3088DetectCureTDL3: IrpHandler (19) addr: 807209B0 23:31:39:310 3088DetectCureTDL3: IrpHandler (20) addr: 807209B0 23:31:39:310 3088DetectCureTDL3: IrpHandler (21) addr: 807209B0 23:31:39:310 3088DetectCureTDL3: IrpHandler (22) addr: 807209B0 23:31:39:310 3088DetectCureTDL3: IrpHandler (23) addr: 807209B0 23:31:39:310 3088DetectCureTDL3: IrpHandler (24) addr: 807209B0 23:31:39:310 3088DetectCureTDL3: IrpHandler (25) addr: 807209B0 23:31:39:310 3088DetectCureTDL3: IrpHandler (26) addr: 807209B0 23:31:39:310 3088DetectCureTDL3: All IRP handlers pointed to one addr: 807209B0 23:31:39:310 3088KLMD_ReadMem: Trying to ReadMemory 0x807209B0[0x400] 23:31:39:310 3088TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr 23:31:39:310 3088KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4] 23:31:39:310 3088KLMD_ReadMem: Trying to ReadMemory 0x8432F58C[0x4] 23:31:39:310 3088TDL3_IrpHookDetect: New IrpHandler addr: 857988C8 23:31:39:310 3088KLMD_ReadMem: Trying to ReadMemory 0x857988C8[0x400] 23:31:39:310 3088TDL3_IrpHookDetect: CheckParameters: 10, FFDF0308, 510, 134, 3, 120 23:31:39:310 3088Driver "atapi" Irp handler infected by TDSS rootkit ... 23:31:39:311 3088KLMD_WriteMem: Trying to WriteMemory 0x8579894E[0xD] 23:31:39:311 3088cured 23:31:39:311 3088TDL3_FileDetect: Processing driver: atapi 23:31:39:312 3088TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\atapi.sys 23:31:39:312 3088KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\atapi.sys 23:31:39:323 3088TDL3_FileDetect: C:\Windows\system32\drivers\atapi.sys - Verdict: Infected 23:31:39:323 3088File C:\Windows\system32\drivers\atapi.sys infected by TDSS rootkit ... 23:31:39:323 3088TDL3_FileCure: Processing driver file: C:\Windows\system32\drivers\atapi.sys 23:31:42:589 3088FileCallback: Backup candidate found: C:\Windows\system32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys:19944, checking.. 23:31:42:596 3088ValidateDriverFile: Stage 1 passed 23:31:42:598 3088ValidateDriverFile: Stage 2 passed 23:31:42:779 3088DigitalSignVerifyByHandle: Embedded DS result: 00000000 23:31:42:779 3088ValidateDriverFile: Stage 3 passed 23:31:42:779 3088FileCallback: File validated successfully, restore information prepared 23:31:46:346 3088FindDriverFileBackup: Backup copy found in DriverStore 23:31:46:346 3088TDL3_FileCure: Backup copy found, using it.. 23:31:46:347 3088TDL3_FileCure: Dumping CURED buffer to file C:\Windows\system32\drivers\tsk2FAC.tmp 23:31:46:495 3088TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk2FAC.tmp, system32\drivers\atapi.sys) 23:31:46:495 3088TDL3_FileCure: KLMD jobs schedule success 23:31:46:495 3088will be cured on next reboot 23:31:46:496 3088UtilityBootReinit: Reboot required for cure complete.. 23:31:46:496 3088MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmdb.sys) returned status 00000000 23:31:46:579 3088UtilityBootReinit: KLMD drop success 23:31:46:586 3088KLMD_ApplyPendList: Pending buffer(5009_66A6, 616) dropped successfully 23:31:46:586 3088UtilityBootReinit: Cure on reboot scheduled successfully 23:31:46:586 3088 23:31:46:587 3088Completed 23:31:46:587 3088 23:31:46:587 3088Results: 23:31:46:588 3088Memory objects infected / cured / cured on reboot:1 / 1 / 0 23:31:46:588 3088Registry objects infected / cured / cured on reboot:0 / 0 / 0 23:31:46:588 3088File objects infected / cured / cured on reboot:1 / 0 / 1 23:31:46:589 3088 23:31:46:589 3088UnloadDriverW: NtUnloadDriver error 1 23:31:46:589 3088KLMD_Unload: UnloadDriverW(klmd21) error 1 23:31:46:590 3088MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000 23:31:46:590 3088UtilityDeinit: KLMD(ARK) unloaded successfully [Saving space, attachment deleted by admin] Please download Rooter and Save it to your desktop Double click it to start the tool. Click Scan. Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply. [/list]Rooter.exe (v1.0.2) by Eric_71 . SeDebugPrivilege granted successfully ... . Windows Vista Home Edition (6.0.6002) Service Pack 2 [32_bits] - x86 Family 15 Model 104 Stepping 1, AuthenticAMD . [wscsvc] (Security Center) RUNNING (state:4) [MpsSvc] RUNNING (state:4) Windows Firewall -> Enabled Windows Defender -> Enabled User Account Control (UAC) -> Disabled ! . Internet Explorer 8.0.6001.18882 . C:\ [Fixed-NTFS] .. ( Total:232 Go - Free:156 Go ) D:\ [CD_Rom] F:\ [Removable] . Scan : 00:06.22 Path : C:\Users\J-BIRD\Desktop\Rooter.exe User : J-BIRD ( Administrator -> YES ) . ----------------------\\ Processes . Locked [System Process] (0) Locked System (4) ______ \SystemRoot\System32\smss.exe (400) ______ C:\Windows\system32\csrss.exe (540) ______ C:\Windows\system32\wininit.exe (604) ______ C:\Windows\system32\csrss.exe (616) ______ C:\Windows\system32\services.exe (648) ______ C:\Windows\system32\lsass.exe (660) ______ C:\Windows\system32\lsm.exe (668) ______ C:\Windows\system32\winlogon.exe (764) ______ C:\Windows\system32\svchost.exe (864) ______ C:\Windows\system32\svchost.exe (924) ______ C:\Windows\system32\Ati2evxx.exe (960) ______ C:\Windows\System32\svchost.exe (1036) ______ C:\Windows\System32\svchost.exe (1120) ______ C:\Windows\system32\svchost.exe (1140) Locked audiodg.exe (1220) ______ C:\Windows\system32\svchost.exe (1248) ______ C:\Windows\system32\SLsvc.exe (1272) ______ C:\Windows\system32\svchost.exe (1364) ______ C:\Windows\system32\Ati2evxx.exe (1452) ______ C:\Windows\system32\svchost.exe (1584) ______ C:\Windows\System32\spoolsv.exe (1812) ______ C:\Windows\system32\svchost.exe (1836) ______ C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (320) ______ c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (508) ______ C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (1176) ______ C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (1580) ______ C:\Program Files\McAfee\MPF\MPFSrv.exe (736) ______ c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe (1284) ______ C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe (496) ______ C:\Windows\system32\svchost.exe (2120) ______ c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (2172) ______ C:\Program Files\IDT\WDM\STacSV.exe (2204) ______ C:\Windows\system32\svchost.exe (2252) ______ C:\Windows\System32\svchost.exe (2296) ______ C:\Windows\system32\SearchIndexer.exe (2320) ______ C:\Windows\system32\WUDFHost.exe (2452) ______ C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (2976) ______ C:\Windows\system32\taskeng.exe (3008) ______ C:\Windows\system32\taskeng.exe (3700) ______ c:\PROGRA~1\mcafee.com\agent\mcagent.exe (3760) ______ C:\Windows\system32\Dwm.exe (3840) ______ C:\Windows\Explorer.EXE (3900) ______ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (2088) ______ C:\Program Files\Common Files\Java\Java Update\jusched.exe (712) ______ C:\Windows\sttray.exe (2828) ______ C:\Windows\ehome\ehtray.exe (1916) ______ C:\Windows\ehome\ehmsas.exe (2380) ______ C:\Program Files\Windows Media Player\wmpnscfg.exe (3468) ______ C:\Program Files\Windows Media Player\wmpnetwk.exe (3920) ______ C:\Windows\system32\wbem\unsecapp.exe (1024) ______ C:\Windows\system32\wbem\wmiprvse.exe (720) ______ c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (2660) ______ C:\Program Files\Synaptics\SynTP\SynTPHelper.exe (2532) ______ C:\Windows\system32\taskeng.exe (4576) ______ C:\Windows\system32\SearchProtocolHost.exe (6052) ______ C:\Windows\system32\SearchFilterHost.exe (6068) ______ C:\Windows\system32\SearchProtocolHost.exe (3276) ______ C:\Users\J-BIRD\Desktop\Rooter.exe (5384) . ----------------------\\ Device\Harddisk0\ . \Device\Harddisk0 [Sectors : 63 x 512 Bytes] . \Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:1048576 \| Length:250057064448) . ----------------------\\ Scheduled Tasks . C:\Windows\Tasks\McDefragTask.job C:\Windows\Tasks\McQcTask.job C:\Windows\Tasks\SA.DAT C:\Windows\Tasks\SCHEDLGU.TXT C:\Windows\Tasks\User_Feed_Synchronization-{7B7886CB-F69B-46D3-802C-6198EA461B1C}.job . ----------------------\\ Registry . . ----------------------\\ Files & Folders . ----------------------\\ Scan completed at 00:06.30 . C:\Rooter$\Rooter_1.txt - (15/02/2010 \| 00:06.30) Last rootkit check. Please download Stealth MBR Rootkit Detector by GMER from GMER.net, and save to your Desktop. Double-click mbr.exe to start the program. When done scanning, it will save a log on the Desktop called mbr.log. Please post the contents of that log in your next reply. Here ya go I also have a question on a service not running and I cant find it I'll sen two screenshots of it I cant find this file when I search and I have show hidden folder options on. I put it into google before I posted it here and the result was 1 this topic here. --------------------------------------------------------------------------------------------------------- Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully kernel: MBR read successfully user & kernel MBR OK [Saving space, attachment deleted by admin]Atapi.sys is a core system file that got infected by the TDSS rootkit, a very serious infection. It was disinfected by TDSSkiller. What other Windows Service were you talking about?IT is these 3 services I dont know what they are they are stopped in my service list SRV - File not found [On_Demand \| Stopped] -- -- (URRB) SRV - File not found [On_Demand \| Stopped] -- -- (NZSCXJXN) SRV - File not found [On_Demand \| Stopped] -- -- (KEA) this came from the first OTL Log you requested. I was just wondering if they are harmful . they are unknown services with no description of what they do. When I go to the highlighted folder destination it doesnt exist, but the service is still on the list [stopped] just wondering if I even need to worry about it, EVERYTHING SEEMS TO BE RUNNING WONDERFULLY, I can't thank you enough there should be a donate button in the forum somewhere [Saving space, attachment deleted by admin]Didnt mean to bump, but I removed the 3 services through the registry from the services list. I don't see em anymore and I have more peace of mind. I just didnt like seeing them there To manually create a new Restore Point Go to Control Panel and select System and Maintenance Select System On the left select Advance System Settings and accept the warning if you get one Select System Protection Tab Select Create at the bottom Type in a name i.e. Clean Select Create Now we can purge the infected ones Go back to the System and Maintenance page Select Performance Information and Tools On the left select Open Disk Cleanup Select Files from all users and accept the warning if you get one In the drop down box select your main drive i.e. C For a few moments the system will make some calculations Select the More Options tab In the System Restore and Shadow Backups select Clean up Select Delete on the POP up Select OK Select Delete You are now done To remove all of the tools we used and the files and folders they created, please do the following: Please download OTC.exe by OldTimer: Save it to your Desktop. Double click OTC.exe. Click the CleanUp! button. If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes. Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually. == Please download TFC by OldTimer to your desktop Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator). It will close all programs when run, so make sure you have saved all your work before you begin. Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion. Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean. == Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr. Save it to your Desktop. Double click SecurityCheck.exe and follow the ONSCREEN instructions inside of the black box. A Notepad document should open automatically called checkup.txt; please post the contents of that document. Heres the log dude it looks good to me and I want to thank you very much for help you saved my bacon. I'm gonna keep SAS and Malbytes. Will running SAS with Mcaffe be problem I noticed it takes a little longer to boot up, but I can live with that. ----------------------------------------------------------------------------------------------------------- Results of screen317's Security Check version 0.99.1 Windows Vista Service Pack 2 (UAC is disabled!) `````````````````````````````` Antivirus/Firewall Check: Windows Firewall Disabled! ESET Online Scanner v3 McAfee SecurityCenter WMIC entry does not exist for antivirus; attempting automatic update. `````````````````````````````` Anti-malware/Other Utilities Check: SUPERAntiSpyware Free Edition HijackThis 2.0.2 Java(TM) 6 Update 18 Java AUTO Updater Out of date Java installed! Adobe Flash Player 10 Adobe Reader 9.3 `````````````````````````````` Process Check: objlist.exe by Laurent McAfee VIRUSS~1 mcshield.exe McAfee VIRUSS~1 mcsysmon.exe `````````````````````````````` DNS Vulnerability Check: GREAT! (Not vulnerable to DNS cache poisoning) `````````End of Log```````````Seems fine to me to run them. Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection. Software recommendations AntiSpyware SpywareBlaster SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here. Spybot - Search & Destroy. Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot). NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. Resident Protection help A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them. Rogue programs help There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here: http://www.spywarewarrior.com/rogue_anti-spyware.htm Securing your computer Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there. hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future. Please consider using an alternate browser Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option. If you are interested: Firefox may be downloaded from here: http://www.getfirefox.com Opera is available here: http://www.opera.com/download/ Sounds good and thanks for the help again YOU THE MAN;D

4506.

Solve : PAGE REDIRECT VIRUS????

Answer» DOWNLOAD this << file >> & extract TDSSKiller.exe onto your Desktop

Then create this batch file to be placed next to TDSSKiller

=====

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:
Code: [Select]@ECHO OFF
START /WAIT TDSSKILLER.exe -l Logit.txt -v
START Logit.txt
del %0Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it saysThanks DMJ for getting back to me I know your a busy guy, I have the log it appears to have found something and I'm sending a SCREEN SHOT of what it did before I had to rebbot my comp. I haven't checked to see if the problem presist(try any search engine), I'll wait till you tell me.

MODIFIED:On second thought I tried my search engines and they are working and alot faster, so I'll just wait till you tell me my next scan and clean-up options.

-------------------------------------------------------------------------------------------------------------

23:31:37:467 3088TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:00
23:31:37:467 3088================================================================================
23:31:37:467 3088SystemInfo:

23:31:37:467 3088OS Version: 6.0.6002 ServicePack: 2.0
23:31:37:467 3088Product type: Workstation
23:31:37:467 3088ComputerName: J-BIRD-PC
23:31:37:468 3088UserName: J-BIRD
23:31:37:468 3088Windows directory: C:\Windows
23:31:37:468 3088Processor architecture: Intel x86
23:31:37:468 3088Number of processors: 2
23:31:37:468 3088Page size: 0x1000
23:31:37:471 3088Boot type: Normal boot
23:31:37:471 3088================================================================================
23:31:37:475 3088ForceUnloadDriverW: Old driver(klmd21) unloaded successfully
23:31:38:098 3088MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
23:31:38:109 3088UtilityInit: KLMD drop and load success
23:31:38:109 3088KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
23:31:38:109 3088UtilityInit: KLMD open success
23:31:38:109 3088UtilityInit: Initialize success
23:31:38:109 3088
23:31:38:110 3088ScanningServices ...
23:31:38:110 3088CreateRegParser: Registry parser init started
23:31:38:110 3088CreateRegParser: DisableWow64Redirection error
23:31:38:110 3088wfopen_ex: Trying to open file C:\Windows\system32\config\system
23:31:38:110 3088MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043
23:31:38:110 3088wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:31:38:110 3088wfopen_ex: Trying to KLMD file open
23:31:38:111 3088KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system
23:31:38:111 3088wfopen_ex: File opened ok (Flags 2)
23:31:38:134 3088CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 1BA1290
23:31:38:134 3088wfopen_ex: Trying to open file C:\Windows\system32\config\software
23:31:38:134 3088MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043
23:31:38:134 3088wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:31:38:134 3088wfopen_ex: Trying to KLMD file open
23:31:38:134 3088KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software
23:31:38:134 3088wfopen_ex: File opened ok (Flags 2)
23:31:38:134 3088CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 1BA12B8
23:31:38:134 3088CreateRegParser: EnableWow64Redirection error
23:31:38:135 3088CreateRegParser: RegParser init completed
23:31:39:136 3088GetAdvancedServicesInfo: Raw services enum returned 436 services
23:31:39:280 3088fclose_ex: Trying to close file C:\Windows\system32\config\system
23:31:39:280 3088fclose_ex: Trying to close file C:\Windows\system32\config\software
23:31:39:280 3088
23:31:39:281 3088ScanningKernel memory ...
23:31:39:281 3088KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
23:31:39:281 3088DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 84FDDB00
23:31:39:281 3088DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
23:31:39:281 3088
23:31:39:281 3088DetectCureTDL3: DEVICE_OBJECT: 8DB467A8
23:31:39:281 3088KLMD_GetLowerDeviceObject: Trying to get lower device object for 8DB467A8
23:31:39:281 3088DetectCureTDL3: DEVICE_OBJECT: 8DB302E8
23:31:39:281 3088KLMD_GetLowerDeviceObject: Trying to get lower device object for 8DB302E8
23:31:39:281 3088KLMD_ReadMem: Trying to ReadMemory 0x8DB302E8[0x38]
23:31:39:281 3088DetectCureTDL3: DRIVER_OBJECT: 85AA2F38
23:31:39:281 3088KLMD_ReadMem: Trying to ReadMemory 0x85AA2F38[0xA8]
23:31:39:282 3088KLMD_ReadMem: Trying to ReadMemory 0x85AB2E48[0x1C]
23:31:39:282 3088DetectCureTDL3: DRIVER_OBJECT name: \Driver\RTSTOR, Driver Name: RTSTOR
23:31:39:282 3088DetectCureTDL3: IrpHandler (0) addr: 8ACDB30E
23:31:39:282 3088DetectCureTDL3: IrpHandler (1) addr: 81C409D2
23:31:39:282 3088DetectCureTDL3: IrpHandler (2) addr: 8ACDB30E
23:31:39:282 3088DetectCureTDL3: IrpHandler (3) addr: 8ACDB30E
23:31:39:282 3088DetectCureTDL3: IrpHandler (4) addr: 8ACDB30E
23:31:39:282 3088DetectCureTDL3: IrpHandler (5) addr: 81C409D2
23:31:39:282 3088DetectCureTDL3: IrpHandler (6) addr: 81C409D2
23:31:39:282 3088DetectCureTDL3: IrpHandler (7) addr: 81C409D2
23:31:39:282 3088DetectCureTDL3: IrpHandler ( addr: 81C409D2
23:31:39:282 3088DetectCureTDL3: IrpHandler (9) addr: 81C409D2
23:31:39:282 3088DetectCureTDL3: IrpHandler (10) addr: 81C409D2
23:31:39:282 3088DetectCureTDL3: IrpHandler (11) addr: 81C409D2
23:31:39:282 3088DetectCureTDL3: IrpHandler (12) addr: 81C409D2
23:31:39:282 3088DetectCureTDL3: IrpHandler (13) addr: 81C409D2
23:31:39:282 3088DetectCureTDL3: IrpHandler (14) addr: 8ACDB30E
23:31:39:282 3088DetectCureTDL3: IrpHandler (15) addr: 8ACDB30E
23:31:39:282 3088DetectCureTDL3: IrpHandler (16) addr: 8ACDB30E
23:31:39:282 3088DetectCureTDL3: IrpHandler (17) addr: 81C409D2
23:31:39:282 3088DetectCureTDL3: IrpHandler (18) addr: 81C409D2
23:31:39:282 3088DetectCureTDL3: IrpHandler (19) addr: 81C409D2
23:31:39:282 3088DetectCureTDL3: IrpHandler (20) addr: 81C409D2
23:31:39:282 3088DetectCureTDL3: IrpHandler (21) addr: 81C409D2
23:31:39:282 3088DetectCureTDL3: IrpHandler (22) addr: 8ACDB30E
23:31:39:282 3088DetectCureTDL3: IrpHandler (23) addr: 8ACDB30E
23:31:39:282 3088DetectCureTDL3: IrpHandler (24) addr: 81C409D2
23:31:39:282 3088DetectCureTDL3: IrpHandler (25) addr: 81C409D2
23:31:39:282 3088DetectCureTDL3: IrpHandler (26) addr: 81C409D2
23:31:39:282 3088KLMD_ReadMem: Trying to ReadMemory 0x8ACD9C94[0x400]
23:31:39:283 3088TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
23:31:39:283 3088TDL3_FileDetect: Processing driver: RTSTOR
23:31:39:283 3088TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\RTSTOR.SYS
23:31:39:283 3088KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\RTSTOR.SYS
23:31:39:308 3088TDL3_FileDetect: C:\Windows\system32\drivers\RTSTOR.SYS - Verdict: Clean
23:31:39:309 3088
23:31:39:309 3088DetectCureTDL3: DEVICE_OBJECT: 844B0AC8
23:31:39:309 3088KLMD_GetLowerDeviceObject: Trying to get lower device object for 844B0AC8
23:31:39:309 3088DetectCureTDL3: DEVICE_OBJECT: 843AA918
23:31:39:309 3088KLMD_GetLowerDeviceObject: Trying to get lower device object for 843AA918
23:31:39:309 3088DetectCureTDL3: DEVICE_OBJECT: 8398F528
23:31:39:309 3088KLMD_GetLowerDeviceObject: Trying to get lower device object for 8398F528
23:31:39:309 3088KLMD_ReadMem: Trying to ReadMemory 0x8398F528[0x38]
23:31:39:309 3088DetectCureTDL3: DRIVER_OBJECT: 8432FBB8
23:31:39:309 3088KLMD_ReadMem: Trying to ReadMemory 0x8432FBB8[0xA8]
23:31:39:309 3088KLMD_ReadMem: Trying to ReadMemory 0x839ABC20[0x1A]
23:31:39:309 3088DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
23:31:39:309 3088DetectCureTDL3: IrpHandler (0) addr: 807209B0
23:31:39:309 3088DetectCureTDL3: IrpHandler (1) addr: 807209B0
23:31:39:309 3088DetectCureTDL3: IrpHandler (2) addr: 807209B0
23:31:39:309 3088DetectCureTDL3: IrpHandler (3) addr: 807209B0
23:31:39:309 3088DetectCureTDL3: IrpHandler (4) addr: 807209B0
23:31:39:309 3088DetectCureTDL3: IrpHandler (5) addr: 807209B0
23:31:39:309 3088DetectCureTDL3: IrpHandler (6) addr: 807209B0
23:31:39:309 3088DetectCureTDL3: IrpHandler (7) addr: 807209B0
23:31:39:309 3088DetectCureTDL3: IrpHandler ( addr: 807209B0
23:31:39:309 3088DetectCureTDL3: IrpHandler (9) addr: 807209B0
23:31:39:309 3088DetectCureTDL3: IrpHandler (10) addr: 807209B0
23:31:39:309 3088DetectCureTDL3: IrpHandler (11) addr: 807209B0
23:31:39:309 3088DetectCureTDL3: IrpHandler (12) addr: 807209B0
23:31:39:309 3088DetectCureTDL3: IrpHandler (13) addr: 807209B0
23:31:39:309 3088DetectCureTDL3: IrpHandler (14) addr: 807209B0
23:31:39:309 3088DetectCureTDL3: IrpHandler (15) addr: 807209B0
23:31:39:309 3088DetectCureTDL3: IrpHandler (16) addr: 807209B0
23:31:39:309 3088DetectCureTDL3: IrpHandler (17) addr: 807209B0
23:31:39:309 3088DetectCureTDL3: IrpHandler (18) addr: 807209B0
23:31:39:310 3088DetectCureTDL3: IrpHandler (19) addr: 807209B0
23:31:39:310 3088DetectCureTDL3: IrpHandler (20) addr: 807209B0
23:31:39:310 3088DetectCureTDL3: IrpHandler (21) addr: 807209B0
23:31:39:310 3088DetectCureTDL3: IrpHandler (22) addr: 807209B0
23:31:39:310 3088DetectCureTDL3: IrpHandler (23) addr: 807209B0
23:31:39:310 3088DetectCureTDL3: IrpHandler (24) addr: 807209B0
23:31:39:310 3088DetectCureTDL3: IrpHandler (25) addr: 807209B0
23:31:39:310 3088DetectCureTDL3: IrpHandler (26) addr: 807209B0
23:31:39:310 3088DetectCureTDL3: All IRP handlers pointed to one addr: 807209B0
23:31:39:310 3088KLMD_ReadMem: Trying to ReadMemory 0x807209B0[0x400]
23:31:39:310 3088TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
23:31:39:310 3088KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]
23:31:39:310 3088KLMD_ReadMem: Trying to ReadMemory 0x8432F58C[0x4]
23:31:39:310 3088TDL3_IrpHookDetect: New IrpHandler addr: 857988C8
23:31:39:310 3088KLMD_ReadMem: Trying to ReadMemory 0x857988C8[0x400]
23:31:39:310 3088TDL3_IrpHookDetect: CheckParameters: 10, FFDF0308, 510, 134, 3, 120
23:31:39:310 3088Driver "atapi" Irp handler infected by TDSS rootkit ... 23:31:39:311 3088KLMD_WriteMem: Trying to WriteMemory 0x8579894E[0xD]
23:31:39:311 3088cured
23:31:39:311 3088TDL3_FileDetect: Processing driver: atapi
23:31:39:312 3088TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\atapi.sys
23:31:39:312 3088KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\atapi.sys
23:31:39:323 3088TDL3_FileDetect: C:\Windows\system32\drivers\atapi.sys - Verdict: Infected
23:31:39:323 3088File C:\Windows\system32\drivers\atapi.sys infected by TDSS rootkit ... 23:31:39:323 3088TDL3_FileCure: Processing driver file: C:\Windows\system32\drivers\atapi.sys
23:31:42:589 3088FileCallback: Backup candidate found: C:\Windows\system32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys:19944, checking..
23:31:42:596 3088ValidateDriverFile: Stage 1 passed
23:31:42:598 3088ValidateDriverFile: Stage 2 passed
23:31:42:779 3088DigitalSignVerifyByHandle: Embedded DS result: 00000000
23:31:42:779 3088ValidateDriverFile: Stage 3 passed
23:31:42:779 3088FileCallback: File validated successfully, restore information prepared
23:31:46:346 3088FindDriverFileBackup: Backup copy found in DriverStore
23:31:46:346 3088TDL3_FileCure: Backup copy found, using it..
23:31:46:347 3088TDL3_FileCure: Dumping CURED buffer to file C:\Windows\system32\drivers\tsk2FAC.tmp
23:31:46:495 3088TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk2FAC.tmp, system32\drivers\atapi.sys)
23:31:46:495 3088TDL3_FileCure: KLMD jobs schedule success
23:31:46:495 3088will be cured on next reboot
23:31:46:496 3088UtilityBootReinit: Reboot required for cure complete..
23:31:46:496 3088MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmdb.sys) returned status 00000000
23:31:46:579 3088UtilityBootReinit: KLMD drop success
23:31:46:586 3088KLMD_ApplyPendList: Pending buffer(5009_66A6, 616) dropped successfully
23:31:46:586 3088UtilityBootReinit: Cure on reboot scheduled successfully
23:31:46:586 3088
23:31:46:587 3088Completed
23:31:46:587 3088
23:31:46:587 3088Results:
23:31:46:588 3088Memory objects infected / cured / cured on reboot:1 / 1 / 0
23:31:46:588 3088Registry objects infected / cured / cured on reboot:0 / 0 / 0
23:31:46:588 3088File objects infected / cured / cured on reboot:1 / 0 / 1
23:31:46:589 3088
23:31:46:589 3088UnloadDriverW: NtUnloadDriver error 1
23:31:46:589 3088KLMD_Unload: UnloadDriverW(klmd21) error 1
23:31:46:590 3088MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
23:31:46:590 3088UtilityDeinit: KLMD(ARK) unloaded successfully

[Saving space, attachment deleted by admin]

Please download Rooter and Save it to your desktop

Double click it to start the tool.
Click Scan.
Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.

[/list]Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows Vista Home Edition (6.0.6002) Service Pack 2
[32_bits] - x86 Family 15 Model 104 Stepping 1, AuthenticAMD
.
[wscsvc] (Security Center) RUNNING (state:4)
[MpsSvc] RUNNING (state:4)
Windows Firewall -> Enabled
Windows Defender -> Enabled
User Account Control (UAC) -> Disabled !
.
Internet Explorer 8.0.6001.18882
.
C:\ [Fixed-NTFS] .. ( Total:232 Go - Free:156 Go )
D:\ [CD_Rom]
F:\ [Removable]
.
Scan : 00:06.22
Path : C:\Users\J-BIRD\Desktop\Rooter.exe
User : J-BIRD ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
______ \SystemRoot\System32\smss.exe (400)
______ C:\Windows\system32\csrss.exe (540)
______ C:\Windows\system32\wininit.exe (604)
______ C:\Windows\system32\csrss.exe (616)
______ C:\Windows\system32\services.exe (648)
______ C:\Windows\system32\lsass.exe (660)
______ C:\Windows\system32\lsm.exe (668)
______ C:\Windows\system32\winlogon.exe (764)
______ C:\Windows\system32\svchost.exe (864)
______ C:\Windows\system32\svchost.exe (924)
______ C:\Windows\system32\Ati2evxx.exe (960)
______ C:\Windows\System32\svchost.exe (1036)
______ C:\Windows\System32\svchost.exe (1120)
______ C:\Windows\system32\svchost.exe (1140)
Locked audiodg.exe (1220)
______ C:\Windows\system32\svchost.exe (1248)
______ C:\Windows\system32\SLsvc.exe (1272)
______ C:\Windows\system32\svchost.exe (1364)
______ C:\Windows\system32\Ati2evxx.exe (1452)
______ C:\Windows\system32\svchost.exe (1584)
______ C:\Windows\System32\spoolsv.exe (1812)
______ C:\Windows\system32\svchost.exe (1836)
______ C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (320)
______ c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (508)
______ C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (1176)
______ C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (1580)
______ C:\Program Files\McAfee\MPF\MPFSrv.exe (736)
______ c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe (1284)
______ C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe (496)
______ C:\Windows\system32\svchost.exe (2120)
______ c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (2172)
______ C:\Program Files\IDT\WDM\STacSV.exe (2204)
______ C:\Windows\system32\svchost.exe (2252)
______ C:\Windows\System32\svchost.exe (2296)
______ C:\Windows\system32\SearchIndexer.exe (2320)
______ C:\Windows\system32\WUDFHost.exe (2452)
______ C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (2976)
______ C:\Windows\system32\taskeng.exe (3008)
______ C:\Windows\system32\taskeng.exe (3700)
______ c:\PROGRA~1\mcafee.com\agent\mcagent.exe (3760)
______ C:\Windows\system32\Dwm.exe (3840)
______ C:\Windows\Explorer.EXE (3900)
______ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (2088)
______ C:\Program Files\Common Files\Java\Java Update\jusched.exe (712)
______ C:\Windows\sttray.exe (2828)
______ C:\Windows\ehome\ehtray.exe (1916)
______ C:\Windows\ehome\ehmsas.exe (2380)
______ C:\Program Files\Windows Media Player\wmpnscfg.exe (3468)
______ C:\Program Files\Windows Media Player\wmpnetwk.exe (3920)
______ C:\Windows\system32\wbem\unsecapp.exe (1024)
______ C:\Windows\system32\wbem\wmiprvse.exe (720)
______ c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (2660)
______ C:\Program Files\Synaptics\SynTP\SynTPHelper.exe (2532)
______ C:\Windows\system32\taskeng.exe (4576)
______ C:\Windows\system32\SearchProtocolHost.exe (6052)
______ C:\Windows\system32\SearchFilterHost.exe (6068)
______ C:\Windows\system32\SearchProtocolHost.exe (3276)
______ C:\Users\J-BIRD\Desktop\Rooter.exe (5384)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:1048576 | Length:250057064448)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\McDefragTask.job
C:\Windows\Tasks\McQcTask.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
C:\Windows\Tasks\User_Feed_Synchronization-{7B7886CB-F69B-46D3-802C-6198EA461B1C}.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 00:06.30
.
C:\Rooter$\Rooter_1.txt - (15/02/2010 | 00:06.30)
Last rootkit check.

Please download Stealth MBR Rootkit Detector by GMER from GMER.net, and save to your Desktop.

Double-click mbr.exe to start the program.
When done scanning, it will save a log on the Desktop called mbr.log.
Please post the contents of that log in your next reply.

Here ya go I also have a question on a service not running and I cant find it I'll sen two screenshots of it I cant find this file when I search and I have show hidden folder options on. I put it into google before I posted it here and the result was 1 this topic here.
---------------------------------------------------------------------------------------------------------
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

[Saving space, attachment deleted by admin]Atapi.sys is a core system file that got infected by the TDSS rootkit, a very serious infection. It was disinfected by TDSSkiller.

What other Windows Service were you talking about?IT is these 3 services I dont know what they are they are stopped in my service list

SRV - File not found [On_Demand | Stopped] -- -- (URRB)
SRV - File not found [On_Demand | Stopped] -- -- (NZSCXJXN)
SRV - File not found [On_Demand | Stopped] -- -- (KEA)

this came from the first OTL Log you requested. I was just wondering if they are harmful . they are unknown services with no description of what they do. When I go to the highlighted folder destination it doesnt exist, but the service is still on the list [stopped] just wondering if I even need to worry about it, EVERYTHING SEEMS TO BE RUNNING WONDERFULLY, I can't thank you enough there should be a donate button in the forum somewhere

[Saving space, attachment deleted by admin]Didnt mean to bump, but I removed the 3 services through the registry from the services list. I don't see em anymore and I have more peace of mind. I just didnt like seeing them there To manually create a new Restore Point

Go to Control Panel and select System and Maintenance
Select System
On the left select Advance System Settings and accept the warning if you get one
Select System Protection Tab
Select Create at the bottom
Type in a name i.e. Clean
Select Create

Now we can purge the infected ones

Go back to the System and Maintenance page
Select Performance Information and Tools
On the left select Open Disk Cleanup
Select Files from all users and accept the warning if you get one
In the drop down box select your main drive i.e. C
For a few moments the system will make some calculations
Select the More Options tab
In the System Restore and Shadow Backups select Clean up
Select Delete on the POP up
Select OK
Select Delete

You are now done

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

Save it to your Desktop.
Double click OTC.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download TFC by OldTimer to your desktop

Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start
button to begin the process. Depending on how often you clean temp
files, execution time should be anywhere from a few seconds to a minute
or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the ONSCREEN instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Heres the log dude it looks good to me and I want to thank you very much for help you saved my bacon. I'm gonna keep SAS and Malbytes. Will running SAS with Mcaffe be problem I noticed it takes a little longer to boot up, but I can live with that.
-----------------------------------------------------------------------------------------------------------

Results of screen317's Security Check version 0.99.1
Windows Vista Service Pack 2 (UAC is disabled!)
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
ESET Online Scanner v3
McAfee SecurityCenter
WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:
SUPERAntiSpyware Free Edition
HijackThis 2.0.2
Java(TM) 6 Update 18
Java AUTO Updater
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9.3
``````````````````````````````
Process Check:
objlist.exe by Laurent
McAfee VIRUSS~1 mcshield.exe
McAfee VIRUSS~1 mcsysmon.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````Seems fine to me to run them.

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

SpywareBlaster
SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
Spybot - Search & Destroy.
Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).

NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

Firefox may be downloaded from here: http://www.getfirefox.com
Opera is available here: http://www.opera.com/download/

Sounds good and thanks for the help again YOU THE MAN;D

Discussion

4507.	Solve : How do I completely remove virus??
Answer» After reading through the computer virus information page, I read there that computer viruses/viri are not completely or not actually removed by antivirus programs, and a friend also SAID likewise. So I am wondering if there are ways to completely remove viruses/viri from computers as I am very concerned about this and am pretty sure all computer users feel the same way too. I would really like to have more knowledge about this and am planning as well to join the malware tutorials if I'd have the time but as for now if there would be anyone who could give a quick INSIGHT about this that would be wonderful. I'll be thanking AHEAD to those who could give answers to this query. I see... Yeah... I guess reformatting would be the EASIEST way because having to remove viruses could be a tedious task and I find myself lost at times when dealing with them. Hello, your comment has been removed. Please do not post malware advice, or post here in the malware forum, unless you need help. ~ DragonMaster JayTopic closed due to SPAM. Original Poster: we will continue in your other topic.

Discussion

4508.	Solve : Another "application cannot be executed" infection?
Answer» Ok did that step: All processes killed ========== PROCESSES ========== No active process named explorer.exe was found! ========== SERVICES/DRIVERS ========== ========== REGISTRY ========== Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys\ deleted successfully. ========== FILES ========== File/Folder C:\WINDOWS\system32\drivers\TDSSmhct.sys not found. File/Folder C:\WINDOWS\system32\drivers\TDSSoiqn.dll not found. File/Folder C:\WINDOWS\system32\TDSSrtqp.dll not found. File/Folder C:\WINDOWS\system32\TDSSlxwp.dll not found. File/Folder C:\WINDOWS\system32\TDSSxfum.dll not found. File/Folder C:\WINDOWS\system32\TDSSnmxh.log not found. File/Folder C:\WINDOWS\system32\TDSSsihc.dll not found. File/Folder C:\WINDOWS\system32\TDSSrhyp.log not found. File/Folder C:\WINDOWS\system32\TDSSkkbi.log not found. File/Folder C:\WINDOWS\system32\TDSSorvd.dat not found. File/Folder C:\WINDOWS\system32\TDSShrsr.dll not found. ========== COMMANDS ========== [EMPTYTEMP] User: Administrator ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 67 bytes User: All Users User: Default User ->Temp folder emptied: 59964 bytes ->Temporary Internet Files folder emptied: 32768 bytes User: Kevin ->Temp folder emptied: 2472997 bytes ->Temporary Internet Files folder emptied: 988641 bytes ->Java cache emptied: 12666849 bytes ->FireFox cache emptied: 81933871 bytes User: LocalService ->Temp folder emptied: 65984 bytes ->Temporary Internet Files folder emptied: 82054 bytes User: NetworkService ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 67 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 5315680 bytes %systemroot%\System32\dllcache .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 49901568 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 67 bytes RecycleBin emptied: 0 bytes Total Files Cleaned = 146.00 mb OTM by OldTimer - Version 3.1.9.0 log created on 02242010_131158 Files moved on Reboot... C:\Documents and Settings\Kevin\Local Settings\Temp\clclean.0001.dir.0000\~df394b.tmp moved successfully. C:\Documents and Settings\Kevin\Local Settings\Temp\clclean.0001.dir.0000\~efe2.tmp moved successfully. File move failed. C:\WINDOWS\SEEAF423F.tmp scheduled to be moved on reboot. Registry entries deleted on Reboot...* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box. * Now type Combofix /Uninstall in the runbox * Make sure there's a space between Combofix and /Uninstall * Then hit Enter * The above procedure will: * Delete the following: * ComboFix and its associated files and folders. * Reset the clock settings. * Hide file extensions, if required. * Hide System/Hidden files, if required. * Set a new, clean Restore Point. ---------- Clean out your temporary internet files and temp files. Download TFC by OldTimer to your desktop. Double-click TFC.exe to run it. Note: If you are running on Vista, right-click on the file and choose Run As Administrator TFC will close all programs when run, so make sure you have saved all your work before you begin. * Click the Start button to begin the cleaning process. * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. * Please let TFC run uninterrupted until it is finished. Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning. ---------- ESET Online Scan Scan your computer with the ESET FREE Online Virus Scan * Click the ESET Online SCANNER button. * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps) * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop * Double click on the esetsmartinstaller_enu.exe icon on your desktop. * Place a check mark next to YES, I accept the Terms of Use. * Click the Start button. * Accept any security warnings from your browser. * Leave the check mark next to Remove found threats and place a check next to Scan archives. * Click the Start button. * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time. * When the scan completes, click List of found threats. * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply. * Click the &LT;<Back button then click Finish. In your next reply please include the ESET Online Scan Log Okay, all done. [Saving space, attachment deleted by ADMIN]How is the computer running now?Its running pretty good, I'm still a little apprehensive about logging into any websites requiring me to enter a password other than this one though. Would you say its reasonably safe to do so at this point? Quote from: Crazywumbat on February 26, 2010, 01:27:00 PM Would you say its reasonably safe to do so at this point? From what I can tell everything is good to go now. Final suggestions. Use the Secunia Software Inspector to check for out of date software. * Click Start Scanner * Check the box next to Enable thorough system inspection. * Click Start * Allow the scan to finish and scroll down to see if any updates are needed. * Update anything listed. ---------- Go to Microsoft Windows Update and get all critical updates. ---------- If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page. ---------- I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan. I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping SITES. WOT warns you before you interact with a risky website. It's easy and it's free. SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox. * Using SpywareBlaster to protect your computer from Spyware and Malware * If you don't know what ActiveX controls are, see here Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. * GUIDE: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.Okay, thanks so much, you've been a lifesaver.Your welcome. Safe surfing...

4508.

Solve : Another "application cannot be executed" infection?

Answer»

Ok did that step:

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys\ deleted successfully.
========== FILES ==========
File/Folder C:\WINDOWS\system32\drivers\TDSSmhct.sys not found.
File/Folder C:\WINDOWS\system32\drivers\TDSSoiqn.dll not found.
File/Folder C:\WINDOWS\system32\TDSSrtqp.dll not found.
File/Folder C:\WINDOWS\system32\TDSSlxwp.dll not found.
File/Folder C:\WINDOWS\system32\TDSSxfum.dll not found.
File/Folder C:\WINDOWS\system32\TDSSnmxh.log not found.
File/Folder C:\WINDOWS\system32\TDSSsihc.dll not found.
File/Folder C:\WINDOWS\system32\TDSSrhyp.log not found.
File/Folder C:\WINDOWS\system32\TDSSkkbi.log not found.
File/Folder C:\WINDOWS\system32\TDSSorvd.dat not found.
File/Folder C:\WINDOWS\system32\TDSShrsr.dll not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 59964 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: Kevin
->Temp folder emptied: 2472997 bytes
->Temporary Internet Files folder emptied: 988641 bytes
->Java cache emptied: 12666849 bytes
->FireFox cache emptied: 81933871 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 82054 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 5315680 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 49901568 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 67 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 146.00 mb

OTM by OldTimer - Version 3.1.9.0 log created on 02242010_131158

Files moved on Reboot...
C:\Documents and Settings\Kevin\Local Settings\Temp\clclean.0001.dir.0000\~df394b.tmp moved successfully.
C:\Documents and Settings\Kevin\Local Settings\Temp\clclean.0001.dir.0000\~efe2.tmp moved successfully.
File move failed. C:\WINDOWS\SEEAF423F.tmp scheduled to be moved on reboot.

Registry entries deleted on Reboot...* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /Uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online SCANNER button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the &LT;<Back button then click Finish.

In your next reply please include the ESET Online Scan Log
Okay, all done.

[Saving space, attachment deleted by ADMIN]How is the computer running now?Its running pretty good, I'm still a little apprehensive about logging into any websites requiring me to enter a password other than this one though. Would you say its reasonably safe to do so at this point? Quote from: Crazywumbat on February 26, 2010, 01:27:00 PM

Would you say its reasonably safe to do so at this point?

From what I can tell everything is good to go now.

Final suggestions.

Use the Secunia Software Inspector to check for out of date software.

* Click Start Scanner
* Check the box next to Enable thorough system inspection.
* Click Start
* Allow the scan to finish and scroll down to see if any updates are needed.
* Update anything listed.

----------

Go to Microsoft Windows Update and get all critical updates.

----------

If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.

----------

I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping SITES. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy.
* GUIDE: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.Okay, thanks so much, you've been a lifesaver.Your welcome.

Safe surfing...

Discussion

4509.	Solve : "application cannot be executed" virus/trojan? help please!?
Answer» hayho, I have the following PROBLEM: there's something on my computer that definitely shouldn't be there. I'm currently not using any antivurussoftware. since this Morning, i'm permanently getting alerts from windows: "infiltration alert: your computer is being attacked by an internet virus. it could be a password-stealing attack, a trojan - dropper or similar ... do you WANT to block this attack?" if I CLICK "yes" I'm just transferred to a WEBSITE where I can buy Antivirus Soft. also there's a window opening "application cannot be executed. the FILE ... is infected. do you want to activate your antivirus software now?" which averts the running of any programm [anything I try to open will not work, and I am not able to install anything.] besides, my Internet Explorer [usually I use Firefox] is opening porn sites like adult URL independently. what's going on there and what can I do against it? in hope for fast help, [sorry for my bad English, I'm German], the princessPlease visit this webpage for a tutorial on downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix See the area: Using ComboFix, and when done, post the log back here.

Discussion

4510.	Solve : '---' file is infected.?
Answer» Last night I was doping around in the net and I think I picked up something nasty. RECENTLY whenever my computer starts up it'll give me one or two error messages about how a few files cannot be found, since I was numb to what this meant, I simply BLEW it off. However, last night, I got sucked smack-dab into the middle of pop-up censored. I ran my scanners (McAfee and the like) and on a full scan it says I have only one file that's known to be infected, which I think is the root cause for all the trouble I'm having. On another note, whenever I stay on the computer for an extended period of time, a strange program for 'Virus Scans' will pop up, prompting me to purchase a full version for complete protection. That's in all honesty a little sketchy to me, so I thought that it could also be a part of the problem considering I never saw the censored thing before. I'm just a little bewildered, and the information on this sight helped me fix my hunk of junk previously. Any information on how to get started cleaning this mess up would be highly appreciated; if you need a more detailed description I'm also able to provide that for you. Thanks!Please visit this webpage for a tutorial on downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix See the area: Using ComboFix, and when done, post the log back here.I'm UNABLE to run Combofix because everytime I start the program the virus will give me a pop-up stating explorer is infected and will shut down Combofix.Delete your copy of ComboFix; grab a fresh copy, except before you download it, rename it to blackpudding.bat Navigate to Start --> Run, and enter the following command exactly as shown: "%userprofile%\desktop\blackpudding.bat" /killall See if ComboFix will run now.When I click on the LINKS presented it doesn't give me the option to 'save as' the file, so as far as I know I can't change its name. If I forgot to mention earlier I'm running a 32bit system with Vista (premium, I believe) installed.Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu). Then, please TRY again.

Discussion

4511.	Solve : Malware attack?
Answer» Specs: Compaq Presario - Celeron M processor - 2.66 GHz - RAM unknown - Windows XP - Certainly SP2 - maybe SP3. Error: - "Application cannot be executed - the file wuauclt.exe is infected" - when this pops up, it asks to start AV SW. also opens Windows Security settings window - will not ALLOW any SW to be run. As a result of this attack, it is impossible to get to the Internet (at this time) General info: 1) This is a friend's computer. 2) I have a fully functional computer that I can use to download any necessary apps. 3) I have backed up all of the data onto a separate HD by using a DOS window and XCOPY. Interestingly, I have scanned that data using the latest version of Avast Internet Security and it showed no malware, viruses, etc. Obviously that is insufficient, but it seems as though the data is at least backed up... (I did not use the XCOPY /h to copy hidden folders and files.) 4) I know that she had Avast Antivirus on her computer - but it had expired. further - from poking through the data, it looks as though she has added Kaspersky, McAfee, and maybe even AVG antivirus. Question: Given the fact that UNDOING this malware attack could be time consuming, would it be better to just re-build the computer, that is, do a re-install of the OS? Or... if that is not the wisest course of action - how do I start to undo the damage? also - I have run a boot scan disk of Alvira antivir... I have looked at other posts that had similar attacks. Each of those posts MADE it clear that I should not try to use the advice contained there - but to start my own thread. Thanks for your help - scfoxsdgIt can probably be cleaned. Transfer this download from another computer and on to the infected one via flash drive or CD. Please download ComboFix from BleepingComputer.com Alternate link: GeeksToGo.com Alternate link: Forospyware.com *Rename ComboFix.exe to commy.exe* before you save it to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware REMOVAL. It will allow you to boot up into a special recovery/repair mode that will allow us to more EASILY help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt** in your next reply.

4511.

Solve : Malware attack?

Answer»

Specs: Compaq Presario - Celeron M processor - 2.66 GHz - RAM unknown - Windows XP - Certainly SP2 - maybe SP3.

Error: - "Application cannot be executed - the file wuauclt.exe is infected" - when this pops up, it asks to start AV SW. also opens Windows Security settings window - will not ALLOW any SW to be run. As a result of this attack, it is impossible to get to the Internet (at this time)

General info: 1) This is a friend's computer. 2) I have a fully functional computer that I can use to download any necessary apps. 3) I have backed up all of the data onto a separate HD by using a DOS window and XCOPY. Interestingly, I have scanned that data using the latest version of Avast Internet Security and it showed no malware, viruses, etc. Obviously that is insufficient, but it seems as though the data is at least backed up... (I did not use the XCOPY /h to copy hidden folders and files.) 4) I know that she had Avast Antivirus on her computer - but it had expired. further - from poking through the data, it looks as though she has added Kaspersky, McAfee, and maybe even AVG antivirus.

Question: Given the fact that UNDOING this malware attack could be time consuming, would it be better to just re-build the computer, that is, do a re-install of the OS? Or... if that is not the wisest course of action - how do I start to undo the damage?

also - I have run a boot scan disk of Alvira antivir...

I have looked at other posts that had similar attacks. Each of those posts MADE it clear that I should not try to use the advice contained there - but to start my own thread.

Thanks for your help - scfoxsdgIt can probably be cleaned.

Transfer this download from another computer and on to the infected one via flash drive or CD.

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware REMOVAL. It will allow you to boot up into a special recovery/repair mode that will allow us to more EASILY help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Discussion

4512.	Solve : Application cannot be executed. The file ____.exe is infected.?
Answer» Hey, I was on Yahoo! sports the other day when I got a popup saying "Application cannot be exectued. The file ____.exe is infected. Do you want to activate your antivirus software now? Ive tried a couple different techniques but I cant OPEN any of them due to this. The only one i could open was SUPERantispyware, and that didnt FIX it. Any help would be appreciated.Sorry for the delay, if you still need help, please do the FOLLOWING: Please download DDS by sUBs from BleepingComputer.com or Forospyware.com and save it to your Desktop. Note: Before scanning, make sure all other running programs are closed. There shouldn't be any scheduled antivirus scans running while the scan is being performed. Do not use your computer for anything else during the scan. Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is NEEDED, the scan is running. Notepad will open with the results, click Yes to the Optional_Scan Please follow the instructions that pop up for posting the results. CLOSE the program window, and delete the program from your Desktop.

4512.

Solve : Application cannot be executed. The file ____.exe is infected.?

Answer»

Hey,

I was on Yahoo! sports the other day when I got a popup saying "Application cannot be exectued. The file ____.exe is infected. Do you want to activate your antivirus software now?

Ive tried a couple different techniques but I cant OPEN any of them due to this. The only one i could open was SUPERantispyware, and that didnt FIX it. Any help would be appreciated.Sorry for the delay, if you still need help, please do the FOLLOWING:

Please download DDS by sUBs from BleepingComputer.com or Forospyware.com and save it to your Desktop.

Note: Before scanning, make sure all other running programs are closed. There shouldn't be any scheduled antivirus scans running while the scan is being performed. Do not use your computer for anything else during the scan.

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is NEEDED, the scan is running.
Notepad will open with the results, click Yes to the Optional_Scan
Please follow the instructions that pop up for posting the results.
CLOSE the program window, and delete the program from your Desktop.

Discussion

4513.	Solve : Help please! I cant get rid of this thing! Logs attached and updated in post?
Answer» Hi, So this all started when my web browser was first hijacked. Over the last few days, it has only grown worse, AVG was no help at all. Now I get Windows Host errors, and applications that are not "receiving commands" I have followed all the steps in your guide and will post the Logs here. Thanks a ton for any help! HiJack This Log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:50:33 PM, on 2/9/2010 Platform: Windows Vista SP2 (WinNT 6.00.1906) MSIE: Internet Explorer v8.00 (8.00.6001.18882) Boot mode: Normal Running processes: C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\system32\taskeng.exe C:\Windows\Explorer.EXE C:\Program Files\Sony\VAIO Care\VAIOCareService.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\Sony\ISB Utility\ISBMgr.exe C:\Program Files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe C:\Program Files\Saitek\SD6\Software\ProfilerU.exe C:\Program Files\Saitek\SD6\Software\SaiMfd.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Zune\ZuneLauncher.exe C:\Program Files\AVG\AVG9\avgtray.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Program Files\ActivIdentity\ActivClient\acsagent.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Windows\system32\wbem\unsecapp.exe C:\Program Files\ActivIdentity\ActivClient\acevents.exe C:\Program Files\Sony Corporation\SmartWi Connection Utility\CCP.exe C:\Program Files\Apoint\ApMsgFwd.exe C:\Program Files\Sony\VAIO Care\VCsystray.exe C:\Program Files\Sony Corporation\SmartWi Connection Utility\SmartWiToggletProxy.exe C:\Program Files\Sony Corporation\SmartWi Connection Utility\SmartWiTogglet.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\Program Files\Sony Corporation\SmartWi Connection Utility\ActivationManager.exe C:\Program Files\Sony Corporation\SmartWi Connection Utility\PowerManager.exe C:\Program Files\Sony Corporation\SmartWi Connection Utility\ThirdPartyAppMgr.exe C:\Program Files\Sony Corporation\SmartWi Connection Utility\UIManager.exe C:\PROGRA~1\SONYCO~1\SMARTW~1\Phoenix.exe C:\Program Files\Sony\VAIO Care\listener.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Sony Corporation\SmartWi Connection Utility\SmartWi.exe C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe C:\Windows\System32\mobsync.exe C:\Windows\system32\SearchFilterHost.exe C:\Windows\system32\wermgr.exe C:\Program Files\Trend Micro\HijackThis\sniper.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local R0 - HKCU\Software\Microsoft\Internet Explorer\TOOLBAR,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: Adobe PDF READER Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [ISBMgr.exe] "C:\Program Files\Sony\ISB Utility\ISBMgr.exe" O4 - HKLM\..\Run: [DRCU] "C:\Program Files\Sony\DRCU\DRCU.exe" O4 - HKLM\..\Run: [VAIO Center Access Bar] "c:\program files\sony\VAIO Center Access Bar\VCAB.exe" 1 O4 - HKLM\..\Run: [VWLASU] "C:\Program Files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe" O4 - HKLM\..\Run: [SmartWiHelper] "C:\Program Files\Sony Corporation\SmartWi Connection Utility\SmartWiHelper.exe" /WindowsStartup O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe" O4 - HKLM\..\Run: [IgfxTray] "C:\Windows\system32\igfxtray.exe" O4 - HKLM\..\Run: [HotKeysCmds] "C:\Windows\system32\hkcmd.exe" O4 - HKLM\..\Run: [Persistence] "C:\Windows\system32\igfxpers.exe" O4 - HKLM\..\Run: [ProfilerU] "C:\Program Files\Saitek\SD6\Software\ProfilerU.exe" O4 - HKLM\..\Run: [SaiMfd] "C:\Program Files\Saitek\SD6\Software\SaiMfd.exe" O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe" O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe O4 - Global Startup: Bluetooth.lnk = ? O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O13 - Gopher Prefix: O16 - DPF: {A6616B31-4860-41E2-98E3-CA7649AF172F} (Launch Control) - file:///E:/launch.ocx O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing) O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll O20 - AppInit_DLLs: avgrsstx.dll O20 - Winlogon NOTIFY: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\Object Desktop\DeskScapes\DreamControl.dll O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\Object Desktop\DeskScapes\DesktopControlPanel.dll O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\Object Desktop\DeskScapes\deskscapes.dll O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Intel Corporation - (no file) O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - C:\Program Files\Pinnacle Game Profiler\pinnacle_updater.exe O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe O23 - Service: RosettaStoneLtdController - Rosetta Stone Ltd. - C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe O23 - Service: Intel(R) Sample Collector (SampleCollector) - Intel Corporation - C:\Program Files\Sony\VAIO Care\collsvc.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\stacsv.exe O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: CamMonitor (uCamMonitor) - ArcSoft, Inc. - C:\Program Files\ArcSoft\Magic-i Visual Effects\uCamMonitor.exe O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - (no file) O23 - Service: VAIO Media Content Collection (VAIOMediaPlatform-UCLS-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe O23 - Service: VAIO Media Content Collection (HTTP) (VAIOMediaPlatform-UCLS-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe O23 - Service: VAIO Media Content Collection (UPnP) (VAIOMediaPlatform-UCLS-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe O23 - Service: VAIO Content Metadata XML Interface (VcmXmlIfHelper) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe -- End of file - 15985 bytes ------------------------------------------------------------------------------------------------------------------------------------------- Super anti Spyware scan log SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 02/09/2010 at 01:21 AM Application Version : 4.33.1000 Core Rules Database Version : 4568 Trace Rules Database Version: 2380 Scan type : Complete Scan Total Scan Time : 04:40:26 Memory ITEMS scanned : 951 Memory threats detected : 0 Registry items scanned : 9944 Registry threats detected : 0 File items scanned : 273926 File threats detected : 36 Adware.Tracking Cookie C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\Low\[emailprotected][2].txt C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\Low\[emailprotected][1].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][3].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][3].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt Unclassified.Unknown Origin C:\USERS\PUBLIC\DOWNLOADS\MICROSOFTOFFICE2007APPLICATIONSKEYGENMICROSOFT\KEYGEN.NFO Trojan.Downloader-Gen/SVCHost-Fake C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\APPDATA\LOCAL\TEMP\QXSS.TMP\SVCHOST.EXE ------------------------------------------------------------------------------------------------------------------------------------------- MBAM Log Malwarebytes' Anti-Malware 1.44 Database version: 3717 Windows 6.0.6002 Service Pack 2 Internet Explorer 8.0.6001.18882 2/9/2010 5:46:48 PM mbam-log-2010-02-09 (17-46-48).txt Scan type: Quick Scan Objects scanned: 124955 Time elapsed: 9 minute(s), 6 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\AppID\{fa8edcdd-efa2-477b-b00a-7f28f02cd37e} (Spyware.OnlineGames) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) ------------------------------------------------------------------------------------------------------------------------------------------- [Saving space, attachment deleted by admin]Sorry for the delay, if you still need help, please do the following: Please download DDS* by sUBs from BleepingComputer.com or Forospyware.com and save it to your Desktop. Note: Before scanning, make sure all other running programs are closed. There shouldn't be any scheduled antivirus scans running while the scan is being performed. Do not use your computer for anything else during the scan. Double click on the DDS icon, allow it to run. A small BOX will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results, click Yes to the Optional_Scan Please follow the instructions that pop up for posting the results. Close the program window, and delete the program from your Desktop.

4513.

Solve : Help please! I cant get rid of this thing! Logs attached and updated in post?

Answer»

Hi, So this all started when my web browser was first hijacked. Over the last few days, it has only grown worse, AVG was no help at all. Now I get Windows Host errors, and applications that are not "receiving commands" I have followed all the steps in your guide and will post the Logs here. Thanks a ton for any help!

HiJack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:33 PM, on 2/9/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Sony\VAIO Care\VAIOCareService.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\Sony Corporation\SmartWi Connection Utility\CCP.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Sony\VAIO Care\VCsystray.exe
C:\Program Files\Sony Corporation\SmartWi Connection Utility\SmartWiToggletProxy.exe
C:\Program Files\Sony Corporation\SmartWi Connection Utility\SmartWiTogglet.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Sony Corporation\SmartWi Connection Utility\ActivationManager.exe
C:\Program Files\Sony Corporation\SmartWi Connection Utility\PowerManager.exe
C:\Program Files\Sony Corporation\SmartWi Connection Utility\ThirdPartyAppMgr.exe
C:\Program Files\Sony Corporation\SmartWi Connection Utility\UIManager.exe
C:\PROGRA~1\SONYCO~1\SMARTW~1\Phoenix.exe
C:\Program Files\Sony\VAIO Care\listener.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sony Corporation\SmartWi Connection Utility\SmartWi.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wermgr.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\TOOLBAR,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF READER Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ISBMgr.exe] "C:\Program Files\Sony\ISB Utility\ISBMgr.exe"
O4 - HKLM\..\Run: [DRCU] "C:\Program Files\Sony\DRCU\DRCU.exe"
O4 - HKLM\..\Run: [VAIO Center Access Bar] "c:\program files\sony\VAIO Center Access Bar\VCAB.exe" 1
O4 - HKLM\..\Run: [VWLASU] "C:\Program Files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe"
O4 - HKLM\..\Run: [SmartWiHelper] "C:\Program Files\Sony Corporation\SmartWi Connection Utility\SmartWiHelper.exe" /WindowsStartup
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [IgfxTray] "C:\Windows\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\Windows\system32\hkcmd.exe"
O4 - HKLM\..\Run: [Persistence] "C:\Windows\system32\igfxpers.exe"
O4 - HKLM\..\Run: [ProfilerU] "C:\Program Files\Saitek\SD6\Software\ProfilerU.exe"
O4 - HKLM\..\Run: [SaiMfd] "C:\Program Files\Saitek\SD6\Software\SaiMfd.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {A6616B31-4860-41E2-98E3-CA7649AF172F} (Launch Control) - file:///E:/launch.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon NOTIFY: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\Object Desktop\DeskScapes\DreamControl.dll
O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\Object Desktop\DeskScapes\DesktopControlPanel.dll
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\Object Desktop\DeskScapes\deskscapes.dll
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Intel Corporation - (no file)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - C:\Program Files\Pinnacle Game Profiler\pinnacle_updater.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: RosettaStoneLtdController - Rosetta Stone Ltd. - C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe
O23 - Service: Intel(R) Sample Collector (SampleCollector) - Intel Corporation - C:\Program Files\Sony\VAIO Care\collsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\stacsv.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: CamMonitor (uCamMonitor) - ArcSoft, Inc. - C:\Program Files\ArcSoft\Magic-i Visual Effects\uCamMonitor.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - (no file)
O23 - Service: VAIO Media Content Collection (VAIOMediaPlatform-UCLS-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe
O23 - Service: VAIO Media Content Collection (HTTP) (VAIOMediaPlatform-UCLS-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Content Collection (UPnP) (VAIOMediaPlatform-UCLS-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
O23 - Service: VAIO Content Metadata XML Interface (VcmXmlIfHelper) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 15985 bytes
-------------------------------------------------------------------------------------------------------------------------------------------
Super anti Spyware scan log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/09/2010 at 01:21 AM

Application Version : 4.33.1000

Core Rules Database Version : 4568
Trace Rules Database Version: 2380

Scan type : Complete Scan
Total Scan Time : 04:40:26

Memory ITEMS scanned : 951
Memory threats detected : 0
Registry items scanned : 9944
Registry threats detected : 0
File items scanned : 273926
File threats detected : 36

Adware.Tracking Cookie
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\Low\[emailprotected][2].txt
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\Low\[emailprotected][1].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][3].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][3].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt

Unclassified.Unknown Origin
C:\USERS\PUBLIC\DOWNLOADS\MICROSOFTOFFICE2007APPLICATIONSKEYGENMICROSOFT\KEYGEN.NFO

Trojan.Downloader-Gen/SVCHost-Fake
C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\APPDATA\LOCAL\TEMP\QXSS.TMP\SVCHOST.EXE
-------------------------------------------------------------------------------------------------------------------------------------------
MBAM Log

Malwarebytes' Anti-Malware 1.44
Database version: 3717
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

2/9/2010 5:46:48 PM
mbam-log-2010-02-09 (17-46-48).txt

Scan type: Quick Scan
Objects scanned: 124955
Time elapsed: 9 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{fa8edcdd-efa2-477b-b00a-7f28f02cd37e} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
-------------------------------------------------------------------------------------------------------------------------------------------

[Saving space, attachment deleted by admin]Sorry for the delay, if you still need help, please do the following:

Please download DDS by sUBs from BleepingComputer.com or Forospyware.com and save it to your Desktop.

Note: Before scanning, make sure all other running programs are closed. There shouldn't be any scheduled antivirus scans running while the scan is being performed. Do not use your computer for anything else during the scan.

Double click on the DDS icon, allow it to run.
A small BOX will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results, click Yes to the Optional_Scan
Please follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your Desktop.

Discussion

4514.	Solve : trojan virus cleaned with instructions?
Answer» I had noticed that my computer would have random popups to some Chinese websites. I ran all the recommended spyware/antivirus/firewall programs in the guide. When I went to install Java, it kept stalling the computer. I'd go to Internet Explorer and everything would just freeze. I don't know what I did different, but it seems to have installed correctly now. I ran HiJackThis and just want to make sure that my computer is now free of viruses. [Saving space, attachment deleted by admin]Please go to Jotti's malware scan (If more than one file needs scanned they must be done separately and logs posted for each one) * Copy the file path in the below Code box: Code: [Select]C:\WINDOWS\system32\wdfmgr.exe* At the upload site, click once inside the window next to Browse. * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window. * Next click Submit file * Your file will possibly be entered into a queue which normally takes less than a minute to clear. * This will perform a scan across multiple different virus scanning engines. * Important: Wait for all of the scanning engines to complete. * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply. ---------- Also scan these files and post the link to the results. Code: [Select]C:\DOCUME~1\JONSON~1\LOCALS~1\Temp\hpbinxst.exe Code: [Select]C:\WINDOWS\system32\CE1E54\DED0EC.EXE ---------- Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups. Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply. Exit out of MessengerDisable then delete the two files that were put on the desktop.Here's the results of the scans: c:\windows\system\32\wdfmgr.exe http://virusscan.jotti.org/en/scanresult/e22de0692744b6190a27f847a590160d606a1b93/bdbcd5aa3c2a8424733cfd19086b9fb0f059a592 c:\docume~1\jonson~1\locals~1\temp\hpbinxst.exe http://virusscan.jotti.org/en/scanresult/f8560159e0eb2690088a0235583f713acf8673de c:\windows\system32\ce1e54\ded0ec.exe i can't find that file, not showing up on explorer. I also downloaded remove Windows Messenger and ran requested action. Any other reports that I should re-run & post logs for? RaphaelOpen HijackThis and select Do a system scan only Place a check mark next to the following entries: (if there) - O4 - HKLM\..\Run: [DED0EC] C:\WINDOWS\system32\CE1E54\DED0EC.EXE - O4 - Startup: DED0EC.lnk = C:\WINDOWS\system32\CE1E54\DED0EC.EXE Important: Close all open windows except for HijackThis and then click Fix checked. Once completed, exit HijackThis. ---------- If you already have ComboFix be sure to delete it and download a new copy. Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop. Link #1 Link #2 Note: It is important that it is saved directly to your Desktop Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix. Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them. Double click combofix.exe & follow the prompts. Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it) When finished ComboFix will produce a log for you. Post the ComboFix log in your next reply. Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall. Remember to re-enable your antivirus and antispyware protection when ComboFix is complete. If you have problems with ComboFix usage, see How to use ComboFixI ran HijackThis and it didn't find another instance of ded0ec.exe. Here's the log for combofix. [Saving space, attachment deleted by admin]1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad. 2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C Code: [Select]KillAll:: Folder:: c:\program files\Viewpoint C:\WINDOWS\system32\CE1E54 DDS:: FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll 3. Go to the Notepad window and click Edit > Paste 4. Then click File > Save 5. Name the file CFScript.txt - Save the file to your Desktop 6. Then drag the CFScript (hold the left mouse button while dragging the file) and DROP it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully! ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply. Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze*Here's the log from the second run of ComboFix. sorry, I hit send before adding the log! [Saving space, attachment deleted by admin] Click START then RUN - Vista users press the Windows Key and the R keys for the Run box. * Now type Combofix /Uninstall in the runbox * Make sure there's a space between Combofix and /Uninstall * Then hit Enter * The above PROCEDURE will: * Delete the following: * ComboFix and its associated files and folders. * Reset the clock SETTINGS. * Hide file extensions, if required. * Hide System/Hidden files, if required. * Set a new, clean Restore Point. ---------- Clean out your temporary internet files and temp files. Download TFC by OldTimer to your desktop. Double-click TFC.exe to run it. Note: If you are running on Vista, right-click on the file and choose Run As Administrator TFC will close all programs when run, so make sure you have saved all your work before you begin. * Click the Start button to begin the cleaning process. * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. * Please let TFC run uninterrupted until it is finished. Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning. ---------- ESET Online Scan Scan your computer with the ESET FREE Online Virus Scan * Click the ESET Online Scanner button. * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps) * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop * Double click on the esetsmartinstaller_enu.exe icon on your desktop. * Place a check mark next to YES, I accept the Terms of Use. * Click the Start button. * Accept any security warnings from your browser. * Leave the check mark next to Remove found threats and place a check next to Scan ARCHIVES. * Click the Start button. * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time. * When the scan completes, click List of found threats. * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply. * Click the <<Back button then click Finish. In your next reply please include the ESET Online Scan Log Here's the log from the ESET scan. [Saving space, attachment deleted by admin]Time to finish up. Use the Secunia Software Inspector to check for out of date software. * Click Start Scanner * Check the box next to Enable thorough system inspection. * Click Start * Allow the scan to finish and scroll down to see if any updates are needed. * Update anything listed. ---------- Go to Microsoft Windows Update and get all critical updates. ---------- If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page. ---------- I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan. I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free. SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox. * Using SpywareBlaster to protect your computer from Spyware and Malware * If you don't know what ActiveX controls are, see here Protect yourself against spyware using the Immunize feature in Spybot - SEARCH & Destroy. * Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.Thank you so much for the help! RaphaelYour welcome. Safe surfing...

Discussion

4515.	Solve : Redirected: C:\windows\system32\sshnas21.dll (trouble accessing and running?)?
Answer» Your welcome. Here are a few more suggestions. Use the Secunia Software Inspector to check for out of date software. * Click Start Now * Check the box next to Enable thorough system inspection. * Click Start * Allow the scan to finish and scroll down to see if any updates are needed. * Update anything listed. ---------- Go to Microsoft Windows Update and get all critical updates. ---------- If you are USING or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page. ---------- I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan. I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, VIRUSES and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free. SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain COOKIES from being added to your computer when running Mozilla based browsers like Firefox. * Using SpywareBlaster to protect your computer from Spyware and Malware * If you don't know what ActiveX controls are, see here Protect yourself against spyware using the IMMUNIZE feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Discussion

4516.	Solve : "Application cannot be executed. The file ****** is infected"?
Answer» Looks like I am not the only one having this problem! I ran the scans it asks for in the before you post section, and attached the logs. The system is Windows Vista SP2, using AVG free Anti-Virus and the windows firewall. Thanks in advance! [Saving space, attachment deleted by admin]Please visit this webpage for a tutorial on downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix See the area: Using ComboFix, and when done, post the log back here.I followed the instructions on their web page, and it seems that Combofix (that version anyways) only works with Windows 2000 and XP. Is there an alternate version for Windows Vista?No, it should work. Unless you have a 64 bit machine.Oh sorry, I thought I mentioned that in the original post along with the OS information. I MEANT to but I was half asleep. Long story short, it's 64 bit.Oh ok. Please do these steps in order. 1. Please download TFC by OldTimer to your desktop Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator). It will close all programs when run, so make sure you have saved all your work before you begin. Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion. Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean. 2. Please download Malwarebytes Anti-Malware from Malwarebytes.org. Alternate link: BleepingComputer.com. (Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!) Double Click mbam-setup.exe to install the application. (Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click CHECK for Updates, before doing the scan as instructed below!) Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Full Scan", then click Scan. The scan may take some time to finish,so please be patient. When the scan is complete, click OK, then Show Results to VIEW the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be PROMPTED to Restart. (See Extra Note) Please save the log to a location you will remember. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy and paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. 3. Please visit this webpage for instructions for downloading and running SUPERAntiSpyware (SAS) to scan and remove malware from your computer: http://www.bleepingcomputer.com/virus-removal/how-to-use-superantispyware-tutorial Post the log from SUPERAntiSpyware when you've accomplished that. 4. Please run a free online scan with the ESET Online Scanner Tick the box next to YES, I accept the TERMS of Use Click Start When asked, allow the ActiveX control to install Click Start Make sure that the options Remove found threats and the option Scan unwanted applications is checked Click Scan (This scan can take several hours, so please be patient) Once the scan is completed, you may close the window Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt Copy and paste that log as a reply to this topic 5. Post the following in your next reply: MBAM log SAS log ESET log And, please tell me how your computer is doing.

4516.

Solve : "Application cannot be executed. The file ****** is infected"?

Answer»

Looks like I am not the only one having this problem! I ran the scans it asks for in the before you post section, and attached the logs.

The system is Windows Vista SP2, using AVG free Anti-Virus and the windows firewall.

Thanks in advance!

[Saving space, attachment deleted by admin]Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.I followed the instructions on their web page, and it seems that Combofix (that version anyways) only works with Windows 2000 and XP. Is there an alternate version for Windows Vista?No, it should work. Unless you have a 64 bit machine.Oh sorry, I thought I mentioned that in the original post along with the OS information. I MEANT to but I was half asleep.

Long story short, it's 64 bit.Oh ok.

Please do these steps in order.

1. Please download TFC by OldTimer to your desktop

Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start
button to begin the process. Depending on how often you clean temp
files, execution time should be anywhere from a few seconds to a minute
or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

2. Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click CHECK for Updates, before doing the scan as instructed below!)

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to VIEW the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be PROMPTED to Restart. (See Extra Note)
Please save the log to a location you will remember.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running SUPERAntiSpyware (SAS) to scan and remove malware from your computer:

http://www.bleepingcomputer.com/virus-removal/how-to-use-superantispyware-tutorial

Post the log from SUPERAntiSpyware when you've accomplished that.

4. Please run a free online scan with the ESET Online Scanner

Tick the box next to YES, I accept the TERMS of Use
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the options Remove found threats and the option Scan unwanted applications is checked
Click Scan (This scan can take several hours, so please be patient)
Once the scan is completed, you may close the window
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

5. Post the following in your next reply:

MBAM log
SAS log
ESET log

And, please tell me how your computer is doing.

Discussion

4517.

Solve : computer slow...signing in internet is slow and hanging up.?

Answer»

I had this on a previous post but have not had a chance to put the right log in due to family emergency. System seems to be slow; when clicking on a site or page it will freeze up but within a few seconds it will unfreeze and go into the site...said there may some files and one time said there was a trojan...Would you check and see if the logs below are correct and see what problem there may be...thanks and yes I am very green to computer stuff.. sorry.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/15/2010 at 09:37 PM

Application Version : 4.33.1000

Core Rules Database Version : 4589
Trace Rules Database Version: 2401

Scan type : Complete Scan
Total Scan Time : 00:20:31

Memory items scanned : 649
Memory threats detected : 0
Registry items scanned : 5150
Registry threats detected : 0
File items scanned : 36907
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\Owner\COOKIES\[emailprotected][1].txt

Malwarebytes' Anti-Malware 1.44
Database version: 3744
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2/15/2010 10:22:23 PM
mbam-log-2010-02-15 (22-22-23).txt

Scan type: Quick Scan
Objects scanned: 110841
Time elapsed: 3 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02:18 AM, on 2/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.21183)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Dorland\Anywhere\DorAny.exe
C:\Program Files\Common Files\AOL\1251835694\ee\AOLSoftware.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DisCryptor Free\DisCryptor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\OLYMPUS\DeviceDetector\DeviceDetector4.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\zstatus.exe
C:\Program Files\Common Files\Olympus Shared\DeviceManager\olydvrsv.exe
C:\Program Files\Trend Micro\sniper.exe\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: IAOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL Toolbar\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Loader - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL Toolbar\aoltb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [Persistence] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [RTHDCPL] "RTHDCPL.EXE"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Dorland Anywhere] "C:\Program Files\Dorland\Anywhere\DorAny.exe"
O4 - HKLM\..\Run: [hp 1000 firmware] "C:\Program Files\hp LaserJet 1000\fwdl.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] "C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1251835694\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DisCryptor Free] "C:\Program Files\DisCryptor Free\DisCryptor.exe" -minimized -sysstart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopularScreensaversWallpaper] "rundll32" C:\PROGRA~1\MYWEBS~1\bar\1.bin\F3SCRCTR.DLL,LES
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Device Detector 4.lnk = C:\Program Files\OLYMPUS\DeviceDetector\DeviceDetector4.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Filter HIJACK: text/html - {6256d11e-4609-4663-8dbe-5fe2f9b560eb} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Olympus DVR Service - OLYMPUS IMAGING CORP. - C:\Program Files\Common Files\Olympus Shared\DeviceManager\olydvrsv.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 10926 bytes

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

O4 - HKCU\..\Run: [PopularScreensaversWallpaper] \"rundll32\" C:\PROGRA~1\MYWEBS~1\bar\1.bin\F3SCRCTR.DLL,LES
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O18 - Filter hijack: text/html - {6256d11e-4609-4663-8dbe-5fe2f9b560eb} - (no file)

.
Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.

----------

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
VISTA users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFixok.. evilfantasy maybe i have done this right....i have not restarted spyware real time protection yet.

ComboFix 10-02-16.03 - Owner 02/17/2010 16:01:40.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1540 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\Desktopicon
c:\documents and settings\Owner\Application Data\Desktopicon\eBay.ico
c:\documents and settings\Owner\Application Data\Desktopicon\uninst.exe
c:\program files\Mozilla Firefox\plc4.dll
c:\program files\Shared
c:\windows\system32\reboot.txt

.
((((((((((((((((((((((((( Files Created from 2010-01-17 to 2010-02-17 )))))))))))))))))))))))))))))))
.

2010-02-16 04:46 . 2010-02-16 04:46--------d-----w-c:\program files\Common Files\Java
2010-02-16 04:46 . 2010-02-16 04:46348160----a-w-c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-58030aed-n\msvcr71.dll
2010-02-16 04:46 . 2010-02-16 04:46503808----a-w-c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-58030aed-n\msvcp71.dll
2010-02-16 04:46 . 2010-02-16 04:46499712----a-w-c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-58030aed-n\jmc.dll
2010-02-16 04:45 . 2010-02-16 04:4561440----a-w-c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-72c690e5-n\decora-sse.dll
2010-02-16 04:45 . 2010-02-16 04:4512800----a-w-c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-72c690e5-n\decora-d3d.dll
2010-02-16 04:18 . 2010-01-07 22:0738224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-16 04:18 . 2010-02-16 04:18--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2010-02-16 04:18 . 2010-01-07 22:0719160----a-w-c:\windows\system32\drivers\mbam.sys
2010-02-16 03:12 . 2010-02-16 03:1252224----a-w-c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-16 03:12 . 2010-02-16 03:12117760----a-w-c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-16 02:46 . 2010-02-16 02:46--------d-----w-c:\program files\CCleaner
2010-02-14 04:13 . 2010-02-14 04:13--------d-----w-c:\windows\Sun
2010-02-10 21:09 . 2009-11-27 17:2317920-c----w-c:\windows\system32\dllcache\msyuv.dll
2010-02-10 21:09 . 2009-11-27 16:078704-c----w-c:\windows\system32\dllcache\tsbyuv.dll
2010-02-10 21:09 . 2009-11-27 16:0748128-c----w-c:\windows\system32\dllcache\iyuv_32.dll
2010-02-10 21:08 . 2009-12-04 17:25456832-c----w-c:\windows\system32\dllcache\mrxsmb.sys
2010-02-08 01:09 . 2010-02-11 18:42162512----a-w-c:\windows\system32\drivers\aswSP.sys
2010-02-08 01:09 . 2010-02-11 18:3819024----a-w-c:\windows\system32\drivers\aswFsBlk.sys
2010-02-08 01:09 . 2010-02-11 18:4246672----a-w-c:\windows\system32\drivers\aswTdi.sys
2010-02-08 01:09 . 2010-02-11 18:3923376----a-w-c:\windows\system32\drivers\aswRdr.sys
2010-02-08 01:09 . 2010-02-11 18:38100432----a-w-c:\windows\system32\drivers\aswmon2.sys
2010-02-08 01:09 . 2010-02-11 18:3894800----a-w-c:\windows\system32\drivers\aswmon.sys
2010-02-08 01:09 . 2010-02-11 18:3828880----a-w-c:\windows\system32\drivers\aavmker4.sys
2010-02-08 01:09 . 2010-02-11 18:5338848----a-w-c:\windows\system32\avastSS.scr
2010-02-08 01:09 . 2010-02-11 18:53153184----a-w-c:\windows\system32\aswBoot.exe
2010-02-08 01:09 . 2010-02-08 01:09--------d-----w-c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-07 23:39 . 2010-02-16 03:11--------d-----w-c:\program files\SUPERAntiSpyware
2010-02-07 06:00 . 2010-01-14 17:12181120------w-c:\windows\system32\MpSigStub.exe
2010-02-07 05:29 . 2010-02-07 05:29--------d-----w-c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2010-02-06 19:40 . 2010-02-16 06:01--------d-----w-c:\program files\Trend Micro
2010-02-06 12:29 . 2010-02-06 20:08--------d-----w-c:\documents and settings\All Users\Application Data\Systweak
2010-02-06 12:25 . 2010-02-06 20:08--------d-----w-c:\documents and settings\Owner\Application Data\Systweak
2010-02-06 12:19 . 2010-02-06 19:110----a-w-c:\windows\IntIgn0xF28456.dat
2010-02-02 14:15 . 2009-12-17 06:0949241----a-w-c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4482\sb_BunkerHill.dll
2010-02-02 14:15 . 2009-12-16 13:07136528----a-w-c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4482\Vercopy.exe
2010-02-02 14:15 . 2009-12-15 12:33120144----a-w-c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4482\SBFix.exe
2010-02-02 14:15 . 2009-12-15 12:1495568----a-w-c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4482\RunOnce.exe
2010-02-02 14:15 . 2009-12-15 10:35106496----a-w-c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4482\sb_Raga_Refresh.dll
2010-02-02 14:15 . 2009-12-14 22:00106496----a-w-c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4482\sb_Almaak.dll
2010-02-02 14:15 . 2009-12-14 20:06106496----a-w-c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4482\sb_Thailand.dll
2010-02-02 14:15 . 2009-12-14 20:03106496----a-w-c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4482\sb_Strauss.dll
2010-01-29 12:51 . 2010-01-29 12:51--------d-----w-c:\documents and settings\Owner\Local Settings\Application Data\Yahoo
2010-01-29 12:51 . 2010-01-29 12:51--------d-----w-c:\documents and settings\All Users\Application Data\Yahoo!
2010-01-26 00:26 . 2010-02-16 02:35--------d-----w-c:\program files\Unlocker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-17 20:57 . 2009-08-06 06:25720----a-w-c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-02-17 09:17 . 2009-06-03 20:59--------d-----w-c:\program files\Defraggler
2010-02-16 04:45 . 2009-11-19 06:15--------d-----w-c:\program files\Java
2010-02-16 03:11 . 2009-08-14 03:44--------d-----w-c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-02-16 03:11 . 2009-12-22 23:15--------d-----w-c:\program files\Common Files\Wise Installation Wizard
2010-02-08 01:09 . 2009-06-03 20:58--------d-----w-c:\program files\Alwil Software
2010-02-07 05:41 . 2009-09-12 18:10--------d---a-w-c:\documents and settings\All Users\Application Data\TEMP
2010-02-04 16:06 . 2009-09-01 20:10--------d-----w-c:\documents and settings\Owner\Application Data\AOL
2010-02-02 14:15 . 2009-09-01 20:03--------d-----w-c:\documents and settings\All Users\Application Data\AOL Downloads
2010-01-29 12:51 . 2009-08-15 14:52--------d-----w-c:\documents and settings\Owner\Application Data\Yahoo!
2010-01-29 12:51 . 2009-08-15 14:52--------d-----w-c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-01-29 12:51 . 2009-08-15 14:52--------d-----w-c:\program files\Yahoo!
2010-01-17 13:12 . 2009-11-19 06:30--------d-----w-c:\program files\Common Files\AVSMedia
2010-01-17 13:11 . 2009-11-19 06:29--------d-----w-c:\program files\AVS4YOU
2010-01-17 03:00 . 2009-06-04 14:0767880----a-w-c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-17 02:56 . 2010-01-16 02:26--------d-----w-c:\program files\Roxio
2010-01-17 02:56 . 2010-01-16 02:25--------d-----w-c:\program files\Common Files\Roxio Shared
2010-01-17 02:55 . 2010-01-16 02:26--------d-----w-c:\documents and settings\All Users\Application Data\Roxio
2010-01-16 02:37 . 2010-01-16 02:34--------d-----w-c:\documents and settings\Owner\Application Data\Roxio
2010-01-16 02:35 . 2010-01-16 02:35--------d-----w-c:\documents and settings\LocalService\Application Data\Roxio
2010-01-16 02:30 . 2010-01-16 02:30--------d-----w-c:\documents and settings\All Users\Application Data\InstallShield
2010-01-16 02:29 . 2010-01-16 02:29--------d-----w-c:\documents and settings\All Users\Application Data\Sonic
2010-01-16 02:27 . 2009-06-10 17:29--------d-----w-c:\program files\Common Files\InstallShield
2010-01-16 02:25 . 2010-01-16 02:25--------d-----w-c:\program files\DivX
2010-01-15 21:17 . 2010-01-15 21:17--------d-----w-c:\program files\Windows Media Connect 2
2010-01-13 19:53 . 2010-01-13 19:53--------d-----w-c:\documents and settings\All Users\Application Data\XoftSpySE
2010-01-12 00:42 . 2010-01-12 00:39164----a-w-c:\windows\install.dat
2010-01-05 09:57 . 2008-10-16 19:24841216----a-w-c:\windows\system32\wininet.dll
2010-01-05 09:57 . 2007-08-13 15:4578336----a-w-c:\windows\system32\ieencode.dll
2010-01-05 09:57 . 2007-01-08 16:0117408----a-w-c:\windows\system32\corpol.dll
2010-01-01 07:58 . 2008-09-08 10:37353792----a-w-c:\windows\system32\drivers\srv.sys
2009-12-22 23:15 . 2009-12-22 23:12--------d-----w-c:\program files\LeapFrog
2009-12-22 23:14 . 2009-12-22 23:1428696928----a-w-c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
2009-12-22 23:13 . 2009-12-22 23:134852064----a-w-c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\Leapster2Plugin.exe
2009-12-22 23:12 . 2009-12-22 23:12--------d-----w-c:\documents and settings\All Users\Application Data\Leapfrog
2009-12-17 23:14 . 2009-11-19 06:15411368----a-w-c:\windows\system32\deploytk.dll
2009-12-16 18:43 . 2009-06-03 20:44343040----a-w-c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2008-04-14 10:4133280----a-w-c:\windows\system32\csrsrv.dll
2009-12-08 18:20 . 2008-08-14 09:392145280----a-w-c:\windows\system32\ntoskrnl.exe
2009-12-08 17:40 . 2008-08-14 04:092023936----a-w-c:\windows\system32\ntkrnlpa.exe
2009-12-04 17:25 . 2008-10-24 10:41456832----a-w-c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:23 . 2008-05-07 04:041291776----a-w-c:\windows\system32\quartz.dll
2009-11-27 17:23 . 2008-04-14 05:4217920----a-w-c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2006-02-28 11:0028672----a-w-c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:368704----a-w-c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2008-04-14 10:4211264----a-w-c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2008-04-14 10:4184992----a-w-c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2008-04-14 05:4148128----a-w-c:\windows\system32\iyuv_32.dll
2009-11-21 15:51 . 2008-04-14 10:41471552----a-w-c:\windows\AppPatch\aclayers.dll
2009-07-11 13:53 . 2009-07-11 13:5336122624----a-w-c:\program files\ess_nt32_enu.msi
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DisCryptor Free"="c:\program files\DisCryptor Free\DisCryptor.exe" [2009-02-01 1671168]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-12 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-12 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-12 141336]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"Dorland Anywhere"="c:\program files\Dorland\Anywhere\DorAny.exe" [2008-01-23 409600]
"hp 1000 firmware"="c:\program files\hp LaserJet 1000\fwdl.exe" [2001-12-15 36864]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"HostManager"="c:\program files\Common Files\AOL\1251835694\ee\AOLSoftware.exe" [2008-06-24 41824]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-08-25 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-08-25 81920]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2009-05-08 174424]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Device Detector 4.lnk - c:\program files\OLYMPUS\DeviceDetector\DeviceDetector4.exe [2008-8-5 397312]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21548352----a-w-c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecuteREG_MULTI_SZ autocheck autochk *\0sasnative32

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1251835694\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\OLYMPUS\\DSSPlayerStandard\\TranscriptionModule.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/7/2010 7:09 PM 162512]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/7/2010 7:09 PM 19024]
R3 Olympus DVR Service;Olympus DVR Service;c:\program files\Common Files\Olympus Shared\DeviceManager\olydvrsv.exe [8/5/2008 2:58 PM 167936]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
R4 discryptor;discryptor;c:\program files\DisCryptor Free\discryptor.sys [2/1/2009 3:55 PM 265984]
S3 ADASPROT;SYSTWEAKASO;\??\c:\program files\Advanced System Optimizer 3\adasprot32.sys --> c:\program files\Advanced System Optimizer 3\adasprot32.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-17 c:\windows\Tasks\User_Feed_Synchronization-{8E86AB1F-EB25-48A4-AFD3-B0077CB92854}.job
- c:\windows\system32\msfeedssync.exe [2009-06-03 23:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\lsimge42.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tb50ffTB50CLie7&query=
FF - prefs.js: browser.search.selectedEngine - AOL Search
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tb50ffTB50CLab&query=
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\lsimge42.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe
AddRemove-eBay Icon - c:\documents and settings\Owner\Application Data\Desktopicon\uninst.exe
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-17 16:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-02-17 16:04:32
ComboFix-quarantined-files.txt 2010-02-17 22:04

Pre-Run: 145,501,380,608 bytes free
Post-Run: 145,479,634,944 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - A66656F258E6467FF8304D90C5517B98
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]KillAll::

Driver::
ADASPROT

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"=-

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

----------

Please go to Start > Run and copy/paste the following blue text, then press Enter:

C:\QooBox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply. ComboFix 10-02-16.03 - Owner 02/17/2010 17:39:38.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1524 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ADASPROT
-------\Service_ADASPROT

((((((((((((((((((((((((( Files Created from 2010-01-17 to 2010-02-17 )))))))))))))))))))))))))))))))
.

2010-02-16 04:46 . 2010-02-16 04:46--------d-----w-c:\program files\Common Files\Java
2010-02-16 04:46 . 2010-02-16 04:46348160----a-w-c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-58030aed-n\msvcr71.dll
2010-02-16 04:46 . 2010-02-16 04:46503808----a-w-c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-58030aed-n\msvcp71.dll
2010-02-16 04:46 . 2010-02-16 04:46499712----a-w-c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-58030aed-n\jmc.dll
2010-02-16 04:45 . 2010-02-16 04:4561440----a-w-c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-72c690e5-n\decora-sse.dll
2010-02-16 04:45 . 2010-02-16 04:4512800----a-w-c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-72c690e5-n\decora-d3d.dll
2010-02-16 04:18 . 2010-01-07 22:0738224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-16 04:18 . 2010-02-16 04:18--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2010-02-16 04:18 . 2010-01-07 22:0719160----a-w-c:\windows\system32\drivers\mbam.sys
2010-02-16 03:12 . 2010-02-16 03:1252224----a-w-c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-16 03:12 . 2010-02-16 03:12117760----a-w-c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-16 02:46 . 2010-02-16 02:46--------d-----w-c:\program files\CCleaner
2010-02-14 04:13 . 2010-02-14 04:13--------d-----w-c:\windows\Sun
2010-02-10 21:09 . 2009-11-27 17:2317920-c----w-c:\windows\system32\dllcache\msyuv.dll
2010-02-10 21:09 . 2009-11-27 16:078704-c----w-c:\windows\system32\dllcache\tsbyuv.dll
2010-02-10 21:09 . 2009-11-27 16:0748128-c----w-c:\windows\system32\dllcache\iyuv_32.dll
2010-02-10 21:08 . 2009-12-04 17:25456832-c----w-c:\windows\system32\dllcache\mrxsmb.sys
2010-02-08 01:09 . 2010-02-11 18:42162512----a-w-c:\windows\system32\drivers\aswSP.sys
2010-02-08 01:09 . 2010-02-11 18:3819024----a-w-c:\windows\system32\drivers\aswFsBlk.sys
2010-02-08 01:09 . 2010-02-11 18:4246672----a-w-c:\windows\system32\drivers\aswTdi.sys
2010-02-08 01:09 . 2010-02-11 18:3923376----a-w-c:\windows\system32\drivers\aswRdr.sys
2010-02-08 01:09 . 2010-02-11 18:38100432----a-w-c:\windows\system32\drivers\aswmon2.sys
2010-02-08 01:09 . 2010-02-11 18:3894800----a-w-c:\windows\system32\drivers\aswmon.sys
2010-02-08 01:09 . 2010-02-11 18:3828880----a-w-c:\windows\system32\drivers\aavmker4.sys
2010-02-08 01:09 . 2010-02-11 18:5338848----a-w-c:\windows\system32\avastSS.scr
2010-02-08 01:09 . 2010-02-11 18:53153184----a-w-c:\windows\system32\aswBoot.exe
2010-02-08 01:09 . 2010-02-08 01:09--------d-----w-c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-07 23:39 . 2010-02-16 03:11--------d-----w-c:\program files\SUPERAntiSpyware
2010-02-07 06:00 . 2010-01-14 17:12181120------w-c:\windows\system32\MpSigStub.exe
2010-02-07 05:29 . 2010-02-07 05:29--------d-----w-c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2010-02-06 19:40 . 2010-02-16 06:01--------d-----w-c:\program files\Trend Micro
2010-02-06 12:29 . 2010-02-06 20:08--------d-----w-c:\documents and settings\All Users\Application Data\Systweak
2010-02-06 12:25 . 2010-02-06 20:08--------d-----w-c:\documents and settings\Owner\Application Data\Systweak
2010-02-06 12:19 . 2010-02-06 19:110----a-w-c:\windows\IntIgn0xF28456.dat
2010-02-02 14:15 . 2009-12-17 06:0949241----a-w-c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4482\sb_BunkerHill.dll
2010-02-02 14:15 . 2009-12-16 13:07136528----a-w-c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4482\Vercopy.exe
2010-02-02 14:15 . 2009-12-15 12:33120144----a-w-c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4482\SBFix.exe
2010-02-02 14:15 . 2009-12-15 12:1495568----a-w-c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4482\RunOnce.exe
2010-02-02 14:15 . 2009-12-15 10:35106496----a-w-c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4482\sb_Raga_Refresh.dll
2010-02-02 14:15 . 2009-12-14 22:00106496----a-w-c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4482\sb_Almaak.dll
2010-02-02 14:15 . 2009-12-14 20:06106496----a-w-c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4482\sb_Thailand.dll
2010-02-02 14:15 . 2009-12-14 20:03106496----a-w-c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4482\sb_Strauss.dll
2010-01-29 12:51 . 2010-01-29 12:51--------d-----w-c:\documents and settings\Owner\Local Settings\Application Data\Yahoo
2010-01-29 12:51 . 2010-01-29 12:51--------d-----w-c:\documents and settings\All Users\Application Data\Yahoo!
2010-01-26 00:26 . 2010-02-16 02:35--------d-----w-c:\program files\Unlocker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-17 23:43 . 2009-08-06 06:25720----a-w-c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-02-17 09:17 . 2009-06-03 20:59--------d-----w-c:\program files\Defraggler
2010-02-16 04:45 . 2009-11-19 06:15--------d-----w-c:\program files\Java
2010-02-16 03:11 . 2009-08-14 03:44--------d-----w-c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-02-16 03:11 . 2009-12-22 23:15--------d-----w-c:\program files\Common Files\Wise Installation Wizard
2010-02-08 01:09 . 2009-06-03 20:58--------d-----w-c:\program files\Alwil Software
2010-02-07 05:41 . 2009-09-12 18:10--------d---a-w-c:\documents and settings\All Users\Application Data\TEMP
2010-02-04 16:06 . 2009-09-01 20:10--------d-----w-c:\documents and settings\Owner\Application Data\AOL
2010-02-02 14:15 . 2009-09-01 20:03--------d-----w-c:\documents and settings\All Users\Application Data\AOL Downloads
2010-01-29 12:51 . 2009-08-15 14:52--------d-----w-c:\documents and settings\Owner\Application Data\Yahoo!
2010-01-29 12:51 . 2009-08-15 14:52--------d-----w-c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-01-29 12:51 . 2009-08-15 14:52--------d-----w-c:\program files\Yahoo!
2010-01-17 13:12 . 2009-11-19 06:30--------d-----w-c:\program files\Common Files\AVSMedia
2010-01-17 13:11 . 2009-11-19 06:29--------d-----w-c:\program files\AVS4YOU
2010-01-17 03:00 . 2009-06-04 14:0767880----a-w-c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-17 02:56 . 2010-01-16 02:26--------d-----w-c:\program files\Roxio
2010-01-17 02:56 . 2010-01-16 02:25--------d-----w-c:\program files\Common Files\Roxio Shared
2010-01-17 02:55 . 2010-01-16 02:26--------d-----w-c:\documents and settings\All Users\Application Data\Roxio
2010-01-16 02:37 . 2010-01-16 02:34--------d-----w-c:\documents and settings\Owner\Application Data\Roxio
2010-01-16 02:35 . 2010-01-16 02:35--------d-----w-c:\documents and settings\LocalService\Application Data\Roxio
2010-01-16 02:30 . 2010-01-16 02:30--------d-----w-c:\documents and settings\All Users\Application Data\InstallShield
2010-01-16 02:29 . 2010-01-16 02:29--------d-----w-c:\documents and settings\All Users\Application Data\Sonic
2010-01-16 02:27 . 2009-06-10 17:29--------d-----w-c:\program files\Common Files\InstallShield
2010-01-16 02:25 . 2010-01-16 02:25--------d-----w-c:\program files\DivX
2010-01-15 21:17 . 2010-01-15 21:17--------d-----w-c:\program files\Windows Media Connect 2
2010-01-13 19:53 . 2010-01-13 19:53--------d-----w-c:\documents and settings\All Users\Application Data\XoftSpySE
2010-01-12 00:42 . 2010-01-12 00:39164----a-w-c:\windows\install.dat
2010-01-05 09:57 . 2008-10-16 19:24841216------w-c:\windows\system32\wininet.dll
2010-01-05 09:57 . 2007-08-13 15:4578336----a-w-c:\windows\system32\ieencode.dll
2010-01-05 09:57 . 2007-01-08 16:0117408----a-w-c:\windows\system32\corpol.dll
2010-01-01 07:58 . 2008-09-08 10:37353792----a-w-c:\windows\system32\drivers\srv.sys
2009-12-22 23:15 . 2009-12-22 23:12--------d-----w-c:\program files\LeapFrog
2009-12-22 23:14 . 2009-12-22 23:1428696928----a-w-c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
2009-12-22 23:13 . 2009-12-22 23:134852064----a-w-c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\Leapster2Plugin.exe
2009-12-22 23:12 . 2009-12-22 23:12--------d-----w-c:\documents and settings\All Users\Application Data\Leapfrog
2009-12-17 23:14 . 2009-11-19 06:15411368----a-w-c:\windows\system32\deploytk.dll
2009-12-16 18:43 . 2009-06-03 20:44343040----a-w-c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2008-04-14 10:4133280----a-w-c:\windows\system32\csrsrv.dll
2009-12-08 18:20 . 2008-08-14 09:392145280------w-c:\windows\system32\ntoskrnl.exe
2009-12-08 17:40 . 2008-08-14 04:092023936------w-c:\windows\system32\ntkrnlpa.exe
2009-12-04 17:25 . 2008-10-24 10:41456832----a-w-c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:23 . 2008-05-07 04:041291776----a-w-c:\windows\system32\quartz.dll
2009-11-27 17:23 . 2008-04-14 05:4217920----a-w-c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2006-02-28 11:0028672----a-w-c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:368704----a-w-c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2008-04-14 10:4211264----a-w-c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2008-04-14 10:4184992----a-w-c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2008-04-14 05:4148128----a-w-c:\windows\system32\iyuv_32.dll
2009-11-21 15:51 . 2008-04-14 10:41471552----a-w-c:\windows\AppPatch\aclayers.dll
2009-07-11 13:53 . 2009-07-11 13:5336122624----a-w-c:\program files\ess_nt32_enu.msi
.

((((((((((((((((((((((((((((( [emailprotected]_22.03.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-17 23:43 . 2010-02-17 23:4316384 c:\windows\temp\Perflib_Perfdata_8d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DisCryptor Free"="c:\program files\DisCryptor Free\DisCryptor.exe" [2009-02-01 1671168]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-12 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-12 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-12 141336]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"Dorland Anywhere"="c:\program files\Dorland\Anywhere\DorAny.exe" [2008-01-23 409600]
"hp 1000 firmware"="c:\program files\hp LaserJet 1000\fwdl.exe" [2001-12-15 36864]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"HostManager"="c:\program files\Common Files\AOL\1251835694\ee\AOLSoftware.exe" [2008-06-24 41824]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-08-25 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-08-25 81920]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2009-05-08 174424]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Device Detector 4.lnk - c:\program files\OLYMPUS\DeviceDetector\DeviceDetector4.exe [2008-8-5 397312]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21548352----a-w-c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecuteREG_MULTI_SZ autocheck autochk *\0sasnative32

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1251835694\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\OLYMPUS\\DSSPlayerStandard\\TranscriptionModule.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/7/2010 7:09 PM 162512]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/7/2010 7:09 PM 19024]
R3 Olympus DVR Service;Olympus DVR Service;c:\program files\Common Files\Olympus Shared\DeviceManager\olydvrsv.exe [8/5/2008 2:58 PM 167936]
R4 discryptor;discryptor;c:\program files\DisCryptor Free\discryptor.sys [2/1/2009 3:55 PM 265984]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2010-02-17 c:\windows\Tasks\User_Feed_Synchronization-{8E86AB1F-EB25-48A4-AFD3-B0077CB92854}.job
- c:\windows\system32\msfeedssync.exe [2009-06-03 23:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\lsimge42.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tb50ffTB50CLie7&query=
FF - prefs.js: browser.search.selectedEngine - AOL Search
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tb50ffTB50CLab&query=
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\lsimge42.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-17 17:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\System32\dimsntfy.dll

- - - - - - - > 'explorer.exe'(1056)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\zstatus.exe
.
**************************************************************************
.
Completion time: 2010-02-17 17:45:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-17 23:45
ComboFix2.txt 2010-02-17 22:04

Pre-Run: 145,485,348,864 bytes free
Post-Run: 145,380,700,160 bytes free

- - End Of File - - B72B4EEF571518FD2250AD7A3612872D

7-Zip 4.65
AC3Filter (remove only)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.1
Adobe Shockwave Player
AOL Toolbar
AOL Uninstaller (Choose which Products to Remove)
ArcSoft Print Creations
ArcSoft Print Creations - Album Page
ArcSoft Print Creations - Funhouse
ArcSoft Print Creations - Greeting Card
ArcSoft Print Creations - Photo Book
ArcSoft Print Creations - Photo Calendar
ArcSoft Print Creations - Scrapbook
ArcSoft Print Creations - Slimline Card
AutoUpdate
avast! Free Antivirus
CCleaner
CCScore
CDBurnerXP
Defraggler
DisCryptor Free - Encryption Software
DivX
Dorland's Electronic Medical Speller
Download Updater (AOL LLC)
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSTOOLS
essvatgt
fflink
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
hp LaserJet 1000
Intel(R) Graphics Media Accelerator Driver
Java Auto Updater
Java(TM) 6 Update 18
K-Lite Mega Codec Pack 3.8.0
kgcbaby
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
LeapFrog Connect
LeapFrog Leapster2 Plugin
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 5.3
Microsoft IntelliType Pro 5.3
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Small Business Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB973688)
netbrdg
OfotoXMI
Olympus DSS Player Standard
OpenOffice.org 3.0
QuickTime
Realtek High Definition Audio Driver
rjhExtensions
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
SFR
SHASTA
skin0001
SKINXSDK
staticcr
SUPERAntiSpyware Free Edition
Uninstall AOL Emergency Connect Utility 1.0
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Use the entry named LeapFrog Connect to uninstall (LeapFrog Leapster2 Plugin)
Viewpoint Media Player
VPRINTOL
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows Vista Wallpapers
WIRELESS
XML Paper Specification Shared Components Pack 1.0
Yahoo! BrowserPlus
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Mail Advisor
Yahoo! Search Protection
Yahoo! Software Update
Yahoo! Toolbar
Go to Start > Control Panel > Add/Remove Programs - (Vista & Win7 is Programs and Features) and remove the following programs if present.

* Viewpoint Media Player

----------

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /Uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log
First Evilfantasy thank you so much for your HELP with this and the time you have taken to help me...I'm so glad that we are able to have folks like you to help ones like me,,,who does not really know squat about computers... here is the Eset Online Scan Log results.

C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP233\A0083431.DLLWin32/Adware.FunWeb applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP255\A0087847.DLLWin32/Adware.FunWeb applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP255\A0087848.DLLWin32/Adware.FunWeb applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP255\A0087849.DLLWin32/Adware.FunWeb applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP255\A0087851.DLLWin32/Adware.FunWeb applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP255\A0087852.DLLWin32/Adware.FunWeb applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP255\A0087853.EXEWin32/Toolbar.MyWebSearch applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP255\A0087858.DLLWin32/Toolbar.MyWebSearch applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP255\A0087859.DLLWin32/Toolbar.MyWebSearch applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP255\A0087860.DLLWin32/Toolbar.MyWebSearch applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP255\A0087861.DLLWin32/Toolbar.MyWebSearch applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP255\A0087863.DLLWin32/Toolbar.MyWebSearch applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP255\A0087864.EXEWin32/Toolbar.MyWebSearch applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP275\A0091335.DLLWin32/Toolbar.MyWebSearch applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP275\A0091336.DLLWin32/Toolbar.MyWebSearch applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP275\A0091338.EXEWin32/Toolbar.MyWebSearch applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP275\A0091340.EXEWin32/Toolbar.MyWebSearch applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP275\A0091341.EXEWin32/Toolbar.MyWebSearch applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP275\A0091342.DLLWin32/Toolbar.MyWebSearch applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP275\A0091343.EXEWin32/Toolbar.MyWebSearch applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP275\A0091348.EXEWin32/Adware.FunWeb applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP275\A0091349.DLLWin32/Toolbar.MyWebSearch applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP275\A0091351.SCRWin32/Toolbar.MyWebSearch applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP275\A0091352.DLLWin32/Toolbar.MyWebSearch applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{1F83C1C3-FAD3-4F0D-898A-2860FCC07073}\RP289\A0093131.scrWin32/Toolbar.MyWebSearch applicationcleaned by deleting - quarantined
That all is nothing to worry about.

If there are no more malware issues we can finish up now.

Use the Secunia Software Inspector to check for out of date software.

* Click Start Now
* Check the box next to Enable thorough system inspection.
* Click Start
* Allow the scan to finish and scroll down to see if any updates are needed.
* Update anything listed.

----------

Go to Microsoft Windows Update and get all critical updates.

----------

If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.

----------

I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, VIRUSES and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Discussion

4518.	Solve : Super AntiSpyware Problem?
Answer» Yes, is that bad? Same result on Administrator - Thanks - It's not bad. It just changes what we can and can't use. Download TrendMicro HijackThis.exe (HJT) to the desktop. * Double-click on HJTInstall. * Click on the Install button. * It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. * Upon install, HijackThis should open for you. * Important! If using Windows Vista or Windows 7, close HijackThis. Now right-click HijackThis and Run As Administrator * Click on the Do a system scan and save a log file button * HijackThis will scan and then a log will open in notepad. * Copy and then paste the entire contents of the log in your post. * Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.Finally something worked - yeah!! Let me know what you see - thanks again. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll O1 - Hosts: ::1 localhost O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\coIEPlg.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\IPSBHO.DLL O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN\Toolbar\3.0.1125.0\msneshellx.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files (x86)\MSN\Toolbar\3.0.1125.0\msneshellx.dll O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\coIEPlg.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files (x86)\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume O4 - HKLM\..\Run: [nmctxth] "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKCU\..\Run: [swg] C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Users\glenda\Desktop\SUPERAntiSpyware.exe O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWow64\Macromed\Flash\FlashUtil10d.exe O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user') O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file) O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file) O13 - Gopher Prefix: O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\coIEPlg.dll O20 - Winlogon Notify: !SASWinLogon - C:\Users\glenda\Desktop\SASWINLO.dll O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing) O23 - Service: Apple Mobile DEVICE - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing) O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing) O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing) O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\ccSvcHst.exe O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing) O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing) O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing) O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing) O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing) O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing) O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing) O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing) O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing) O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing) -- End of file - 10458 bytesAlmost! The top of the log is missing.Sorry :/ This should be the whole thing - thanks! Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:16:36 PM, on 2/16/2010 Platform: Windows Vista SP2 (WinNT 6.00.1906) MSIE: Internet Explorer v7.00 (7.00.6002.18005) Boot mode: Normal Running PROCESSES: C:\Program Files (x86)\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Program Files (x86)\iTunes\iTunesHelper.exe C:\Program Files (x86)\Secunia\PSI\psi.exe C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\ccSvcHst.exe C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe C:\Program Files (x86)\Internet Explorer\ieuser.exe C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll O1 - Hosts: ::1 localhost O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\coIEPlg.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\IPSBHO.DLL O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN\Toolbar\3.0.1125.0\msneshellx.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files (x86)\MSN\Toolbar\3.0.1125.0\msneshellx.dll O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\coIEPlg.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files (x86)\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume O4 - HKLM\..\Run: [nmctxth] "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKCU\..\Run: [swg] C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Users\glenda\Desktop\SUPERAntiSpyware.exe O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWow64\Macromed\Flash\FlashUtil10d.exe O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user') O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file) O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file) O13 - Gopher Prefix: O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\coIEPlg.dll O20 - Winlogon Notify: !SASWinLogon - C:\Users\glenda\Desktop\SASWINLO.dll O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing) O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing) O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing) O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing) O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\ccSvcHst.exe O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing) O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing) O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing) O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing) O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing) O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing) O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing) O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing) O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing) O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing) -- End of file - 10458 bytes Right click HijackThis and choose Run as Administrator Next select Do a system scan only Place a check mark next to the following entries: (if there) O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file) O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file) O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - . Important: Close all open windows except for HijackThis and then click Fix checked. Once completed, exit HijackThis. ---------- Update Malwarebytes' Anti-Malware and run a Full scan. * Open Malwarebytes' Anti-Malware * Select the Update tab * Click Check for Updates * After the update have been completed, Select the Scanner tab. * Select Perform full scan, then click on Scan * Leave the default options as it is and click on Start Scan * When done, you will be prompted. Click OK, then click on Show Results * Checked (ticked) all items and click on Remove Selected * After it has removed the items, Notepad will open. Please post this log in your next reply. I ran the HiJack program as per your directions no problem but remember I told you EARLIER that the malware won't shut down? It's STILL running - not responding and won't let me run it again because supposedly it's already running. I've tried task manager to shut it down several times. My only option seems to be to shut it down but I wanted to be sure that's OK since you've mentioned not restarting while in this process. Sorry, if this is a stupid question but it's a little odd. Thanks! Yes restart the computer to shut it down.Finally some results!! Yeah............. Here's the log - please advise. Thanks! Malwarebytes' Anti-Malware 1.44 Database version: 3751 Windows 6.0.6002 Service Pack 2 Internet Explorer 7.0.6002.18005 2/17/2010 2:44:34 PM mbam-log-2010-02-17 (14-44-34).txt Scan type: Full Scan (C:\\|D:\\|) Objects scanned: 504232 Time elapsed: 3 hour(s), 1 minute(s), 18 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 5 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 4 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014da6c1-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014da6c9-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{014da6c1-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{014da6c9-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\Program Files (x86)\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully. C:\Program Files (x86)\MySearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully. C:\Program Files (x86)\MySearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully. C:\Program Files (x86)\MySearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully. Files Infected: C:\Program Files (x86)\MySearch\bar\History\search (Adware.MyWebSearch) -> Quarantined and deleted successfully.ESET Online Scan Scan your computer with the ESET FREE Online Virus Scan * Click the ESET Online Scanner button. * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps) * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop * Double click on the esetsmartinstaller_enu.exe icon on your desktop. * Place a check mark next to YES, I accept the Terms of Use. * Click the Start button. * Accept any security warnings from your browser. * Leave the check mark next to Remove found threats and place a check next to Scan archives. * Click the Start button. * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time. * When the scan completes, click List of found threats. * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply. * Click the <<Back button then click Finish. In your next reply please include the ESET Online Scan LogOkay - It seemed to run ok - took several hours so I checked it every hour or so to make sure it was still running - after about 46 - 50% it seemed to go a lot faster and when I checked it the last time it showed that it was stopped by the user - which I did not do; so...............I deleted it and ran it again today with the same result - no log was created. I don't know if this means there's nothing to find or if it's getting kicked out before it finishes. Should I try again? Thanks! Try this one. Scan your computer with Panda ActiveScan * Once you are on the Panda site click the Scan your PC now button. * A new window will open...click the Scan Now button. * If it wants to install an ActiveX component allow it. * It will start downloading the files it requires for the scan. (Note: It may take a couple of minutes) * You may get a warning from Internet Explorer that Panda is ready to install, please allow it. * The scan will begin. Please be patient as it can take an hour or more to complete. * When the scan completes, if anything malicious is detected, click the Export to: button (looks like a little Notepad). * Save the ActiveScan.txt to a convenient location like your desktop. * Note: You do not need to select any of the Disinfect options. We will remove any threats manually. * Post the contents of the ActiveScan report in your next reply.Hello - I started the scan about 9:30 am - it got to 3% and stayed at 3% for more than 3 hours - so I stopped it to see if you think I should start it again and just wait it out (I'll be gone a couple of days so that's fine) or if I should try something else. Two things - first, does the screen saver stop the scan? second, when I stopped it I got a warning to the effect "this will stop the scan" I said ok and when it closed there was another screen scanning behind it - also at 3%?? This one I had to go to task manager to get it to stop. Hope this makes some kind of sense - it was almost like I started it twice but I don't think I did - thanks again!Update and run Malwarebytes' Anti-Malware again then post the log please.Hello again - Where to begin?? I was gone for a few days but I did try to run the malware prior to leaving with the same response - or no response - it just kicks me off the internet. So, now I'm back - a side note - one result of whatever this is is that my printer doesn't work unless I turn off the PC and turn it back on. I noticed this time when I turned it on that the AntiSpyware came up automatically - the update runs fine but when I run the scan it kicks me off. (Also, I always have to turn it off manually - it won't shut down or restart on it's own) Next I run the malware - ran as administrator - checked for updates which seemed to work fine - started the scan, got it going and left the pc; when I came back it was finished with a log similar to the one I sent earlier - basically nothing found; but it did say the scan was 'aborted' which I didn't do?? Then when I tried to get on-line to send you the log it went all pale or washed out - not sure how to describe it but it was frozen. Then I got a message that said "Logon process has failed to create security option dialog - in the middle of the box is a big X with Failure Security options. So, not sure why or what to do?? I hope this makes some sense - thanks!

4518.

Solve : Super AntiSpyware Problem?

Answer»

Yes, is that bad?

Same result on Administrator - Thanks - It's not bad. It just changes what we can and can't use.

Download TrendMicro HijackThis.exe (HJT) to the desktop.

* Double-click on HJTInstall.
* Click on the Install button.
* It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
* Upon install, HijackThis should open for you.
* Important! If using Windows Vista or Windows 7, close HijackThis. Now right-click HijackThis and Run As Administrator
* Click on the Do a system scan and save a log file button
* HijackThis will scan and then a log will open in notepad.
* Copy and then paste the entire contents of the log in your post.
* Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.Finally something worked - yeah!! Let me know what you see - thanks again.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files (x86)\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files (x86)\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Users\glenda\Desktop\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWow64\Macromed\Flash\FlashUtil10d.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O13 - Gopher Prefix:
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Users\glenda\Desktop\SASWINLO.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile DEVICE - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing)

--
End of file - 10458 bytesAlmost! The top of the log is missing.Sorry :/

This should be the whole thing - thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:16:36 PM, on 2/16/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running PROCESSES:
C:\Program Files (x86)\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Secunia\PSI\psi.exe
C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files (x86)\Internet Explorer\ieuser.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files (x86)\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files (x86)\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Users\glenda\Desktop\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWow64\Macromed\Flash\FlashUtil10d.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O13 - Gopher Prefix:
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Users\glenda\Desktop\SASWINLO.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing)

--
End of file - 10458 bytes
Right click HijackThis and choose Run as Administrator

Next select Do a system scan only

Place a check mark next to the following entries: (if there)

O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

.
Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Update Malwarebytes' Anti-Malware and run a Full scan.

* Open Malwarebytes' Anti-Malware
* Select the Update tab
* Click Check for Updates
* After the update have been completed, Select the Scanner tab.
* Select Perform full scan, then click on Scan
* Leave the default options as it is and click on Start Scan
* When done, you will be prompted. Click OK, then click on Show Results
* Checked (ticked) all items and click on Remove Selected
* After it has removed the items, Notepad will open. Please post this log in your next reply.
I ran the HiJack program as per your directions no problem but remember I told you EARLIER that the malware won't shut down? It's STILL running - not responding and won't let me run it again because supposedly it's already running. I've tried task manager to shut it down several times.

My only option seems to be to shut it down but I wanted to be sure that's OK since you've mentioned not restarting while in this process. Sorry, if this is a stupid question but it's a little odd.

Thanks!
Yes restart the computer to shut it down.Finally some results!! Yeah.............

Here's the log - please advise.

Thanks!

Malwarebytes' Anti-Malware 1.44
Database version: 3751
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

2/17/2010 2:44:34 PM
mbam-log-2010-02-17 (14-44-34).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 504232
Time elapsed: 3 hour(s), 1 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014da6c1-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014da6c9-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{014da6c1-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{014da6c9-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files (x86)\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MySearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MySearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MySearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files (x86)\MySearch\bar\History\search (Adware.MyWebSearch) -> Quarantined and deleted successfully.ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan LogOkay - It seemed to run ok - took several hours so I checked it every hour or so to make sure it was still running - after about 46 - 50% it seemed to go a lot faster and when I checked it the last time it showed that it was stopped by the user - which I did not do; so...............I deleted it and ran it again today with the same result - no log was created.

I don't know if this means there's nothing to find or if it's getting kicked out before it finishes.

Should I try again?

Thanks!
Try this one.

Scan your computer with Panda ActiveScan

* Once you are on the Panda site click the Scan your PC now button.
* A new window will open...click the Scan Now button.
* If it wants to install an ActiveX component allow it.
* It will start downloading the files it requires for the scan. (Note: It may take a couple of minutes)
* You may get a warning from Internet Explorer that Panda is ready to install, please allow it.
* The scan will begin. Please be patient as it can take an hour or more to complete.
* When the scan completes, if anything malicious is detected, click the Export to: button (looks like a little Notepad).
* Save the ActiveScan.txt to a convenient location like your desktop.
* Note: You do not need to select any of the Disinfect options. We will remove any threats manually.

* Post the contents of the ActiveScan report in your next reply.Hello - I started the scan about 9:30 am - it got to 3% and stayed at 3% for more than 3 hours - so I stopped it to see if you think I should start it again and just wait it out (I'll be gone a couple of days so that's fine) or if I should try something else.

Two things - first, does the screen saver stop the scan? second, when I stopped it I got a warning to the effect "this will stop the scan" I said ok and when it closed there was another screen scanning behind it - also at 3%?? This one I had to go to task manager to get it to stop. Hope this makes some kind of sense - it was almost like I started it twice but I don't think I did - thanks again!Update and run Malwarebytes' Anti-Malware again then post the log please.Hello again - Where to begin?? I was gone for a few days but I did try to run the malware prior to leaving with the same response - or no response - it just kicks me off the internet.

So, now I'm back - a side note - one result of whatever this is is that my printer doesn't work unless I turn off the PC and turn it back on. I noticed this time when I turned it on that the AntiSpyware came up automatically - the update runs fine but when I run the scan it kicks me off. (Also, I always have to turn it off manually - it won't shut down or restart on it's own)

Next I run the malware - ran as administrator - checked for updates which seemed to work fine - started the scan, got it going and left the pc; when I came back it was finished with a log similar to the one I sent earlier - basically nothing found; but it did say the scan was 'aborted' which I didn't do??

Then when I tried to get on-line to send you the log it went all pale or washed out - not sure how to describe it but it was frozen. Then I got a message that said "Logon process has failed to create security option dialog - in the middle of the box is a big X with Failure Security options.

So, not sure why or what to do??

I hope this makes some sense - thanks!

Discussion

4519.	Solve : Handed neighbor's laptop with a plea of help?
Answer» She thinks she got something while in MySpace... the laptop has been saying she has been infected and forces her to either a antivirus site or a porn site. I have kept it off the internet and got through all the scans. I have read the instructions and the logs are attached in one file. Thanks in ADVANCE for all the help. wetwolf [Saving space, attachment deleted by admin]1. Close all open Web browsers. 2. From the Start menu in Windows select Control Panel. 3. Select Add or Remove Programs. 4. Uninstall any of the following programs associated with Ask.com: (the names may be slightly different) - Ask.com - Ask Bar - Ask Desktop Search - Ask Search - Ask Toolbar - Ask Jeeves 5. Click Change/Remove for each and uninstall all found. ---------- Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups. Unzip the file on the desktop. Open the MessengerDisable.exe and choose the BOTTOM box - Uninstall Windows Messenger and click Apply. Exit out of MessengerDisable then delete the two files that were put on the desktop. ---------- Open HijackThis and select Do a system scan only Place a check mark next to the following entries: (if there) O15 - Trusted Zone: http://.trymedia.com (HKLM) O18 - Filter hijack: text/html - {b7be8c3e-021c-4480-8db5-55c857833ee2} - C:\WINDOWS\system32\msiebbar.dll . Important:* Close all open windows except for HijackThis and then click Fix checked. Once completed, exit HijackThis. ---------- If you already have ComboFix be sure to delete it and download a new copy. Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop. Link #1 Link #2 Note: It is important that it is saved directly to your Desktop Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix. Temporarily disable your antivirus and any ANTISPYWARE real time protection before performing a scan. Click this link to see a LIST of security programs that should be disabled and how to disable them. Double click combofix.exe & follow the prompts. Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it) When finished ComboFix will produce a log for you. Post the ComboFix log in your next reply. Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall. Remember to re-enable your antivirus and antispyware protection when ComboFix is complete. If you have problems with ComboFix usage, see How to use ComboFix**Many thanks! My neighbor says thanks too! Seems to be back to normal. wetwolfWithout the logs I request we can't be sure...sorry, I did not see the request. I will have them run HJT and report back.

4519.

Solve : Handed neighbor's laptop with a plea of help?

Answer»

She thinks she got something while in MySpace... the laptop has been saying she has been infected and forces her to either a antivirus site or a porn site. I have kept it off the internet and got through all the scans.

I have read the instructions and the logs are attached in one file.

Thanks in ADVANCE for all the help.

wetwolf

[Saving space, attachment deleted by admin]1. Close all open Web browsers.
2. From the Start menu in Windows select Control Panel.
3. Select Add or Remove Programs.
4. Uninstall any of the following programs associated with Ask.com: (the names may be slightly different)

- Ask.com
- Ask Bar
- Ask Desktop Search
- Ask Search
- Ask Toolbar
- Ask Jeeves

5. Click Change/Remove for each and uninstall all found.

----------

Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the BOTTOM box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.

----------

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O18 - Filter hijack: text/html - {b7be8c3e-021c-4480-8db5-55c857833ee2} - C:\WINDOWS\system32\msiebbar.dll

Discussion

4520.	Solve : disable Java & ActiveX??
Answer» To avoid malware infections, should I permanently disable Java and ActiveX in Internet Explorer? How about Javascript? If I should also disable Javascript, should I just disable Active scripting, or all options? But I don't also need to disable any of these in Windows itself, right?What antivirus and firewall do you use? Two methods to keep your normal configuration but block most known browser exploits. SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox. * Using SpywareBlaster to protect your computer from Spyware and Malware * If you don't know what ActiveX controls are, see here Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. * Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.Quote What antivirus and firewall do you use? I use Webroot Internet Security Essentials for both. And of course my router has a firewall.The recommended security settings for IE are as follows. Tighten Internet Explorer's security setting * Since Internet Explorer is the leading browser it will always be the lead in attacks from the bad guys. o Make your Internet Explorer more secure 1. From within Internet Explorer click the Tools menu and then on Internet Options. 2. Click once on the Security tab 3. Click once on the Internet icon so it BECOMES highlighted. 4. Click once on the Custom Level button. + Change the Download signed ActiveX controls to PROMPT + Change the Download unsigned ActiveX controls to Disable + Change the Initialize and script ActiveX controls not marked as safe to Disable + Change the Installation of desktop items to Prompt + Change the Launching programs and files in an IFRAME to Prompt + Change the Navigate sub-frames across different domains to Prompt + When all these settings have been made, click on the OK button. + If it prompts you as to whether or not you want to save the settings, press the Yes button. 5. Next press the Apply button and then the OK to exit the Internet Properties page. Tighten Internet Explorer's security setting continued - Default Internet Explorer settings should be set to high. 1. Start up IE then go to Tools > Internet Options > Security 2. Set the Security level for the Internet Zone to High. (If no slider is visible, click Default Level.) 3. Click the Trusted Sites icon. 4. Set the Security level for the this Zone to Medium. (If no slider is visible, click Default Level.) 5. Click OK. I've been reading about malware in a few different forums, and a lot of people recommend installing several anti-malware apps. But if you do that, don't you have to make sure they're not all in the Start menu, so they don't run all at once and collide?The only thing you should have running is 1 antivirus, 1 firewall and 1 antimalware (optional). The ones I suggested don't run in real time.

4520.

Solve : disable Java & ActiveX??

Answer»

To avoid malware infections, should I permanently disable Java and ActiveX in Internet Explorer? How about Javascript? If I should also disable Javascript, should I just disable Active scripting, or all options? But I don't also need to disable any of these in Windows itself, right?What antivirus and firewall do you use?

Two methods to keep your normal configuration but block most known browser exploits.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy.
* Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.Quote

What antivirus and firewall do you use?

I use Webroot Internet Security Essentials for both. And of course my router has a firewall.The recommended security settings for IE are as follows.

Tighten Internet Explorer's security setting

* Since Internet Explorer is the leading browser it will always be the lead in attacks from the bad guys.
o Make your Internet Explorer more secure
1. From within Internet Explorer click the Tools menu and then on Internet Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it BECOMES highlighted.
4. Click once on the Custom Level button.
+ Change the Download signed ActiveX controls to PROMPT
+ Change the Download unsigned ActiveX controls to Disable
+ Change the Initialize and script ActiveX controls not marked as safe to Disable
+ Change the Installation of desktop items to Prompt
+ Change the Launching programs and files in an IFRAME to Prompt
+ Change the Navigate sub-frames across different domains to Prompt
+ When all these settings have been made, click on the OK button.
+ If it prompts you as to whether or not you want to save the settings, press the Yes button.
5. Next press the Apply button and then the OK to exit the Internet Properties page.

Tighten Internet Explorer's security setting continued - Default Internet Explorer settings should be set to high.

1. Start up IE then go to Tools > Internet Options > Security
2. Set the Security level for the Internet Zone to High. (If no slider is visible, click Default Level.)
3. Click the Trusted Sites icon.
4. Set the Security level for the this Zone to Medium. (If no slider is visible, click Default Level.)
5. Click OK.
I've been reading about malware in a few different forums, and a lot of people recommend installing several anti-malware apps. But if you do that, don't you have to make sure they're not all in the Start menu, so they don't run all at once and collide?The only thing you should have running is 1 antivirus, 1 firewall and 1 antimalware (optional). The ones I suggested don't run in real time.

Discussion

4521.	Solve : Is this malware, hardware, or just windows being windows??
Answer» I am not sure this is malware related, but it could be, so I posted here. I have a Thinkpad X60s. It came with a 100g SATA HD. I am running XP-SP2. I ran out of room, so I purchased a WD Scorpio Blue 500g HD. I used Acronis to clone over my existing C and E drives to the new drive, and expanded both. C: is NTFS and E: is a Fat32, with system restore info on it. Everything went well for about 2 months. Then one day, my new drive would blue screen upon BOOTING. However, I could boot into safe mode. After virus scans and a bit of hacking, I made no progress. However, this may be irrelevant. Keep reading... So I swapped back the old drive into the computer and used the new drive via usb. Here's where it gets weird. I boot the old drive, (which has had no MS updates SINCE December 09). It boots up just fine. I PLUG the new drive in, it gets recognized in Windows explorer, and then the machine immediately blue screens. However, if I boot into safe mode, I can attach the new drive without incident. The new drive plugged into a random XP SP3 machine caused no issues. It also looks fine under OS X and Linux. So what's up? Is there some weird MBR sector thing on the new drive. Is there some malware on the old drive? (That got cloned over to the new one?) It's clearly some driver that's loaded in normal windows and that's not loaded in safe mode, but how do I FIGURE out which one? I have scanned the old drive with Malwarebytes, SuperAntiSpyware (full scans on both) and they came out clean. I also ran Combofix, and Rootrepeal, and I think they came out clean, but I am not sure I can interpret the output. I have spent far too much time on this and I am almost ready to reimage the new drive, but I am worried that the same thing will happen again later. Any advice? Thanks for listening. John H Some additional notes: I have tried using msconfig to minimize things that get loaded. However, even on msconfig with diagnostic startup (minimal services loaded), I still bluescreen when I plug in the new drive. I also tried disabling all services and disabling all startup. Still bluescreen. Help!

Discussion

4522.	Solve : My computer is running extremly slow...?
Answer» Hello, my computer is RUNNING really slow. It is taking a long time to boot up, and even longer to open a document or FOLDER. I have already tried DEFRAGMENTING but still runs the same. Could I have a virus? If so, how do I know and how can I fix the problem? Thanks!Welcome to CH. Prior to posting for help we ask that you please read and follow all instructions in the pinned topic titled Please read this before requesting malware removal help. Following the steps in the Guide will allow for us to quickly help you with specific FIXES for your system. When you have completed those steps post the logs in the Computer VIRUSES and Spyware forum as outlined in the Please read this thread.Thank you....I have found this site very useful.

Discussion

4523.	Solve : Uniblue (liutilities.com) can be misleading?
Answer» This is just my opinion on this issue but here's two EXAMPLES where their site will say "DISABLE AND REMOVE .exe IMMEDIATELY. This process is most likely a virus or trojan", when a valid process by that name exists and is needed for proper functioning in Windows systems: csrss.exe - csrss process information lsass.exe - lsass process information I think they really ought to make their recommendations more clear where a valid process by that name does, indeed, exist in Windows. I know they explain, in their narrative, that valid files by these names exist in Windows. But then, they make a point-blank statement that the file should be removed without clearly saying they MEAN any process by that name which is found in a location other than where the valid file for Windows is located.It's important to always read the entire article. Quote Always take note of the process location when trying to determine whether or not the process is genuine or malicious.This Windows component should be located in your Windows System directory ie: something similar to C:\Windows\System32\csrss.exe But I do completely agree with you and so do many others. http://www.mywot.com/en/scorecard/liutilities.com Quote from: evilfantasy on February 19, 2010, 12:44:54 PM It's important to always read the entire article. But I do completely agree with you and so do many others. http://www.mywot.com/en/scorecard/liutilities.com Hmm, interesting, thanks for posting that link. Lot of NEGATIVE comments there. I STILL think it's a useful source of info but, as you say, "It's important to always read the entire article." Otherwise, you could do the wrong thing and harm your computer.

4523.

Solve : Uniblue (liutilities.com) can be misleading?

Answer»

This is just my opinion on this issue but here's two EXAMPLES where their site will say "DISABLE AND REMOVE .exe IMMEDIATELY. This process is most likely a virus or trojan", when a valid process by that name exists and is needed for proper functioning in Windows systems:
csrss.exe - csrss process information
lsass.exe - lsass process information

I think they really ought to make their recommendations more clear where a valid process by that name does, indeed, exist in Windows. I know they explain, in their narrative, that valid files by these names exist in Windows. But then, they make a point-blank statement that the file should be removed without clearly saying they MEAN any process by that name which is found in a location other than where the valid file for Windows is located.It's important to always read the entire article.

Quote

Always take note of the process location when trying to determine whether or not the process is genuine or malicious.This Windows component should be located in your Windows System directory ie: something similar to C:\Windows\System32\csrss.exe

But I do completely agree with you and so do many others. http://www.mywot.com/en/scorecard/liutilities.com Quote from: evilfantasy on February 19, 2010, 12:44:54 PM

It's important to always read the entire article.

But I do completely agree with you and so do many others. http://www.mywot.com/en/scorecard/liutilities.com

Hmm, interesting, thanks for posting that link. Lot of NEGATIVE comments there. I STILL think it's a useful source of info but, as you say, "It's important to always read the entire article." Otherwise, you could do the wrong thing and harm your computer.

Discussion

4524.	Solve : Can Someone Help with an Execessive Error message?
Answer» My LAPTOP KEEPS getting a "Security Warning" that reads as follows: Application cannot be executed. the file ytbb.exe is infected. Do you want to ACTIVATE your antivirus software now? I cannot go into another other programs, however if I leave it open long enough it redirects to a porn site. Can anyone help? PLEASE note I am a real beginner with computers. Thank you Please visit this webpage for a TUTORIAL on downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix See the area: Using ComboFix, and when done, post the log back here.

Discussion

4525.	Solve : Best FREE anti-spyware program? (must be conflict-free with avast! home)?
Answer» I am currently running: Avast! Free Edition Windows Defender Malwarebytes Anti-Malware (free edition) Windows Firewall I don't like Windows Defender. I want to replace it with another, free, reliable anti-spyware program. What should I use? SOMETHING THAT IS CONFLICT-FREE WITH AVAST!!!!!!!!!!!!!!!! And overall, do i have good PROTECTION? EDIT: Apparently, Avast! auto-updates every 240 minutes, by default. I thought it updated immediately when there were new virus definitions? Can I set it so that it updates like this? 1) You cannot set an av to update when there are new definitions - how would it know? 2) I don't care for Windows Defender EITHER and I always disable it on all of my systems. You're FINE without it. The only thing I would ADD to what you ALREADY use is SpywareBlaster free edition. It does NOT run resident and you need to remember to update it about once a week. It blocks known malicious web sites. Other than that you should be fine.

Discussion

4526.	Solve : Do I have good PC security??
Answer» I am running Windows Firewall, Microsoft Security Essentials, and Malwarebytes Anti-Malware (free EDITION). Is this good enough for the average PC user or what? Should be fine. More IMPORTANT, know what you are doing (don't open email ATTACHMENTS or click on links unless you are 100% certain you know what they are, etc).

Discussion

4527.

Solve : Application has been infected....?

Answer»

My computer recently started having the problem of telling my that none of my programs could run because they were infected. The internet wouldn't work, unless it was opening on its own to a porn page. I did some searching and found this site and after about 4 hours of work have gotten the three logs that you ask for. Much of this was done in safe mode but that's the only way I could GET it to work. I'll post the logs in the order I acquired them.

I hope I post these right, but please let me know if I did something wrong. Thanks in advance for your help. I really appreciate it.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/18/2010 at 07:29 PM

Application Version : 4.34.1000

Core Rules Database Version : 4601
Trace Rules Database Version: 2413

Scan type : Complete Scan
Total Scan Time : 01:45:14

Memory items scanned : 314
Memory threats detected : 0
Registry items scanned : 8694
Registry threats detected : 2
File items scanned : 198158
File threats detected : 2

Rogue.AntivirusSoft
[llcjbwvj] C:\USERS\ROBERTA\APPDATA\LOCAL\CSNEFM\OBLQSFTAV.EXE
C:\USERS\ROBERTA\APPDATA\LOCAL\CSNEFM\OBLQSFTAV.EXE
HKU\S-1-5-21-28988871-2951861398-4232707214-1001\Software\avsoft
C:\Windows\Prefetch\OBLQSFTAV.EXE-96E2E17F.pf

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18882

2/18/2010 7:49:03 PM
mbam-log-2010-02-18 (19-49-03).txt

Scan type: Quick Scan
Objects scanned: 107548
Time elapsed: 3 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pufpyiod (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:22 PM, on 2/18/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\System32\mobsync.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Windows\PixArt\PAC7302\Monitor.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\mswinext.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\schtasks.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\hp\kbd\kbd.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.bresnan.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?

TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?

TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Norton Internet

Security\Engine\16.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Norton Internet

Security\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search

Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows

Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0

\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet

Security\Engine\16.8.0.41\coIEPlg.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\npwinext.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m

"C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [PAC7302_Monitor] C:\Windows\PixArt\PAC7302\Monitor.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [MSN Toolbar] "C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\mswinext.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [lightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Snapfish Media Detector.lnk = C:\Program Files\Snapfish Picture Mover\SnapfishMediaDetector.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0

\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0

\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0

\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0

\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0

\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0

\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'TOOLS' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet

Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web

Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://chat.bresnan.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) -

http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} (Photo Upload Plugin Class) -

http://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) -

http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-us.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.8.0.41

\coIEPlg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32

\IDriverT.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media

Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common

Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file

missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-

2F227FCA9A08}\PIFSvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media

Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media

Server\Shells\MCLServiceATL.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network

Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.8.0.41

\ccSvcHst.exe
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI

Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 20056 bytes
Download The Comedian by Rorschach112 to your desktop.

* Double click the program to run it.
* It will do a series of tasks and tell you when each one is finished.
* You will be prompted to press any key after each step
* When it is done it will close and exit itself automatically.
* You can delete The_Comedian.exe once it is finished.

----------

Download DDS from |HERE| or |HERE| or |HERE| and save it to your desktop.

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.
DDS (Ver_09-12-01.01) - NTFSx86
Run by Roberta at 21:54:52.29 on Thu 02/18/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.846 [GMT -7:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Pen_Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\system32\DllHost.exe
C:\Windows\System32\mobsync.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Windows\PixArt\PAC7302\Monitor.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\mswinext.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\schtasks.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\hp\kbd\kbd.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Roberta\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://homepage.bresnan.net/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\16.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\16.8.0.41\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0205.2\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\16.8.0.41\coIEPlg.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0205.2\npwinext.dll
TB: {A057A204-BACC-4D26-8087-36EE87E26986} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autoRun
uRun: [updateMgr] "c:\program files\adobe\adobe acrobat 7.0\acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [lightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [CCUTRAYICON] FactoryMode
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: []
mRun: [Adobe Version Cue CS2] "c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0205.2\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\roberta\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://chat.bresnan.com/sdccommon/download/tgctlcm.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-us.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\norton internet security\engine\16.8.0.41\CoIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1008000.029\SymEFA.sys [2010-1-27 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1008000.029\BHDrvx86.sys [2010-1-27 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1008000.029\cchpx86.sys [2010-1-27 482432]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100210.001\IDSvix86.sys [2010-2-12 343088]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\16.8.0.41\ccSvcHst.exe [2010-1-27 117640]
R2 Seagate Sync Service;Seagate Sync Service;c:\program files\seagate\sync\SeaSyncServices.exe [2007-1-18 24120]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-5-11 1373480]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-9-17 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-30 102448]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2007-8-15 968064]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\nis\1008000.029\symndisv.sys [2010-1-27 48688]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-7-21 21504]
S3 MCLServiceATL;Intel(R) Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-9-11 167936]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]

=============== Created Last 30 ================

2010-02-19 03:19:140d-----w-c:\program files\Trend Micro
2010-02-19 03:04:570d-----w-c:\programdata\Sun
2010-02-19 00:09:210d-----w-c:\programdata\SUPERAntiSpyware.com
2010-02-19 00:07:520d-----w-c:\users\roberta\appdata\roaming\SUPERAntiSpyware.com
2010-02-19 00:07:520d-----w-c:\program files\SUPERAntiSpyware
2010-02-18 23:41:140d-----w-c:\program files\common files\Wise Installation Wizard
2010-02-18 23:37:220d-----w-c:\program files\CCleaner
2010-02-12 22:14:420d-----w-c:\program files\iPod
2010-02-12 22:14:380d-----w-c:\program files\iTunes
2010-02-09 20:08:113600456----a-w-c:\windows\system32\ntkrnlpa.exe
2010-02-09 20:08:113548216----a-w-c:\windows\system32\ntoskrnl.exe
2010-02-09 20:06:50212992----a-w-c:\windows\system32\drivers\mrxsmb10.sys
2010-02-09 20:06:50105984----a-w-c:\windows\system32\drivers\mrxsmb.sys
2010-02-09 17:16:250d-----w-c:\users\roberta\appdata\roaming\SupportSoft
2010-02-09 16:44:450d-----w-c:\program files\common files\supportsoft
2010-01-23 14:49:190d-----w-C:\WTablet

==================== Find3M ====================

2010-02-19 03:03:40411368----a-w-c:\windows\system32\deploytk.dll
2010-02-17 17:42:3360724----a-w-c:\windows\fonts\ClarendonTLig.ttf
2010-02-17 17:39:0046848----a-w-c:\windows\fonts\clrndnc_0.ttf
2010-02-17 17:39:0046848----a-w-c:\windows\fonts\clrndnc.ttf
2010-02-17 17:09:0149652----a-w-c:\windows\fonts\Clarendon Bold Condensed BT.ttf
2010-02-17 16:57:5764436----a-w-c:\windows\fonts\CLARENDO (2).TTF
2010-02-08 18:11:3339888----a-w-c:\windows\fonts\Djfancy.TTF
2010-02-08 18:10:3553976----a-w-c:\windows\fonts\NICKELOD.TTF
2010-02-08 18:08:4746184----a-w-c:\windows\fonts\CACPINAF.TTF
2010-01-07 23:07:1438224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07:0419160----a-w-c:\windows\system32\drivers\mbam.sys
2010-01-02 06:38:20916480----a-w-c:\windows\system32\wininet.dll
2010-01-02 06:32:3371680----a-w-c:\windows\system32\iesetup.dll
2010-01-02 06:32:33109056----a-w-c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00133632----a-w-c:\windows\system32\ieUnatt.exe
2010-01-02 02:46:48254----a-w-c:\users\roberta\jobq.dat
2009-12-04 18:30:0512288----a-w-c:\windows\system32\tsbyuv.dll
2009-12-04 18:29:411314816----a-w-c:\windows\system32\quartz.dll
2009-12-04 18:28:5222528----a-w-c:\windows\system32\msyuv.dll
2009-12-04 18:28:5131744----a-w-c:\windows\system32\msvidc32.dll
2009-12-04 18:28:51123904----a-w-c:\windows\system32\msvfw32.dll
2009-12-04 18:28:4913312----a-w-c:\windows\system32\msrle32.dll
2009-12-04 18:28:2782944----a-w-c:\windows\system32\mciavi32.dll
2009-12-04 18:28:2150176----a-w-c:\windows\system32\iyuv_32.dll
2009-12-04 18:27:1291136----a-w-c:\windows\system32\avifil32.dll
2009-11-17 10:28:0486016----a-w-c:\windows\inf\infpub.dat
2009-11-17 10:28:04665600----a-w-c:\windows\inf\drvindex.dat
2009-11-17 10:28:03143360----a-w-c:\windows\inf\infstrng.dat
2009-11-17 10:28:03143360----a-w-c:\windows\inf\infstor.dat
2008-07-27 03:28:58174--sha-w-c:\program files\desktop.ini
2006-11-02 12:42:0230674----a-w-c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:0230674----a-w-c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02287440----a-w-c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02287440----a-w-c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21287440----a-w-c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21287440----a-w-c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:1930674----a-w-c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:1930674----a-w-c:\windows\inf\perflib\0000\perfc.dat
2009-10-17 00:54:30245760--sha-w-c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2007-12-02 02:32:5922--sha-w-c:\windows\sminst\HPCD.sys
2007-08-16 02:32:558192--sha-w-c:\windows\users\default\NTUSER.DAT

============= FINISH: 21:56:21.58 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 9/3/2007 8:36:15 AM
System Uptime: 2/18/2010 7:55:03 PM (2 hours ago)

Motherboard: ASUSTek Computer INC. | | Leonite2
Processor: Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz | Socket 775 | 2200/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 289 GiB total, 183.476 GiB free.
D: is FIXED (NTFS) - 9 GiB total, 1.214 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is Removable
K: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

==== Installed Programs ======================

32 Bit HP CIO Components Installer
Activation Assistant for the 2007 Microsoft Office suites
ActiveCheck component for HP Active Support Library
Adobe Acrobat 7.0 Professional
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Creative Suite 2
Adobe Flash Player 10 ActiveX
Adobe GoLive CS2
Adobe Help Center 1.0
Adobe Illustrator CS2
Adobe InDesign CS2
Adobe Photoshop CS2
Adobe Reader 8.1.0
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
Adobe Version Cue CS2
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
BresnanClientSetup
BufferChm
C4600
CCleaner
Destinations
DeviceDiscovery
DIGOpt
Drivers Install For Linksys Easylink Advisor
Enhanced Multimedia Keyboard Solution
ERUNT 1.1j
FamilySearch Indexing (www.familysearchindexing.org)
FreeAgent Go Tools
Google Toolbar for Internet Explorer
GPBaseService2
Hardware Diagnostic Tools
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Active Support Library 32 bit components
HP Customer Experience Enhancements
HP Customer Feedback
HP Customer Participation Program 13.0
HP Easy Setup - Frontend
HP Imaging Device Functions 13.0
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart C4600 All-In-One Driver Software 13.0 Rel .5
HP Photosmart Essential 2.01
HP Photosmart Essential2.01
HP Picasso Media Center Add-In
HP Print Projects 1.0
HP Smart Web Printing 4.5
HP Solution Center 13.0
HP Total Care Advisor
HP Update
HPAsset component for HP Active Support Library
HPPhotoGadget
hpPrintProjects
HPProductAssistant
hpWLPGInstaller
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
Intel® Viiv™ Software
iPhone Configuration Utility
iTunes
Java Auto Updater
Java(TM) 6 Update 18
Java(TM) SE Runtime Environment 6 Update 1
LightScribe 1.6.45.1
Linksys EasyLink Advisor 1.6 (0032)
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Logitech Legacy USB Camera Driver Package
Logitech QuickCam
Logitech QuickCam Driver Package
Logitech Updater
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Default Manager
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MobileMe Control Panel
MSN
MSN Toolbar
MSN Toolbar Platform
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 6.0
My HP Games
Network Magic
Norton Internet Security
PC VGA [emailprotected] Plus
Pen Tablet
PS_AIO_05_C4600_Software_Min
PSSWCORE
Pure Networks Platform
Python 2.5
QuickTime
Realtek High Definition Audio Driver
Rhapsody
Rhapsody Player Engine
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Safari
Scan
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Skype web features
Skype™ 4.1
SmartWebPrinting
Snapfish Picture Mover
Soft Data Fax Modem with SmartCP
SolutionCenter
Status
Suite Specific
SUPERAntiSpyware Free Edition
Toolbox
TrayApp
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
VideoToolkit01
Viewpoint Media Player
WeatherBug Gadget
WebReg
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sync
Windows Live Upload Tool
Yahoo! Install Manager
Yahoo! Search Protection
Yahoo! Software Update
Yahoo! Toolbar

==== End Of File ===========================
Go to Add or Remove Programs and uninstall:

Java(TM) SE Runtime Environment 6 Update 1
Viewpoint Media Player

.
----------

If you already have COMBOFIX be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

DO NOT run it yet!

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]KillAll::

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {A057A204-BACC-4D26-8087-36EE87E26986} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun: [<NO NAME>]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freezeI got the programs uninstalled and ComboFix to run, but once it restarted the computer and gave me a log, IE would now longer let me run it saying it was an "Illegal operation attempted on a registry key that has been marked for deletion." The same message was presented when I tried to run Safari (the only other browser installed on that computer). So I saved the log and am posting from a different computer.

ComboFix 10-02-18.09 - Roberta 02/19/2010 9:13.1.2 - x86
MicrosoftÆ Windows Vistaô Home Premium 6.0.6002.2.1252.1.1033.18.2038.697 [GMT -7:00]
Running from: c:\users\Roberta\Desktop\ComboFix.exe
Command switches used :: c:\users\Roberta\Desktop\CFScript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-2247044132-4097389474-3979866955-1000
c:\$recycle.bin\S-1-5-21-2707314144-2212986238-3296375092-500
c:\$recycle.bin\S-1-5-21-28988871-2951861398-4232707214-500

.
((((((((((((((((((((((((( Files Created from 2010-01-19 to 2010-02-19 )))))))))))))))))))))))))))))))
.

2010-02-19 16:22 . 2010-02-19 16:25--------d-----w-c:\users\Roberta\AppData\Local\temp
2010-02-19 16:22 . 2010-02-19 16:22--------d-----w-c:\users\IUSR_NMPR\AppData\Local\temp
2010-02-19 04:53 . 2010-02-19 04:53--------d-----w-c:\program files\ERUNT
2010-02-19 03:19 . 2010-02-19 03:19--------d-----w-c:\program files\Trend Micro
2010-02-19 00:09 . 2010-02-19 00:09--------d-----w-c:\programdata\SUPERAntiSpyware.com
2010-02-19 00:07 . 2010-02-19 00:07--------d-----w-c:\program files\SUPERAntiSpyware
2010-02-19 00:07 . 2010-02-19 00:07--------d-----w-c:\users\Roberta\AppData\Roaming\SUPERAntiSpyware.com
2010-02-18 23:41 . 2010-02-18 23:41--------d-----w-c:\program files\Common Files\Wise Installation Wizard
2010-02-18 23:37 . 2010-02-18 23:37--------d-----w-c:\program files\CCleaner
2010-02-18 22:42 . 2010-02-19 02:30--------d-----w-c:\users\Roberta\AppData\Local\csnefm
2010-02-12 22:14 . 2010-02-12 22:14--------d-----w-c:\program files\iPod
2010-02-12 22:14 . 2010-02-12 22:15--------d-----w-c:\program files\iTunes
2010-02-12 22:10 . 2010-02-12 22:11--------d-----w-c:\program files\QuickTime
2010-02-09 20:08 . 2009-12-08 20:013600456----a-w-c:\windows\system32\ntkrnlpa.exe
2010-02-09 20:08 . 2009-12-08 20:013548216----a-w-c:\windows\system32\ntoskrnl.exe
2010-02-09 20:06 . 2009-12-04 15:56212992----a-w-c:\windows\system32\drivers\mrxsmb10.sys
2010-02-09 20:06 . 2009-12-04 15:56105984----a-w-c:\windows\system32\drivers\mrxsmb.sys
2010-02-09 17:16 . 2010-02-09 17:16--------d-----w-c:\users\Roberta\AppData\Roaming\SupportSoft
2010-02-09 16:44 . 2010-02-09 16:44--------d-----w-c:\program files\Common Files\supportsoft
2010-01-23 14:49 . 2010-01-23 14:49--------d-----w-C:\WTablet

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 16:24 . 2008-05-11 18:42--------d-----w-c:\users\Roberta\AppData\Roaming\WTablet
2010-02-19 16:08 . 2007-08-16 02:06--------d-----w-c:\program files\Java
2010-02-19 16:08 . 2007-08-16 02:06--------d-----w-c:\program files\Common Files\Java
2010-02-19 16:08 . 2010-02-19 16:080----a-w-c:\windows\system32\REN2119.tmp
2010-02-19 16:08 . 2010-02-19 16:080----a-w-c:\windows\system32\REN2118.tmp
2010-02-19 16:08 . 2010-02-19 16:080----a-w-c:\windows\system32\REN2117.tmp
2010-02-19 15:52 . 2009-09-18 00:42--------d-----w-c:\programdata\Viewpoint
2010-02-19 15:52 . 2009-09-18 00:41--------d-----w-c:\program files\Viewpoint
2010-02-19 03:03 . 2009-03-13 21:38411368----a-w-c:\windows\system32\deploytk.dll
2010-02-18 23:46 . 2009-02-17 03:43--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2010-02-18 23:29 . 2007-10-25 22:56120824----a-w-c:\users\Roberta\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-12 22:14 . 2007-11-03 19:40--------d-----w-c:\program files\Common Files\Apple
2010-02-10 10:20 . 2006-11-02 11:18--------d-----w-c:\program files\Windows Mail
2010-02-09 05:28 . 2008-03-02 03:02--------d-----w-c:\users\Roberta\AppData\Roaming\Skype
2010-02-08 23:01 . 2008-02-10 21:18--------d-----w-c:\users\Roberta\AppData\Roaming\skypePM
2010-01-20 15:52 . 2009-10-25 03:22--------d-----w-c:\program files\Microsoft Silverlight
2010-01-19 18:58 . 2010-01-05 15:38--------d-----w-c:\programdata\McAfee Security Scan
2010-01-19 18:58 . 2007-08-16 02:08--------d-----w-c:\program files\Microsoft Works
2010-01-19 16:26 . 2010-01-19 16:26--------d-----w-c:\programdata\Office Genuine Advantage
2010-01-07 23:07 . 2009-02-17 03:4338224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07 . 2009-02-17 03:4319160----a-w-c:\windows\system32\drivers\mbam.sys
2010-01-07 15:38 . 2010-01-07 15:38--------d-----w-c:\programdata\McAfee
2010-01-06 15:13 . 2007-10-26 00:03--------d-----w-c:\users\Roberta\AppData\Roaming\MSN6
2010-01-04 20:34 . 2007-08-16 01:57--------d-----w-c:\program files\HP
2010-01-02 06:38 . 2010-01-22 10:47916480----a-w-c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 10:4771680----a-w-c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 10:47109056----a-w-c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 10:47133632----a-w-c:\windows\system32\ieUnatt.exe
2010-01-02 02:46 . 2009-03-13 21:41254----a-w-c:\users\Roberta\jobq.dat
2009-12-11 11:43 . 2010-02-09 20:07302080----a-w-c:\windows\system32\drivers\srv.sys
2009-12-11 11:43 . 2010-02-09 20:0798816----a-w-c:\windows\system32\drivers\srvnet.sys
2009-12-08 20:01 . 2010-02-09 20:07904776----a-w-c:\windows\system32\drivers\tcpip.sys
2009-12-08 17:26 . 2010-02-09 20:0730720----a-w-c:\windows\system32\drivers\tcpipreg.sys
2009-12-04 18:30 . 2010-02-09 20:0712288----a-w-c:\windows\system32\tsbyuv.dll
2009-12-04 18:29 . 2010-02-09 20:071314816----a-w-c:\windows\system32\quartz.dll
2009-12-04 18:28 . 2010-02-09 20:0722528----a-w-c:\windows\system32\msyuv.dll
2009-12-04 18:28 . 2010-02-09 20:0731744----a-w-c:\windows\system32\msvidc32.dll
2009-12-04 18:28 . 2010-02-09 20:07123904----a-w-c:\windows\system32\msvfw32.dll
2009-12-04 18:28 . 2010-02-09 20:0713312----a-w-c:\windows\system32\msrle32.dll
2009-12-04 18:28 . 2010-02-09 20:0782944----a-w-c:\windows\system32\mciavi32.dll
2009-12-04 18:28 . 2010-02-09 20:0750176----a-w-c:\windows\system32\iyuv_32.dll
2009-12-04 18:27 . 2010-02-09 20:0791136----a-w-c:\windows\system32\avifil32.dll
2007-12-02 02:32 . 2007-12-02 02:3222--sha-w-c:\windows\SMINST\HPCD.sys
2007-08-16 02:32 . 2007-08-16 02:288192--sha-w-c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & LEGIT default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-06-01 1783400]
"updateMgr"="c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2005-08-18 307200]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-05-16 484904]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-05-24 71176]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-05 856064]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-13 483328]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2007-10-02 451896]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2007-08-10 319488]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-04-01 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-01 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-01 133656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2008-06-03 178712]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0205.2\mswinext.exe" [2009-08-10 239456]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-03 44168]

c:\users\Roberta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-10-26 25214]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21548352----a-w-c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):74,6e,03,b8,f5,5f,ca,01

R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NIS\1008000.029\SymEFA.sys [1/27/2010 5:42 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\NIS\1008000.029\BHDrvx86.sys [1/27/2010 5:42 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NIS\1008000.029\cchpx86.sys [1/27/2010 5:42 PM 482432]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100210.001\IDSvix86.sys [2/12/2010 3:20 PM 343088]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [9/3/2006 10:32 AM 208896]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [1/27/2010 5:42 PM 117640]
R2 Seagate Sync Service;Seagate Sync Service;c:\program files\Seagate\Sync\SeaSyncServices.exe [1/18/2007 1:20 PM 24120]
R2 TabletServicePen;TabletServicePen;c:\windows\System32\Pen_Tablet.exe [5/11/2008 11:39 AM 1373480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/30/2009 4:51 PM 102448]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\System32\drivers\HCW85BDA.sys [8/15/2007 6:48 PM 968064]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\NIS\1008000.029\symndisv.sys [1/27/2010 5:42 PM 48688]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\tools\IntelDHSvcConf.exe [5/10/2006 9:13 AM 29696]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [11/2/2006 3:25 AM 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [11/2/2006 3:25 AM 251904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmtREG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonationREG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-02-19 c:\windows\Tasks\User_Feed_Synchronization-{34328BA2-3743-460B-B852-FA2B82D198EA}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.bresnan.net/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride =
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(8356)
c:\program files\Pure Networks\Network Magic\nmrsrc.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\program files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\DllHost.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
.
**************************************************************************
.
Completion time: 2010-02-19 09:34:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-19 16:34

Pre-Run: 198,380,818,432 bytes free
Post-Run: 198,430,007,296 bytes free

- - End Of File - - 3D85B29514A15D6A197B59588930FA8B
Have you tried restarting the computer to see if the error goes away?Upon restarting, i was able to get the internet to work again. Do you need the combo fix log again? Thanks!Quote from: king0913 on February 19, 2010, 03:40:39 PM

Do you need the combo fix log again? Thanks!

No.

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /Uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the TERMS of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log
It just ran combofix again.... and gave me another log, it didn't uninstall it.. did I do something wrong?You need to type in the command right or it will just run it again.

Copy this blue text and then paste it in the Run window.

Combofix /UninstallI ran ESET Online Scanner, but it never gave me the option to get a List of found threats. There was only an option to uninstall or finish. I clicked finish and now its trying to get me to buy other ESET programs. It didn't find any threats though, both were listed as 0. Did I do something wrong? I hope not because that took over 3 hours.If there are no more malware issues we can finish up now.

Use the Secunia Software Inspector to check for out of date software.

* Click Start Now
* Check the box next to Enable thorough system inspection.
* Click Start
* Allow the scan to finish and scroll down to see if any updates are needed.
* Update anything listed.

----------

Go to Microsoft Windows Update and get all critical updates.

----------

If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.

----------

I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy.
* Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Discussion

4528.	Solve : Does my computer have too many security programs??
Answer» I am running: AVAST! Free EDITION 5 Comodo Firewall (w/ Defense +) Windows Defender IObit SECURITY 360 Is this good? Or too MUCH? Or just right? You're fine. The most important thing is "smart computing". Do not open email attachments unless you know for sure what they are, don't click on links unless you know where they go, etc.Okay, thanks!

Discussion

4529.	Solve : atapi.sys infected with rootkit?
Answer» It was an empty folder which is gone now. I ran AVG and had it just can C:\Windows\System32\drivers\ and it came back clean. I also had VirusTotal scan the new atapi.sys which came back clean as well. I'm currently running MBAM and a full AVG scan and installing CCleaner. I'll also run an online scan after CCleaner is installed and ran and let you know, but as of right now seems like it's gone. I have a question though. I obviously tried the ComboFix to try to replace atapi.sys and when I got the warning I decided to come here. My first instict after that though was to get into safe mode with command prompt and copy the files that way. Would it have worked? and if not would running a command prompt from a restore cd/flash drive and copying the file have worked?Yes you most likely could have copied it a number of ways. You just have to be very careful with that file. Without it Windows will not boot. Which is why AVG wouldn't remove it. Hopefully nothing else will be found but since the other file that we deleted was there then you never know what else might come up. And as a precaution we should run a scanner that doesn't remove what it finds to be on the safe side. Use Panda instead of ESET. Scan your computer with Panda ActiveScan * Once you are on the Panda site click the Scan your PC now button. * A new window will open...click the Scan Now button. * If it wants to install an ActiveX component allow it. * It will start downloading the files it requires for the scan. (Note: It may take a couple of minutes) * You may get a warning from Internet Explorer that Panda is ready to install, please allow it. * The scan will begin. Please be patient as it can take an hour or more to complete. * When the scan completes, if anything malicious is detected, click the Export to: button (looks like a little Notepad). * Save the ActiveScan.txt to a convenient location like your desktop. * Note: You do not need to select any of the Disinfect options. We will remove any threats manually. * Post the contents of the ActiveScan report in your next reply. ;*************************************************************************** ANALYSIS: 2009-11-15 02:48:51 PROTECTIONS: 1 MALWARE: 7 SUSPECTS: 3 ;************************************************************************* PROTECTIONS Description Version Active UPDATED ;==================================================================== AVG Anti-Virus Free Yes Yes ;==================================================================== MALWARE Id Description Type Active Severity Disinfectable Disinfected Location ;==================================================================== 00020386 Application/MotherboardMonitor.A HackTools No 0 Yes No c:\program files\mirc\moo.dll 00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\users\stillborn\appdata\roaming\microsoft\windows\cookies\low\[emailprotected][1].txt 00145457 Cookie/FastClick TrackingCookie No 0 Yes No c:\users\stillborn\appdata\roaming\microsoft\windows\cookies\low\[emailprotected][1].txt 00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\users\stillborn\appdata\roaming\microsoft\windows\cookies\low\[emailprotected][2].txt 00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\users\stillborn\appdata\roaming\microsoft\windows\cookies\[emailprotected][2].txt 00815304 mIRC/Gen Virus/Worm No 0 Yes No c:\program files\mirc\backups\aliases.ini 00954094 Rootkit/Bagle.UV Virus/Worm No 1 Yes No c:\avenger\utizmjqx.sys 03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\avenger\atapi.sys ;==================================================================== SUSPECTS Sent Location ;==================================================================== No c:\program files\mirc\backups\mirc.exe No c:\program files\mirc\mirc-keygen\keygen.exe No c:\users\stillborn\documents\utilities and installers\uniblue powersuite 2009\setup.exe ;==================================================================== VULNERABILITIES Id Severity Description ;==================================================================== Using cracks will get you infected every time... Download OTM by OldTimer to your desktop. Note: If you are running on Vista, right-click on OTM.exe and choose Run As Administrator*. Save it to your Desktop. * Double-click OTM.exe to run it. * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and PRESSING CTRL + C (or, after highlighting, right-click and choose Copy) Code: [Select]:Processes explorer.exe :services :reg :files c:\program files\mirc c:\avenger\utizmjqx.sys c:\avenger\atapi.sys :Commands [purity] [emptytemp] [start explorer] * Return to OTM, right click in the "Paste Instructions for ITEMS to be Moved" window (under the yellow bar) and choose Paste. * Click the red Moveit! button. * Copy EVERYTHING in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply. * Close OTM Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. The system required reboot so I wasn't able to copy the results and post them. I checked everything under the "files" list and they're all gone. Sounds good. Time to finish up. 1. Double click OTM to launch it. Vista users right click and choose Run As Administrator 2. Click on the CleanUp! button. 3. OTM will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access. 4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?) 5. When finished exit out of OTM. ---------- Use the Secunia Software Inspector to check for out of date software. Click Start Now Check the box next to Enable thorough system inspection. Click Start Allow the scan to finish and scroll down to see if any updates are needed. Update anything listed. . ---------- Go to Microsoft Windows Update and get all critical updates. ---------- I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your BROWSER. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free. SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox. * Using SpywareBlaster to protect your computer from Spyware and Malware * If you don't know what ActiveX controls are, see here Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth. Had the same problem. Use Hitman Pro. Works fantastic to get rid of atapi. sys root.... Hitman Pro can not fix this infection. In fact, there is no AV now that can do it. It takes specialized tools and/or knowledge of how to replace the infected file which is a legitimate Windows file and why the AV's can't fix it. Kaspersky has developed a tool, TDSSKiller, that will clean and replace the infected atapi.sys file then clean the registry of the TDL3 rootkit. But TDL3 has evolved and that doesn't even work much of the time now. http://support.kaspersky.com/viruses/solutions?qid=208280684

4529.

Solve : atapi.sys infected with rootkit?

Answer»

It was an empty folder which is gone now. I ran AVG and had it just can C:\Windows\System32\drivers\ and it came back clean. I also had VirusTotal scan the new atapi.sys which came back clean as well. I'm currently running MBAM and a full AVG scan and installing CCleaner. I'll also run an online scan after CCleaner is installed and ran and let you know, but as of right now seems like it's gone.

I have a question though. I obviously tried the ComboFix to try to replace atapi.sys and when I got the warning I decided to come here. My first instict after that though was to get into safe mode with command prompt and copy the files that way. Would it have worked? and if not would running a command prompt from a restore cd/flash drive and copying the file have worked?Yes you most likely could have copied it a number of ways. You just have to be very careful with that file. Without it Windows will not boot. Which is why AVG wouldn't remove it.

Hopefully nothing else will be found but since the other file that we deleted was there then you never know what else might come up. And as a precaution we should run a scanner that doesn't remove what it finds to be on the safe side.

Use Panda instead of ESET.

Scan your computer with Panda ActiveScan

* Once you are on the Panda site click the Scan your PC now button.
* A new window will open...click the Scan Now button.
* If it wants to install an ActiveX component allow it.
* It will start downloading the files it requires for the scan. (Note: It may take a couple of minutes)
* You may get a warning from Internet Explorer that Panda is ready to install, please allow it.
* The scan will begin. Please be patient as it can take an hour or more to complete.
* When the scan completes, if anything malicious is detected, click the Export to: button (looks like a little Notepad).
* Save the ActiveScan.txt to a convenient location like your desktop.
* Note: You do not need to select any of the Disinfect options. We will remove any threats manually.

* Post the contents of the ActiveScan report in your next reply.

;*****************************************************************************
ANALYSIS: 2009-11-15 02:48:51
PROTECTIONS: 1
MALWARE: 7
SUSPECTS: 3
;*****************************************************************************
PROTECTIONS
Description Version Active UPDATED
;====================================================================
AVG Anti-Virus Free Yes Yes
;====================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;====================================================================
00020386 Application/MotherboardMonitor.A HackTools No 0 Yes No c:\program files\mirc\moo.dll
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\users\stillborn\appdata\roaming\microsoft\windows\cookies\low\[emailprotected][1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No c:\users\stillborn\appdata\roaming\microsoft\windows\cookies\low\[emailprotected][1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\users\stillborn\appdata\roaming\microsoft\windows\cookies\low\[emailprotected][2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\users\stillborn\appdata\roaming\microsoft\windows\cookies\[emailprotected][2].txt
00815304 mIRC/Gen Virus/Worm No 0 Yes No c:\program files\mirc\backups\aliases.ini
00954094 Rootkit/Bagle.UV Virus/Worm No 1 Yes No c:\avenger\utizmjqx.sys
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\avenger\atapi.sys
;====================================================================
SUSPECTS
Sent Location
;====================================================================
No c:\program files\mirc\backups\mirc.exe
No c:\program files\mirc\mirc-keygen\keygen.exe
No c:\users\stillborn\documents\utilities and installers\uniblue powersuite 2009\setup.exe
;====================================================================
VULNERABILITIES
Id Severity Description
;====================================================================
Using cracks will get you infected every time...

Download OTM by OldTimer to your desktop.

Note: If you are running on Vista, right-click on OTM.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTM.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and PRESSING CTRL + C (or, after highlighting, right-click and choose Copy)

Code: [Select]:Processes
explorer.exe

:services

:reg

:files
c:\program files\mirc
c:\avenger\utizmjqx.sys
c:\avenger\atapi.sys

:Commands
[purity]
[emptytemp]
[start explorer]

* Return to OTM, right click in the "Paste Instructions for ITEMS to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy EVERYTHING in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

* Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. The system required reboot so I wasn't able to copy the results and post them. I checked everything under the "files" list and they're all gone. Sounds good. Time to finish up.

1. Double click OTM to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTM will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. When finished exit out of OTM.

----------

Use the Secunia Software Inspector to check for out of date software.

Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your BROWSER. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Had the same problem. Use Hitman Pro. Works fantastic to get rid of atapi. sys root....

Hitman Pro can not fix this infection. In fact, there is no AV now that can do it. It takes specialized tools and/or knowledge of how to replace the infected file which is a legitimate Windows file and why the AV's can't fix it.

Kaspersky has developed a tool, TDSSKiller, that will clean and replace the infected atapi.sys file then clean the registry of the TDL3 rootkit. But TDL3 has evolved and that doesn't even work much of the time now. http://support.kaspersky.com/viruses/solutions?qid=208280684

Discussion

4530.	Solve : Java a security risk??
Answer» Is ENABLING Java in my browser a security risk? How about Javascript?As long as your antivirus is RUNNING and up to date it isn't a huge risk. I've always had java enabled and NEVER been infected by a Java exploit.

Discussion

4531.	Solve : I think I have a virus?
Answer» This POST is further to one earlier today - "Email query/problem" - I wasn't sure how to amend my earlier post. I've just found my email has another lot of AUTO replies and undelivered notices about messages that I have not sent. As far as I can figure out, a message purporting to be from me has been sent to all the addresses in my contacts list. This list (added to by AOL with every new addressee) includes my own Hotmail address, and when I checked that I found that the message was in fact a link to a healthcare website. It seems like a scam to direct people there. I'm not sure what to do to stop this - would deleting all contacts work? - or uninstalling all AOL stuff and getting a new email account? (AOL is no longer my ISP). Advice needed.Prior to POSTING for help we ask that you please READ and follow all instructions in the pinned topic titled Please read this before requesting malware removal help. FOLLOWING the steps in the Guide will allow for us to quickly help you with specific fixes for your system.

Discussion

4532.	Solve : Malware in C-Windows-temp and maybe in the MBR. All common removal tools failed?
Answer» Hi Jay. spend some days without using that pc... today I caught up and followed your latest suggestions...here is the log: Results of screen317's Security Check version 0.99.1 Windows XP Service Pack 3 `````````````````````````````` Antivirus/Firewall Check: ESET Online Scanner v3 Prevx Antivirus up to date! `````````````````````````````` Anti-malware/Other Utilities Check: SUPERAntiSpyware Free Edition HijackThis 2.0.2 Java(TM) 6 Update 10 Java(TM) 6 Update 6 Out of date Java installed! Adobe Flash Player 10 Adobe Reader 8.1.2 - Deutsch Adobe Reader 8.1.2 Security Update 1 (KB403742) Out of date Adobe Reader installed! `````````````````````````````` Process Check: objlist.exe by Laurent Symantec Client Security Symantec AntiVirus DefWatch.exe antivirus stuff SecurityCheck.exe Symantec Client Security Symantec Client Firewall SymSPort.exe `````````````````````````````` DNS Vulnerability Check: Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?) `````````End of Log``````````` _______________________________________ ______________________________________ Do you think i am clean now ? i still have those files in my Windows temp folder... Thank youPlease download DDS by sUBs from BleepingComputer.com or Forospyware.com and save it to your Desktop. Note: Before scanning, make sure all other running programs are closed. There shouldn't be any scheduled antivirus scans running while the scan is being performed. Do not use your computer for anything ELSE during the scan. Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results, click Yes to the Optional_Scan Please follow the instructions that pop up for posting the results. Close the program window, and delete the program from your Desktop. I cannot execute this file since my system associates that "dds.scr" as a Autocad Script (Autocad is a digital drawing software that I have installed on my PC. Isn't SCR a screensaver file-type ? if I used the "open with..." button: which App. do I choose ? I guess I have to run as DLL32 ... please tell me how to do this.. Thanks againTry the one from Forospyware up there. That is a PIF file type instead of the other link being a SCR.Yes, that one worked better...in the "Created Last 30" there is that "serauth2.dll" again....I also had trouble booting my PC: I rebooted it several times and every time the windows explorer would hang up and therefore the system would not boot completely (Desktop without Icons, non functional taskbar , never the less I was able to prompt for "MSCONFIG" and deactivated (almost) all non Windows startup processes to be able to boot succesfully. My desktop background is gone again...but at least the system is up and running again. These issues drive me nuts...but thank you for your patience. DDS (Ver_09-12-01.01) - NTFSx86 Run by Wolz at 1:41:38,10 on 16.02.2010 Internet Explorer: 6.0.2900.5512 Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.3067.2455 [GMT -5:00] AV: Symantec AntiVirus Corporate Edition On-access scanning enabled (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} FW: Symantec Client Firewall disabled {5CB76A43-5FAD-476B-B9FF-26FA61F13187} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Programme\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\drivers\CDAC11BA.EXE C:\Programme\Symantec Client Security\Symantec AntiVirus\DefWatch.exe C:\Programme\Google\Update\GoogleUpdate.exe C:\Programme\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\nvsvc32.exe C:\PROGRA~1\SAAZOD\SAAZDPMACTL.exe C:\PROGRA~1\SAAZOD\SAAZRemoteSupport.exe C:\PROGRA~1\SAAZOD\SAAZScheduler.exe C:\PROGRA~1\SAAZOD\SAAZServerPlus.exe C:\PROGRA~1\SAAZOD\RMHLPDSK.exe C:\PROGRA~1\SAAZOD\SAAZWatchDog.exe C:\cgtech62\windows\license\lservnt.exe C:\WINDOWS\Explorer.EXE C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe C:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Programme\Symantec Client Security\Symantec Client Firewall\SymSPort.exe C:\Programme\TeamViewer\Version5\TeamViewer_Service.exe C:\Programme\TeamViewer\Version5\Teamviewer.exe C:\WINDOWS\system32\TODDSrv.exe c:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe C:\WINDOWS\system32\wbem\wmiapsrv.exe svchost.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Programme\TOSHIBA\TAudEffect\TAudEff.exe C:\WINDOWS\system32\TPSBattM.exe C:\WINDOWS\system32\00THotkey.exe C:\WINDOWS\system32\ctfmon.exe C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\software-setup\antivirus stuff\dds.pif ============== Pseudo HJT Report =============== uStart Page = hxxp://www.google.com/ uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie uInternet Settings,ProxyOverride = .local uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s BHO: Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelper.dll BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\programme\skype\toolbars\internet explorer\SkypeIEPlugin.dll BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\programme\java\jre6\bin\ssv.dll BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\programme\epson software\easy photo print\EPTBL.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\programme\google\google toolbar\GoogleToolbar_32.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programme\google\googletoolbarnotifier\5.5.4723.1820\swg.dll BHO: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\programme\mybabylon_english\tbmyB1.dll BHO: PDFCreator Toolbar Helper: {c451c08a-ec37-45df-aaad-18b51ab5e837} - c:\programme\pdfcreator toolbar\v3.0.0.0\PDFCreator_Toolbar.dll BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\programme\epson\epson web-to-page\EPSON Web-To-Page.dll TB: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\programme\mybabylon_english\tbmyB1.dll TB: PDFCreator Toolbar: {31cf9ebe-5755-4a1d-ac25-2834d952d9b4} - c:\programme\pdfcreator toolbar\v3.0.0.0\PDFCreator_Toolbar.dll TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\programme\epson software\easy photo print\EPTBL.dll TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\programme\epson\epson web-to-page\EPSON Web-To-Page.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programme\google\google toolbar\GoogleToolbar_32.dll uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [swg] "c:\programme\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" mRun: [TPSMain] TPSMain.exe mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [TAudEffect] c:\programme\toshiba\taudeffect\TAudEff.exe /run mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect mRun: [00THotkey] c:\windows\system32\00THotkey.exe mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE mPolicies-explorer: NoResolveTrack = 0 (0x0) mPolicies-explorer: NoFileAssociate = 0 (0x0) dPolicies-explorer: NoSetActiveDesktop = 1 (0x1) dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1) IE: Google Sidewiki... - c:\programme\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html IE: Nach Microsoft E&xel exportieren - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\NETWORK Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe IE: {21196042-830F-419f-A594-F9D456A6C29A} - {21196042-830F-419f-A594-F9D456A6C29A}c:\programme\timeleft3\tlintergie.html - c:\programme\timeleft3\tlintergie.html\inprocserver32 does not exist! IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\programme\skype\toolbars\internet explorer\SkypeIEPlugin.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264776624859 DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=24931 DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/GET/flashplayer/current/ultrashim.cab DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab Notify: !SASWinLogon - c:\programme\superantispyware\SASWINLO.dll Notify: NavLogon - c:\windows\system32\NavLogon.dll Notify: TosBtNP - TosBtNP.dll SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\programme\superantispyware\SASSEH.DLL ================= FIREFOX =================== FF - ProfilePath - c:\dokume~1\wolz\anwend~1\mozilla\firefox\profiles\ba9ldl0e.default\ FF - prefs.js: browser.startup.homepage - www.google.com FF - plugin: c:\programme\google\google earth\plugin\npgeplugin.dll FF - plugin: c:\programme\google\google updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\programme\google\update\1.2.183.13\npGoogleOneClick8.dll FF - plugin: c:\programme\mozilla firefox\plugins\npcosmop211.dll FF - plugin: c:\programme\virtual earth 3d\npVE3D.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ ---- FIREFOX POLICIES ---- FF - user.js: browser.blink_allowed - true FF - user.js: network.prefetch-next - true FF - user.js: nglayout.initialpaint.delay - 250 FF - user.js: layout.spellcheckDefault - 1 FF - user.js: browser.urlbar.autoFill - false FF - user.js: browser.search.openintab - false FF - user.js: browser.tabs.closeButtons - 1 FF - user.js: browser.tabs.opentabfor.middleclick - true FF - user.js: browser.tabs.tabMinWidth - 100 FF - user.js: browser.urlbar.hideGoButton - false FF - user.js: general.useragent.extra.prevx - (Prevx 3.0.5) c:\programme\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); ============= SERVICES / DRIVERS =============== R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-1-29 30280] R0 tdrpman140;Acronis Try&Decide and Restore Points filter (build 140);c:\windows\system32\drivers\tdrpm140.sys [2009-11-5 971168] R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2008-1-11 21120] R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-9-4 6528] R1 SASDIFSV;SASDIFSV;c:\programme\superantispyware\sasdifsv.sys [2010-1-5 9968] R1 SASKUTIL;SASKUTIL;c:\programme\superantispyware\SASKUTIL.SYS [2010-1-5 74480] R1 SAVRT;SAVRT;c:\programme\symantec client security\symantec antivirus\savrt.sys [2005-12-19 337592] R1 SAVRTPEL;SAVRTPEL;c:\programme\symantec client security\symantec antivirus\Savrtpel.sys [2005-12-19 54968] R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2008-7-21 5888] R2 ccSetMgr;Symantec Settings Manager;c:\programme\gemeinsame dateien\symantec shared\ccSetMgr.exe [2006-3-7 169632] R2 MSSQL$TOOLSTUDIO;SQL Server (TOOLSTUDIO);c:\programme\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680] R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-1-29 47664] R2 SAAZDPMACTL;SAAZDPMACTL;c:\progra~1\saazod\SAAZDPMACTL.exe [2009-6-13 81920] R2 SAAZRemoteSupport;SAAZRemoteSupport;c:\progra~1\saazod\SAAZRemoteSupport.exe [2009-6-4 73728] R2 SAAZScheduler;SAAZScheduler;c:\progra~1\saazod\SAAZScheduler.exe [2010-1-29 77824] R2 SAAZServerPlus;SAAZServerPlus;c:\progra~1\saazod\SAAZServerPlus.exe [2009-4-30 77824] R2 SAAZWatchDog;SAAZWatchDog;c:\progra~1\saazod\SAAZWatchDog.exe [2009-6-4 81920] R2 Sentinel RMS License Manager;Sentinel RMS License Manager;c:\cgtech62\windows\license\lservnt.exe [2008-10-16 774144] R2 SentinelKeysServer;Sentinel Keys Server;c:\programme\gemeinsame dateien\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2008-7-10 328992] R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856] R2 TeamViewer5;TeamViewer 5;c:\programme\teamviewer\version5\TeamViewer_Service.exe [2010-1-12 185640] R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016] R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\drivers\TVALZFL.sys [2008-4-30 4992] R3 ccEvtMgr;Symantec Event Manager;c:\programme\gemeinsame dateien\symantec shared\ccEvtMgr.exe [2006-3-7 192160] R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-7-21 244368] R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-7-21 41216] R3 NAVENG;NAVENG;c:\progra~1\gemein~1\symant~1\virusd~1\20090912.002\naveng.sys [2009-9-13 84912] R3 NAVEX15;NAVEX15;c:\progra~1\gemein~1\symant~1\virusd~1\20090912.002\navex15.sys [2009-9-13 1323568] R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-1-29 24368] R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2009-11-9 25088] R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2008-7-21 435072] S2 CSIScanner;CSIScanner;c:\programme\prevx\prevx.exe [2010-1-29 6297008] S2 gupdate;Google Update Service (gupdate);c:\programme\google\update\GoogleUpdate.exe [2010-1-1 135664] S2 UGS License Server (ugslmd);UGS License Server (ugslmd);c:\programme\ugs\ugslicensing\lmgrd.exe [2009-7-7 1510152] S3 ccProxy;Symantec Network Proxy;c:\programme\gemeinsame dateien\symantec shared\ccProxy.exe [2006-3-7 202400] S3 IwUSB;IwUSB Driver;c:\windows\system32\drivers\IwUSB.sys [2008-10-26 20645] S3 SASENUM;SASENUM;c:\programme\superantispyware\SASENUM.SYS [2010-1-5 7408] S3 Symantec AntiVirus;Symantec AntiVirus;c:\programme\symantec client security\symantec antivirus\Rtvscan.exe [2006-3-16 1799408] S3 UNS;Intel(R) Active Management Technology User Notification Service;c:\programme\gemeinsame dateien\intel\privacy icon\uns\UNS.exe [2008-10-8 2058776] S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [2009-5-3 627072] S3 XHASP;XHASP;c:\windows\system32\drivers\XHASP.sys [2008-10-27 259584] S3 XRNBO;XRNBO;c:\windows\system32\drivers\XRNBO.sys [2009-4-5 177152] S4 DfSdkS;Defragmentation-Service;c:\programme\ashampoo\ashampoo winoptimizer 2010 advanced\DfSdkS.exe [2009-12-27 406016] S4 MSSQLServerADHelper100;SQL Server Hilfsdienst für Active Directory;c:\programme\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128] S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712] S4 SavRoam;SAVRoam;c:\programme\symantec client security\symantec antivirus\SavRoam.exe [2006-3-16 115952] S4 SQLAgent$SQLEXPRESS;SQL Server-Agent (SQLEXPRESS);c:\programme\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688] S4 Tmesrv;Tmesrv3;c:\programme\toshiba\tme3\TMESRV31.exe [2008-7-21 118784] S4 TPCHSrv;TPCH Service;c:\programme\toshiba\tphm\TPCHSrv.exe [2008-5-27 628072] =============== Created Last 30 ================ 2010-02-15 06:49:560d-----w-c:\dokumente und einstellungen\wolz\_Email-Backup 2010-02-15 06:47:020d-----w-c:\dokume~1\wolz\anwend~1\Sync App Settings 2010-02-15 06:46:310d-----w-c:\dokume~1\alluse~1\anwend~1\Sync App Settings 2010-02-15 06:46:260d-----w-c:\programme\Allway Sync 2010-02-09 04:52:460d-----w-c:\dokume~1\wolz\anwend~1\TeraCopy 2010-02-09 04:52:430d-----w-c:\programme\TeraCopy 2010-02-08 04:38:120d-----w-C:\_fp39 2010-02-08 04:16:38291328----a-w-c:\windows\system32\SAXZIPSPAN.DLL 2010-02-07 22:14:291024----a-w-c:\windows\system32\serauth2.dll 2010-02-07 22:14:291024----a-w-c:\windows\system32\serauth1.dll 2010-02-04 08:11:280d-----w-C:\_fp39_old 2010-02-02 04:40:516443----a-w-c:\dokumente und einstellungen\wolz\.recently-used.xbel 2010-01-31 03:07:390d-----w-c:\programme\ESET 2010-01-31 02:26:2995----a-w-c:\windows\system32\prsrvk.dll 2010-01-31 02:26:2972----a-w-c:\windows\system32\nsprs.dll 2010-01-31 00:10:43204----a-w-c:\windows\system32\lsprst7.dll 2010-01-30 23:55:43218----a-w-c:\windows\system32\lsprst7.tgz 2010-01-30 23:55:4314----a-w-c:\windows\system32\tmpPrst.tgz 2010-01-30 23:36:530d-sha-r-C:\cmdcons 2010-01-30 23:34:1877312----a-w-c:\windows\MBR.exe 2010-01-30 23:34:18261632----a-w-c:\windows\PEV.exe 2010-01-30 08:24:430d-----w-c:\programme\Trend Micro 2010-01-29 18:05:3155184----a-w-c:\windows\system32\PxSecure.dll 2010-01-29 18:05:3147664----a-w-c:\windows\system32\drivers\pxrts.sys 2010-01-29 18:05:3130280----a-w-c:\windows\system32\drivers\pxscan.sys 2010-01-29 18:05:3124368----a-w-c:\windows\system32\drivers\pxkbf.sys 2010-01-29 18:05:310d-----w-c:\programme\Prevx 2010-01-29 18:05:1432----a-w-c:\windows\wininit.ini 2010-01-29 18:05:140d-----w-c:\dokume~1\alluse~1\anwend~1\PrevxCSI 2010-01-29 14:55:29471552-c----w-c:\windows\system32\dllcache\aclayers.dll 2010-01-29 14:44:300d-----w-c:\dokume~1\wolz\anwend~1\XLAB ISL Light Client3 2010-01-29 14:15:54150528----a-w-c:\windows\system32\TLBINF32.dll 2010-01-29 14:15:530d-----w-c:\dokume~1\alluse~1\anwend~1\VSoft 2010-01-29 14:15:520d-----w-c:\programme\gemeinsame dateien\VSoft 2010-01-29 14:15:470d-----w-c:\programme\SAAZExmonScripts 2010-01-29 14:11:480d-----w-C:\12539265af95f2fffe2558 2010-01-29 14:11:410d-----w-c:\programme\SAAZOD 2010-01-29 14:11:170d-----w-c:\programme\SetupLogs 2010-01-29 14:11:13290816----a-w-c:\windows\system32\WINHTTP5.DLL 2010-01-29 14:11:13102912----a-w-c:\windows\system32\VB6STKIT.DLL 2010-01-29 04:34:590d-----w-C:\_mal 2010-01-25 21:59:190d-----w-C:\_fp91 2010-01-25 16:32:210d-----w-c:\dokume~1\wolz\anwend~1\Malwarebytes 2010-01-25 16:32:1838224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys 2010-01-25 16:32:1619160----a-w-c:\windows\system32\drivers\mbam.sys 2010-01-25 16:32:160d-----w-c:\programme\Malwarebytes' Anti-Malware 2010-01-25 16:32:160d-----w-c:\dokume~1\alluse~1\anwend~1\Malwarebytes 2010-01-25 13:36:060d-----w-c:\dokume~1\alluse~1\anwend~1\SUPERAntiSpyware.com 2010-01-25 13:35:340d-----w-c:\programme\SUPERAntiSpyware 2010-01-25 13:35:340d-----w-c:\dokume~1\wolz\anwend~1\SUPERAntiSpyware.com 2010-01-25 13:35:130d-----w-c:\programme\gemeinsame dateien\Wise Installation Wizard 2010-01-25 13:32:110d-----w-c:\programme\XLAB ISL Plugins 2010-01-25 13:30:260d-----w-c:\programme\XLAB ISL Light Client3 2010-01-23 20:43:11552----a-w-c:\windows\system32\d3d8caps.dat 2010-01-23 20:13:58120----a-w-c:\windows\Twamilaha.dat 2010-01-22 16:11:440d-----w-C:\____fp91 2010-01-22 03:24:110d-----w-c:\programme\ABBYY FineReader 6.0 Sprint 2010-01-22 03:23:290d-----w-c:\dokume~1\alluse~1\anwend~1\UDL 2010-01-22 03:21:590d-----w-c:\programme\Epson Software 2010-01-22 03:21:2586528----a-w-c:\windows\system32\E_FLBEJA.DLL 2010-01-22 03:21:2578848----a-w-c:\windows\system32\E_FD4BEJA.DLL 2010-01-22 03:21:0097----a-w-c:\windows\system32\PICSDK.ini 2010-01-22 03:21:0080024----a-w-c:\windows\system32\PICSDK.dll 2010-01-22 03:21:00501912----a-w-c:\windows\system32\PICSDK2.dll 2010-01-22 03:21:00108704----a-w-c:\windows\system32\PICEntry.dll 2010-01-22 03:19:420d-----w-c:\dokume~1\alluse~1\anwend~1\EPSON 2010-01-22 03:19:2371680----a-w-c:\windows\system32\escwiad.dll 2010-01-22 03:19:210d-----w-c:\programme\epson 2010-01-22 03:18:1844----a-w-c:\windows\EPSNX300.ini 2010-01-17 20:38:3926600----a-w-c:\windows\system32\drivers\GEARAspiWDM.sys 2010-01-17 20:38:39107368----a-w-c:\windows\system32\GEARAspi.dll 2010-01-17 20:38:140d-----w-c:\programme\iPod 2010-01-17 20:38:110d-----w-c:\programme\iTunes 2010-01-17 20:38:110d-----w-c:\dokume~1\alluse~1\anwend~1\{755AC846-7372-4AC8-8550-C52491DAA8BD} 2010-01-17 20:37:520d-----w-c:\programme\Bonjour 2010-01-17 20:37:1140448----a-w-c:\windows\system32\drivers\usbaapl.sys 2010-01-17 20:37:112065696----a-w-c:\windows\system32\usbaaplrc.dll 2010-01-17 20:36:480d-----w-c:\programme\gemeinsame dateien\Apple 2010-01-17 19:21:040d-----w-C:\download_torrent 2010-01-17 09:34:040d-----w-c:\dokume~1\alluse~1\anwend~1\AVS4YOU 2010-01-17 09:33:520d-----w-c:\programme\gemeinsame dateien\AVSMedia 2010-01-17 09:33:5124576----a-w-c:\windows\system32\msxml3a.dll 2010-01-17 09:33:510d-----w-c:\programme\AVS4YOU ==================== Find3M ==================== 2010-02-02 20:05:1432----a-w-c:\windows\system32\drivers\mshcmd.sys. 2010-01-30 12:36:15312344----a-w-c:\windows\system32\drivers\iaStor.sys 2010-01-29 15:11:58574580----a-w-c:\windows\system32\perfh007.dat 2010-01-29 15:11:58127768----a-w-c:\windows\system32\perfc007.dat 2009-12-22 05:07:58672768------w-c:\windows\system32\wininet.dll 2009-12-22 05:07:5581920----a-w-c:\windows\system32\ieencode.dll 2009-11-23 19:34:06436674----a-w-C:\_fp83.zip 1992-03-10 10:00:0095232----a-w-c:\programme\CARDFILE.EXE ============= FINISH: 1:41:57,89 =============== There is a dangerous backdoor trojan on your system. This is a sign of total system compromise. Backdoor trojans are very dangerous* because they compromise system integrity by making changes that allow it to by used by the attacker for malicious purposes. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker. To learn more about these types of infections, you can refer to: http://www.viruslist.com/en/viruses/glossary?glossid=189208417 I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer until the computer can be cleaned. Then, access this information from a non-compromised computer to follow the steps needed. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please *get to a known clean* computer and change all passwords** where applicable. Do NOT* change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information.* (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? What Should I Do If I've Become A Victim Of Identity Theft? Identity Theft Victims GUIDE - What to do [/color] Though the backdoor has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a backdoor trojan. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove backdoor trojans cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully: When should I re-format? How should I reinstall? Help: I Got Hacked. Now What Do I Do? Help: I Got Hacked. Now What Do I Do? Part II Where to draw the line? When to recommend a format and reinstall? Guides for format and reinstall: http://www.geekpolice.net/tutorials-guides-f13/how-to-reformat-and-reinstall-your-operating-system-t15119.htm#95115 http://www.helpmyos.com/tutorials-software-alternatives-to-proprietary-f19/how-to-reformat-and-reinstall-your-operating-system-the-easy-way-t1307.htm#3143 However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat. If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful. Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.Hello. Sorry that you haven't heard from me for a while... So I guess most secure would be setting up a new Windows, right ? and of course changing the router password and so forth...Actually, before I opened this thread I was already thinking that I need to set up windows again from scratch... now it seems like this is really the case . I assume you found something bad in my last log-post.. so what was it ? I don't see any benefit in chasing after this malware, so I'd just rather set Windows up again. The recovery CD got lost, so I will just buy a XP setup CD. Two points make me worry: -bad code in the MBR -my Data is stored on a wireless network-drive and I will have to reload it onto on my new system, hopefully without getting infected again I have not read through all the tutorials you suggested... so I might come back with a question, but I thank you very much for all your work and spending your free time to read through all these of log files that added up during the last month...

4532.

Solve : Malware in C-Windows-temp and maybe in the MBR. All common removal tools failed?

Answer»

Hi Jay.
spend some days without using that pc... today I caught up and followed your latest suggestions...here is the log:

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
ESET Online Scanner v3
Prevx
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
SUPERAntiSpyware Free Edition
HijackThis 2.0.2
Java(TM) 6 Update 10
Java(TM) 6 Update 6
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 8.1.2 - Deutsch
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
Symantec Client Security Symantec AntiVirus DefWatch.exe
antivirus stuff SecurityCheck.exe
Symantec Client Security Symantec Client Firewall SymSPort.exe
``````````````````````````````
DNS Vulnerability Check:
Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

`````````End of Log```````````
_______________________________________ ______________________________________

Do you think i am clean now ?
i still have those files in my Windows temp folder...
Thank youPlease download DDS by sUBs from BleepingComputer.com or Forospyware.com and save it to your Desktop.

Note: Before scanning, make sure all other running programs are closed. There shouldn't be any scheduled antivirus scans running while the scan is being performed. Do not use your computer for anything ELSE during the scan.

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results, click Yes to the Optional_Scan
Please follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your Desktop.

I cannot execute this file since my system associates that "dds.scr" as a Autocad Script (Autocad is a digital drawing software that I have installed on my PC.
Isn't SCR a screensaver file-type ? if I used the "open with..." button: which App. do I choose ? I guess I have to run as DLL32 ... please tell me how to do this..
Thanks againTry the one from Forospyware up there. That is a PIF file type instead of the other link being a SCR.Yes, that one worked better...in the "Created Last 30" there is that "serauth2.dll" again....I also had trouble booting my PC:

I rebooted it several times and every time the windows explorer would hang up and therefore the system would not boot completely (Desktop without Icons, non functional taskbar , never the less I was able to prompt for "MSCONFIG" and deactivated (almost) all non Windows startup processes to be able to boot succesfully. My desktop background is gone again...but at least the system is up and running again. These issues drive me nuts...but thank you for your patience.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Wolz at 1:41:38,10 on 16.02.2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.3067.2455 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *disabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Programme\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Programme\Google\Update\GoogleUpdate.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\SAAZOD\SAAZDPMACTL.exe
C:\PROGRA~1\SAAZOD\SAAZRemoteSupport.exe
C:\PROGRA~1\SAAZOD\SAAZScheduler.exe
C:\PROGRA~1\SAAZOD\SAAZServerPlus.exe
C:\PROGRA~1\SAAZOD\RMHLPDSK.exe
C:\PROGRA~1\SAAZOD\SAAZWatchDog.exe
C:\cgtech62\windows\license\lservnt.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programme\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Programme\TeamViewer\Version5\TeamViewer_Service.exe
C:\Programme\TeamViewer\Version5\Teamviewer.exe
C:\WINDOWS\system32\TODDSrv.exe
c:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Programme\TOSHIBA\TAudEffect\TAudEff.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\software-setup\antivirus stuff\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\programme\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\programme\java\jre6\bin\ssv.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\programme\epson software\easy photo print\EPTBL.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\programme\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programme\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\programme\mybabylon_english\tbmyB1.dll
BHO: PDFCreator Toolbar Helper: {c451c08a-ec37-45df-aaad-18b51ab5e837} - c:\programme\pdfcreator toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\programme\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\programme\mybabylon_english\tbmyB1.dll
TB: PDFCreator Toolbar: {31cf9ebe-5755-4a1d-ac25-2834d952d9b4} - c:\programme\pdfcreator toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\programme\epson software\easy photo print\EPTBL.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\programme\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programme\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\programme\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [TPSMain] TPSMain.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TAudEffect] c:\programme\toshiba\taudeffect\TAudEff.exe /run
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mPolicies-explorer: NoResolveTrack = 0 (0x0)
mPolicies-explorer: NoFileAssociate = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: Google Sidewiki... - c:\programme\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Nach Microsoft E&xel exportieren - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\NETWORK Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {21196042-830F-419f-A594-F9D456A6C29A} - {21196042-830F-419f-A594-F9D456A6C29A}c:\programme\timeleft3\tlintergie.html - c:\programme\timeleft3\tlintergie.html\inprocserver32 does not exist!
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\programme\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264776624859
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=24931
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/GET/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
Notify: !SASWinLogon - c:\programme\superantispyware\SASWINLO.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: TosBtNP - TosBtNP.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\programme\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\dokume~1\wolz\anwend~1\mozilla\firefox\profiles\ba9ldl0e.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\programme\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\programme\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\programme\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\programme\mozilla firefox\plugins\npcosmop211.dll
FF - plugin: c:\programme\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: browser.blink_allowed - true
FF - user.js: network.prefetch-next - true
FF - user.js: nglayout.initialpaint.delay - 250
FF - user.js: layout.spellcheckDefault - 1
FF - user.js: browser.urlbar.autoFill - false
FF - user.js: browser.search.openintab - false
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100
FF - user.js: browser.urlbar.hideGoButton - false
FF - user.js: general.useragent.extra.prevx - (Prevx 3.0.5)
c:\programme\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-1-29 30280]
R0 tdrpman140;Acronis Try&Decide and Restore Points filter (build 140);c:\windows\system32\drivers\tdrpm140.sys [2009-11-5 971168]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2008-1-11 21120]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-9-4 6528]
R1 SASDIFSV;SASDIFSV;c:\programme\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\programme\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R1 SAVRT;SAVRT;c:\programme\symantec client security\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\programme\symantec client security\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2008-7-21 5888]
R2 ccSetMgr;Symantec Settings Manager;c:\programme\gemeinsame dateien\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 MSSQL$TOOLSTUDIO;SQL Server (TOOLSTUDIO);c:\programme\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-1-29 47664]
R2 SAAZDPMACTL;SAAZDPMACTL;c:\progra~1\saazod\SAAZDPMACTL.exe [2009-6-13 81920]
R2 SAAZRemoteSupport;SAAZRemoteSupport;c:\progra~1\saazod\SAAZRemoteSupport.exe [2009-6-4 73728]
R2 SAAZScheduler;SAAZScheduler;c:\progra~1\saazod\SAAZScheduler.exe [2010-1-29 77824]
R2 SAAZServerPlus;SAAZServerPlus;c:\progra~1\saazod\SAAZServerPlus.exe [2009-4-30 77824]
R2 SAAZWatchDog;SAAZWatchDog;c:\progra~1\saazod\SAAZWatchDog.exe [2009-6-4 81920]
R2 Sentinel RMS License Manager;Sentinel RMS License Manager;c:\cgtech62\windows\license\lservnt.exe [2008-10-16 774144]
R2 SentinelKeysServer;Sentinel Keys Server;c:\programme\gemeinsame dateien\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2008-7-10 328992]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
R2 TeamViewer5;TeamViewer 5;c:\programme\teamviewer\version5\TeamViewer_Service.exe [2010-1-12 185640]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\drivers\TVALZFL.sys [2008-4-30 4992]
R3 ccEvtMgr;Symantec Event Manager;c:\programme\gemeinsame dateien\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-7-21 244368]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-7-21 41216]
R3 NAVENG;NAVENG;c:\progra~1\gemein~1\symant~1\virusd~1\20090912.002\naveng.sys [2009-9-13 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\gemein~1\symant~1\virusd~1\20090912.002\navex15.sys [2009-9-13 1323568]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-1-29 24368]
R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2009-11-9 25088]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2008-7-21 435072]
S2 CSIScanner;CSIScanner;c:\programme\prevx\prevx.exe [2010-1-29 6297008]
S2 gupdate;Google Update Service (gupdate);c:\programme\google\update\GoogleUpdate.exe [2010-1-1 135664]
S2 UGS License Server (ugslmd);UGS License Server (ugslmd);c:\programme\ugs\ugslicensing\lmgrd.exe [2009-7-7 1510152]
S3 ccProxy;Symantec Network Proxy;c:\programme\gemeinsame dateien\symantec shared\ccProxy.exe [2006-3-7 202400]
S3 IwUSB;IwUSB Driver;c:\windows\system32\drivers\IwUSB.sys [2008-10-26 20645]
S3 SASENUM;SASENUM;c:\programme\superantispyware\SASENUM.SYS [2010-1-5 7408]
S3 Symantec AntiVirus;Symantec AntiVirus;c:\programme\symantec client security\symantec antivirus\Rtvscan.exe [2006-3-16 1799408]
S3 UNS;Intel(R) Active Management Technology User Notification Service;c:\programme\gemeinsame dateien\intel\privacy icon\uns\UNS.exe [2008-10-8 2058776]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [2009-5-3 627072]
S3 XHASP;XHASP;c:\windows\system32\drivers\XHASP.sys [2008-10-27 259584]
S3 XRNBO;XRNBO;c:\windows\system32\drivers\XRNBO.sys [2009-4-5 177152]
S4 DfSdkS;Defragmentation-Service;c:\programme\ashampoo\ashampoo winoptimizer 2010 advanced\DfSdkS.exe [2009-12-27 406016]
S4 MSSQLServerADHelper100;SQL Server Hilfsdienst für Active Directory;c:\programme\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SavRoam;SAVRoam;c:\programme\symantec client security\symantec antivirus\SavRoam.exe [2006-3-16 115952]
S4 SQLAgent$SQLEXPRESS;SQL Server-Agent (SQLEXPRESS);c:\programme\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]
S4 Tmesrv;Tmesrv3;c:\programme\toshiba\tme3\TMESRV31.exe [2008-7-21 118784]
S4 TPCHSrv;TPCH Service;c:\programme\toshiba\tphm\TPCHSrv.exe [2008-5-27 628072]

=============== Created Last 30 ================

2010-02-15 06:49:560d-----w-c:\dokumente und einstellungen\wolz\_Email-Backup
2010-02-15 06:47:020d-----w-c:\dokume~1\wolz\anwend~1\Sync App Settings
2010-02-15 06:46:310d-----w-c:\dokume~1\alluse~1\anwend~1\Sync App Settings
2010-02-15 06:46:260d-----w-c:\programme\Allway Sync
2010-02-09 04:52:460d-----w-c:\dokume~1\wolz\anwend~1\TeraCopy
2010-02-09 04:52:430d-----w-c:\programme\TeraCopy
2010-02-08 04:38:120d-----w-C:\_fp39
2010-02-08 04:16:38291328----a-w-c:\windows\system32\SAXZIPSPAN.DLL
2010-02-07 22:14:291024----a-w-c:\windows\system32\serauth2.dll
2010-02-07 22:14:291024----a-w-c:\windows\system32\serauth1.dll
2010-02-04 08:11:280d-----w-C:\_fp39_old
2010-02-02 04:40:516443----a-w-c:\dokumente und einstellungen\wolz\.recently-used.xbel
2010-01-31 03:07:390d-----w-c:\programme\ESET
2010-01-31 02:26:2995----a-w-c:\windows\system32\prsrvk.dll
2010-01-31 02:26:2972----a-w-c:\windows\system32\nsprs.dll
2010-01-31 00:10:43204----a-w-c:\windows\system32\lsprst7.dll
2010-01-30 23:55:43218----a-w-c:\windows\system32\lsprst7.tgz
2010-01-30 23:55:4314----a-w-c:\windows\system32\tmpPrst.tgz
2010-01-30 23:36:530d-sha-r-C:\cmdcons
2010-01-30 23:34:1877312----a-w-c:\windows\MBR.exe
2010-01-30 23:34:18261632----a-w-c:\windows\PEV.exe
2010-01-30 08:24:430d-----w-c:\programme\Trend Micro
2010-01-29 18:05:3155184----a-w-c:\windows\system32\PxSecure.dll
2010-01-29 18:05:3147664----a-w-c:\windows\system32\drivers\pxrts.sys
2010-01-29 18:05:3130280----a-w-c:\windows\system32\drivers\pxscan.sys
2010-01-29 18:05:3124368----a-w-c:\windows\system32\drivers\pxkbf.sys
2010-01-29 18:05:310d-----w-c:\programme\Prevx
2010-01-29 18:05:1432----a-w-c:\windows\wininit.ini
2010-01-29 18:05:140d-----w-c:\dokume~1\alluse~1\anwend~1\PrevxCSI
2010-01-29 14:55:29471552-c----w-c:\windows\system32\dllcache\aclayers.dll
2010-01-29 14:44:300d-----w-c:\dokume~1\wolz\anwend~1\XLAB ISL Light Client3
2010-01-29 14:15:54150528----a-w-c:\windows\system32\TLBINF32.dll
2010-01-29 14:15:530d-----w-c:\dokume~1\alluse~1\anwend~1\VSoft
2010-01-29 14:15:520d-----w-c:\programme\gemeinsame dateien\VSoft
2010-01-29 14:15:470d-----w-c:\programme\SAAZExmonScripts
2010-01-29 14:11:480d-----w-C:\12539265af95f2fffe2558
2010-01-29 14:11:410d-----w-c:\programme\SAAZOD
2010-01-29 14:11:170d-----w-c:\programme\SetupLogs
2010-01-29 14:11:13290816----a-w-c:\windows\system32\WINHTTP5.DLL
2010-01-29 14:11:13102912----a-w-c:\windows\system32\VB6STKIT.DLL
2010-01-29 04:34:590d-----w-C:\_mal
2010-01-25 21:59:190d-----w-C:\_fp91
2010-01-25 16:32:210d-----w-c:\dokume~1\wolz\anwend~1\Malwarebytes
2010-01-25 16:32:1838224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-25 16:32:1619160----a-w-c:\windows\system32\drivers\mbam.sys
2010-01-25 16:32:160d-----w-c:\programme\Malwarebytes' Anti-Malware
2010-01-25 16:32:160d-----w-c:\dokume~1\alluse~1\anwend~1\Malwarebytes
2010-01-25 13:36:060d-----w-c:\dokume~1\alluse~1\anwend~1\SUPERAntiSpyware.com
2010-01-25 13:35:340d-----w-c:\programme\SUPERAntiSpyware
2010-01-25 13:35:340d-----w-c:\dokume~1\wolz\anwend~1\SUPERAntiSpyware.com
2010-01-25 13:35:130d-----w-c:\programme\gemeinsame dateien\Wise Installation Wizard
2010-01-25 13:32:110d-----w-c:\programme\XLAB ISL Plugins
2010-01-25 13:30:260d-----w-c:\programme\XLAB ISL Light Client3
2010-01-23 20:43:11552----a-w-c:\windows\system32\d3d8caps.dat
2010-01-23 20:13:58120----a-w-c:\windows\Twamilaha.dat
2010-01-22 16:11:440d-----w-C:\____fp91
2010-01-22 03:24:110d-----w-c:\programme\ABBYY FineReader 6.0 Sprint
2010-01-22 03:23:290d-----w-c:\dokume~1\alluse~1\anwend~1\UDL
2010-01-22 03:21:590d-----w-c:\programme\Epson Software
2010-01-22 03:21:2586528----a-w-c:\windows\system32\E_FLBEJA.DLL
2010-01-22 03:21:2578848----a-w-c:\windows\system32\E_FD4BEJA.DLL
2010-01-22 03:21:0097----a-w-c:\windows\system32\PICSDK.ini
2010-01-22 03:21:0080024----a-w-c:\windows\system32\PICSDK.dll
2010-01-22 03:21:00501912----a-w-c:\windows\system32\PICSDK2.dll
2010-01-22 03:21:00108704----a-w-c:\windows\system32\PICEntry.dll
2010-01-22 03:19:420d-----w-c:\dokume~1\alluse~1\anwend~1\EPSON
2010-01-22 03:19:2371680----a-w-c:\windows\system32\escwiad.dll
2010-01-22 03:19:210d-----w-c:\programme\epson
2010-01-22 03:18:1844----a-w-c:\windows\EPSNX300.ini
2010-01-17 20:38:3926600----a-w-c:\windows\system32\drivers\GEARAspiWDM.sys
2010-01-17 20:38:39107368----a-w-c:\windows\system32\GEARAspi.dll
2010-01-17 20:38:140d-----w-c:\programme\iPod
2010-01-17 20:38:110d-----w-c:\programme\iTunes
2010-01-17 20:38:110d-----w-c:\dokume~1\alluse~1\anwend~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-17 20:37:520d-----w-c:\programme\Bonjour
2010-01-17 20:37:1140448----a-w-c:\windows\system32\drivers\usbaapl.sys
2010-01-17 20:37:112065696----a-w-c:\windows\system32\usbaaplrc.dll
2010-01-17 20:36:480d-----w-c:\programme\gemeinsame dateien\Apple
2010-01-17 19:21:040d-----w-C:\download_torrent
2010-01-17 09:34:040d-----w-c:\dokume~1\alluse~1\anwend~1\AVS4YOU
2010-01-17 09:33:520d-----w-c:\programme\gemeinsame dateien\AVSMedia
2010-01-17 09:33:5124576----a-w-c:\windows\system32\msxml3a.dll
2010-01-17 09:33:510d-----w-c:\programme\AVS4YOU

==================== Find3M ====================

2010-02-02 20:05:1432----a-w-c:\windows\system32\drivers\mshcmd.sys.
2010-01-30 12:36:15312344----a-w-c:\windows\system32\drivers\iaStor.sys
2010-01-29 15:11:58574580----a-w-c:\windows\system32\perfh007.dat
2010-01-29 15:11:58127768----a-w-c:\windows\system32\perfc007.dat
2009-12-22 05:07:58672768------w-c:\windows\system32\wininet.dll
2009-12-22 05:07:5581920----a-w-c:\windows\system32\ieencode.dll
2009-11-23 19:34:06436674----a-w-C:\_fp83.zip
1992-03-10 10:00:0095232----a-w-c:\programme\CARDFILE.EXE

============= FINISH: 1:41:57,89 ===============
There is a dangerous backdoor trojan on your system. This is a sign of total system compromise.
Backdoor trojans are very dangerous because they compromise system integrity by making changes that allow it to by used by the attacker for malicious purposes. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker. To learn more about these types of infections, you can refer to: http://www.viruslist.com/en/viruses/glossary?glossid=189208417
I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer until the computer can be cleaned.
Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:

[/color]
Though the backdoor has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a backdoor trojan. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove backdoor trojans cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:

Guides for format and reinstall: http://www.geekpolice.net/tutorials-guides-f13/how-to-reformat-and-reinstall-your-operating-system-t15119.htm#95115

http://www.helpmyos.com/tutorials-software-alternatives-to-proprietary-f19/how-to-reformat-and-reinstall-your-operating-system-the-easy-way-t1307.htm#3143
However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.Hello. Sorry that you haven't heard from me for a while...
So I guess most secure would be setting up a new Windows, right ? and of course changing the router password and so forth...Actually, before I opened this thread I was already thinking that I need to set up windows again from scratch... now it seems like this is really the case . I assume you found something bad in my last log-post.. so what was it ?
I don't see any benefit in chasing after this malware, so I'd just rather set Windows up again.
The recovery CD got lost, so I will just buy a XP setup CD.
Two points make me worry:
-bad code in the MBR
-my Data is stored on a wireless network-drive and I will have to reload it onto on my new system, hopefully without getting infected again
I have not read through all the tutorials you suggested... so I might come back with a question, but I thank you very much for all your work and spending your free time to read through all these of log files that added up during the last month...

Discussion

4533.	Solve : Sysvxd.exe Error?
Answer» Computer acting up and getting Sysvxd.exe error when shutting down. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:48:13 PM, on 2/22/2010 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal RUNNING processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\Program Files\AVG\AVG9\avgchsvx.exe C:\Program Files\AVG\AVG9\avgrsx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\AVG\AVG9\avgcsrvx.exe C:\WINDOWS\system32\nvraidservice.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Razer\DeathAdder\razerhid.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\PROGRA~1\AVG\AVG9\avgtray.exe C:\Program Files\Steam\Steam.exe C:\Program Files\AIM\aim.exe C:\Garmin\ANT Agent\ANT Agent.exe C:\Documents and Settings\Justin\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Documents and Settings\Justin\Local Settings\Apps\2.0\W83W12O8.2QW\WB6T86YA.MVG\curs..tion_eee711038731a406_0004.0000_152ef8e82e8f5a48\CurseClient.exe C:\Program Files\Razer\DeathAdder\razertra.exe C:\Program Files\Razer\DeathAdder\razerofa.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\AVG\AVG9\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\AVG\AVG9\avgnsx.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\PnkBstrB.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\AVG\AVG9\avgemc.exe C:\Program Files\AVG\AVG9\avgcsrvx.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wbem\unsecapp.exe C:\Program Files\AVG\AVG9\avgui.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe C:\WINDOWS\system32\msiexec.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080826 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080826 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080826 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe" O4 - HKLM\..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [dufeyeduti] Rundll32.exe "C:\WINDOWS\system32\gitalobo.dll",s O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -K O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe O4 - HKCU\..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork O4 - HKCU\..\Run: [ANT Agent] C:\Garmin\ANT Agent\ANT Agent.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Documents and Settings\Justin\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe O4 - HKUS\S-1-5-19\..\Run: [dufeyeduti] Rundll32.exe "C:\WINDOWS\system32\gitalobo.dll",s (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [dufeyeduti] Rundll32.exe "C:\WINDOWS\system32\gitalobo.dll",s (User 'NETWORK SERVICE') O4 - Startup: CurseClientStartup.ccip O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll O20 - AppInit_DLLs: C:\WINDOWS\system32\fimahafu.dll,c:\windows\system32\nowelafo.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file) O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file) O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe O23 - Service: Google Update Service (gupdate1c9d8c3caf7286c) (gupdate1c9d8c3caf7286c) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- End of file - 9902 bytes OPEN HijackThis and select Do a system scan only* Place a check mark next to the following entries: (if there) O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O20 - AppInit_DLLs: C:\WINDOWS\system32\fimahafu.dll,c:\windows\system32\nowelafo.dll O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file) O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file) . Important: Close all open windows except for HijackThis and then click Fix checked. Once completed, exit HijackThis. ---------- Download CCleaner Slim and save it to your desktop. * When the file has been saved, go to your desktop and double-click on ccsetupxxx_slim.exe * Follow the prompts to install the program. * Double-click the CCleaner shortcut on the desktop to start the program. * Click on the Options block on the left, then choose Cookies. * Under Cookies to Delete, highlight any cookies you would like to retain PERMANENTLY * Click the right arrow > to move them to the Cookies to Keep window. * Go into Options > Advanced uncheck Only delete files in Windows Temp folders older than 48 hours * Click Cleaner on the left then Run Cleaner on the right to run the program. * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner * Caution: It is not recommended that you use the 'Registry' feature unless you are very familiar with the registry. * Exit CCleaner after it has completed its process. Note CCleaner is a 100% free tool. I suggest keeping it and running it regularly to keep your computer running smooth. ---------- If you already have Malwarebytes be sure to update it before running the scan! Download Malwarebytes' Anti-Malware (MBAM) * Double-click mbam-setup.exe and follow the prompts to install the program. * At the end, be sure a checkmark is placed next to the following: * Update Malwarebytes' Anti-Malware * Launch Malwarebytes' Anti-Malware * Then click Finish * If an update is found, it will download and install the latest version. * Once the program has loaded, select Perform quick scan, then click Scan. * When the scan is complete, click OK, then Show Results to view the results. * Be sure that EVERYTHING is checked, and click Remove Selected. * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. * Copy and Paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. ---------- Download DDS from \|HERE\| or \|HERE\| or \|HERE\| and save it to your desktop. Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it) * XP users Double click on dds to run it. * If your antivirus or firewall try to block DDS then please allow it to run. * When finished DDS will open two (2) logs. 1) DDS.txt 2) Attach.txt * Save both logs to your desktop. * Please copy and paste the entire contents of both logs in your next reply. Note: DDS will instruct you to post the Attach.txt log as an attachment. Please just post it as you would any other log by copy and pasting it into the reply. ---------- Next post please add MBAM log Both DDS logs

4533.

Solve : Sysvxd.exe Error?

Answer»

Computer acting up and getting Sysvxd.exe error when shutting down.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:13 PM, on 2/22/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

RUNNING processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\AIM\aim.exe
C:\Garmin\ANT Agent\ANT Agent.exe
C:\Documents and Settings\Justin\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Justin\Local Settings\Apps\2.0\W83W12O8.2QW\WB6T86YA.MVG\curs..tion_eee711038731a406_0004.0000_152ef8e82e8f5a48\CurseClient.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080826
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080826
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080826
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dufeyeduti] Rundll32.exe "C:\WINDOWS\system32\gitalobo.dll",s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -K
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ANT Agent] C:\Garmin\ANT Agent\ANT Agent.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Documents and Settings\Justin\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [dufeyeduti] Rundll32.exe "C:\WINDOWS\system32\gitalobo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [dufeyeduti] Rundll32.exe "C:\WINDOWS\system32\gitalobo.dll",s (User 'NETWORK SERVICE')
O4 - Startup: CurseClientStartup.ccip
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\fimahafu.dll,c:\windows\system32\nowelafo.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate1c9d8c3caf7286c) (gupdate1c9d8c3caf7286c) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 9902 bytes
OPEN HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - AppInit_DLLs: C:\WINDOWS\system32\fimahafu.dll,c:\windows\system32\nowelafo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)

.
Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Download CCleaner Slim and save it to your desktop.

* When the file has been saved, go to your desktop and double-click on ccsetupxxx_slim.exe
* Follow the prompts to install the program.

* Double-click the CCleaner shortcut on the desktop to start the program.
* Click on the Options block on the left, then choose Cookies.

* Under Cookies to Delete, highlight any cookies you would like to retain PERMANENTLY
* Click the right arrow > to move them to the Cookies to Keep window.

* Go into Options > Advanced uncheck Only delete files in Windows Temp folders older than 48 hours
* Click Cleaner on the left then Run Cleaner on the right to run the program.
* Important: Make sure that ALL browser windows are closed before selecting Run Cleaner
* Caution: It is not recommended that you use the 'Registry' feature unless you are very familiar with the registry.
* Exit CCleaner after it has completed its process.

Note CCleaner is a 100% free tool. I suggest keeping it and running it regularly to keep your computer running smooth.

----------

If you already have Malwarebytes be sure to update it before running the scan!

Download Malwarebytes' Anti-Malware (MBAM)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to the following:

* Update Malwarebytes' Anti-Malware
* Launch Malwarebytes' Anti-Malware

* Then click Finish
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that EVERYTHING is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

----------

Download DDS from |HERE| or |HERE| or |HERE| and save it to your desktop.

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.

----------

Next post please add

MBAM log
Both DDS logs

Discussion

4534.	Solve : Trojan Propogator.?
Answer» You can remove them with MBAM or not. The next step is going to remove them and any more that may not have been found.Ok system restore disabled and re-enabled.You should be good to go as FAR as malware is concerned. Any other issues will need to be ADDRESSED in the respective forum. That is wonderful news to hear. What about uninstalling hijack this, RSIT, avenger, etc; are there any special procedures or just UNINSTALL them?Uninstall HijackThis and just delete the others.Many THANKS for your help and expertise, and many thanks as well to Superdave. Words like trojan and ROOTKIT bring fear into us mere mortals. Your help is much appreciated. Regards Brian.Your welcome. Safe surfing...

Discussion

4535.	Solve : csrssc.exe and csrcs.exe [NOT csrss.exe]?
Answer» Well, today I was trying to play RTC Wolfenstein ONLINE when every time I pressed any key on the keyboard the game would crash and exit me out. Anyway I tried restarting my PC but till the same thing happened so I ran Kaspersky Full Scan and Kaspersky found a bunch of Trojans (my license EXPIRED like a week ago and I was too lazy to get another one so my my computer was unprotected for like a week.) Anyway I deleted the Trojans and restarted my PC and tried to Wolfenstein again and it still does the same thing, so I was about to scan again when Kaspersky gave me alert about csrcs.exe and csrssc.exe(not csrss.exe, which is the system file so no onegets confused!) I know that those two files shouldn't be there and Kaspersky doesn't delete them but instead only restricts their operation. I need help on removing those files please. UPDATE: Kaspersky detected a Trojan but cannot delete because the pathway is write protected so I had Kaspersky block its EXECUTION. Should I post a HijackThis log?If Kaspersky is out of date then it's almost the same as having NO antivirus. You should install a free antivirus that will give just as much protection as any paid solution. Remember to only install one antivirus! 1) Avast! Home Free Edition 2) AVG Free Edition 3) Avira AntiVir Personal ---------- Download random's system information tool (RSIT) by random/random from and save it to your Desktop. Double click on RSIT.exe to run. Click Continue at the disclaimer screen. Once it has finished, two logs will open. log.txt <will be maximized and info.txt <will be minimized Please post the contents of both logs in the next reply. Don't worry I have the license for Kasperksy now and its updated, but it couldn't delete the Trojan because the pathway was write protected. Here is log.txt: http://www.megaupload.com/?d=CTMKZ1EY Here is info.txt: http://www.megaupload.com/?d=276JJEV2 Sorry for the download links, the files were too long to post.If you have to upload any more then please use MediaFire.com. That site has too many pop-ups and junk. Could be where you got the virus. Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop. Link #1 Link #2 Note: It is important that it is saved directly to your Desktop Close any open Web browsers. (Firefox, Internet EXPLORER, etc) before starting ComboFix. Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them. Double click combofix.exe & follow the prompts. When finished ComboFix will produce a log for you. Post the ComboFix log and a new HijackThis log in your next reply. Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall. Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.Ok did what you said and ran ComboFix, performed its scan, and rebooted my PC. After that I tried play Wolfenstein and the old problem seems to be resolved. Here is the ComboFix log: log.txt Here is RSIT log: log.txt Everything seems to be good, is there anything else I should do? And thanks for the help! Delete these files/folders, as follows: 1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad. 2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C Code: [Select]KillAll:: File:: c:\windows\ekikiqaqoju.dll c:\windows\Okimuqoboxe.dll c:\windows\ST4UNST.EXE c:\windows\Setup1.exe c:\windows\ST6UNST.EXE c:\windows\ST6UNST.000 c:\windows\msdownld.tmp C:\WINDOWS\zip.exe C:\WINDOWS\VFIND.exe C:\WINDOWS\SWXCACLS.exe C:\WINDOWS\SWSC.exe C:\WINDOWS\SWREG.exe C:\WINDOWS\sed.exe C:\WINDOWS\NIRCMD.exe C:\WINDOWS\grep.exe C:\WINDOWS\fdsv.exe Folder:: C:\khq Registry:: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Nxirodowurafox"=- "Ebubitigokid"=- 3. Go to the Notepad window and click Edit > Paste 4. Then click File > Save 5. Name the file CFScript.txt - Save the file to your Desktop 6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully! ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply. Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freezeOk did what you said here is the second log file: log.txt Click START then RUN Now type Combofix /u in the runbox Make sure there's a space between Combofix and /u Then hit Enter. The above procedure will: Delete the following: ComboFix and its associated files and folders. Reset the clock settings. Hide file extensions, if required. Hide System/Hidden files, if required. Set a new, clean Restore Point. ---------- Download ATF Cleaner by Atribune to your Desktop. Alternate download link Note: Vista users must use Run As Administrator Under Main: Select Files to Delete choose: Select All. Click the Empty Selected button. If you use Firefox browser click Firefox at the top and choose: Select All Click the Empty Selected button. If you would like to keep your saved passwords click No at the prompt. If you use Opera browser click Opera at the top and choose: Select All Click the Empty Selected button. If you would like to keep your saved passwords click No at the prompt. Click Exit on the Main menu to close the program. Note that your system will run slower for a reboot or two after having used this tool so don't panic. ---------- Download OTCleanIt.exe and save it to your Desktop. Double-click OTCleanIt.exe. Click the CleanUp! button. Select Yes when the "Begin cleanup Process?" prompt appears. If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes, if not delete it yourself. . Important:** Restart the computer before continuing. ---------- Scan with Panda ActiveScan This scanner requires Internet Explorer Once you are on the Panda site click the Scan your PC now button A new window will open...click the Check Now button Enter your Country Enter your State/Province Enter your e-mail address and click send Select either Home User or Company Select the appropriate Yes or No to receiving marketing information Click the Free Online Scan button If it wants to install an ActiveX component allow it It will start downloading the files it requires for the scan (Note: It may take a couple of minutes) When download is complete, click on My Computer to start the scan When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report in your next reply. I ran into this ARTICLE, hope it will help: <Removed>

4535.

Solve : csrssc.exe and csrcs.exe [NOT csrss.exe]?

Answer»

Well, today I was trying to play RTC Wolfenstein ONLINE when every time I pressed any key on the keyboard the game would crash and exit me out. Anyway I tried restarting my PC but till the same thing happened so I ran Kaspersky Full Scan and Kaspersky found a bunch of Trojans (my license EXPIRED like a week ago and I was too lazy to get another one so my my computer was unprotected for like a week.) Anyway I deleted the Trojans and restarted my PC and tried to Wolfenstein again and it still does the same thing, so I was about to scan again when Kaspersky gave me alert about csrcs.exe and csrssc.exe(not csrss.exe, which is the system file so no onegets confused!) I know that those two files shouldn't be there and Kaspersky doesn't delete them but instead only restricts their operation. I need help on removing those files please.

UPDATE: Kaspersky detected a Trojan but cannot delete because the pathway is write protected so I had Kaspersky block its EXECUTION. Should I post a HijackThis log?If Kaspersky is out of date then it's almost the same as having NO antivirus. You should install a free antivirus that will give just as much protection as any paid solution.

Remember to only install one antivirus!

1) Avast! Home Free Edition
2) AVG Free Edition
3) Avira AntiVir Personal

----------

Download random's system information tool (RSIT) by random/random from and save it to your Desktop.

Double click on RSIT.exe to run.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open.
log.txt <will be maximized and info.txt <will be minimized
Please post the contents of both logs in the next reply.

Don't worry I have the license for Kasperksy now and its updated, but it couldn't delete the Trojan because the pathway was write protected.

Here is log.txt:
http://www.megaupload.com/?d=CTMKZ1EY

Here is info.txt:
http://www.megaupload.com/?d=276JJEV2

Sorry for the download links, the files were too long to post.If you have to upload any more then please use MediaFire.com. That site has too many pop-ups and junk. Could be where you got the virus.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet EXPLORER, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.Ok did what you said and ran ComboFix, performed its scan, and rebooted my PC. After that I tried play Wolfenstein and the old problem seems to be resolved.

Here is the ComboFix log:
log.txt

Here is RSIT log:
log.txt

Everything seems to be good, is there anything else I should do? And thanks for the help! Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]KillAll::

File::
c:\windows\ekikiqaqoju.dll
c:\windows\Okimuqoboxe.dll
c:\windows\ST4UNST.EXE
c:\windows\Setup1.exe
c:\windows\ST6UNST.EXE
c:\windows\ST6UNST.000
c:\windows\msdownld.tmp
C:\WINDOWS\zip.exe
C:\WINDOWS\VFIND.exe
C:\WINDOWS\SWXCACLS.exe
C:\WINDOWS\SWSC.exe
C:\WINDOWS\SWREG.exe
C:\WINDOWS\sed.exe
C:\WINDOWS\NIRCMD.exe
C:\WINDOWS\grep.exe
C:\WINDOWS\fdsv.exe

Folder::
C:\khq

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nxirodowurafox"=-
"Ebubitigokid"=-
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freezeOk did what you said here is the second log file:
log.txt

Click START then RUN
Now type Combofix /u in the runbox
Make sure there's a space between Combofix and /u
Then hit Enter.

The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

ATF Cleaner by Atribune to your Desktop.

Alternate download link

Note: Vista users must use Run As Administrator

Under Main: Select Files to Delete choose: Select All.
Click the Empty Selected button.
If you use Firefox browser click Firefox at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords click No at the prompt.
If you use Opera browser click Opera at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords click No at the prompt.
Click Exit on the Main menu to close the program.

Note that your system will run slower for a reboot or two after having used this tool so don't panic.

----------

Download OTCleanIt.exe and save it to your Desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it yourself.

.
Important: Restart the computer before continuing.

----------

Scan with Panda ActiveScan

This scanner requires Internet Explorer

Once you are on the Panda site click the Scan your PC now button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Select the appropriate Yes or No to receiving marketing information
Click the Free Online Scan button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the ActiveScan report in your next reply.
I ran into this ARTICLE, hope it will help: <Removed>

Discussion

4536.	Solve : Computer Spyware Malware Problem?
Answer» Hi, I got a serious issue with my system. Somehow some trogan/rogue has affected my system. It keeps flashing me virus ALERT and whenever i try to run any program it says "Application cannot be executed. The FILE **** is infected......." (not even a command prompt or notepad can be opened but with multiple try sometime i get the command prompt but it is ridiculous). I cannot open any programs what so ever.Try not to restart the computer until one of the tools we use does it for you or tells you to. 1) Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run. There are 4 different versions. If one of them won't run then download and try to run the next one. Vista and Windows 7 users need to right click Rkill and choose Run as Administrator You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus. * Rkill.com * Rkill.scr * Rkill.pif * Rkill.exe * Double-click on the Rkill desktop icon to run the tool. * If using Vista or Windows 7 right-click on it and choose Run As Administrator. * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully. * When finished it will create a log. * Please post the rkill.log in the next reply. * If Rkill does not run from the first link, delete the file, then download and use the one provided in Link 2. If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs. * Do not reboot until instructed. * If the tool does not run from any of the links provided, please let me know. Once you've gotten one of them to run then try to immediately run the following. 2) Download and run exeHelper * Please download exeHelper from Raktor to your desktop. * Double-click on exeHelper.com to run the fix. * A black window should pop up, press any key to close once the fix is completed. * A log file named log.txt will be created in the directory where you ran exeHelper.com * Add the log.txt file to your next message. Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file). 3) If you already have Malwarebytes be sure to update it before running the scan! Download Malwarebytes' Anti-Malware (MBAM) * Double-click mbam-setup.exe and follow the prompts to install the program. * At the end, be sure a checkmark is placed next to the following: * Update Malwarebytes' Anti-Malware * Launch Malwarebytes' Anti-Malware * Then click Finish * If an update is found, it will download and install the latest version. * Once the program has loaded, select Perform quick scan, then click Scan. * When the scan is COMPLETE, click OK, then Show Results to view the results. * Be sure that everything is checked, and click Remove Selected. * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. * Copy and Paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.This is the log I got.... Malwarebytes' Anti-Malware 1.44 Database version: 3510 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 2/24/2010 5:46:21 PM 1111mbam-log-2010-02-24 (17-46-06).txt Scan type: Full Scan (C:\\|D:\\|) Objects scanned: 292070 Time elapsed: 1 hour(s), 13 minute(s), 3 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\32788R22FWJFW\Combo-Fix.sys (Malware.Trace) -> No action taken. C:\ComboFix\Combo-Fix.sys (Malware.Trace) -> No action taken. C:\System Volume Information\_restore{B9D8AF98-2083-4821-A576-35BA893F2599}\RP308\A0050932.sys (Malware.Trace) -> No action taken. Everything says No action taken. Did you let Malwarebytes fix what it found?YA I did. and under the quarantined, I went ahead and deleted the files.If you already have ComboFix be sure to delete it and download a new copy. Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop. Link #1 Link #2 Note: It is important that it is saved directly to your Desktop Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix. Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them. Double click combofix.exe & follow the prompts. Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it) When finished ComboFix will produce a log for you. Post the ComboFix log in your next reply. Important: Do not MOUSECLICK ComboFix's window while it is running. That may cause it to stall. Remember to re-enable your antivirus and antispyware protection when ComboFix is complete. If you have problems with ComboFix usage, see How to use ComboFix**

Discussion

4537.	Solve : Is this enough to keep me reasonable safe??
Answer» OK, I did my homework, so is this all I'm gonna need (in addition to safe surfing practices)? OS:....................................... ...........Windows XP Pro (version 5.1) SP3 anti-virus:....................................... ..Avast Free 5.0.418 firewall:....................................... ......PC Tools Firewall Plus Free 6.0.0.74 anti-malware blocker:..........................SpywareBlaste r 4.2 anti-malware scanner / removers:..........Malwarebytes' Anti-Malware 1.44 freeware ....................................... ................SUPERAntiSpyware freeware 4.33.1000 clean-up utility:..................................Glary UTILITIES 2.20.0.831 browser:....................................... .....Internet Explorer 8 Assuming IE8 is like IE7, here are the security settings I'll use: * Zone: Trusted sites * Security level for this zone: Medium-high * Zone: Internet * Security level for this zone: High <-- Medium-high to download^ * Custom Level button : * ActiveX controls and plug-ins: * Download signed ActiveX controls…………………………………………………………..Prompt * Download unsigned ActiveX controls………………………………………….…………..Disable * Initialize and script ActiveX controls not marked as safe for scripting…..Disable * RUN ActiveX controls and plug-ins…………………………………………....……………Enable * Script ActiveX controls marked safe for scripting………………………….……….Enable * Miscellaneous: * Installation of desktop items……………………………………………………………….….Prompt * Launching programs and files in an IFRAME…………………………….………………Prompt * Navigate sub-frames across different domains……………………………....…….Prompt ^ For some reason, IE7 requires me to do this even at a Trusted Site and even with: 1. "require server verification..." unselected, and 2. Security level for Trusted sites zone set at Medium-high. And if my NetGear WGR614v6 wireless router is capable of it, I'll put its firewall into "stealth" mode (to drop incoming packets rather than denying them, which supposedly makes you invisible to some attackers). And should I go to OpenDNS.org for a free secure DNS source? And does anybody know if enabling Java in the browser constitutes a vulnerability to malware? How about Javascript? You're fine. I think Avast AV is probably the BEST freeware AV program. I gone into several known "unsafe" websites just to test it out. So far, so good. I think a good AV program is the most important software you can have on your computer. When reloading a computer o.s. it is the first thing I put in after I put in all the drivers. I try to put it in before I go online (unless I download it from the website-and then the first thing I do after downloading and installing it is to run a virus SCAN). AVG used to be pretty good and I used it for a long time. But lately, it doesn't seem to "cut the mustard". Avira is a little better. I had a third party firewall in my computer recently and it started blocking all incoming traffic even when turned off. I had no luck with telephone tech service, so the technician came out and determined it was the firewall. He said the firewall supplied by Windows XP is good enough and I don't need a third party firewall. I've always read that the Windows firewall is rather weak, that's why I installed a third-party firewall. Anyhoo...I uninstalled the firewall and have had no problems since... Some of these clean-up programs are pretty good. I use Advanced System Care. It's pretty good and free. Also two good programs you can buy at WalMart are Fix-It Utilities and System Mechanic. Both are good and cost about $30 ea./year. (unless the price has gone up recently-it's for a one-year's subscription). Personally, I don't like subscription-based software. I'd rather pay once and pay $200-300 and use it as long as I want, and in all my computers than pay $30 a year for each computer. I try to avoid subscription-based software whenever POSSIBLE, but it's getting more difficult to do. Periodically cleaning out the prefetch folder will help improve the startup time of your computer. There's also a program CALLED WOT (Web Of Trust) which I may have mentioned earlier. It is free and will notify you of potentially dangerous websites. It also has a plug-in for Firefox. I'm sure these things will keep you reasonably safe. Quote from: spock on February 21, 2010, 08:37:31 AM Fix-It Utilities and System Mechanic. Both are good and cost about $30 ea./year. (unless the price has gone up recently-it's for a one-year's subscription). Periodically cleaning out the prefetch folder will help improve the startup time of your computer. 1) DO NOT use any registry cleaners or utilities 2) DO NOT "clean out" the prefetch folder

4537.

Solve : Is this enough to keep me reasonable safe??

Answer»

OK, I did my homework, so is this all I'm gonna need (in addition to safe surfing practices)?

OS:....................................... ...........Windows XP Pro (version 5.1) SP3
anti-virus:....................................... ..Avast Free 5.0.418
firewall:....................................... ......PC Tools Firewall Plus Free 6.0.0.74
anti-malware blocker:..........................SpywareBlaste r 4.2
anti-malware scanner / removers:..........Malwarebytes' Anti-Malware 1.44 freeware
....................................... ................SUPERAntiSpyware freeware 4.33.1000
clean-up utility:..................................Glary UTILITIES 2.20.0.831
browser:....................................... .....Internet Explorer 8

Assuming IE8 is like IE7, here are the security settings I'll use:
* Zone: Trusted sites
* Security level for this zone: Medium-high
* Zone: Internet
* Security level for this zone: High <-- Medium-high to download^
* Custom Level button :
* ActiveX controls and plug-ins:
* Download signed ActiveX controls…………………………………………………………..Prompt
* Download unsigned ActiveX controls………………………………………….…………..Disable
* Initialize and script ActiveX controls not marked as safe for scripting…..Disable
* RUN ActiveX controls and plug-ins…………………………………………....……………Enable
* Script ActiveX controls marked safe for scripting………………………….……….Enable
* Miscellaneous:
* Installation of desktop items……………………………………………………………….….Prompt
* Launching programs and files in an IFRAME…………………………….………………Prompt
* Navigate sub-frames across different domains……………………………....…….Prompt

^ For some reason, IE7 requires me to do this even at a Trusted Site and even with:
1. "require server verification..." unselected, and
2. Security level for Trusted sites zone set at Medium-high.

And if my NetGear WGR614v6 wireless router is capable of it, I'll put its firewall into "stealth" mode (to drop incoming packets rather than denying them, which supposedly makes you invisible to some attackers).

And should I go to OpenDNS.org for a free secure DNS source?

And does anybody know if enabling Java in the browser constitutes a vulnerability to malware? How about Javascript?
You're fine. I think Avast AV is probably the BEST freeware AV program. I gone into several
known "unsafe" websites just to test it out. So far, so good. I think a good AV program is the most important software you can have on your computer. When reloading a computer o.s. it is the first thing I put in after I put in all the drivers.
I try to put it in before I go online (unless I download it from the website-and then the first thing I do after downloading and installing it is to run a virus SCAN).
AVG used to be pretty good and I used it for a long time. But lately, it doesn't
seem to "cut the mustard". Avira is a little better.
I had a third party firewall in my computer recently and it started blocking all
incoming traffic even when turned off. I had no luck with telephone tech service,
so the technician came out and determined it was the firewall. He said the firewall supplied
by Windows XP is good enough and I don't need a third party firewall. I've
always read that the Windows firewall is rather weak, that's why I installed a third-party firewall. Anyhoo...I uninstalled the firewall and have had no problems since...
Some of these clean-up programs are pretty good. I use Advanced System Care.
It's pretty good and free. Also two good programs you can buy at WalMart are
Fix-It Utilities and System Mechanic. Both are good and cost about $30 ea./year. (unless the price has gone up recently-it's for a one-year's subscription).
Personally, I don't like subscription-based software. I'd rather pay once and pay
$200-300 and use it as long as I want, and in all my computers than pay $30 a
year for each computer. I try to avoid subscription-based software whenever POSSIBLE, but it's getting more difficult to do.
Periodically cleaning out the prefetch folder will help improve the startup time of your computer.
There's also a program CALLED WOT (Web Of Trust) which I may have mentioned
earlier. It is free and will notify you of potentially dangerous websites. It also has a plug-in for Firefox.
I'm sure these things will keep you reasonably safe.
Quote from: spock on February 21, 2010, 08:37:31 AM

Fix-It Utilities and System Mechanic. Both are good and cost about $30 ea./year. (unless the price has gone up recently-it's for a one-year's subscription).

Periodically cleaning out the prefetch folder will help improve the startup time of your computer.

1) DO NOT use any registry cleaners or utilities
2) DO NOT "clean out" the prefetch folder

Discussion

4538.	Solve : trojan keeps coming back.?
Answer» So my problem is, 3 same trojans keep coming back after I remove them with Malwarebytes. I have tried 6 times with MBAM to remove the trojans, but they just come back. Also I do not know if this is related to the Trojans, but for some odd reason, my P2P program utorrent does not work anymore. I try to execute it, but nothing happens. So I tried to uninstall it, but it wouldn't let me and I ended up just deleting the actual folder with all the files. Another program I have trouble with is a game client file (.exe) I downloaded it off the correct site and I'm pretty sure it's clean but just like the utorrent problem, when I try to execute it, nothing happens. It just stand there. help would be appreciated. Other info: I run on Windows XP professional and I currently don't have an anti VIRUS and I doubt I can get any in the near future with this computer, as this device is essentially ancient. The computer would be slow at incomprehensible speeds, so that is why I don't have an anti virus. MBAM Quote Malwarebytes' Anti-Malware 1.44 Database version: 3747 Windows 5.1.2600 Service Pack 2 Internet Explorer 6.0.2900.2180 2/19/2010 8:49:32 PM mbam-log-2010-02-19 (20-49-32).txt Scan type: Quick Scan Objects scanned: 124567 Time elapsed: 9 minute(s), 29 second(s) Memory Processes Infected: 1 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: C:\WINDOWS\svchost.exe (Trojan.Agent) -> Unloaded process successfully. Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\powermanager (Trojan.Agent) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully. Quote SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 02/19/2010 at 07:54 PM Application Version : 4.34.1000 Core Rules Database Version : 4597 Trace Rules Database Version: 2409 Scan type : Complete Scan Total Scan Time : 02:38:52 Memory items scanned : 480 Memory threats detected : 1 Registry items scanned : 5782 Registry threats detected : 26 File items scanned : 69975 File threats detected : 78 Trojan.SVCHost/Fake C:\WINDOWS\SVCHOST.EXE C:\WINDOWS\SVCHOST.EXE C:\WINDOWS\Prefetch\SVCHOST.EXE-16C7D411.pf Adware.Tracking Cookie C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][3].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected]ger[1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt C:\Documents and Settings\jimmy\Cookies\[emailprotected][1].txt C:\Documents and Settings\jimmy\Cookies\[emailprotected][1].txt C:\Documents and Settings\jimmy\Cookies\[emailprotected][2].txt C:\Documents and Settings\jimmy\Cookies\[emailprotected][2].txt C:\Documents and Settings\jimmy\Cookies\[emailprotected][1].txt C:\Documents and Settings\jimmy\Cookies\[emailprotected][1].txt C:\Documents and Settings\jimmy\Cookies\[emailprotected][1].txt C:\Documents and Settings\William\Cookies\[emailprotected][1].txt C:\Documents and Settings\William\Cookies\[emailprotected][1].txt Virus.HiddenDragon HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER#NextInstance HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#Service HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#Legacy HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#ConfigFlags HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#Class HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#ClassGUID HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#DeviceDesc HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#Driver HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000\Control HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000\Control#ActiveService HKLM\SYSTEM\CurrentControlSet\Services\PowerManager HKLM\SYSTEM\CurrentControlSet\Services\PowerManager#Type HKLM\SYSTEM\CurrentControlSet\Services\PowerManager#Start HKLM\SYSTEM\CurrentControlSet\Services\PowerManager#ErrorControl HKLM\SYSTEM\CurrentControlSet\Services\PowerManager#ImagePath HKLM\SYSTEM\CurrentControlSet\Services\PowerManager#DisplayName HKLM\SYSTEM\CurrentControlSet\Services\PowerManager#ObjectName HKLM\SYSTEM\CurrentControlSet\Services\PowerManager#Description HKLM\SYSTEM\CurrentControlSet\Services\PowerManager\Security HKLM\SYSTEM\CurrentControlSet\Services\PowerManager\Security#Security HKLM\SYSTEM\CurrentControlSet\Services\PowerManager\Enum HKLM\SYSTEM\CurrentControlSet\Services\PowerManager\Enum#0 HKLM\SYSTEM\CurrentControlSet\Services\PowerManager\Enum#Count HKLM\SYSTEM\CurrentControlSet\Services\PowerManager\Enum#NextInstance C:\QOOBOX\QUARANTINE\C\WINDOWS\SVCHOST.EXE.VIR Trojan.Agent/Gen-Nullo[Short] C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B5FEA85-F8E2-4BD4-82C8-85241A71E15E}\RP67\A0023991.EXE C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B5FEA85-F8E2-4BD4-82C8-85241A71E15E}\RP81\A0026149.EXE C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B5FEA85-F8E2-4BD4-82C8-85241A71E15E}\RP83\A0027415.EXE C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B5FEA85-F8E2-4BD4-82C8-85241A71E15E}\RP90\A0027589.EXE C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B5FEA85-F8E2-4BD4-82C8-85241A71E15E}\RP96\A0029169.EXE uggh there seems to be another problem now. my computer is running slower then usual. Could this be the effect of the svchost.exe trojan? Am I allowed to bump? Quote from: hunt3rshadow on February 22, 2010, 01:57:13 PM Am I allowed to bump? It makes your wait time longer because you go to the end of the list. Download TrendMicro HijackThis.exe (HJT) to the desktop. * Double-click on HJTInstall. * Click on the Install button. * It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. * Upon install, HijackThis should open for you. * Important! If using Windows Vista or Windows 7, close HijackThis. Now right-click HijackThis and Run As Administrator * Click on the Do a system scan and save a log file button * HijackThis will scan and then a log will open in NOTEPAD. * Copy and then paste the ENTIRE contents of the log in your post. * Do not have HijackThis fix anything yet. Most of what it finds will be HARMLESS or even required.

4538.

Solve : trojan keeps coming back.?

Answer»

So my problem is, 3 same trojans keep coming back after I remove them with Malwarebytes. I have tried 6 times with MBAM to remove the trojans, but they just come back. Also I do not know if this is related to the Trojans, but for some odd reason, my P2P program utorrent does not work anymore. I try to execute it, but nothing happens. So I tried to uninstall it, but it wouldn't let me and I ended up just deleting the actual folder with all the files. Another program I have trouble with is a game client file (.exe) I downloaded it off the correct site and I'm pretty sure it's clean but just like the utorrent problem, when I try to execute it, nothing happens. It just stand there. help would be appreciated.

Other info:
I run on Windows XP professional and I currently don't have an anti VIRUS and I doubt I can get any in the near future with this computer, as this device is essentially ancient. The computer would be slow at incomprehensible speeds, so that is why I don't have an anti virus.

MBAM
Quote

Malwarebytes' Anti-Malware 1.44
Database version: 3747
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

2/19/2010 8:49:32 PM
mbam-log-2010-02-19 (20-49-32).txt

Scan type: Quick Scan
Objects scanned: 124567
Time elapsed: 9 minute(s), 29 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\WINDOWS\svchost.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\powermanager (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Quote

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/19/2010 at 07:54 PM

Application Version : 4.34.1000

Core Rules Database Version : 4597
Trace Rules Database Version: 2409

Scan type : Complete Scan
Total Scan Time : 02:38:52

Memory items scanned : 480
Memory threats detected : 1
Registry items scanned : 5782
Registry threats detected : 26
File items scanned : 69975
File threats detected : 78

Trojan.SVCHost/Fake
C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\Prefetch\SVCHOST.EXE-16C7D411.pf

Adware.Tracking Cookie
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][3].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected]ger[1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Richard\Cookies\[emailprotected][2].txt
C:\Documents and Settings\jimmy\Cookies\[emailprotected][1].txt
C:\Documents and Settings\jimmy\Cookies\[emailprotected][1].txt
C:\Documents and Settings\jimmy\Cookies\[emailprotected][2].txt
C:\Documents and Settings\jimmy\Cookies\[emailprotected][2].txt
C:\Documents and Settings\jimmy\Cookies\[emailprotected][1].txt
C:\Documents and Settings\jimmy\Cookies\[emailprotected][1].txt
C:\Documents and Settings\jimmy\Cookies\[emailprotected][1].txt
C:\Documents and Settings\William\Cookies\[emailprotected][1].txt
C:\Documents and Settings\William\Cookies\[emailprotected][1].txt

Virus.HiddenDragon
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#Driver
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager#Type
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager#Start
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager#Description
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager\Security
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager\Enum
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager\Enum#NextInstance
C:\QOOBOX\QUARANTINE\C\WINDOWS\SVCHOST.EXE.VIR

Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B5FEA85-F8E2-4BD4-82C8-85241A71E15E}\RP67\A0023991.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B5FEA85-F8E2-4BD4-82C8-85241A71E15E}\RP81\A0026149.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B5FEA85-F8E2-4BD4-82C8-85241A71E15E}\RP83\A0027415.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B5FEA85-F8E2-4BD4-82C8-85241A71E15E}\RP90\A0027589.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B5FEA85-F8E2-4BD4-82C8-85241A71E15E}\RP96\A0029169.EXE

uggh there seems to be another problem now. my computer is running slower then usual. Could this be the effect of the svchost.exe trojan? Am I allowed to bump? Quote from: hunt3rshadow on February 22, 2010, 01:57:13 PM

Am I allowed to bump?

It makes your wait time longer because you go to the end of the list.

Download TrendMicro HijackThis.exe (HJT) to the desktop.

* Double-click on HJTInstall.
* Click on the Install button.
* It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
* Upon install, HijackThis should open for you.
* Important! If using Windows Vista or Windows 7, close HijackThis. Now right-click HijackThis and Run As Administrator
* Click on the Do a system scan and save a log file button
* HijackThis will scan and then a log will open in NOTEPAD.
* Copy and then paste the ENTIRE contents of the log in your post.
* Do not have HijackThis fix anything yet. Most of what it finds will be HARMLESS or even required.

Discussion

4539.	Solve : APPInet dll?
Answer» Hello: I use the Kaspersky Internet Security 2010 and the Advanced SYSTEM Optimizer 3 - windows 7 at work i get this message from the program : Advanced System Optimizer 3 (the program includes the protection system) APPInet dll shield ALERT : allow APPInet dll created by : Giving two options: allow or ban. I CHOOSE to allow. Am I wrong or not Photos of the program to clarify the appINIT dll's are PART of kaspersky.thanks BC_Programmer This means that my behavior is TRUE

Discussion

4540.	Solve : Plz check my log for glitch?
Answer» Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:33:48 PM, on 2/20/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\COMODO\COMODO Internet Security\cfp.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\Program Files\Internet Download Manager\IEMonitor.exe C:\Documents and Settings\Administrator\My Documents\utorrent.exe C:\WINDOWS\system32\wuauclt.exe D:\YahELite\YahELite.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Administrator\My Documents\Downloads\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [IDMAN] C:\Program Files\Internet Download Manager\IDMan.exe /onboot O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows GENUINE Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264617489750 O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- End of file - 4648 bytes Have HijackThis fix this. O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k What problems are you having? my computer runs slow at times. i am suspecting it to be AFFECTED by trojan or keylogger. here's my log after deleting SPECIFIED entry. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:38:11 PM, on 2/21/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\COMODO\COMODO Internet Security\cfp.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Internet Download Manager\IDMan.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe c:\program files\avira\antivir desktop\avcenter.exe C:\Program Files\Internet Download Manager\IEMonitor.exe C:\Documents and Settings\Administrator\My Documents\Downloads\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264617489750 O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- End of file - 4556 bytes The log is clean. Have you run any other scans looking for malware?

Discussion

4541.	Solve : insufficient system error?
Answer» Try this. Click Start, click Control Panel, click Performance and Maintenance, and then click System. On the Hardware tab, click Device Manager.ok..now what there is dvd/cd rom drivesIs there an question mark next to anything?nada...i open up wmp and it shows nothing in driveWas this happening before the malware? Can you get the CD to play by choosing it in WMP?never had problemGo back into Device Manager and right click the drive and choose to Update it. See if that fixes it. If not try ROLLING it back.already did that..nothing..whats rollbackHow To Use the ROLL Back Driver Feature in Windows XP http://support.microsoft.com/kb/283657nothing..this blows really badTry posting in the Windows forum. You will get more answers there. I'm not sure what to think.thx for your help bro...had to delete spybot it was freezing my computer like CRAZY...but do APPRECIATE ur help

Discussion

4542.	Solve : Virus\Malware Problem?
Answer» I've been dealing with a nasty virus over the past few days, but have been unable to handle it myself because of how its dealing with the situation. First off, I can't install any new anti-virus software and with the scans I've ran nothing picks up the virus. I've tried reading the topic about what to do before posting and steps 1 , 2 , didn't help. And I couldn't install the programs listed in steps 3 or 4. What happens is I'll click on them, then nothing. They simple disappear, nothing pop-ups, no error messages, nothing. So I'm on Step 5 now. My Java version was Version 6 Update 16 before updating to Version 6 Update 18. Now Step 6..... I'll describe the virus first then post my HiJackThis log. 1. I get random re-directs from Google ENTRIES (Using Firefox) like the website I clicked will appear with another one completey not-related. 2. When I try to get some type of computer help, sometimes If I try and visit a computer help website like bleepingcomputer I'll get a webpage not found. 3. If I ctrl alt delete I can see under applications a bunch of Internet Explorer windows running what appears to be pop-ups but I cant see them. On a sidenote I feel that it may be 2-3 or viruses, somewhere in the background. Code: [Select]Logfile of Trend Micro HijackThis v2.0.3 (BETA) Scan saved at 8:42:54 AM, on 2/20/2010 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Internet Explorer\iexplore.exe C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\Hjr.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Microsoft Windows OneCare Live\winss.exe C:\WINDOWS\system32\ctfmon.exe C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\drweb.exe C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\taskmgr.exe C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\csrss.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\msinits.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe O2 - BHO: C:\WINDOWS\system32\yns8e.dll - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\system32\yns8e.dll O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\yns8e.dll, HUI_proc O4 - HKCU\..\Run: [TOY5KNQ8OC] C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\Hjr.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\csrss.exe O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O22 - SharedTaskScheduler: 7whfiudhf8s7f3oifhif7syfdhsof - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\system32\yns8e.dll -- End of file - 1893 bytes I understand [Saving space, attachment deleted by admin]Welcome to CH. Try this please. Try not to restart the computer until one of the tools we use does it for you or tells you to. 1) Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run. There are 4 different versions. If one of them won't run then download and try to run the next one. Vista and Windows 7 users need to right click Rkill and choose Run as Administrator You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus. * Rkill.com * Rkill.scr * Rkill.pif * Rkill.exe * Double-click on the Rkill desktop icon to run the tool. * If using Vista or Windows 7 right-click on it and choose Run As Administrator. * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully. * When finished it will create a log. * Please post the rkill.log in the next reply. * If Rkill does not run from the first link, delete the file, then download and use the one provided in Link 2. If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs. * Do not reboot until instructed. * If the tool does not run from any of the links provided, please let me know. Once you've gotten one of them to run then try to immediately run the following. 2) Download and run exeHelper * Please download exeHelper from Raktor to your desktop. * Double-click on exeHelper.com to run the fix. * A black window should pop up, press any key to close once the fix is completed. * A log file named log.txt will be created in the directory where you ran exeHelper.com * Add the log.txt file to your next message. Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file). 3) If you already have Malwarebytes be sure to update it before running the scan! Download Malwarebytes' Anti-Malware (MBAM) * Double-click mbam-setup.exe and follow the prompts to install the program. * At the end, be sure a checkmark is placed next to the following: * Update Malwarebytes' Anti-Malware * Launch Malwarebytes' Anti-Malware * Then click Finish * If an update is found, it will download and install the latest version. * Once the program has loaded, select Perform quick scan, then click Scan. * When the scan is complete, click OK, then Show Results to view the results. * Be sure that everything is checked, and click Remove Selected. * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. * Copy and Paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.Alright here is the rkill log that I just got Code: [Select]This log file is located at C:\rkill.log. Please post this only if requested to by the person helping you. Otherwise you can close this log when you wish. Ran as HP_Owner on 02/20/2010 at 22:30:16. Processes terminated by Rkill or while it was running: C:\WINDOWS\system32\rundll32.exe C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\cmd.exe C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\spoolsv.exe C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\services.exe C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\svchost.exe C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\csrss.exe C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\debug.exe C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\setup.exe C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\notepad.exe C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\system.exe C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\lsass.exe C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\win16.exe C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\msinits.exe C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\Hjr.exe Rkill completed on 02/20/2010 at 22:30:23. When I ran the exehelper it would go then stop after policies. Here is the log. Code: [Select]exeHelper by Raktor Build 20091220 Run at 22:28:11 on 02/20/10 Now searching... Checking for numerical processes... Checking for sysguard processes... Checking for bad processes... Checking for bad files... Checking for bad registry entries... Resetting filetype association for .exe Resetting filetype association for .com Resetting userinit and shell values... Resetting policies... --Finished-- I was unable to install Malwarebytes' Anti-Malware due to it never loading. I downloaded the mbam-setup.exe to my desktop and from there once I clicked on it nothing would happen. This doesn't happen with other programs. Aswell, I see that the program is running when I go to Task Manager under processes. On a side note it appears that I have had Malwarebytes' Anti-Malware installed under Code: [Select]C:\Program Files\Malwarebytes' Anti-Malware but, when I click on the Icon nothing happens again. This doesn't happen with other programs too. It's like the virus knows the programs I'm trying to run and stops them from loading\appearing.Restart the computer and the run Rkill again and then immediately after try this. Download ComboFix from one of the below links. You must rename it before saving it! Important! You MUST save ComboFix to your desktop. Link #1 Link #2 Rename ComboFix to Combo-Fix before saving it to the desktop. Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a LIST of security programs that should be disabled and how to disable them. Double click on Combo-Fix.exe & follow the prompts. Vista and Windows 7 users Right-Click on Combo-Fix.exe and select Run as administrator (you will receive a UAC prompt, please allow it) Do not mouse-click ComboFix's window while it is running. That may cause it to stall. When the scan completes it will open a text window. Post the contents of that log in your next reply. Remember to re-enable your antivirus and antispyware protection when ComboFix is complete. When I follow the link to download ComboFix on the first link. I get a server not found It's almost like the virus\trojan will allow me to go to certain sites and use only certain programs. But I think if someone was able to put the ComboFix in a zip\rar folder then upload it somewhere else, I could then download from that website and run on it my computer. When I try the second link, nothing happens I get redirected to Code: [Select]http://www.forospyware.com/. Sorry about all this troubleDownload the NVT Malware Remover Tool to your desktop. * Unzip the file and then run the INSTALLER. * Once installed click on the Update tab and check for updates. * Next click the Scan tab and then click Scan button to begin the scanner. * If any threats are found select the Remove button and then click Apply * Next select the button next to Copy in DETECTED folder then click Apply * Next at the top of the scanner window click Menu then select Open DETECTED folder * Post that log back here. * Restart the computer.Here is the log that came back Code: [Select]NoVirusThanks Malware Remover 2.4.0.0 DB version: 196 (07.02.2010) http://www.novirusthanks.org Report created on 2/21/2010 at 7:26:34 PM Microsoft Windows XP 5.1 Service Pack 2 32-bit OS Scan type: Quick Scan Time elapsed: 00:19:51 Objects scanned: 21849 Threats detected: 2 Files Infected: C:\WINDOWS\Temp\_ex-08.exe -> No action taken C:\WINDOWS\Temp\_ex-68.exe -> No action taken Folders Infected: End. I know there is more in there. Maybe I need to get a version of ComboFix, anywhere you could put it in a folder and upload it? I ran another program called RemoveIT Pro V4- Se. And they told me that I have a Code: [Select]Win32.Unknown.Random.X Sys32.1194322800 Theres more aswell, but they are all Sys32.X X being random numbers like the first one. Im not sure if this is any help but it's what I've been able to come up with. Thanks Quote No action taken Did you let those be fixed? Download OTL to your desktop. * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted. * Vista and Windows 7 users Right-click OTL and choose Run as Administrator) * When the window appears, underneath Output at the top change it to Minimal Output. * Check the boxes beside LOP Check and Purity Check. * Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long. When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Please copy and pate the contents of these files, one at a time, into your next reply. Note: You may need two or more posts to fit them all in.I let those two things get taken care of. When I clicked on the link to go to OTL I got another Server Not Found. *Sidenote: This doesn't happen regularly and only with certain websites. However, I was able to get you a pretty much full log report of some of the stuff happening in my computer. Code: [Select]RemoveIT Pro v7 - SE (Build date: 25.6.2009) full information log file. Generated at: 2/21/2010 on 7:45:38 PM Microsoft Windows XP Home Edition Service Pack 2 (Build 2600) Author: Damjan Irgolic http://www.incodesolutions.com [emailprotected] You have some viruses in your computer. Please Scan your computer with RemoveIT Pro to remove discovered viruses. Virus list: Infected with Sys32.1194322800 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\1194322800.exe Infected with Sys32.1434602420 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\1434602420.exe Infected with Sys32.158686840 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\158686840.exe Infected with Sys32.1949126510 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\1949126510.exe Infected with Sys32.225736298 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\225736298.exe Infected with Sys32.2308537926 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\2308537926.exe Infected with Sys32.2407992742 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\2407992742.exe Infected with Sys32.2538690376 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\2538690376.exe Infected with Sys32.2646026966 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\2646026966.exe Infected with Sys32.2664493634 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\2664493634.exe Infected with Sys32.2701815552 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\2701815552.exe Infected with Sys32.2720634474 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\2720634474.exe Infected with Sys32.2897654786 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\2897654786.exe Infected with Sys32.3042749252 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3042749252.exe Infected with Sys32.3081335842 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3081335842.exe Infected with Sys32.3090823340 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3090823340.exe Infected with Sys32.3142124428 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3142124428.exe Infected with Sys32.3375361794 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3375361794.exe Infected with Sys32.3548130850 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3548130850.exe Infected with Sys32.3576110384 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3576110384.exe Infected with Sys32.3729369912 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3729369912.exe Infected with Sys32.3751284930 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3751284930.exe Infected with Sys32.3976175968 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3976175968.exe Infected with Sys32.4067901878 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\4067901878.exe Infected with Sys32.4191888010 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\4191888010.exe Infected with Sys32.4205536296 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\4205536296.exe Infected with Sys32.4283058304 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\4283058304.exe Infected with Sys32.682687032 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\682687032.exe Infected with Sys32.700499532 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\700499532.exe Infected with Sys32.733246950 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\733246950.exe Infected with Sys32.751303072 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\751303072.exe Infected with Sys32.828545174 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\828545174.exe Infected with Sys32._voidkrl32mainweq - File C:\documents and settings\all users\application data\_voidkrl32mainweq.dll Infected with Sys32._voidmainqt - File C:\documents and settings\all users\application data\_voidmainqt.dll Running processes: (23) C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Microsoft Windows OneCare Live\winss.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\explorer.exe C:\PROGRA~1\MI1933~1\OFFICE11\OUTLOOK.EXE C:\PROGRA~1\MI1933~1\OFFICE11\OUTLOOK.EXE C:\PROGRA~1\MI1933~1\OFFICE11\OUTLOOK.EXE C:\DOCUME~1\ALLUSE~1\APPLIC~1\15515522\15515522.exe C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\msinits.exe C:\Program Files\InCode Solutions\RemoveIT Pro v4 - SE\removeit.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\Hjr.exe Startup files: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TOY5KNQ8OC [C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\Hjr.exe] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe [C:\WINDOWS\system32\ctfmon.exe] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\asg984jgkfmgasi8ug98jgkfgfb [C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\winamp.exe] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Remote System Protection [rundll32.exe C:\WINDOWS\system32\yns8e.dll, HUI_proc] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig [C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched ["C:\Program Files\Common Files\Java\Java Update\jusched.exe"] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task ["C:\Program Files\QuickTime\qttask.exe" -atboottime] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\15515522 [C:\DOCUME~1\ALLUSE~1\APPLIC~1\15515522\15515522.exe] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON [C:\WINDOWS\Temp\_ex-08.exe] Detail report: (82) Clsid C:\Program Files\uTorrent\uTorrent.exe /UNINSTALL[d41d8cd98f00b204e9800998ecf8427e][0] Clsid C:\WINDOWS\system32\ati2evxx.dll[17c3eb51d17d90eb10b60d9804d8884d][155648] Clsid C:\WINDOWS\system32\crypt32.dll[efc958396a7a7ef7e6d4a52b97512e18][597504] Clsid C:\WINDOWS\system32\cryptnet.dll[cad4aa32e7eca00c23cc39c0eb833f9d][63488] Clsid C:\WINDOWS\system32\cscdll.dll[587729679b4fe04ce06a5c61d6c56dcd][101888] Clsid C:\WINDOWS\system32\lmiinit.dll[959ff3a8c74e51676ccdc740657464cc][87352] Clsid C:\WINDOWS\system32\sclgntfy.dll[d636fa41e50671160d838ea2dace3330][20992] Clsid c:\windows\system32\stobject.dll[297101a925ecffdcdf7f6341ffbb6c1a][121856] Clsid c:\windows\system32\webcheck.dll[cc8915db4e33e8fb29ca0d2dbf75306e][236544] Clsid C:\WINDOWS\system32\wlnotify.dll[a599e5e366c1408e48aa5d37882d4e3e][92672] Clsid c:\windows\system32\wpdshserviceobj.dll[045e228f71c31901084b64be59093499][133632] Clsid c:\windows\system32\yns8e.dll[3f12906ae4b6a15bf9b118151c95b2ca][20000] Proc C:\DOCUME~1\ALLUSE~1\APPLIC~1\15515522\15515522.exe[11846d3e6cf8ce96e2d9035f377f6959][1036800] Proc C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\Hjr.exe[f4f0fcfe3eb5aee58b413051759c5aad][150528] Proc C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\msinits.exe[359cfd2ea9a17b9300683c0dcfb3c756][20000] Proc C:\PROGRA~1\MI1933~1\OFFICE11\OUTLOOK.EXE[4063f7194c37217a66db6799046a2774][196424] Proc C:\Program Files\InCode Solutions\RemoveIT Pro v4 - SE\removeit.exe[df716209199ba7c72dab2364f747dd98][557568] Proc C:\Program Files\Internet Explorer\IEXPLORE.EXE[b60dddd2d63ce41cb8c487fcfbb6419e][638816] Proc C:\Program Files\Java\jre6\bin\jqs.exe[77ac10db097dfd0cd3071465b644d0ab][153376] Proc C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe[35f177825e8680bfa0f1432116603fce][26120] Proc C:\Program Files\Microsoft Windows OneCare Live\winss.exe[65040b6a858b07a87ed8afca7b7345df][1134920] Proc C:\Program Files\Mozilla Firefox\firefox.exe[9a1d58a8d5da06ee6592673cf695db95][910296] Proc C:\WINDOWS\explorer.exe[a0732187050030ae399b241436565e64][1032192] Proc C:\WINDOWS\system32\ctfmon.exe[24232996a38c0b0cf151c2140ae29fc8][15360] Proc C:\WINDOWS\system32\lsass.exe[84885f9b82f4d55c6146ebf6065d75d2][13312] Proc C:\WINDOWS\system32\services.exe[37561f8d4160d62da86d24ae41fae8de][110592] Proc C:\WINDOWS\system32\spoolsv.exe[7435b108b935e42ea92ca94f59c8e717][57856] Proc C:\WINDOWS\system32\svchost.exe[8f078ae4ed187aaabc0a305146de6716][14336] RegRun c:\docume~1\alluse~1\applic~1\15515522\15515522.exe[11846d3e6cf8ce96e2d9035f377f6959][1036800] RegRun c:\docume~1\hp_own~1.000\locals~1\temp\hjr.exe[f4f0fcfe3eb5aee58b413051759c5aad][150528] RegRun c:\program files\common files\java\java update\jusched.exe[e0d6538b62c79fcbf0b27f95faf3208b][246504] RegRun c:\program files\quicktime\qttask.exe [55d7a219ad8d0db8980528944152a6fd][417792] RegRun c:\windows\pchealth\helpctr\binaries\msconfig.exe [4fd22142f54692463a7b98b7de175573][158208] RegRun c:\windows\system32\ctfmon.exe[24232996a38c0b0cf151c2140ae29fc8][15360] RegRun c:\windows\system32\yns8e.dll[3f12906ae4b6a15bf9b118151c95b2ca][20000] Service c:\program files\bonjour\mdnsresponder.exe[3f56903e124e820aeece6d471583c6c1][238888] Service c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe[4b5ae15e5c73eb4dc8dbec2788230d41][144672] Service c:\program files\common files\installshield\driver\1050\intel 32\idrivert.exe[6f95324909b502e2651442c1548ab12f][73728] Service c:\program files\common files\microsoft shared\vs7debug\mdm.exe[11f714f85530a2bd134074dc30e99fca][322120] Service c:\program files\ipod\bin\ipodservice.exe[1e6f080d5edb4c3b4c4eb787a0848dcc][545576] Service c:\program files\java\jre6\bin\jqs.exe [77ac10db097dfd0cd3071465b644d0ab][153376] Service c:\program files\lavasoft\ad-aware\aawservice.exe[db25bc5b0998e7b522c04a1e6a3303af][1229232] Service c:\program files\logmein\x86\logmein.exe[9015122d04c195bdab88febcbae229db][63040] Service c:\program files\logmein\x86\ramaint.exe[500f1e4461075d602ce77109a9a3d634][116032] Service c:\program files\microsoft windows onecare live\ochealthmon.exe[35f177825e8680bfa0f1432116603fce][26120] Service c:\program files\microsoft windows onecare live\winss.exe[65040b6a858b07a87ed8afca7b7345df][1134920] Service c:\program files\nos\bin\getplus_helpersvc.exe[25867e27fc02e99c2a34b8a7dd6f20d4][66056] Service c:\program files\windows media player\wmpnetwk.exe[f74e3d9a7fa9556c3bbb14d4e5e63d3b][913408] Service c:\windows\microsoft.net\framework\v2.0.50727\aspnet_state.exe[0e5e4957549056e2bf2c49f4f6b601ad][34312] Service c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe[d87acaed61e417bba546ced5e7e36d9c][69632] Service c:\windows\microsoft.net\framework\v3.0\windows communication foundation\infocard.exe[c01ac32dc5c03076cfb852cb5da5229c][881664] Service c:\windows\microsoft.net\framework\v3.0\windows communication foundation\smsvchost.exe[d34612c5d02d026535b3095d620626ae][132096] Service c:\windows\microsoft.net\framework\v3.0\wpf\presentationfontcache.exe[8ba7c024070f2b7fdd98ed8a4ba41789][46104] Service c:\windows\system32\alg.exe[f1958fbf86d5c004cf19a5951a9514b7][44544] Service c:\windows\system32\ati2evxx.exe[42e4e2cf0406394bbce7eb358ae4e208][602112] Service c:\windows\system32\ati2sgag.exe[460741befbfc91c88934620bc546d172][593920] Service c:\windows\system32\cisvc.exe[3192bd04d032a9c4a85a3278c268a13a][5632] Service c:\windows\system32\clipsrv.exe[c8dec22c4137d7a90f8bdf41ca4b82ae][33280] Service c:\windows\system32\dllhost.exe [dd87db7387b9eb441c5674888a0d840c][5120] Service c:\windows\system32\dmadmin.exe [554c7cb178fe3bd12450b81ad63adbc3][224768] Service c:\windows\system32\fxssvc.exe[fcbd571fa0ee8dc238944ae5fab74461][267776] Service c:\windows\system32\hpzipm12.exe[9d84376931440f3679beef2a414fa493][69632] Service c:\windows\system32\imapi.exe[fa788520bcac0f5d9d5cde5615c0d931][150016] Service c:\windows\system32\locator.exe[793f04a09b15e7c6c11dbdffaf06c0ab][75264] Service c:\windows\system32\lsass.exe[84885f9b82f4d55c6146ebf6065d75d2][13312] Service c:\windows\system32\mnmsrvc.exe[f6415361201915b9fe3896b0e4e724ff][32768] Service c:\windows\system32\msdtc.exe[c7c3d89eb0a6f3dba622ea737fa335b1][6144] Service c:\windows\system32\msiexec.exe [f5f0146580e7023adb963879840777f8][78848] Service c:\windows\system32\netdde.exe[05afb5ad06462257bea7495283c86d50][111104] Service c:\windows\system32\rsvp.exe[471b3f9741d762abe75e9deea4787e47][132608] Service c:\windows\system32\scardsvr.exe[25d8de134df108e3dbc8d7d23b1aa58e][95744] Service c:\windows\system32\services.exe[37561f8d4160d62da86d24ae41fae8de][110592] Service c:\windows\system32\sessmgr.exe[729798e0933076b8fcfcd9934698f164][140800] Service c:\windows\system32\smlogsvc.exe[8b54aa346d1b1b113ffaa75501b8b1b2][89600] Service c:\windows\system32\spoolsv.exe[7435b108b935e42ea92ca94f59c8e717][57856] Service c:\windows\system32\svchost.exe [8f078ae4ed187aaabc0a305146de6716][14336] Service c:\windows\system32\ups.exe[3f5df65b0758675f95a2d43918a740a3][18432] Service c:\windows\system32\vssvc.exe[3ee00364ae0fd8d604f46cbaf512838a][289792] Service c:\windows\system32\wbem\wmiapsrv.exe[ba8cecc3e813e1f7c441b20393d4f86c][126464] Startup c:\documents and settings\all users\start menu\programs\startup\desktop.ini[d6a6856702e3f0953e7246a9b4a9fe35][84] Startup c:\documents and settings\hp_owner.your-f78bf48ce2.000\start menu\programs\startup\desktop.ini[d6a6856702e3f0953e7246a9b4a9fe35][84] System.ini c:\windows\system32\svchost.exe [8f078ae4ed187aaabc0a305146de6716][14336] Startup folder: (2) Startup name: desktop.ini Command: C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2.000\Start Menu\Programs\Startup\desktop.ini Startup name: desktop.ini Command: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini Win.ini Startup: (1) Path: No additional driver found! Win.ini Startup: (1) Path: No additional driver found! Keyboard drivers: (1) Name: No Keyboard Filter driver found! Services: (101) Service Name: .NET Runtime Optimization Service v2.0.50727_X86 [Stopped], Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe Service Name: Alerter [Stopped], Path: C:\WINDOWS\system32\svchost.exe -k LocalService Service Name: Apple Mobile Device [Stopped], Path: "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" Service Name: Application Layer Gateway Service [Running], Path: C:\WINDOWS\System32\alg.exe Service Name: Application Management [Stopped], Path: C:\WINDOWS\system32\svchost.exe -k netsvcs Service Name: ASP.NET State Service [Stopped], Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe Service Name: Ati HotKey Poller [Stopped], Path: C:\WINDOWS\system32\Ati2evxx.exe Service Name: ATI Smart [Stopped], Path: C:\WINDOWS\system32\ati2sgag.exe Service Name: Automatic Updates [Stopped], Path: C:\WINDOWS\system32\svchost.exe -k netsvcs Service Name: Background Intelligent Transfer Service [Running], Path: C:\WINDOWS\system32\svchost.exe -k netsvcs Service Name: Bonjour Service [Stopped], Path: "C:\Program Files\Bonjour\mDNSResponder.exe" Service Name: ClipBook [Stopped], Path: C:\WINDOWS\system32\clipsrv.exe Service Name: COM+ Event System [Running], Path: C:\WINDOWS\system32\svchost.exe -k netsvcs Service Name: COM+ System Application [Stopped], Path: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} Service Name: Computer Browser [Stopped], Path: C:\WINDOWS\system32\svchost.exe -k netsvcs Service Name: Cryptographic Services [Running], Path: C:\WINDOWS\system32\svchost.exe -k netsvcs Service Name: DCOM Server Process Launcher [Running], Path: C:\WINDOWS\system32\svchost -k DcomLaunch Service Name: DHCP Client [Running], Path: C:\WINDOWS\system32\svchost.exe -k netsvcs Service Name: Distributed Link Tracking Client [Running], Path: C:\WINDOWS\system32\svchost.exe -k netsvcs Service Name: Distributed Transaction Coordinator [Stopped], Path: C:\WINDOWS\system32\msdtc.exe Service Name: DNS Client [Running], Path: C:\WINDOWS\system32\svchost.exe -k NetworkService Service Name: Error Reporting Service [Running], Path: C:\WINDOWS\System32\svchost.exe -k netsvcs Service Name: Event Log [Running], Path: C:\WINDOWS\system32\services.exe Service Name: Fast User Switching Compatibility [Running], Path: C:\WINDOWS\System32\svchost.exe -k netsvcs Service Name: Fax [Stopped], Path: C:\WINDOWS\system32\fxssvc.exe Service Name: getPlus(R) Helper [Stopped], Path: C:\Program Files\NOS\bin\getPlus_HelperSvc.exe Service Name: Help and Support [Running], Path: C:\WINDOWS\System32\svchost.exe -k netsvcs Service Name: HID Input Service [Running], Path: C:\WINDOWS\System32\svchost.exe -k netsvcs Service Name: HTTP SSL [Stopped], Path: C:\WINDOWS\System32\svchost.exe -k HTTPFilter Service Name: IMAPI CD-Burning COM Service [Stopped], Path: C:\WINDOWS\system32\imapi.exe Service Name: Indexing Service [Stopped], Path: C:\WINDOWS\system32\cisvc.exe Service Name: InstallDriver Table Manager [Stopped], Path: "C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe" Service Name: iPod Service [Stopped], Path: "C:\Program Files\iPod\bin\iPodService.exe" Service Name: IPSEC Services [Running], Path: C:\WINDOWS\system32\lsass.exe Service Name: Java Quick Starter [Running], Path: "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" Service Name: Lavasoft Ad-Aware Service [Stopped], Path: "C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe" Service Name: Logical Disk Manager [Stopped], Path: C:\WINDOWS\System32\svchost.exe -k netsvcs Service Name: Logical Disk Manager Administrative Service [Stopped], Path: C:\WINDOWS\System32\dmadmin.exe /com Service Name: LogMeIn [Stopped], Path: "C:\Program Files\LogMeIn\x86\LogMeIn.exe" Service Name: LogMeIn Maintenance Service [Stopped], Path: "C:\Program Files\LogMeIn\x86\RaMaint.exe" Service Name: Machine Debug Manager [Stopped], Path: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" Service Name: Messenger [Stopped], Path: C:\WINDOWS\system32\svchost.exe -k netsvcs Service Name: MS Software Shadow Copy Provider [Stopped], Path: C:\WINDOWS\system32\dllhost.exe /Processid:{20434C82-24BE-4DD7-A39B-AE61CD09B496} Service Name: Net Logon [Stopped], Path: C:\WINDOWS\system32\lsass.exe Service Name: Net.Tcp Port Sharing Service [Stopped], Path: "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" Service Name: NetMeeting Remote Desktop Sharing [Stopped], Path: C:\WINDOWS\system32\mnmsrvc.exe Service Name: Network Connections [Running], Path: C:\WINDOWS\System32\svchost.exe -k netsvcs Service Name: Network DDE [Stopped], Path: C:\WINDOWS\system32\netdde.exe Service Name: Network DDE DSDM [Stopped], Path: C:\WINDOWS\system32\netdde.exe Service Name: Network Location Awareness (NLA) [Running], Path: C:\WINDOWS\system32\svchost.exe -k netsvcs Service Name: Network Provisioning Service [Stopped], Path: C:\WINDOWS\System32\svchost.exe -k netsvcs Service Name: NT LM Security Support Provider [Stopped], Path: C:\WINDOWS\system32\lsass.exe Service Name: Office Source Engine [Stopped], Path: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" Service Name: Performance Logs and Alerts [Stopped], Path: C:\WINDOWS\system32\smlogsvc.exe Service Name: Plug and Play [Running], Path: C:\WINDOWS\system32\services.exe Service Name: Pml Driver HPZ12 [Stopped], Path: C:\WINDOWS\system32\HPZipm12.exe Service Name: Portable Media Serial Number Service [Stopped], Path: C:\WINDOWS\System32\svchost.exe -k netsvcs Service Name: Print Spooler [Running], Path: C:\WINDOWS\system32\spoolsv.exe Service Name: Protected Storage [Running], Path: C:\WINDOWS\system32\lsass.exe Service Name: QoS RSVP [Stopped], Path: C:\WINDOWS\system32\rsvp.exe Service Name: Remote Access Auto Connection Manager [Stopped], Path: C:\WINDOWS\system32\svchost.exe -k netsvcs Service Name: Remote Access Connection Manager [Running], Path: C:\WINDOWS\system32\svchost.exe -k netsvcs Service Name: Remote Desktop Help Session Manager [Stopped], Path: C:\WINDOWS\system32\sessmgr.exe Service Name: Remote Procedure Call (RPC) [Running], Path: C:\WINDOWS\system32\svchost -k rpcss Service Name: Remote Procedure Call (RPC) Locator [Stopped], Path: C:\WINDOWS\system32\locator.exe Service Name: Removable Storage [Stopped], Path: C:\WINDOWS\system32\svchost.exe -k netsvcs Service Name: Routing and Remote Access [Stopped], Path: C:\WINDOWS\system32\svchost.exe -k netsvcs Service Name: Secondary Logon [Running], Path: C:\WINDOWS\System32\svchost.exe -k netsvcs Service Name: Security Accounts Manager [Running], Path: C:\WINDOWS\system32\lsass.exe Service Name: Security Center [Stopped], Path: C:\WINDOWS\System32\svchost.exe -k netsvcs Service Name: Server [Running], Path: C:\WINDOWS\system32\svchost.exe -k netsvcs Service Name: Shell Hardware Detection [Running], Path: C:\WINDOWS\System32\svchost.exe -k netsvcs Service Name: Smart Card [Stopped], Path: C:\WINDOWS\System32\SCardSvr.exe Service Name: SSDP Discovery Service [Running], Path: C:\WINDOWS\system32\svchost.exe -k LocalService Service Name: SSHNAS [Stopped], Path: C:\WINDOWS\system32\svchost.exe -k netsvcs Service Name: System Event Notification [Running], Path: C:\WINDOWS\system32\svchost.exe -k netsvcs Service Name: System Restore Service [Stopped], Path: C:\WINDOWS\system32\svchost.exe -k netsvcs Service Name: Task Scheduler [Running], Path: C:\WINDOWS\System32\svchost.exe -k netsvcs Service Name: TCP/IP NetBIOS Helper [Running], Path: C:\WINDOWS\system32\svchost.exe -k LocalService Service Name: Telephony [Running], Path: C:\WINDOWS\System32\svchost.exe -k netsvcs Service Name: Terminal Services [Running], Path: C:\WINDOWS\System32\svchost -k DComLaunch Service Name: Themes [Running], Path: C:\WINDOWS\System32\svchost.exe -k netsvcs Service Name: Uninterruptible Power Supply [Stopped], Path: C:\WINDOWS\System32\ups.exe Service Name: Universal Plug and Play Device Host [Stopped], Path: C:\WINDOWS\system32\svchost.exe -k LocalService Service Name: Volume Shadow Copy [Stopped], Path: C:\WINDOWS\System32\vssvc.exe Service Name: WebClient [Running], Path: C:\WINDOWS\system32\svchost.exe -k LocalService Service Name: Windows Audio [Running], Path: C:\WINDOWS\System32\svchost.exe -k netsvcs Service Name: Windows CardSpace [Stopped], Path: "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe" Service Name: Windows Driver Foundation - User-mode Driver Framework [Stopped], Path: C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup Service Name: Windows Firewall/Internet Connection Sharing (ICS) [Running], Path: C:\WINDOWS\system32\svchost.exe -k netsvcs Service Name: Windows Image Acquisition (WIA) [Running], Path: C:\WINDOWS\system32\svchost.exe -k imgsvc Service Name: Windows Installer [Stopped], Path: C:\WINDOWS\system32\msiexec.exe /V Service Name: Windows Live OneCare Health Monitor [Running], Path: "C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe" Service Name: Windows Live OneCare Restore Tool [Running], Path: C:\Program Files\Microsoft Windows OneCare Live\winss.exe Service Name: Windows Management Instrumentation [Running], Path: C:\WINDOWS\system32\svchost.exe -k netsvcs Service Name: Windows Media Player Network Sharing Service [Stopped], Path: "C:\Program Files\Windows Media Player\WMPNetwk.exe" Service Name: Windows Presentation Foundation Font Cache 3.0.0.0 [Stopped], Path: c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe Service Name: Windows Time [Running], Path: C:\WINDOWS\System32\svchost.exe -k netsvcs Service Name: Wireless Zero Configuration [Running], Path: C:\WINDOWS\System32\svchost.exe -k netsvcs Service Name: WMI Performance Adapter [Stopped], Path: C:\WINDOWS\system32\wbem\wmiapsrv.exe Service Name: WORKSTATION [Running], Path: C:\WINDOWS\system32\svchost.exe -k netsvcs Finished... Check your PM inbox.Thanks for the help Evil Fantasy, but I had to resort to doing a System Recovery. The computer when it was restarted had become infected with a new virus that was even newer and nastier. This time it didn't allow me to open ANYTHING and my desktop was completely blank. Luckily was able to install everything. thanks for all your help, cya around

4542.

Solve : Virus\Malware Problem?

Answer»

I've been dealing with a nasty virus over the past few days, but have been unable to handle it myself because of how its dealing with the situation. First off, I can't install any new anti-virus software and with the scans I've ran nothing picks up the virus.

I've tried reading the topic about what to do before posting and steps 1 , 2 , didn't help. And I couldn't install the programs listed in steps 3 or 4. What happens is I'll click on them, then nothing. They simple disappear, nothing pop-ups, no error messages, nothing. So I'm on Step 5 now. My Java version was Version 6 Update 16 before updating to Version 6 Update 18.

Now Step 6.....

I'll describe the virus first then post my HiJackThis log.
1. I get random re-directs from Google ENTRIES (Using Firefox) like the website I clicked will appear with another one completey not-related.
2. When I try to get some type of computer help, sometimes If I try and visit a computer help website like bleepingcomputer I'll get a webpage not found.
3. If I ctrl alt delete I can see under applications a bunch of Internet Explorer windows running what appears to be pop-ups but I cant see them.

On a sidenote I feel that it may be 2-3 or viruses, somewhere in the background.

Code: [Select]Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 8:42:54 AM, on 2/20/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\Hjr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\drweb.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\taskmgr.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\csrss.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\msinits.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

O2 - BHO: C:\WINDOWS\system32\yns8e.dll - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\system32\yns8e.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\yns8e.dll, HUI_proc
O4 - HKCU\..\Run: [TOY5KNQ8OC] C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\Hjr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\csrss.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O22 - SharedTaskScheduler: 7whfiudhf8s7f3oifhif7syfdhsof - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\system32\yns8e.dll

--
End of file - 1893 bytes

I understand

[Saving space, attachment deleted by admin]Welcome to CH.

Try this please.

Try not to restart the computer until one of the tools we use does it for you or tells you to.

1) Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the next one.

Vista and Windows 7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.pif
* Rkill.exe

* Double-click on the Rkill desktop icon to run the tool.
* If using Vista or Windows 7 right-click on it and choose Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* When finished it will create a log.
* Please post the rkill.log in the next reply.

* If Rkill does not run from the first link, delete the file, then download and use the one provided in Link 2. If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run then try to immediately run the following.

2) Download and run exeHelper

* Please download exeHelper from Raktor to your desktop.
* Double-click on exeHelper.com to run the fix.
* A black window should pop up, press any key to close once the fix is completed.
* A log file named log.txt will be created in the directory where you ran exeHelper.com
* Add the log.txt file to your next message.

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

3) If you already have Malwarebytes be sure to update it before running the scan!

Download Malwarebytes' Anti-Malware (MBAM)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to the following:

* Update Malwarebytes' Anti-Malware
* Launch Malwarebytes' Anti-Malware

* Then click Finish
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.Alright here is the rkill log that I just got

Code: [Select]This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as HP_Owner on 02/20/2010 at 22:30:16.

Processes terminated by Rkill or while it was running:

C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\cmd.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\spoolsv.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\services.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\svchost.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\csrss.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\debug.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\setup.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\notepad.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\system.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\lsass.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\win16.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\msinits.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\Hjr.exe

Rkill completed on 02/20/2010 at 22:30:23.

When I ran the exehelper it would go then stop after policies. Here is the log.
Code: [Select]exeHelper by Raktor
Build 20091220
Run at 22:28:11 on 02/20/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
I was unable to install Malwarebytes' Anti-Malware due to it never loading. I downloaded the mbam-setup.exe to my desktop and from there once I clicked on it nothing would happen. This doesn't happen with other programs. Aswell, I see that the program is running when I go to Task Manager under processes.

On a side note it appears that I have had Malwarebytes' Anti-Malware installed under Code: [Select]C:\Program Files\Malwarebytes' Anti-Malware but, when I click on the Icon nothing happens again. This doesn't happen with other programs too. It's like the virus knows the programs I'm trying to run and stops them from loading\appearing.Restart the computer and the run Rkill again and then immediately after try this.

Download ComboFix from one of the below links. You must rename it before saving it!

Important! You MUST save ComboFix to your desktop.

Link #1
Link #2

Rename ComboFix to Combo-Fix before saving it to the desktop.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a LIST of security programs that should be disabled and how to disable them.

Double click on Combo-Fix.exe & follow the prompts.

Vista and Windows 7 users Right-Click on Combo-Fix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When the scan completes it will open a text window.

Post the contents of that log in your next reply.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
When I follow the link to download ComboFix on the first link. I get a server not found

It's almost like the virus\trojan will allow me to go to certain sites and use only certain programs.

But I think if someone was able to put the ComboFix in a zip\rar folder then upload it somewhere else, I could then download from that website and run on it my computer.

When I try the second link, nothing happens I get redirected to Code: [Select]http://www.forospyware.com/.
Sorry about all this troubleDownload the NVT Malware Remover Tool to your desktop.

* Unzip the file and then run the INSTALLER.
* Once installed click on the Update tab and check for updates.
* Next click the Scan tab and then click Scan button to begin the scanner.
* If any threats are found select the Remove button and then click Apply
* Next select the button next to Copy in DETECTED folder then click Apply
* Next at the top of the scanner window click Menu then select Open DETECTED folder
* Post that log back here.
* Restart the computer.Here is the log that came back

Code: [Select]NoVirusThanks Malware Remover 2.4.0.0
DB version: 196 (07.02.2010)
http://www.novirusthanks.org
Report created on 2/21/2010 at 7:26:34 PM
Microsoft Windows XP 5.1 Service Pack 2 32-bit OS

Scan type: Quick Scan
Time elapsed: 00:19:51
Objects scanned: 21849
Threats detected: 2

Files Infected:

C:\WINDOWS\Temp\_ex-08.exe -> No action taken
C:\WINDOWS\Temp\_ex-68.exe -> No action taken

Folders Infected:

End.

I know there is more in there. Maybe I need to get a version of ComboFix, anywhere you could put it in a folder and upload it?

I ran another program called RemoveIT Pro V4- Se. And they told me that I have a
Code: [Select]Win32.Unknown.Random.X
Sys32.1194322800

Theres more aswell, but they are all Sys32.X
X being random numbers like the first one. Im not sure if this is any help but it's what I've been able to come up with.

Thanks
Quote

No action taken

Did you let those be fixed?

Download OTL to your desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Vista and Windows 7 users Right-click OTL and choose Run as Administrator)
* When the window appears, underneath Output at the top change it to Minimal Output.
* Check the boxes beside LOP Check and Purity Check.
* Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy and pate the contents of these files, one at a time, into your next reply.

Note: You may need two or more posts to fit them all in.I let those two things get taken care of.
When I clicked on the link to go to OTL I got another Server Not Found.

*Sidenote: This doesn't happen regularly and only with certain websites.

However, I was able to get you a pretty much full log report of some of the stuff happening in my computer.

Code: [Select]RemoveIT Pro v7 - SE (Build date: 25.6.2009) full information log file.
Generated at: 2/21/2010 on 7:45:38 PM
Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)
Author: Damjan Irgolic
http://www.incodesolutions.com
[emailprotected]

You have some viruses in your computer.
Please Scan your computer with RemoveIT Pro to remove discovered viruses.
Virus list:
Infected with Sys32.1194322800 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\1194322800.exe
Infected with Sys32.1434602420 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\1434602420.exe
Infected with Sys32.158686840 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\158686840.exe
Infected with Sys32.1949126510 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\1949126510.exe
Infected with Sys32.225736298 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\225736298.exe
Infected with Sys32.2308537926 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\2308537926.exe
Infected with Sys32.2407992742 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\2407992742.exe
Infected with Sys32.2538690376 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\2538690376.exe
Infected with Sys32.2646026966 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\2646026966.exe
Infected with Sys32.2664493634 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\2664493634.exe
Infected with Sys32.2701815552 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\2701815552.exe
Infected with Sys32.2720634474 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\2720634474.exe
Infected with Sys32.2897654786 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\2897654786.exe
Infected with Sys32.3042749252 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3042749252.exe
Infected with Sys32.3081335842 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3081335842.exe
Infected with Sys32.3090823340 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3090823340.exe
Infected with Sys32.3142124428 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3142124428.exe
Infected with Sys32.3375361794 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3375361794.exe
Infected with Sys32.3548130850 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3548130850.exe
Infected with Sys32.3576110384 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3576110384.exe
Infected with Sys32.3729369912 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3729369912.exe
Infected with Sys32.3751284930 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3751284930.exe
Infected with Sys32.3976175968 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3976175968.exe
Infected with Sys32.4067901878 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\4067901878.exe
Infected with Sys32.4191888010 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\4191888010.exe
Infected with Sys32.4205536296 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\4205536296.exe
Infected with Sys32.4283058304 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\4283058304.exe
Infected with Sys32.682687032 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\682687032.exe
Infected with Sys32.700499532 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\700499532.exe
Infected with Sys32.733246950 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\733246950.exe
Infected with Sys32.751303072 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\751303072.exe
Infected with Sys32.828545174 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\828545174.exe
Infected with Sys32._voidkrl32mainweq - File C:\documents and settings\all users\application data\_voidkrl32mainweq.dll
Infected with Sys32._voidmainqt - File C:\documents and settings\all users\application data\_voidmainqt.dll

Running processes: (23)
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MI1933~1\OFFICE11\OUTLOOK.EXE
C:\PROGRA~1\MI1933~1\OFFICE11\OUTLOOK.EXE
C:\PROGRA~1\MI1933~1\OFFICE11\OUTLOOK.EXE
C:\DOCUME~1\ALLUSE~1\APPLIC~1\15515522\15515522.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\msinits.exe
C:\Program Files\InCode Solutions\RemoveIT Pro v4 - SE\removeit.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\Hjr.exe

Startup files:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TOY5KNQ8OC
[C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\Hjr.exe]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
[C:\WINDOWS\system32\ctfmon.exe]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\asg984jgkfmgasi8ug98jgkfgfb
[C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\winamp.exe]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Remote System Protection
[rundll32.exe C:\WINDOWS\system32\yns8e.dll, HUI_proc]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig
[C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched
["C:\Program Files\Common Files\Java\Java Update\jusched.exe"]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
["C:\Program Files\QuickTime\qttask.exe" -atboottime]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\15515522
[C:\DOCUME~1\ALLUSE~1\APPLIC~1\15515522\15515522.exe]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON
[C:\WINDOWS\Temp\_ex-08.exe]

Detail report: (82)
Clsid C:\Program Files\uTorrent\uTorrent.exe /UNINSTALL[d41d8cd98f00b204e9800998ecf8427e][0]
Clsid C:\WINDOWS\system32\ati2evxx.dll[17c3eb51d17d90eb10b60d9804d8884d][155648]
Clsid C:\WINDOWS\system32\crypt32.dll[efc958396a7a7ef7e6d4a52b97512e18][597504]
Clsid C:\WINDOWS\system32\cryptnet.dll[cad4aa32e7eca00c23cc39c0eb833f9d][63488]
Clsid C:\WINDOWS\system32\cscdll.dll[587729679b4fe04ce06a5c61d6c56dcd][101888]
Clsid C:\WINDOWS\system32\lmiinit.dll[959ff3a8c74e51676ccdc740657464cc][87352]
Clsid C:\WINDOWS\system32\sclgntfy.dll[d636fa41e50671160d838ea2dace3330][20992]
Clsid c:\windows\system32\stobject.dll[297101a925ecffdcdf7f6341ffbb6c1a][121856]
Clsid c:\windows\system32\webcheck.dll[cc8915db4e33e8fb29ca0d2dbf75306e][236544]
Clsid C:\WINDOWS\system32\wlnotify.dll[a599e5e366c1408e48aa5d37882d4e3e][92672]
Clsid c:\windows\system32\wpdshserviceobj.dll[045e228f71c31901084b64be59093499][133632]
Clsid c:\windows\system32\yns8e.dll[3f12906ae4b6a15bf9b118151c95b2ca][20000]
Proc C:\DOCUME~1\ALLUSE~1\APPLIC~1\15515522\15515522.exe[11846d3e6cf8ce96e2d9035f377f6959][1036800]
Proc C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\Hjr.exe[f4f0fcfe3eb5aee58b413051759c5aad][150528]
Proc C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\msinits.exe[359cfd2ea9a17b9300683c0dcfb3c756][20000]
Proc C:\PROGRA~1\MI1933~1\OFFICE11\OUTLOOK.EXE[4063f7194c37217a66db6799046a2774][196424]
Proc C:\Program Files\InCode Solutions\RemoveIT Pro v4 - SE\removeit.exe[df716209199ba7c72dab2364f747dd98][557568]
Proc C:\Program Files\Internet Explorer\IEXPLORE.EXE[b60dddd2d63ce41cb8c487fcfbb6419e][638816]
Proc C:\Program Files\Java\jre6\bin\jqs.exe[77ac10db097dfd0cd3071465b644d0ab][153376]
Proc C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe[35f177825e8680bfa0f1432116603fce][26120]
Proc C:\Program Files\Microsoft Windows OneCare Live\winss.exe[65040b6a858b07a87ed8afca7b7345df][1134920]
Proc C:\Program Files\Mozilla Firefox\firefox.exe[9a1d58a8d5da06ee6592673cf695db95][910296]
Proc C:\WINDOWS\explorer.exe[a0732187050030ae399b241436565e64][1032192]
Proc C:\WINDOWS\system32\ctfmon.exe[24232996a38c0b0cf151c2140ae29fc8][15360]
Proc C:\WINDOWS\system32\lsass.exe[84885f9b82f4d55c6146ebf6065d75d2][13312]
Proc C:\WINDOWS\system32\services.exe[37561f8d4160d62da86d24ae41fae8de][110592]
Proc C:\WINDOWS\system32\spoolsv.exe[7435b108b935e42ea92ca94f59c8e717][57856]
Proc C:\WINDOWS\system32\svchost.exe[8f078ae4ed187aaabc0a305146de6716][14336]
RegRun c:\docume~1\alluse~1\applic~1\15515522\15515522.exe[11846d3e6cf8ce96e2d9035f377f6959][1036800]
RegRun c:\docume~1\hp_own~1.000\locals~1\temp\hjr.exe[f4f0fcfe3eb5aee58b413051759c5aad][150528]
RegRun c:\program files\common files\java\java update\jusched.exe[e0d6538b62c79fcbf0b27f95faf3208b][246504]
RegRun c:\program files\quicktime\qttask.exe [55d7a219ad8d0db8980528944152a6fd][417792]
RegRun c:\windows\pchealth\helpctr\binaries\msconfig.exe [4fd22142f54692463a7b98b7de175573][158208]
RegRun c:\windows\system32\ctfmon.exe[24232996a38c0b0cf151c2140ae29fc8][15360]
RegRun c:\windows\system32\yns8e.dll[3f12906ae4b6a15bf9b118151c95b2ca][20000]
Service c:\program files\bonjour\mdnsresponder.exe[3f56903e124e820aeece6d471583c6c1][238888]
Service c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe[4b5ae15e5c73eb4dc8dbec2788230d41][144672]
Service c:\program files\common files\installshield\driver\1050\intel 32\idrivert.exe[6f95324909b502e2651442c1548ab12f][73728]
Service c:\program files\common files\microsoft shared\vs7debug\mdm.exe[11f714f85530a2bd134074dc30e99fca][322120]
Service c:\program files\ipod\bin\ipodservice.exe[1e6f080d5edb4c3b4c4eb787a0848dcc][545576]
Service c:\program files\java\jre6\bin\jqs.exe [77ac10db097dfd0cd3071465b644d0ab][153376]
Service c:\program files\lavasoft\ad-aware\aawservice.exe[db25bc5b0998e7b522c04a1e6a3303af][1229232]
Service c:\program files\logmein\x86\logmein.exe[9015122d04c195bdab88febcbae229db][63040]
Service c:\program files\logmein\x86\ramaint.exe[500f1e4461075d602ce77109a9a3d634][116032]
Service c:\program files\microsoft windows onecare live\ochealthmon.exe[35f177825e8680bfa0f1432116603fce][26120]
Service c:\program files\microsoft windows onecare live\winss.exe[65040b6a858b07a87ed8afca7b7345df][1134920]
Service c:\program files\nos\bin\getplus_helpersvc.exe[25867e27fc02e99c2a34b8a7dd6f20d4][66056]
Service c:\program files\windows media player\wmpnetwk.exe[f74e3d9a7fa9556c3bbb14d4e5e63d3b][913408]
Service c:\windows\microsoft.net\framework\v2.0.50727\aspnet_state.exe[0e5e4957549056e2bf2c49f4f6b601ad][34312]
Service c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe[d87acaed61e417bba546ced5e7e36d9c][69632]
Service c:\windows\microsoft.net\framework\v3.0\windows communication foundation\infocard.exe[c01ac32dc5c03076cfb852cb5da5229c][881664]
Service c:\windows\microsoft.net\framework\v3.0\windows communication foundation\smsvchost.exe[d34612c5d02d026535b3095d620626ae][132096]
Service c:\windows\microsoft.net\framework\v3.0\wpf\presentationfontcache.exe[8ba7c024070f2b7fdd98ed8a4ba41789][46104]
Service c:\windows\system32\alg.exe[f1958fbf86d5c004cf19a5951a9514b7][44544]
Service c:\windows\system32\ati2evxx.exe[42e4e2cf0406394bbce7eb358ae4e208][602112]
Service c:\windows\system32\ati2sgag.exe[460741befbfc91c88934620bc546d172][593920]
Service c:\windows\system32\cisvc.exe[3192bd04d032a9c4a85a3278c268a13a][5632]
Service c:\windows\system32\clipsrv.exe[c8dec22c4137d7a90f8bdf41ca4b82ae][33280]
Service c:\windows\system32\dllhost.exe [dd87db7387b9eb441c5674888a0d840c][5120]
Service c:\windows\system32\dmadmin.exe [554c7cb178fe3bd12450b81ad63adbc3][224768]
Service c:\windows\system32\fxssvc.exe[fcbd571fa0ee8dc238944ae5fab74461][267776]
Service c:\windows\system32\hpzipm12.exe[9d84376931440f3679beef2a414fa493][69632]
Service c:\windows\system32\imapi.exe[fa788520bcac0f5d9d5cde5615c0d931][150016]
Service c:\windows\system32\locator.exe[793f04a09b15e7c6c11dbdffaf06c0ab][75264]
Service c:\windows\system32\lsass.exe[84885f9b82f4d55c6146ebf6065d75d2][13312]
Service c:\windows\system32\mnmsrvc.exe[f6415361201915b9fe3896b0e4e724ff][32768]
Service c:\windows\system32\msdtc.exe[c7c3d89eb0a6f3dba622ea737fa335b1][6144]
Service c:\windows\system32\msiexec.exe [f5f0146580e7023adb963879840777f8][78848]
Service c:\windows\system32\netdde.exe[05afb5ad06462257bea7495283c86d50][111104]
Service c:\windows\system32\rsvp.exe[471b3f9741d762abe75e9deea4787e47][132608]
Service c:\windows\system32\scardsvr.exe[25d8de134df108e3dbc8d7d23b1aa58e][95744]
Service c:\windows\system32\services.exe[37561f8d4160d62da86d24ae41fae8de][110592]
Service c:\windows\system32\sessmgr.exe[729798e0933076b8fcfcd9934698f164][140800]
Service c:\windows\system32\smlogsvc.exe[8b54aa346d1b1b113ffaa75501b8b1b2][89600]
Service c:\windows\system32\spoolsv.exe[7435b108b935e42ea92ca94f59c8e717][57856]
Service c:\windows\system32\svchost.exe [8f078ae4ed187aaabc0a305146de6716][14336]
Service c:\windows\system32\ups.exe[3f5df65b0758675f95a2d43918a740a3][18432]
Service c:\windows\system32\vssvc.exe[3ee00364ae0fd8d604f46cbaf512838a][289792]
Service c:\windows\system32\wbem\wmiapsrv.exe[ba8cecc3e813e1f7c441b20393d4f86c][126464]
Startup c:\documents and settings\all users\start menu\programs\startup\desktop.ini[d6a6856702e3f0953e7246a9b4a9fe35][84]
Startup c:\documents and settings\hp_owner.your-f78bf48ce2.000\start menu\programs\startup\desktop.ini[d6a6856702e3f0953e7246a9b4a9fe35][84]
System.ini c:\windows\system32\svchost.exe [8f078ae4ed187aaabc0a305146de6716][14336]

Startup folder: (2)
Startup name: desktop.ini
Command: C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2.000\Start Menu\Programs\Startup\desktop.ini
Startup name: desktop.ini
Command: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Win.ini Startup: (1)
Path: No additional driver found!

Win.ini Startup: (1)
Path: No additional driver found!

Keyboard drivers: (1)
Name: No Keyboard Filter driver found!

Services: (101)
Service Name: .NET Runtime Optimization Service v2.0.50727_X86 [Stopped],
Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Service Name: Alerter [Stopped],
Path: C:\WINDOWS\system32\svchost.exe -k LocalService
Service Name: Apple Mobile Device [Stopped],
Path: "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
Service Name: Application Layer Gateway Service [Running],
Path: C:\WINDOWS\System32\alg.exe
Service Name: Application Management [Stopped],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: ASP.NET State Service [Stopped],
Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
Service Name: Ati HotKey Poller [Stopped],
Path: C:\WINDOWS\system32\Ati2evxx.exe
Service Name: ATI Smart [Stopped],
Path: C:\WINDOWS\system32\ati2sgag.exe
Service Name: Automatic Updates [Stopped],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Background Intelligent Transfer Service [Running],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Bonjour Service [Stopped],
Path: "C:\Program Files\Bonjour\mDNSResponder.exe"
Service Name: ClipBook [Stopped],
Path: C:\WINDOWS\system32\clipsrv.exe
Service Name: COM+ Event System [Running],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: COM+ System Application [Stopped],
Path: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
Service Name: Computer Browser [Stopped],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Cryptographic Services [Running],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: DCOM Server Process Launcher [Running],
Path: C:\WINDOWS\system32\svchost -k DcomLaunch
Service Name: DHCP Client [Running],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Distributed Link Tracking Client [Running],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Distributed Transaction Coordinator [Stopped],
Path: C:\WINDOWS\system32\msdtc.exe
Service Name: DNS Client [Running],
Path: C:\WINDOWS\system32\svchost.exe -k NetworkService
Service Name: Error Reporting Service [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: Event Log [Running],
Path: C:\WINDOWS\system32\services.exe
Service Name: Fast User Switching Compatibility [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: Fax [Stopped],
Path: C:\WINDOWS\system32\fxssvc.exe
Service Name: getPlus(R) Helper [Stopped],
Path: C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
Service Name: Help and Support [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: HID Input Service [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: HTTP SSL [Stopped],
Path: C:\WINDOWS\System32\svchost.exe -k HTTPFilter
Service Name: IMAPI CD-Burning COM Service [Stopped],
Path: C:\WINDOWS\system32\imapi.exe
Service Name: Indexing Service [Stopped],
Path: C:\WINDOWS\system32\cisvc.exe
Service Name: InstallDriver Table Manager [Stopped],
Path: "C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe"
Service Name: iPod Service [Stopped],
Path: "C:\Program Files\iPod\bin\iPodService.exe"
Service Name: IPSEC Services [Running],
Path: C:\WINDOWS\system32\lsass.exe
Service Name: Java Quick Starter [Running],
Path: "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
Service Name: Lavasoft Ad-Aware Service [Stopped],
Path: "C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"
Service Name: Logical Disk Manager [Stopped],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: Logical Disk Manager Administrative Service [Stopped],
Path: C:\WINDOWS\System32\dmadmin.exe /com
Service Name: LogMeIn [Stopped],
Path: "C:\Program Files\LogMeIn\x86\LogMeIn.exe"
Service Name: LogMeIn Maintenance Service [Stopped],
Path: "C:\Program Files\LogMeIn\x86\RaMaint.exe"
Service Name: Machine Debug Manager [Stopped],
Path: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
Service Name: Messenger [Stopped],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: MS Software Shadow Copy Provider [Stopped],
Path: C:\WINDOWS\system32\dllhost.exe /Processid:{20434C82-24BE-4DD7-A39B-AE61CD09B496}
Service Name: Net Logon [Stopped],
Path: C:\WINDOWS\system32\lsass.exe
Service Name: Net.Tcp Port Sharing Service [Stopped],
Path: "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
Service Name: NetMeeting Remote Desktop Sharing [Stopped],
Path: C:\WINDOWS\system32\mnmsrvc.exe
Service Name: Network Connections [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: Network DDE [Stopped],
Path: C:\WINDOWS\system32\netdde.exe
Service Name: Network DDE DSDM [Stopped],
Path: C:\WINDOWS\system32\netdde.exe
Service Name: Network Location Awareness (NLA) [Running],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Network Provisioning Service [Stopped],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: NT LM Security Support Provider [Stopped],
Path: C:\WINDOWS\system32\lsass.exe
Service Name: Office Source Engine [Stopped],
Path: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Service Name: Performance Logs and Alerts [Stopped],
Path: C:\WINDOWS\system32\smlogsvc.exe
Service Name: Plug and Play [Running],
Path: C:\WINDOWS\system32\services.exe
Service Name: Pml Driver HPZ12 [Stopped],
Path: C:\WINDOWS\system32\HPZipm12.exe
Service Name: Portable Media Serial Number Service [Stopped],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: Print Spooler [Running],
Path: C:\WINDOWS\system32\spoolsv.exe
Service Name: Protected Storage [Running],
Path: C:\WINDOWS\system32\lsass.exe
Service Name: QoS RSVP [Stopped],
Path: C:\WINDOWS\system32\rsvp.exe
Service Name: Remote Access Auto Connection Manager [Stopped],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Remote Access Connection Manager [Running],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Remote Desktop Help Session Manager [Stopped],
Path: C:\WINDOWS\system32\sessmgr.exe
Service Name: Remote Procedure Call (RPC) [Running],
Path: C:\WINDOWS\system32\svchost -k rpcss
Service Name: Remote Procedure Call (RPC) Locator [Stopped],
Path: C:\WINDOWS\system32\locator.exe
Service Name: Removable Storage [Stopped],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Routing and Remote Access [Stopped],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Secondary Logon [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: Security Accounts Manager [Running],
Path: C:\WINDOWS\system32\lsass.exe
Service Name: Security Center [Stopped],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: Server [Running],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Shell Hardware Detection [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: Smart Card [Stopped],
Path: C:\WINDOWS\System32\SCardSvr.exe
Service Name: SSDP Discovery Service [Running],
Path: C:\WINDOWS\system32\svchost.exe -k LocalService
Service Name: SSHNAS [Stopped],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: System Event Notification [Running],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: System Restore Service [Stopped],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Task Scheduler [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: TCP/IP NetBIOS Helper [Running],
Path: C:\WINDOWS\system32\svchost.exe -k LocalService
Service Name: Telephony [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: Terminal Services [Running],
Path: C:\WINDOWS\System32\svchost -k DComLaunch
Service Name: Themes [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: Uninterruptible Power Supply [Stopped],
Path: C:\WINDOWS\System32\ups.exe
Service Name: Universal Plug and Play Device Host [Stopped],
Path: C:\WINDOWS\system32\svchost.exe -k LocalService
Service Name: Volume Shadow Copy [Stopped],
Path: C:\WINDOWS\System32\vssvc.exe
Service Name: WebClient [Running],
Path: C:\WINDOWS\system32\svchost.exe -k LocalService
Service Name: Windows Audio [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: Windows CardSpace [Stopped],
Path: "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
Service Name: Windows Driver Foundation - User-mode Driver Framework [Stopped],
Path: C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
Service Name: Windows Firewall/Internet Connection Sharing (ICS) [Running],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Windows Image Acquisition (WIA) [Running],
Path: C:\WINDOWS\system32\svchost.exe -k imgsvc
Service Name: Windows Installer [Stopped],
Path: C:\WINDOWS\system32\msiexec.exe /V
Service Name: Windows Live OneCare Health Monitor [Running],
Path: "C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe"
Service Name: Windows Live OneCare Restore Tool [Running],
Path: C:\Program Files\Microsoft Windows OneCare Live\winss.exe
Service Name: Windows Management Instrumentation [Running],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Windows Media Player Network Sharing Service [Stopped],
Path: "C:\Program Files\Windows Media Player\WMPNetwk.exe"
Service Name: Windows Presentation Foundation Font Cache 3.0.0.0 [Stopped],
Path: c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
Service Name: Windows Time [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: Wireless Zero Configuration [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: WMI Performance Adapter [Stopped],
Path: C:\WINDOWS\system32\wbem\wmiapsrv.exe
Service Name: WORKSTATION [Running],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Finished...
Check your PM inbox.Thanks for the help Evil Fantasy, but I had to resort to doing a System Recovery.

The computer when it was restarted had become infected with a new virus that was even newer and nastier. This time it didn't allow me to open ANYTHING and my desktop was completely blank.

Luckily was able to install everything.

thanks for all your help, cya around

Discussion

4543.	Solve : Computer opportunities?
Answer» Quote he computer ran a lot faster before I installed SpyBot. If it's slowing you down the uninstall it. Quote I ran the Web Root system Analyzer and it still shows that I have the following on the computer. Virus: Mal/Generic-A Information item: Killapp I need a file path or log to know what it's complaining about. Open HijackThis and select Do a system scan only Place a check mark next to the following entries: (if there) - O23 - Service: hpdj00 - Unknown owner - C:\DOCUME~1\SEANAN~1\LOCALS~1\Temp\hpdj00.exe (file missing) Important: Close all open windows except for HijackThis and then click Fix checked. Once completed, exit HijackThis. If HJT asks to restart choose No. ---------- Open HijackThis, but instead of scanning, click on the Open the MISC tools section button at the bottom of the choices. Copy this red text -> hpdj00 In HijackThis select Delete an NT Service Paste the text into the box that opens and then click OK If you receive any error messages just ignore them and continue. Now repeat the above to delete the below Services (if you do not FIND them or get any errors, just continue): . Now exit HijackThis and reboot when it tells you it needs to.I completed the Hijack this instructions and removed the file. I don't have a log with the scan that the Web Root System Analyzer does, or a file path. Any suggestions on a product that I can do that will provide this would be greatly appreciated. I did run a Free AVG scan and I found where the Mal/Generic-A was coming from. I had a program that I use that had a dll file attached to it that it was showing up in. I was able to delete what I don't use, and it didn't appear to be a malicious file. I am assuming they were using it to collect data on how I use the product, as well it may have been an open door for the communication part of the software. I am still showing: Killapp as an information item on the computer scan though. Again that software I have doesn't provide a log or file path. None of the other programs I have bring anything up. If you have any suggestions on a product that I can use it would be greatly appreciated. I know it is not a big problem, but I would still like to get it off. Also the computer still hangs up 80% of the time when I reboot or turn off. About 30% of the time when I turn it back on it will hang up while it is trying to reboot, and I have to turn it off again. It will then ask you if you want to open in safe mode. Thank You for your help! The service that your providing is remarkable, and I will defiantly make sure others know of the help that you can offer. Scan your computer with Panda ActiveScan * Once you are on the Panda site click the Scan your PC now button. * A new window will open...click the Scan Now button. * If it wants to install an ActiveX component allow it. * It will start downloading the files it requires for the scan. (Note: It may take a couple of minutes) * You may get a warning from Internet Explorer that Panda is ready to install, please allow it. * The scan will begin. Please be patient as it can take an hour or more to complete. * When the scan completes, if anything malicious is detected, click the Export to: button (looks like a little Notepad). * Save the ActiveScan.txt to a convenient location like your desktop. * Note: You do not need to select any of the Disinfect options. We will remove any threats manually. * Post the contents of the ActiveScan report in your next reply.I started to run the Panda scan sometime around 11:00 am yesterday. I know that you said to be patient, but it is still running this morning. It says that is is only 23% complete and this is the rest: Item in progress: c:\windows\installer\275bd898.msp[unk_4165] (it is still counting) Files scanned: 542764 Files infected: 3 Suspicious files detected: 2 Vulnerabilities detected: 0 Do I need to just allow it to keep going?The computer just shut down while it was scanning, and I was doing some work. The security essentials popped up and said the computer was not protected and then the screen went blank and then came back up saying it was shutting down but hung up in the process. I turned it off and back on, but have now lost the scan. This should work better. ESET Online Scan Scan your computer with the ESET FREE Online Virus Scan * Click the ESET Online Scanner button. * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps) * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop * Double click on the esetsmartinstaller_enu.exe icon on your desktop. * Place a check mark next to YES, I accept the Terms of Use. * Click the Start button. * Accept any security warnings from your browser. * Leave the check mark next to Remove found threats and place a check next to Scan archives. * Click the Start button. * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time. * When the scan completes, click List of found threats. * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply. * Click the <<Back button then click FINISH. In your next reply please include the ESET Online Scan LogI went ahead and re-ran the panda scan, and for whatever reason it made it way through it. It only picked up 2 files vs 3 when it shut down, but I am posting the log. Thank You for all your help. ;******************************************************************************************* ANALYSIS: 2010-02-18 18:23:52 PROTECTIONS: 1 MALWARE: 1 SUSPECTS: 2 ;***************************************************************************************** PROTECTIONS Description Version Active Updated ;================================================================================== Microsoft Security Essentials 2.0.6212.0 Yes Yes ;================================================================================== MALWARE Id Description Type Active Severity Disinfectable Disinfected Location ;================================================================================== 03009106 W32/Xor-encoded.A Virus No 0 Yes No c:\documents and settings\all users\application data\microsoft\microsoft antimalware\localcopy\{728d2b6c-ef40-5718-e9f9-d749100268b3}-acssetup.exe 03009106 W32/Xor-encoded.A Virus No 0 Yes No c:\documents and settings\all users\application data\microsoft\microsoft antimalware\localcopy\{6b6dd3c2-8578-db28-2ff5-d6fa577e5b20}-acssetup.exe ;================================================================================== SUSPECTS Sent Location ;================================================================================== No c:\documents and settings\sean and wylene\my documents\antivirus\spiceworks.exe No c:\system volume information\_restore{38619354-a30c-4aa1-999e-c6e4474b633e}\rp10\a0001944.dll ;================================================================================== VULNERABILITIES Id Severity Description ;==================================================================================That's a false positive so nothing to worry about. Disable/Enable the System Restore Utility to flush old infected restore points 1) Right click the My Computer icon on the Desktop and click on Properties. 2) Click on the System Restore tab. 3) Put a check mark next to Turn off System Restore on All Drives 4) Click the OK button. 5) You will be prompted to restart the computer. Click the Yes button. Now re-enable System Restore To re-enable the System Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'. 1) Right click the My Computer icon on the Desktop and click on Properties. 2) Click on the System Restore tab. 3) Remove the check mark next to Turn off System Restore on All Drives 4) Click the OK button. ---------- Use the Secunia Software Inspector** to check for out of date software. * Click Start Now * Check the box next to Enable thorough system inspection. * Click Start * Allow the scan to finish and scroll down to see if any updates are needed. * Update anything listed. ---------- Go to Microsoft Windows Update and get all critical updates. ---------- If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page. ---------- I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant AMOUNT of resources (except a little disk space) until you run a scan. I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free. SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox. * Using SpywareBlaster to protect your computer from Spyware and Malware * If you don't know what ActiveX controls are, see here Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.I appreciate everything that you all have done to help me. This has been one of the best experiences that I have ever had, and to imagine it was all free. In the computer world where most peoples knowledge is limited it is hard to trust anyone to give you advice let alone free advice. You all take it to another level and ad the service as well. Not sure I understand the business model, but I hope that you all are getting everything you are looking for, and if there is anything that I can help you with to return the favor please just ask. I will definitely make sure anyone that I come across that needs help in the computer world is given the information to your site. I wish you all the best in your endeavors. Hands down the best experience in service and advice that I have ever experienced. SRoseYour very welcome. Safe surfing...

4543.

Solve : Computer opportunities?

Answer»

Quote

he computer ran a lot faster before I installed SpyBot.

If it's slowing you down the uninstall it.

Quote

I ran the Web Root system Analyzer and it still shows that I have the following on the computer.

Virus: Mal/Generic-A
Information item: Killapp

I need a file path or log to know what it's complaining about.

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

- O23 - Service: hpdj00 - Unknown owner - C:\DOCUME~1\SEANAN~1\LOCALS~1\Temp\hpdj00.exe (file missing)

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

If HJT asks to restart choose No.

----------

Open HijackThis, but instead of scanning, click on the Open the MISC tools section button at the bottom of the choices.

Copy this red text -> hpdj00

In HijackThis select Delete an NT Service
Paste the text into the box that opens and then click OK
If you receive any error messages just ignore them and continue.
Now repeat the above to delete the below Services (if you do not FIND them or get any errors, just continue):

.
Now exit HijackThis and reboot when it tells you it needs to.I completed the Hijack this instructions and removed the file.

I don't have a log with the scan that the Web Root System Analyzer does, or a file path. Any suggestions on a product that I can do that will provide this would be greatly appreciated.

I did run a Free AVG scan and I found where the Mal/Generic-A was coming from. I had a program that I use that had a dll file attached to it that it was showing up in. I was able to delete what I don't use, and it didn't appear to be a malicious file. I am assuming they were using it to collect data on how I use the product, as well it may have been an open door for the communication part of the software.

I am still showing: Killapp as an information item on the computer scan though. Again that software I have doesn't provide a log or file path. None of the other programs I have bring anything up. If you have any suggestions on a product that I can use it would be greatly appreciated. I know it is not a big problem, but I would still like to get it off.

Also the computer still hangs up 80% of the time when I reboot or turn off. About 30% of the time when I turn it back on it will hang up while it is trying to reboot, and I have to turn it off again. It will then ask you if you want to open in safe mode.

Thank You for your help! The service that your providing is remarkable, and I will defiantly make sure others know of the help that you can offer.

Scan your computer with Panda ActiveScan

* Once you are on the Panda site click the Scan your PC now button.
* A new window will open...click the Scan Now button.
* If it wants to install an ActiveX component allow it.
* It will start downloading the files it requires for the scan. (Note: It may take a couple of minutes)
* You may get a warning from Internet Explorer that Panda is ready to install, please allow it.
* The scan will begin. Please be patient as it can take an hour or more to complete.
* When the scan completes, if anything malicious is detected, click the Export to: button (looks like a little Notepad).
* Save the ActiveScan.txt to a convenient location like your desktop.
* Note: You do not need to select any of the Disinfect options. We will remove any threats manually.

* Post the contents of the ActiveScan report in your next reply.I started to run the Panda scan sometime around 11:00 am yesterday. I know that you said to be patient, but it is still running this morning. It says that is is only 23% complete and this is the rest:

Item in progress: c:\windows\installer\275bd898.msp[unk_4165] (it is still counting)
Files scanned: 542764
Files infected: 3
Suspicious files detected: 2
Vulnerabilities detected: 0

Do I need to just allow it to keep going?The computer just shut down while it was scanning, and I was doing some work. The security essentials popped up and said the computer was not protected and then the screen went blank and then came back up saying it was shutting down but hung up in the process. I turned it off and back on, but have now lost the scan. This should work better.

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click FINISH.

In your next reply please include the ESET Online Scan LogI went ahead and re-ran the panda scan, and for whatever reason it made it way through it. It only picked up 2 files vs 3 when it shut down, but I am posting the log. Thank You for all your help.

;*********************************************************************************************
ANALYSIS: 2010-02-18 18:23:52
PROTECTIONS: 1
MALWARE: 1
SUSPECTS: 2
;*********************************************************************************************
PROTECTIONS
Description Version Active Updated
;==================================================================================
Microsoft Security Essentials 2.0.6212.0 Yes Yes
;==================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;==================================================================================
03009106 W32/Xor-encoded.A Virus No 0 Yes No c:\documents and settings\all users\application data\microsoft\microsoft antimalware\localcopy\{728d2b6c-ef40-5718-e9f9-d749100268b3}-acssetup.exe
03009106 W32/Xor-encoded.A Virus No 0 Yes No c:\documents and settings\all users\application data\microsoft\microsoft antimalware\localcopy\{6b6dd3c2-8578-db28-2ff5-d6fa577e5b20}-acssetup.exe
;==================================================================================
SUSPECTS
Sent Location
;==================================================================================
No c:\documents and settings\sean and wylene\my documents\antivirus\spiceworks.exe
No c:\system volume information\_restore{38619354-a30c-4aa1-999e-c6e4474b633e}\rp10\a0001944.dll
;==================================================================================
VULNERABILITIES
Id Severity Description
;==================================================================================That's a false positive so nothing to worry about.

Disable/Enable the System Restore Utility to flush old infected restore points

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Put a check mark next to Turn off System Restore on All Drives
4) Click the OK button.
5) You will be prompted to restart the computer. Click the Yes button.

Now re-enable System Restore

To re-enable the System Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Remove the check mark next to Turn off System Restore on All Drives
4) Click the OK button.

----------

Use the Secunia Software Inspector to check for out of date software.

* Click Start Now
* Check the box next to Enable thorough system inspection.
* Click Start
* Allow the scan to finish and scroll down to see if any updates are needed.
* Update anything listed.

----------

Go to Microsoft Windows Update and get all critical updates.

----------

If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.

----------

I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant AMOUNT of resources (except a little disk space) until you run a scan.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.I appreciate everything that you all have done to help me. This has been one of the best experiences that I have ever had, and to imagine it was all free. In the computer world where most peoples knowledge is limited it is hard to trust anyone to give you advice let alone free advice. You all take it to another level and ad the service as well. Not sure I understand the business model, but I hope that you all are getting everything you are looking for, and if there is anything that I can help you with to return the favor please just ask.

I will definitely make sure anyone that I come across that needs help in the computer world is given the information to your site. I wish you all the best in your endeavors.

Hands down the best experience in service and advice that I have ever experienced.

SRoseYour very welcome.

Safe surfing...

Discussion

4544.	Solve : infected atapi.sys file?
Answer» received a warning from avg that atapi.sys had a trojan horse rootkit agent EF this was not found by malwarebyte. checked http://virusscan.jotti.org/ and found this file had several infections. now i cant delete atapi.sys but i do have a clean file i could use (and registry keys), was wondering if anyone knew how to replace old atapi.sys with new one (cannot find windows installation cd ) or is their an easier way to replace this file using combofix (already used this to clean file but still infected). any help greatly appreciatedQuote now i cant delete atapi.sys but i do have a clean file i could use (and registry keys), was wondering if anyone knew how to replace old atapi.sys with new one (cannot find windows installation cd ) DO NOT delete it! Your computer will no longer boot. If you already have ComboFix be sure to delete it and download a new copy. Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop. Link #1 Link #2 Note: It is important that it is saved directly to your Desktop Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix. Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them. Double click combofix.exe & follow the prompts. Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it) When finished ComboFix will produce a log for you. Post the ComboFix log in your next reply. Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall. Remember to re-enable your antivirus and antispyware protection when ComboFix is complete. If you have problems with ComboFix usage, see How to use ComboFix*thanks for reply here is combofix log (had already downloaded version from where you suggested earlier today) ComboFix 10-02-19.04 - Owner 0-Feb-2010 15:25:29.1.1 - x86 Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe AV: AVG Anti-Virus Free On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Owner\Application Data\BITS c:\documents and settings\Owner\Application Data\BITS\BITS.ini c:\documents and settings\Owner\Application Data\BITS\DHTTable.dat c:\documents and settings\Owner\Application Data\BITS\pl.dat c:\documents and settings\Owner\Application Data\BITS\ProxyList.ini c:\documents and settings\Owner\Application Data\FlashGetBHO c:\documents and settings\Owner\Application Data\FlashGetBHO\FlashGetBHO3.dll c:\documents and settings\Owner\Application Data\FlashGetBHO\GetAllUrl.htm c:\documents and settings\Owner\Application Data\FlashGetBHO\GetUrl.htm c:\documents and settings\Owner\Start Menu\Programs\Mafia C:\Documents C:\System c:\windows\Downloaded Program Files\dlhelper.dll c:\windows\Mafia c:\windows\struct~.ini c:\windows\system32\18467.exe c:\windows\system32\6334.exe c:\windows\system32\iAlmcoin.dll c:\windows\system32\ps2.bat c:\windows\system32\secustat.dat D:\Autorun.inf . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_NET_MESSAGE_SERVICE ((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 ))))))))))))))))))))))))))))))) . 2010-02-20 10:14 . 2010-02-20 10:14--------d-----w-C:\Team17 2010-02-16 23:05 . 2010-02-17 00:14--------d-----w-c:\documents and settings\All Users\Application Data\NCH Swift Sound 2010-02-16 23:05 . 2010-02-17 00:14--------d-----w-c:\program files\NCH Swift Sound 2010-02-08 23:56 . 2010-02-08 23:56--------d-----w-c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert 2010-02-08 23:24 . 2010-02-08 23:57--------d---a-w-c:\documents and settings\All Users\Application Data\TEMP 2010-02-08 22:20 . 2010-02-08 22:20--------d-----w-c:\documents and settings\Owner\Application Data\Malwarebytes 2010-02-08 22:20 . 2010-01-07 16:0738224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys 2010-02-08 22:20 . 2010-02-08 22:20--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes 2010-02-08 22:20 . 2010-01-07 16:0719160----a-w-c:\windows\system32\drivers\mbam.sys 2010-02-08 22:20 . 2010-02-08 22:20--------d-----w-c:\program files\Malwarebytes' Anti-Malware 2010-02-08 20:54 . 2010-02-09 10:08--------d-----w-c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-02-03 13:45 . 2010-02-08 20:54--------d-----w-c:\documents and settings\All Users\Application Data\TuneUp Software 2010-02-03 13:31 . 2010-02-03 13:32--------d-----w-c:\documents and settings\Owner\Application Data\HpUpdate . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-02-20 15:10 . 2009-11-11 09:40--------d-----w-c:\documents and settings\Owner\Application Data\vlc 2010-02-20 10:14 . 2003-01-01 10:50--------d--h--w-c:\program files\InstallShield Installation Information 2010-02-17 11:50 . 2007-10-01 13:18--------d-----w-c:\documents and settings\Owner\Application Data\uTorrent 2010-02-16 23:07 . 2006-08-26 22:08--------d-----w-c:\documents and settings\Owner\Application Data\NCH Swift Sound 2010-02-13 13:12 . 2004-04-22 17:38--------d-----w-c:\program files\Common Files\Adobe 2010-02-06 19:46 . 2009-12-13 10:19--------d-----w-c:\program files\The KMPlayer 2010-02-03 16:51 . 2003-01-01 10:05--------d-----w-c:\program files\HP 2010-02-03 13:31 . 2003-01-01 10:05--------d-----w-c:\program files\Hewlett-Packard 2010-02-03 13:21 . 2004-04-23 07:2755176-c--a-w-c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-12-21 19:14 . 2004-02-06 17:05916480----a-w-c:\windows\system32\wininet.dll 2009-11-27 14:17 . 2009-11-27 14:17134072----a-w-c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat 2009-11-27 13:52 . 2009-11-27 13:52721904----a-w-c:\windows\system32\drivers\sptd.sys 2006-02-21 14:59 . 2006-02-21 14:59524300-c--a-w-c:\program files\position.bin 2005-02-25 20:21 . 2005-02-25 20:211179648-c--a-w-c:\program files\book.bin 2004-05-06 12:11 . 2005-02-07 10:36777-c--a-w-c:\program files\trial_setup.ini 2004-04-23 14:22 . 2004-04-23 14:220-csha-w-c:\windows\SMINST\HPCD.sys 2005-06-11 13:14 . 2005-03-24 10:5856-csh--r-c:\windows\system32\71E772F4EB.sys 2005-07-14 18:31 . 2006-05-24 16:3727648-csha-w-c:\windows\system32\AVSredirect.dll 2005-06-26 21:32 . 2006-05-08 17:07616448-csha-r-c:\windows\system32\cygwin1.dll 2005-06-22 04:37 . 2006-05-24 16:3745568-csha-r-c:\windows\system32\cygz.dll 2006-08-04 08:30 . 2004-08-13 21:5213146-csha-w-c:\windows\system32\KGyGaAvL.sys . ------- Sigcheck ------- [7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys [-] 2008-04-13 18:40 . B0FBED8C149D3D9E08962A8E8E864F79 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys [7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys [-] 2003-09-23 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\$NtUninstallQ331958$\atapi.sys [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys [7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys [7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys [-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys [7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys [7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys [7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys [7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys [-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys [-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys [-] 2006-08-19 . DE891AD282E856ACFD40990094A63B6F . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys [-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys [-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys [-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys [-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys [-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys [7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488] [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}] 2009-10-16 12:121119488----a-w-c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488] [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Acme.PCHButton"="c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe" [2003-01-01 159744] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992] "PS2"="c:\windows\system32\ps2.exe" [2002-07-31 81920] "SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-11-10 22:4312464----a-w-c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProvidersmsapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk] backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^blueyonder Instant Support Tool.lnk] backup=c:\windows\pss\blueyonder Instant Support Tool.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk] backup=c:\windows\pss\Post-it® Software Notes Lite.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Æô¶¯·ÉËÙÍÁ¶¹.lnk] backup=c:\windows\pss\Æô¶¯·ÉËÙÍÁ¶¹.lnkStartup HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kgsystray HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\POEngine HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TudouVAStart HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton] 2003-01-01 11:13159744-c--a-w-c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2009-12-11 15:57948672----a-r-c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2009-12-22 01:5735760----a-w-c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2008-04-14 00:1215360------w-c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds] 2003-04-07 07:07114688----a-w-c:\windows\system32\hkcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD] 2003-02-11 20:0261440----a-w-c:\hp\KBD\kbd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler] 2004-01-28 08:19159744-c--a-w-c:\program files\Saitek\Software\Profiler.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE] 2007-08-07 00:05200704-c--a-w-c:\program files\PowerISO\PWRISOVM.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiSmart] 2004-01-28 08:1998304-c--a-w-c:\program files\Saitek\Software\SaiSmart.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] 2007-04-16 15:28577536----a-w-c:\windows\soundman.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2007-03-14 03:4383608-c--a-w-c:\program files\Java\jre1.6.0_01\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "iPodService"=3 (0x3) "UserAccess7"=2 (0x2) "MDM"=2 (0x2) "Net message Service"=2 (0x2) "KService"=2 (0x2) "iPod Service"=3 (0x3) "Apple Mobile Device"=2 (0x2) "WLSetupSvc"=3 (0x3) "idsvc"=3 (0x3) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "Acme.PCHButton"=c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe "ctfmon.exe"=c:\windows\system32\CTFMON.EXE "NVIEW"=rundll32.exe nview.dll,nViewLoadHook [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "OneTouch Monitor"="c:\program files\Xerox One Touch\OneTouchMon.exe" "SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_06\bin\jusched.exe "InstantAccess"=c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h "IndexSearch"=c:\program files\Scansoft\PaperPort\IndexSearch.exe "nwiz"=nwiz.exe /installquiet /keeploaded /nodetect "AlcxMonitor"=ALCXMNTR.EXE "HPHmon05"=c:\windows\System32\hphmon05.exe "NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"= "c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"= "c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"= "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"= "c:\\Program Files\\Opera\\opera.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "7354:TCP"= 7354:TCP:ppLive "6461:UDP"= 6461:UDP:ppLive "21780:TCP"= 21780:TCP:BitComet 21780 TCP "21780:UDP"= 21780:UDP:BitComet 21780 UDP "6881:TCP"= 6881:TCP:BitComet 6881 TCP "6881:UDP"= 6881:UDP:BitComet 6881 UDP R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27-Nov-2009 13:52 721904] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10-Nov-2009 21:46 333192] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10-Nov-2009 21:46 360584] R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10-Nov-2009 22:42 906520] R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10-Nov-2009 22:42 285392] R3 JakNDis;Jaksta Service;c:\windows\system32\drivers\JakNDis.sys [29-Aug-2008 07:57 26656] R3 SaiH0109;SaiH0109;c:\windows\system32\drivers\SaiH0109.sys [26-Jul-2004 11:54 55936] R3 SaiU0109;SaiU0109;c:\windows\system32\drivers\SaiU0109.sys [26-Jul-2004 11:54 19456] S1 etqmhlnl;etqmhlnl;\??\c:\windows\system32\drivers\etqmhlnl.sys --> c:\windows\system32\drivers\etqmhlnl.sys [?] S1 xrhdbctp;xrhdbctp;\??\c:\windows\system32\drivers\xrhdbctp.sys --> c:\windows\system32\drivers\xrhdbctp.sys [?] S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [28-Sep-2006 11:08 16512] S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23-Dec-2008 15:35 50704] S3 zlportio;zlportio;\??\c:\windows\Temp\tmp000041190\zlportio.sys --> c:\windows\Temp\tmp000041190\zlportio.sys [?] . Contents of the 'Scheduled Tasks' folder 2010-02-16 c:\windows\Tasks\mixpadSevenDaysInit.job - c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05] 2010-02-18 c:\windows\Tasks\mixpadShakeIcon.job - c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05] 2009-04-08 c:\windows\Tasks\shutdown.job - c:\windows\system32\shutdown.exe [2003-01-01 00:12] 2010-02-18 c:\windows\Tasks\wavepadShakeIcon.job - c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-02-16 23:05] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.ask.com?o=15187&l=dis uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 mSearch Bar = hxxp://srch-qgb10.hpwis.com/ uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = 127.0.0.1 uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/keyword/%s Trusted Zone: apple.com\phobos Trusted Zone: apple.com\www Trusted Zone: barclaycard.co.uk\www Trusted Zone: buy-internetsecurity10.com Trusted Zone: buy-is2010.com Trusted Zone: capitalfm.com\www Trusted Zone: denness.net\tracker Trusted Zone: is-software-download.com Trusted Zone: is-software-download25.com Trusted Zone: is10-soft-download.com Trusted Zone: mlb.com\mlb Trusted Zone: buy-internetsecurity10.com Trusted Zone: buy-is2010.com DPF: Microsoft XML Parser for Java DPF: PCPitstop-Tracks-Checker - hxxp://www.pcpitstop.com/privacy/PCPTracks.cab DPF: {AA44D0B1-B2B4-4BCC-B710-CB45C6C2C270} - file:///C:/CoralGreyhoundInstallation/GreyhoundsViewer.ocx . - - - - ORPHANS REMOVED - - - - BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file) Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file) MSConfigStartUp-goxtRTinQ - setrsptb.exe MSConfigStartUp-Motive SmartBridge - c:\progra~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe MSConfigStartUp-xFEj33O - shlhupnp.exe ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-02-20 15:37 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys atapi.sys sprz.sys >>UNKNOWN [0x82EA8938]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xf84e3f28 \Driver\ACPI -> ACPI.sys @ 0xf833dcb8 \Driver\atapi -> prosync1.sys @ 0xf89a76c1 IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15 \Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15 NDIS: -> SendCompleteHandler -> 0x0 PacketIndicateHandler -> 0x0 SendHandler -> 0x0 user & kernel MBR OK ************************************************************************ . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-1002633438-1285766612-3330700345-1003\Software\Genie"!\FM Genie Scout 2008] "GameDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games" "ShortlistDir"="" "ScreenshotsDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008" "SaveDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\" "HistoryDir"="c:\\Documents and Settings\\Owner\\Desktop\\New Folder (2)\\New Folder\\FM Genie Scout 2008\\History Points" "LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2008\\data\\updates\\update-802\\db\\802\\lang_db.dat" "LastSaveGame"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games\\burnley2.fm" "Language"="English" "LoadLangDB"=dword:00000001 "CompressHistoryPoints"=dword:00000000 "HighlightedAttributes"=dword:00000000 "MinCondition"=dword:00000032 "SkinID"=dword:00000001 "LastUpdateCheck"=dword:00000000 "HighQualityGUI"=dword:00000001 "AutomaticallyUpdateCheck"=dword:00000001 "AdvancedGeneration"=dword:00000000 "TranslateStaffSkills"=dword:00000001 "TranslatePlayerSkills"=dword:00000001 "TranslatePositions"=dword:00000001 "ShowHistory"=dword:00000001 "WindowState"=dword:00000002 "Currency"=dword:00000056 "WindowHeight"=dword:0000026d "WindowWidth"=dword:000003fc "WindowLeft"=dword:00000002 "WindowTop"=dword:0000004a "UseProxy"=dword:00000000 "ProxyHost"="" "ProxyPort"="" "UseAuthentication"=dword:00000000 "UserName"="" "UserPassword"="" --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(896) c:\windows\System32\Ati2evxx.dll - - - - - - - > 'explorer.exe'(1432) c:\windows\system32\WININET.dll c:\progra~1\WINDOW~2\wmpband.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\Ati2evxx.exe c:\program files\AVG\AVG9\avgrsx.exe c:\program files\AVG\AVG9\avgcsrvx.exe c:\windows\system32\LEXBCES.EXE c:\windows\System32\Ati2evxx.exe c:\program files\AVG\AVG9\avgnsx.exe c:\program files\AVG\AVG9\avgcsrvx.exe c:\windows\System32\logon.scr . *********************************************************************** . Completion time: 2010-02-20 15:48:21 - machine was rebooted ComboFix-quarantined-files.txt 2010-02-20 15:48 Pre-Run: 31,553,204,224 bytes free Post-Run: 31,483,396,096 bytes free - - End Of File - - C3400B7FC6FEF597D794892895B05586 Please go to Jotti's malware scan** (If more than one file needs scanned they must be done separately and logs posted for each one) * Copy the file path in the below Code box: Code: [Select]c:\windows\system32\drivers\xrhdbctp.sys* At the upload site, click once inside the window next to Browse. * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window. * Next click Submit file * Your file will possibly be entered into a queue which normally takes less than a minute to clear. * This will perform a scan across multiple different virus scanning engines. * Important: Wait for all of the scanning engines to complete. * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply. Also scan this file and post the link to the results. Code: [Select]c:\windows\system32\drivers\etqmhlnl.sys ---------- Download GMER Rootkit Detector and save it your desktop. * EXTRACT it to your desktop and double-click GMER.exe * Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All". * Click the Rootkit tab and then Scan. * Don't check the Show All box while scanning in progress! * When scanning is finished click Copy. * This copies the log to clipboard * Post the log in your reply.tried doing what u suggested but on that website it just says that ive specified one or more files that could not be found. those two files dont exist anymore - have no idea why searching them only finds C:\WINDOWS\system32\MpEngineStore\RebootActions\xrhdbctp.dat - did a check on this filepath - http://virusscan.jotti.org/en-GB/scanresult/90cfb4f593083172c1c9abf7cb5d557ebb7c7dd7 and the second one is exactly the same C:\WINDOWS\system32\MpEngineStore\RebootActions\etqmhlnl.dat - http://virusscan.jotti.org/en-GB/scanresult/237b4d2126087569093d75d59bfbed8e07d3ece1 both scans reveal nothing found as for the GMER log -- have started scan - hopefully wont take much longer will post log shortly thanks for your help its much appreciated! How is the GMER scan coming? Be sure to do this. Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".ok so while i was doing the gmer scan the power for the whole neighbourhood went out - great now eventually here is the log obvious issue with atapi.sys which i.m still getting warnings about hope you can help (will be offline for a few hours while i get some sleep (2am in uk) GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-02-21 01:46:28 Windows 5.1.2600 Service Pack 3 Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fgtdapoc.sys ---- System - GMER 1.0.15 ---- SSDT spit.sys ZwCreateKey [0xF837E0E0] SSDT spit.sys ZwEnumerateKey [0xF839CCA4] SSDT spit.sys ZwEnumerateValueKey [0xF839D032] SSDT spit.sys ZwOpenKey [0xF837E0C0] SSDT spit.sys ZwQueryKey [0xF839D10A] SSDT spit.sys ZwQueryValueKey [0xF839CF8A] SSDT spit.sys ZwSetValueKey [0xF839D19C] INT 0x62 ? 82EF6BF8 INT 0x82 ? 82EF6BF8 INT 0x83 ? 82C4CBF8 INT 0xA4 ? 82C4CBF8 INT 0xB4 ? 82C4CBF8 ---- Kernel code sections - GMER 1.0.15 ---- .text ntoskrnl.exe!_abnormal_termination + 169 804E27C5 3 Bytes [CC, 39, F8] {INT 3 ; CMP EAX, EDI} ? spit.sys The system cannot find the file specified. ! .rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF83057A4] .text USBPORT.SYS!DllUnload F78588AC 5 Bytes JMP 82C4C1D8 ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82EF82D8 IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F83AFC4C] spit.sys IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F83AFCA0] spit.sys IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82C4C2D8 IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F838EE9C] spit.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 82EF51F8 Device \FileSystem\Fastfat \FatCdrom 82C041F8 AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device \Driver\NetBT \Device\NetBT_Tcpip_{B9CCBD70-9E0C-484E-9FF4-5963A29B4F59} 82B16500 Device \Driver\usbuhci \Device\USBPDO-0 82C4B1F8 Device \Driver\usbuhci \Device\USBPDO-1 82C4B1F8 Device \Driver\usbuhci \Device\USBPDO-2 82C4B1F8 Device \Driver\usbehci \Device\USBPDO-3 82C29500 Device \Driver\NetBT \Device\NetBT_Tcpip_{FD9B5674-C527-4B71-ABEA-C86624BE26AD} 82B16500 AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device \Driver\prodrv06 \Device\ProDrv06 E1D06008 Device \Driver\Ftdisk \Device\HarddiskVolume1 82E891F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 82E891F8 Device \Driver\Cdrom \Device\CdRom0 82B431F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F82F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdePort0 [F82F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdePort1 [F82F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F82F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\prohlp02 \Device\ProHlp02 E1008360 Device \Driver\NetBT \Device\NetBt_Wins_Export 82B16500 Device \Driver\NetBT \Device\NetbiosSmb 82B16500 AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device \Driver\usbuhci \Device\USBFDO-0 82C4B1F8 Device \Driver\usbuhci \Device\USBFDO-1 82C4B1F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 829581F8 Device \Driver\usbuhci \Device\USBFDO-2 82C4B1F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 829581F8 Device \Driver\usbehci \Device\USBFDO-3 82C29500 Device \Driver\Ftdisk \Device\FtControl 82E891F8 Device \FileSystem\Fastfat \Fat 82C041F8 AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) Device \FileSystem\Cdfs \Cdfs 823DB1F8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[emailprotected] 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[emailprotected] 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[emailprotected] 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[emailprotected] 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[emailprotected] 0x58 0x00 0x6B 0x85 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\[emailprotected] 0 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\[emailprotected] 0x58 0x00 0x6B 0x85 ... ---- Files - GMER 1.0.15 ---- File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification ---- EOF - GMER 1.0.15 ---- Quote hope you can help (will be offline for a few hours while i get some sleep (2am in uk) No worries. Get some rest so you can have a clear head. I'll be around whenever you get back to it. 1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad. 2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C Code: [Select]KillAll:: FCopy:: c:\windows\$NtServicePackUninstall$\atapi.sys \| c:\windows\system32\drivers\atapi.sys c:\windows\$NtServicePackUninstall$\tcpip.sys \| c:\windows\system32\dllcache\tcpip.sys c:\windows\$NtServicePackUninstall$\tcpip.sys \| c:\windows\system32\drivers\tcpip.sys 3. Go to the Notepad window and click Edit > Paste 4. Then click File > Save 5. Name the file CFScript.txt - Save the file to your Desktop 6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully! ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply. Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze =---------- RootRepeal - Rootkit Detector * Download the following tool: RootRepeal - Rootkit Detector * Direct download link is here: RootRepeal.zip * Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan. * Click this link to see a list of such programs and how to disable them. * Extract the program file to a new folder such as C:\RootRepeal * Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button. * Select ALL of the checkboxes and then click OK and it will start scanning your system. * If you have multiple drives you only need to check the C: drive or the one Windows is installed on. * When done, click on Save Report * Save it to the same location where you ran it from, such as C:RootRepeal * Save it as rootrepeal.txt * Then open that log and select all and copy/paste it back on your next reply please. * Close RootRepeal. ---------- Next post please add: New ComboFix log RootRepeal log ok so the atapi.sys file seems to be clean now after that combo fix tried doing the rootrepeal exactly as you showed but grey block comes up saying please wait, initializing - this stays the same for over 20 mins (i gave up) page file maxxes out and cpu usage is 100% for all this time - so maybe i need to be more patient but it seemed unneccessary to hog so much resources for all that time (could have gone on forever) i hope you can tell me if there's anything else i can do as an alternative, and whether the combofix log below shows up any other problems. thanks again. ComboFix 10-02-19.04 - Owner 1-Feb-2010 9:37.2.1 - x86 Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt AV: AVG Anti-Virus Free On-access scanning enabled (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . --------------- FCopy --------------- c:\windows\$NtServicePackUninstall$\atapi.sys --> c:\windows\system32\drivers\atapi.sys c:\windows\$NtServicePackUninstall$\tcpip.sys --> c:\windows\system32\dllcache\tcpip.sys c:\windows\$NtServicePackUninstall$\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys . ((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 ))))))))))))))))))))))))))))))) . 2010-02-21 09:27 . 2004-08-04 05:0095360----a-w-C:\atapi.sys 2010-02-20 16:06 . 2010-02-20 16:06--------d-----w-c:\documents and settings\Owner\Application Data\AVG9 2010-02-20 10:14 . 2010-02-20 10:14--------d-----w-C:\Team17 2010-02-16 23:05 . 2010-02-17 00:14--------d-----w-c:\documents and settings\All Users\Application Data\NCH Swift Sound 2010-02-16 23:05 . 2010-02-17 00:14--------d-----w-c:\program files\NCH Swift Sound 2010-02-08 23:56 . 2010-02-08 23:56--------d-----w-c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert 2010-02-08 23:24 . 2010-02-08 23:57--------d---a-w-c:\documents and settings\All Users\Application Data\TEMP 2010-02-08 22:20 . 2010-02-08 22:20--------d-----w-c:\documents and settings\Owner\Application Data\Malwarebytes 2010-02-08 22:20 . 2010-01-07 16:0738224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys 2010-02-08 22:20 . 2010-02-08 22:20--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes 2010-02-08 22:20 . 2010-01-07 16:0719160----a-w-c:\windows\system32\drivers\mbam.sys 2010-02-08 22:20 . 2010-02-08 22:20--------d-----w-c:\program files\Malwarebytes' Anti-Malware 2010-02-08 20:54 . 2010-02-09 10:08--------d-----w-c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-02-03 13:45 . 2010-02-08 20:54--------d-----w-c:\documents and settings\All Users\Application Data\TuneUp Software 2010-02-03 13:31 . 2010-02-03 13:32--------d-----w-c:\documents and settings\Owner\Application Data\HpUpdate . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-02-20 19:03 . 2009-11-11 09:40--------d-----w-c:\documents and settings\Owner\Application Data\vlc 2010-02-20 10:14 . 2003-01-01 10:50--------d--h--w-c:\program files\InstallShield Installation Information 2010-02-17 11:50 . 2007-10-01 13:18--------d-----w-c:\documents and settings\Owner\Application Data\uTorrent 2010-02-16 23:07 . 2006-08-26 22:08--------d-----w-c:\documents and settings\Owner\Application Data\NCH Swift Sound 2010-02-13 13:12 . 2004-04-22 17:38--------d-----w-c:\program files\Common Files\Adobe 2010-02-06 19:46 . 2009-12-13 10:19--------d-----w-c:\program files\The KMPlayer 2010-02-03 16:51 . 2003-01-01 10:05--------d-----w-c:\program files\HP 2010-02-03 13:31 . 2003-01-01 10:05--------d-----w-c:\program files\Hewlett-Packard 2010-02-03 13:21 . 2004-04-23 07:2755176-c--a-w-c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-12-21 19:14 . 2004-02-06 17:05916480------w-c:\windows\system32\wininet.dll 2009-11-27 14:17 . 2009-11-27 14:17134072----a-w-c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat 2009-11-27 13:52 . 2009-11-27 13:52721904----a-w-c:\windows\system32\drivers\sptd.sys 2006-02-21 14:59 . 2006-02-21 14:59524300-c--a-w-c:\program files\position.bin 2005-02-25 20:21 . 2005-02-25 20:211179648-c--a-w-c:\program files\book.bin 2004-05-06 12:11 . 2005-02-07 10:36777-c--a-w-c:\program files\trial_setup.ini 2004-04-23 14:22 . 2004-04-23 14:220-csha-w-c:\windows\SMINST\HPCD.sys 2005-06-11 13:14 . 2005-03-24 10:5856-csh--r-c:\windows\system32\71E772F4EB.sys 2005-07-14 18:31 . 2006-05-24 16:3727648-csha-w-c:\windows\system32\AVSredirect.dll 2005-06-26 21:32 . 2006-05-08 17:07616448-csha-r-c:\windows\system32\cygwin1.dll 2005-06-22 04:37 . 2006-05-24 16:3745568-csha-r-c:\windows\system32\cygz.dll 2006-08-04 08:30 . 2004-08-13 21:5213146-csha-w-c:\windows\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488] [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}] 2009-10-16 12:121119488----a-w-c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488] [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Acme.PCHButton"="c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe" [2003-01-01 159744] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992] "PS2"="c:\windows\system32\ps2.exe" [2002-07-31 81920] "SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-11-10 22:4312464----a-w-c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProvidersmsapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk] backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^blueyonder Instant Support Tool.lnk] backup=c:\windows\pss\blueyonder Instant Support Tool.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk] backup=c:\windows\pss\Post-it® Software Notes Lite.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Æô¶¯·ÉËÙÍÁ¶¹.lnk] backup=c:\windows\pss\Æô¶¯·ÉËÙÍÁ¶¹.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton] 2003-01-01 11:13159744-c--a-w-c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2009-12-11 15:57948672----a-r-c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2009-12-22 01:5735760----a-w-c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2008-04-14 00:1215360------w-c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds] 2003-04-07 07:07114688----a-w-c:\windows\system32\hkcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD] 2003-02-11 20:0261440----a-w-c:\hp\KBD\kbd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler] 2004-01-28 08:19159744-c--a-w-c:\program files\Saitek\Software\Profiler.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE] 2007-08-07 00:05200704-c--a-w-c:\program files\PowerISO\PWRISOVM.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiSmart] 2004-01-28 08:1998304-c--a-w-c:\program files\Saitek\Software\SaiSmart.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] 2007-04-16 15:28577536----a-w-c:\windows\soundman.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2007-03-14 03:4383608-c--a-w-c:\program files\Java\jre1.6.0_01\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "iPodService"=3 (0x3) "UserAccess7"=2 (0x2) "MDM"=2 (0x2) "Net message Service"=2 (0x2) "KService"=2 (0x2) "iPod Service"=3 (0x3) "Apple Mobile Device"=2 (0x2) "WLSetupSvc"=3 (0x3) "idsvc"=3 (0x3) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "Acme.PCHButton"=c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe "ctfmon.exe"=c:\windows\system32\CTFMON.EXE "NVIEW"=rundll32.exe nview.dll,nViewLoadHook [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "OneTouch Monitor"="c:\program files\Xerox One Touch\OneTouchMon.exe" "SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_06\bin\jusched.exe "InstantAccess"=c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h "IndexSearch"=c:\program files\Scansoft\PaperPort\IndexSearch.exe "nwiz"=nwiz.exe /installquiet /keeploaded /nodetect "AlcxMonitor"=ALCXMNTR.EXE "HPHmon05"=c:\windows\System32\hphmon05.exe "NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"= "c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"= "c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"= "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"= "c:\\Program Files\\Opera\\opera.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "7354:TCP"= 7354:TCP:ppLive "6461:UDP"= 6461:UDP:ppLive "21780:TCP"= 21780:TCP:BitComet 21780 TCP "21780:UDP"= 21780:UDP:BitComet 21780 UDP "6881:TCP"= 6881:TCP:BitComet 6881 TCP "6881:UDP"= 6881:UDP:BitComet 6881 UDP R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27-Nov-2009 13:52 721904] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10-Nov-2009 21:46 333192] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10-Nov-2009 21:46 360584] R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10-Nov-2009 22:42 906520] R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10-Nov-2009 22:42 285392] R3 JakNDis;Jaksta Service;c:\windows\system32\drivers\JakNDis.sys [29-Aug-2008 07:57 26656] R3 SaiH0109;SaiH0109;c:\windows\system32\drivers\SaiH0109.sys [26-Jul-2004 11:54 55936] R3 SaiU0109;SaiU0109;c:\windows\system32\drivers\SaiU0109.sys [26-Jul-2004 11:54 19456] S1 etqmhlnl;etqmhlnl;\??\c:\windows\system32\drivers\etqmhlnl.sys --> c:\windows\system32\drivers\etqmhlnl.sys [?] S1 xrhdbctp;xrhdbctp;\??\c:\windows\system32\drivers\xrhdbctp.sys --> c:\windows\system32\drivers\xrhdbctp.sys [?] S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [28-Sep-2006 11:08 16512] S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23-Dec-2008 15:35 50704] S3 zlportio;zlportio;\??\c:\windows\Temp\tmp000041190\zlportio.sys --> c:\windows\Temp\tmp000041190\zlportio.sys [?] . Contents of the 'Scheduled Tasks' folder 2010-02-16 c:\windows\Tasks\mixpadSevenDaysInit.job - c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05] 2010-02-18 c:\windows\Tasks\mixpadShakeIcon.job - c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05] 2009-04-08 c:\windows\Tasks\shutdown.job - c:\windows\system32\shutdown.exe [2003-01-01 00:12] 2010-02-18 c:\windows\Tasks\wavepadShakeIcon.job - c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-02-16 23:05] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.ask.com?o=15187&l=dis uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 mSearch Bar = hxxp://srch-qgb10.hpwis.com/ uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = 127.0.0.1 uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/keyword/%s Trusted Zone: apple.com\phobos Trusted Zone: apple.com\www Trusted Zone: barclaycard.co.uk\www Trusted Zone: buy-internetsecurity10.com Trusted Zone: buy-is2010.com Trusted Zone: capitalfm.com\www Trusted Zone: denness.net\tracker Trusted Zone: is-software-download.com Trusted Zone: is-software-download25.com Trusted Zone: is10-soft-download.com Trusted Zone: mlb.com\mlb Trusted Zone: buy-internetsecurity10.com Trusted Zone: buy-is2010.com DPF: Microsoft XML Parser for Java DPF: PCPitstop-Tracks-Checker - hxxp://www.pcpitstop.com/privacy/PCPTracks.cab DPF: {AA44D0B1-B2B4-4BCC-B710-CB45C6C2C270} - file:///C:/CoralGreyhoundInstallation/GreyhoundsViewer.ocx . ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-02-21 09:48 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys >>UNKNOWN [0x82EF61F8]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xf84e3f28 \Driver\ACPI -> ACPI.sys @ 0xf833dcb8 \Driver\atapi -> prosync1.sys @ 0xf89a76c1 IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15 \Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15 NDIS: -> SendCompleteHandler -> 0x0 PacketIndicateHandler -> 0x0 SendHandler -> 0x0 user & kernel MBR OK ************************************************************************ . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-1002633438-1285766612-3330700345-1003\Software\Genie"!\FM Genie Scout 2008] "GameDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games" "ShortlistDir"="" "ScreenshotsDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008" "SaveDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\" "HistoryDir"="c:\\Documents and Settings\\Owner\\Desktop\\New Folder (2)\\New Folder\\FM Genie Scout 2008\\History Points" "LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2008\\data\\updates\\update-802\\db\\802\\lang_db.dat" "LastSaveGame"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games\\burnley2.fm" "Language"="English" "LoadLangDB"=dword:00000001 "CompressHistoryPoints"=dword:00000000 "HighlightedAttributes"=dword:00000000 "MinCondition"=dword:00000032 "SkinID"=dword:00000001 "LastUpdateCheck"=dword:00000000 "HighQualityGUI"=dword:00000001 "AutomaticallyUpdateCheck"=dword:00000001 "AdvancedGeneration"=dword:00000000 "TranslateStaffSkills"=dword:00000001 "TranslatePlayerSkills"=dword:00000001 "TranslatePositions"=dword:00000001 "ShowHistory"=dword:00000001 "WindowState"=dword:00000002 "Currency"=dword:00000056 "WindowHeight"=dword:0000026d "WindowWidth"=dword:000003fc "WindowLeft"=dword:00000002 "WindowTop"=dword:0000004a "UseProxy"=dword:00000000 "ProxyHost"="" "ProxyPort"="" "UseAuthentication"=dword:00000000 "UserName"="" "UserPassword"="" --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(576) c:\windows\System32\Ati2evxx.dll - - - - - - - > 'explorer.exe'(1592) c:\windows\system32\WININET.dll c:\progra~1\WINDOW~2\wmpband.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\Ati2evxx.exe c:\program files\AVG\AVG9\avgrsx.exe c:\program files\AVG\AVG9\avgcsrvx.exe c:\windows\system32\LEXBCES.EXE c:\windows\System32\Ati2evxx.exe c:\program files\AVG\AVG9\avgnsx.exe c:\program files\AVG\AVG9\avgcsrvx.exe c:\windows\System32\logon.scr . *********************************************************************** . Completion time: 2010-02-21 09:57:19 - machine was rebooted ComboFix-quarantined-files.txt 2010-02-21 09:57 ComboFix2.txt 2010-02-20 15:48 Pre-Run: 31,761,469,440 bytes free Post-Run: 31,720,009,728 bytes free - - End Of File - - 7325B3571794845FC4525A152B369C4AI left something out of the fix. Sorry... 1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad. 2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C Code: [Select]KillAll:: Driver:: etqmhlnl xrhdbctp DDS:: Trusted Zone: apple.com\phobos Trusted Zone: apple.com\www Trusted Zone: barclaycard.co.uk\www Trusted Zone: buy-internetsecurity10.com Trusted Zone: buy-is2010.com Trusted Zone: capitalfm.com\www Trusted Zone: denness.net\tracker Trusted Zone: is-software-download.com Trusted Zone: is-software-download25.com Trusted Zone: is10-soft-download.com Trusted Zone: mlb.com\mlb Trusted Zone: buy-internetsecurity10.com Trusted Zone: buy-is2010.com 3. Go to the Notepad window and click Edit > Paste 4. Then click File > Save 5. Name the file CFScript.txt - Save the file to your Desktop 6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully! ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply. Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze*ok so here is the latest combofix log- ComboFix 10-02-19.04 - Owner 1-Feb-2010 19:17:47.3.1 - x86 Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt AV: AVG Anti-Virus Free On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_etqmhlnl -------\Service_xrhdbctp ((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 ))))))))))))))))))))))))))))))) . 2010-02-21 10:12 . 2010-02-21 10:13--------d-----w-C:\RootRepeal 2010-02-21 09:27 . 2004-08-04 05:0095360----a-w-C:\atapi.sys 2010-02-20 16:06 . 2010-02-20 16:06--------d-----w-c:\documents and settings\Owner\Application Data\AVG9 2010-02-20 10:14 . 2010-02-20 10:14--------d-----w-C:\Team17 2010-02-16 23:05 . 2010-02-17 00:14--------d-----w-c:\documents and settings\All Users\Application Data\NCH Swift Sound 2010-02-16 23:05 . 2010-02-17 00:14--------d-----w-c:\program files\NCH Swift Sound 2010-02-08 23:56 . 2010-02-08 23:56--------d-----w-c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert 2010-02-08 23:24 . 2010-02-08 23:57--------d---a-w-c:\documents and settings\All Users\Application Data\TEMP 2010-02-08 22:20 . 2010-02-08 22:20--------d-----w-c:\documents and settings\Owner\Application Data\Malwarebytes 2010-02-08 22:20 . 2010-01-07 16:0738224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys 2010-02-08 22:20 . 2010-02-08 22:20--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes 2010-02-08 22:20 . 2010-01-07 16:0719160----a-w-c:\windows\system32\drivers\mbam.sys 2010-02-08 22:20 . 2010-02-08 22:20--------d-----w-c:\program files\Malwarebytes' Anti-Malware 2010-02-08 20:54 . 2010-02-09 10:08--------d-----w-c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-02-03 13:45 . 2010-02-08 20:54--------d-----w-c:\documents and settings\All Users\Application Data\TuneUp Software 2010-02-03 13:31 . 2010-02-03 13:32--------d-----w-c:\documents and settings\Owner\Application Data\HpUpdate . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-02-21 19:08 . 2009-11-11 09:40--------d-----w-c:\documents and settings\Owner\Application Data\vlc 2010-02-20 10:14 . 2003-01-01 10:50--------d--h--w-c:\program files\InstallShield Installation Information 2010-02-17 11:50 . 2007-10-01 13:18--------d-----w-c:\documents and settings\Owner\Application Data\uTorrent 2010-02-16 23:07 . 2006-08-26 22:08--------d-----w-c:\documents and settings\Owner\Application Data\NCH Swift Sound 2010-02-13 13:12 . 2004-04-22 17:38--------d-----w-c:\program files\Common Files\Adobe 2010-02-06 19:46 . 2009-12-13 10:19--------d-----w-c:\program files\The KMPlayer 2010-02-03 16:51 . 2003-01-01 10:05--------d-----w-c:\program files\HP 2010-02-03 13:31 . 2003-01-01 10:05--------d-----w-c:\program files\Hewlett-Packard 2010-02-03 13:21 . 2004-04-23 07:2755176-c--a-w-c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-12-31 16:50 . 2003-01-01 15:41353792----a-w-c:\windows\system32\drivers\srv.sys 2009-12-21 19:14 . 2004-02-06 17:05916480------w-c:\windows\system32\wininet.dll 2009-12-16 18:43 . 2003-01-01 22:38343040----a-w-c:\windows\system32\mspaint.exe 2009-12-14 07:08 . 2003-01-01 22:3733280----a-w-c:\windows\system32\csrsrv.dll 2009-12-08 19:27 . 2003-01-01 22:382189184------w-c:\windows\system32\ntoskrnl.exe 2009-12-08 18:43 . 2002-08-29 08:042066048------w-c:\windows\system32\ntkrnlpa.exe 2009-12-04 18:22 . 2003-01-01 15:40455424----a-w-c:\windows\system32\drivers\mrxsmb.sys 2009-11-27 17:11 . 2003-05-30 16:001291776----a-w-c:\windows\system32\quartz.dll 2009-11-27 17:11 . 2003-01-01 09:3217920----a-w-c:\windows\system32\msyuv.dll 2009-11-27 16:07 . 2003-01-01 22:3828672----a-w-c:\windows\system32\msvidc32.dll 2009-11-27 16:07 . 2001-08-18 05:368704----a-w-c:\windows\system32\tsbyuv.dll 2009-11-27 16:07 . 2003-01-01 22:3811264----a-w-c:\windows\system32\msrle32.dll 2009-11-27 16:07 . 2003-01-01 22:3684992----a-w-c:\windows\system32\avifil32.dll 2009-11-27 16:07 . 2001-08-18 05:3648128----a-w-c:\windows\system32\iyuv_32.dll 2009-11-27 14:17 . 2009-11-27 14:17134072----a-w-c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat 2009-11-27 13:52 . 2009-11-27 13:52721904----a-w-c:\windows\system32\drivers\sptd.sys 2006-02-21 14:59 . 2006-02-21 14:59524300-c--a-w-c:\program files\position.bin 2005-02-25 20:21 . 2005-02-25 20:211179648-c--a-w-c:\program files\book.bin 2004-05-06 12:11 . 2005-02-07 10:36777-c--a-w-c:\program files\trial_setup.ini 2004-04-23 14:22 . 2004-04-23 14:220-csha-w-c:\windows\SMINST\HPCD.sys 2005-06-11 13:14 . 2005-03-24 10:5856-csh--r-c:\windows\system32\71E772F4EB.sys 2005-07-14 18:31 . 2006-05-24 16:3727648-csha-w-c:\windows\system32\AVSredirect.dll 2005-06-26 21:32 . 2006-05-08 17:07616448-csha-r-c:\windows\system32\cygwin1.dll 2005-06-22 04:37 . 2006-05-24 16:3745568-csha-r-c:\windows\system32\cygz.dll 2006-08-04 08:30 . 2004-08-13 21:5213146-csha-w-c:\windows\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488] [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}] 2009-10-16 12:121119488----a-w-c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488] [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Acme.PCHButton"="c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe" [2003-01-01 159744] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992] "PS2"="c:\windows\system32\ps2.exe" [2002-07-31 81920] "SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Shortcut to avgtray.exe.lnk - c:\program files\AVG\AVG9\avgtray.exe [2009-11-10 2033432] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-11-10 22:4312464----a-w-c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProvidersmsapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk] backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^blueyonder Instant Support Tool.lnk] backup=c:\windows\pss\blueyonder Instant Support Tool.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk] backup=c:\windows\pss\Post-it® Software Notes Lite.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Æô¶¯·ÉËÙÍÁ¶¹.lnk] backup=c:\windows\pss\Æô¶¯·ÉËÙÍÁ¶¹.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton] 2003-01-01 11:13159744-c--a-w-c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2009-12-11 15:57948672----a-r-c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2009-12-22 01:5735760----a-w-c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2008-04-14 00:1215360------w-c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds] 2003-04-07 07:07114688----a-w-c:\windows\system32\hkcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD] 2003-02-11 20:0261440----a-w-c:\hp\KBD\kbd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler] 2004-01-28 08:19159744-c--a-w-c:\program files\Saitek\Software\Profiler.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE] 2007-08-07 00:05200704-c--a-w-c:\program files\PowerISO\PWRISOVM.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiSmart] 2004-01-28 08:1998304-c--a-w-c:\program files\Saitek\Software\SaiSmart.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] 2007-04-16 15:28577536----a-w-c:\windows\soundman.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2007-03-14 03:4383608-c--a-w-c:\program files\Java\jre1.6.0_01\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "iPodService"=3 (0x3) "UserAccess7"=2 (0x2) "MDM"=2 (0x2) "Net message Service"=2 (0x2) "KService"=2 (0x2) "iPod Service"=3 (0x3) "Apple Mobile Device"=2 (0x2) "WLSetupSvc"=3 (0x3) "idsvc"=3 (0x3) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "Acme.PCHButton"=c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe "ctfmon.exe"=c:\windows\system32\CTFMON.EXE "NVIEW"=rundll32.exe nview.dll,nViewLoadHook [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "OneTouch Monitor"="c:\program files\Xerox One Touch\OneTouchMon.exe" "SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_06\bin\jusched.exe "InstantAccess"=c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h "IndexSearch"=c:\program files\Scansoft\PaperPort\IndexSearch.exe "nwiz"=nwiz.exe /installquiet /keeploaded /nodetect "AlcxMonitor"=ALCXMNTR.EXE "HPHmon05"=c:\windows\System32\hphmon05.exe "NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"= "c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"= "c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"= "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"= "c:\\Program Files\\Opera\\opera.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "7354:TCP"= 7354:TCP:ppLive "6461:UDP"= 6461:UDP:ppLive "21780:TCP"= 21780:TCP:BitComet 21780 TCP "21780:UDP"= 21780:UDP:BitComet 21780 UDP "6881:TCP"= 6881:TCP:BitComet 6881 TCP "6881:UDP"= 6881:UDP:BitComet 6881 UDP R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27-Nov-2009 13:52 721904] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10-Nov-2009 21:46 333192] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10-Nov-2009 21:46 360584] R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10-Nov-2009 22:42 906520] R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10-Nov-2009 22:42 285392] R3 JakNDis;Jaksta Service;c:\windows\system32\drivers\JakNDis.sys [29-Aug-2008 07:57 26656] R3 SaiH0109;SaiH0109;c:\windows\system32\drivers\SaiH0109.sys [26-Jul-2004 11:54 55936] R3 SaiU0109;SaiU0109;c:\windows\system32\drivers\SaiU0109.sys [26-Jul-2004 11:54 19456] S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [28-Sep-2006 11:08 16512] S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23-Dec-2008 15:35 50704] S3 zlportio;zlportio;\??\c:\windows\Temp\tmp000041190\zlportio.sys --> c:\windows\Temp\tmp000041190\zlportio.sys [?] . Contents of the 'Scheduled Tasks' folder 2010-02-16 c:\windows\Tasks\mixpadSevenDaysInit.job - c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05] 2010-02-18 c:\windows\Tasks\mixpadShakeIcon.job - c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05] 2009-04-08 c:\windows\Tasks\shutdown.job - c:\windows\system32\shutdown.exe [2003-01-01 00:12] 2010-02-18 c:\windows\Tasks\wavepadShakeIcon.job - c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-02-16 23:05] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.ask.com?o=15187&l=dis uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 mSearch Bar = hxxp://srch-qgb10.hpwis.com/ uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = 127.0.0.1 uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/keyword/%s DPF: Microsoft XML Parser for Java DPF: PCPitstop-Tracks-Checker - hxxp://www.pcpitstop.com/privacy/PCPTracks.cab DPF: {AA44D0B1-B2B4-4BCC-B710-CB45C6C2C270} - file:///C:/CoralGreyhoundInstallation/GreyhoundsViewer.ocx . ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-02-21 19:29 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys >>UNKNOWN [0x82E881F8]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xf84e3f28 \Driver\ACPI -> ACPI.sys @ 0xf833dcb8 \Driver\atapi -> prosync1.sys @ 0xf89a76c1 IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15 \Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15 NDIS: -> SendCompleteHandler -> 0x0 PacketIndicateHandler -> 0x0 SendHandler -> 0x0 user & kernel MBR OK ************************************************************************ . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-1002633438-1285766612-3330700345-1003\Software\Genie"!\FM Genie Scout 2008] "GameDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games" "ShortlistDir"="" "ScreenshotsDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008" "SaveDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\" "HistoryDir"="c:\\Documents and Settings\\Owner\\Desktop\\New Folder (2)\\New Folder\\FM Genie Scout 2008\\History Points" "LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2008\\data\\updates\\update-802\\db\\802\\lang_db.dat" "LastSaveGame"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games\\burnley2.fm" "Language"="English" "LoadLangDB"=dword:00000001 "CompressHistoryPoints"=dword:00000000 "HighlightedAttributes"=dword:00000000 "MinCondition"=dword:00000032 "SkinID"=dword:00000001 "LastUpdateCheck"=dword:00000000 "HighQualityGUI"=dword:00000001 "AutomaticallyUpdateCheck"=dword:00000001 "AdvancedGeneration"=dword:00000000 "TranslateStaffSkills"=dword:00000001 "TranslatePlayerSkills"=dword:00000001 "TranslatePositions"=dword:00000001 "ShowHistory"=dword:00000001 "WindowState"=dword:00000002 "Currency"=dword:00000056 "WindowHeight"=dword:0000026d "WindowWidth"=dword:000003fc "WindowLeft"=dword:00000002 "WindowTop"=dword:0000004a "UseProxy"=dword:00000000 "ProxyHost"="" "ProxyPort"="" "UseAuthentication"=dword:00000000 "UserName"="" "UserPassword"="" --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1360) c:\windows\System32\Ati2evxx.dll - - - - - - - > 'explorer.exe'(1048) c:\windows\system32\WININET.dll c:\progra~1\WINDOW~2\wmpband.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\Ati2evxx.exe c:\program files\AVG\AVG9\avgrsx.exe c:\program files\AVG\AVG9\avgcsrvx.exe c:\windows\system32\LEXBCES.EXE c:\program files\AVG\AVG9\avgnsx.exe c:\windows\System32\Ati2evxx.exe c:\program files\AVG\AVG9\avgcsrvx.exe c:\windows\System32\logon.scr . ************************************************************************* . Completion time: 2010-02-21 19:37:14 - machine was rebooted ComboFix-quarantined-files.txt 2010-02-21 19:37 ComboFix2.txt 2010-02-21 09:57 ComboFix3.txt 2010-02-20 15:48 Pre-Run: 29,495,021,568 bytes free Post-Run: 29,456,936,960 bytes free - - End Of File - - 7DAE080EA2C29390E10A5EC440EFD8CC Hopefully we are about done. * Click START then RUN - Vista users press the Windows Key and the R keys for the Run box. * Now type Combofix /Uninstall in the runbox * Make sure there's a space between Combofix and /Uninstall * Then hit Enter * The above procedure will: * Delete the following: * ComboFix and its associated files and folders. * Reset the clock settings. * Hide file extensions, if required. * Hide System/Hidden files, if required. * Set a new, clean Restore Point. ---------- Clean out your temporary internet files and temp files. Download TFC by OldTimer to your desktop. Double-click TFC.exe to run it. Note: If you are running on Vista, right-click on the file and choose Run As Administrator TFC will close all programs when run, so make sure you have saved all your work before you begin. * Click the Start button to begin the cleaning process. * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. * Please let TFC run uninterrupted until it is finished. Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning. ---------- ESET Online Scan Scan your computer with the ESET FREE Online Virus Scan * Click the ESET Online Scanner button. * For ALTERNATE browsers only: (Microsoft Internet Explorer users can skip these steps) * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop * Double click on the esetsmartinstaller_enu.exe icon on your desktop. * Place a check mark next to YES, I accept the Terms of Use. * Click the Start button. * Accept any security warnings from your browser. * Leave the check mark next to Remove found threats and place a check next to Scan archives. * Click the Start button. * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time. * When the scan completes, click List of found threats. * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply. * Click the <<Back button then click Finish. In your next reply please include the ESET Online Scan Log this is the esetscan log C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.virWin32/Olmarik.RF virusdeleted - quarantined so i checked the box to have eset remove this quarantined file the uninstall combofix didnt seem to get rid off qoobox so i guess i should just delete the qoobox folder is there anything else i need to do thanks again for the helpYes you can delete the qoobox folder manually. It isn't removed automatically like the other files are. Final suggestions. Use the Secunia Software Inspector to check for out of date software. * Click Start Now * Check the box next to Enable thorough system inspection. * Click Start * Allow the scan to finish and scroll down to see if any updates are needed. * Update anything listed. ---------- Go to Microsoft Windows Update and get all critical updates. ---------- If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page. ---------- I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan. I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a RISKY website. It's easy and it's free. SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being ADDED to your computer when running Mozilla based browsers like Firefox. * Using SpywareBlaster to protect your computer from Spyware and Malware * If you don't know what ActiveX controls are, see here Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. * Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

4544.

Solve : infected atapi.sys file?

Answer»

received a warning from avg that atapi.sys had a trojan horse rootkit agent EF

this was not found by malwarebyte. checked http://virusscan.jotti.org/ and found this file had several infections.
now i cant delete atapi.sys but i do have a clean file i could use (and registry keys), was wondering if anyone knew how to replace old atapi.sys with new one (cannot find windows installation cd )
or is their an easier way to replace this file using combofix (already used this to clean file but still infected).
any help greatly appreciatedQuote

now i cant delete atapi.sys but i do have a clean file i could use (and registry keys), was wondering if anyone knew how to replace old atapi.sys with new one (cannot find windows installation cd )

DO NOT delete it! Your computer will no longer boot.

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFixthanks for reply

here is combofix log (had already downloaded version from where you suggested earlier today)

ComboFix 10-02-19.04 - Owner 0-Feb-2010 15:25:29.1.1 - x86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\BITS
c:\documents and settings\Owner\Application Data\BITS\BITS.ini
c:\documents and settings\Owner\Application Data\BITS\DHTTable.dat
c:\documents and settings\Owner\Application Data\BITS\pl.dat
c:\documents and settings\Owner\Application Data\BITS\ProxyList.ini
c:\documents and settings\Owner\Application Data\FlashGetBHO
c:\documents and settings\Owner\Application Data\FlashGetBHO\FlashGetBHO3.dll
c:\documents and settings\Owner\Application Data\FlashGetBHO\GetAllUrl.htm
c:\documents and settings\Owner\Application Data\FlashGetBHO\GetUrl.htm
c:\documents and settings\Owner\Start Menu\Programs\Mafia
C:\Documents
C:\System
c:\windows\Downloaded Program Files\dlhelper.dll
c:\windows\Mafia
c:\windows\struct~.ini
c:\windows\system32\18467.exe
c:\windows\system32\6334.exe
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\ps2.bat
c:\windows\system32\secustat.dat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NET_MESSAGE_SERVICE

((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 )))))))))))))))))))))))))))))))
.

2010-02-20 10:14 . 2010-02-20 10:14--------d-----w-C:\Team17
2010-02-16 23:05 . 2010-02-17 00:14--------d-----w-c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-02-16 23:05 . 2010-02-17 00:14--------d-----w-c:\program files\NCH Swift Sound
2010-02-08 23:56 . 2010-02-08 23:56--------d-----w-c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2010-02-08 23:24 . 2010-02-08 23:57--------d---a-w-c:\documents and settings\All Users\Application Data\TEMP
2010-02-08 22:20 . 2010-02-08 22:20--------d-----w-c:\documents and settings\Owner\Application Data\Malwarebytes
2010-02-08 22:20 . 2010-01-07 16:0738224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-08 22:20 . 2010-02-08 22:20--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-08 22:20 . 2010-01-07 16:0719160----a-w-c:\windows\system32\drivers\mbam.sys
2010-02-08 22:20 . 2010-02-08 22:20--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2010-02-08 20:54 . 2010-02-09 10:08--------d-----w-c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-03 13:45 . 2010-02-08 20:54--------d-----w-c:\documents and settings\All Users\Application Data\TuneUp Software
2010-02-03 13:31 . 2010-02-03 13:32--------d-----w-c:\documents and settings\Owner\Application Data\HpUpdate

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-20 15:10 . 2009-11-11 09:40--------d-----w-c:\documents and settings\Owner\Application Data\vlc
2010-02-20 10:14 . 2003-01-01 10:50--------d--h--w-c:\program files\InstallShield Installation Information
2010-02-17 11:50 . 2007-10-01 13:18--------d-----w-c:\documents and settings\Owner\Application Data\uTorrent
2010-02-16 23:07 . 2006-08-26 22:08--------d-----w-c:\documents and settings\Owner\Application Data\NCH Swift Sound
2010-02-13 13:12 . 2004-04-22 17:38--------d-----w-c:\program files\Common Files\Adobe
2010-02-06 19:46 . 2009-12-13 10:19--------d-----w-c:\program files\The KMPlayer
2010-02-03 16:51 . 2003-01-01 10:05--------d-----w-c:\program files\HP
2010-02-03 13:31 . 2003-01-01 10:05--------d-----w-c:\program files\Hewlett-Packard
2010-02-03 13:21 . 2004-04-23 07:2755176-c--a-w-c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 19:14 . 2004-02-06 17:05916480----a-w-c:\windows\system32\wininet.dll
2009-11-27 14:17 . 2009-11-27 14:17134072----a-w-c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-27 13:52 . 2009-11-27 13:52721904----a-w-c:\windows\system32\drivers\sptd.sys
2006-02-21 14:59 . 2006-02-21 14:59524300-c--a-w-c:\program files\position.bin
2005-02-25 20:21 . 2005-02-25 20:211179648-c--a-w-c:\program files\book.bin
2004-05-06 12:11 . 2005-02-07 10:36777-c--a-w-c:\program files\trial_setup.ini
2004-04-23 14:22 . 2004-04-23 14:220-csha-w-c:\windows\SMINST\HPCD.sys
2005-06-11 13:14 . 2005-03-24 10:5856-csh--r-c:\windows\system32\71E772F4EB.sys
2005-07-14 18:31 . 2006-05-24 16:3727648-csha-w-c:\windows\system32\AVSredirect.dll
2005-06-26 21:32 . 2006-05-08 17:07616448-csha-r-c:\windows\system32\cygwin1.dll
2005-06-22 04:37 . 2006-05-24 16:3745568-csha-r-c:\windows\system32\cygz.dll
2006-08-04 08:30 . 2004-08-13 21:5213146-csha-w-c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 18:40 . B0FBED8C149D3D9E08962A8E8E864F79 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2003-09-23 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\$NtUninstallQ331958$\atapi.sys

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-08-19 . DE891AD282E856ACFD40990094A63B6F . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 12:121119488----a-w-c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acme.PCHButton"="c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe" [2003-01-01 159744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"PS2"="c:\windows\system32\ps2.exe" [2002-07-31 81920]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-10 22:4312464----a-w-c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProvidersmsapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^blueyonder Instant Support Tool.lnk]
backup=c:\windows\pss\blueyonder Instant Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk]
backup=c:\windows\pss\Post-it® Software Notes Lite.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Æô¶¯·ÉËÙÍÁ¶¹.lnk]
backup=c:\windows\pss\Æô¶¯·ÉËÙÍÁ¶¹.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kgsystray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\POEngine
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TudouVAStart
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
2003-01-01 11:13159744-c--a-w-c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 15:57948672----a-r-c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 01:5735760----a-w-c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:1215360------w-c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-07 07:07114688----a-w-c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2003-02-11 20:0261440----a-w-c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler]
2004-01-28 08:19159744-c--a-w-c:\program files\Saitek\Software\Profiler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-08-07 00:05200704-c--a-w-c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiSmart]
2004-01-28 08:1998304-c--a-w-c:\program files\Saitek\Software\SaiSmart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 15:28577536----a-w-c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 03:4383608-c--a-w-c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"UserAccess7"=2 (0x2)
"MDM"=2 (0x2)
"Net message Service"=2 (0x2)
"KService"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"idsvc"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Acme.PCHButton"=c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe
"ctfmon.exe"=c:\windows\system32\CTFMON.EXE
"NVIEW"=rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"OneTouch Monitor"="c:\program files\Xerox One Touch\OneTouchMon.exe"
"SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_06\bin\jusched.exe
"InstantAccess"=c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
"IndexSearch"=c:\program files\Scansoft\PaperPort\IndexSearch.exe
"nwiz"=nwiz.exe /installquiet /keeploaded /nodetect
"AlcxMonitor"=ALCXMNTR.EXE
"HPHmon05"=c:\windows\System32\hphmon05.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7354:TCP"= 7354:TCP:ppLive
"6461:UDP"= 6461:UDP:ppLive
"21780:TCP"= 21780:TCP:BitComet 21780 TCP
"21780:UDP"= 21780:UDP:BitComet 21780 UDP
"6881:TCP"= 6881:TCP:BitComet 6881 TCP
"6881:UDP"= 6881:UDP:BitComet 6881 UDP

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27-Nov-2009 13:52 721904]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10-Nov-2009 21:46 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10-Nov-2009 21:46 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10-Nov-2009 22:42 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10-Nov-2009 22:42 285392]
R3 JakNDis;Jaksta Service;c:\windows\system32\drivers\JakNDis.sys [29-Aug-2008 07:57 26656]
R3 SaiH0109;SaiH0109;c:\windows\system32\drivers\SaiH0109.sys [26-Jul-2004 11:54 55936]
R3 SaiU0109;SaiU0109;c:\windows\system32\drivers\SaiU0109.sys [26-Jul-2004 11:54 19456]
S1 etqmhlnl;etqmhlnl;\??\c:\windows\system32\drivers\etqmhlnl.sys --> c:\windows\system32\drivers\etqmhlnl.sys [?]
S1 xrhdbctp;xrhdbctp;\??\c:\windows\system32\drivers\xrhdbctp.sys --> c:\windows\system32\drivers\xrhdbctp.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [28-Sep-2006 11:08 16512]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23-Dec-2008 15:35 50704]
S3 zlportio;zlportio;\??\c:\windows\Temp\tmp000041190\zlportio.sys --> c:\windows\Temp\tmp000041190\zlportio.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\mixpadSevenDaysInit.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05]

2010-02-18 c:\windows\Tasks\mixpadShakeIcon.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05]

2009-04-08 c:\windows\Tasks\shutdown.job
- c:\windows\system32\shutdown.exe [2003-01-01 00:12]

2010-02-18 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-02-16 23:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15187&l=dis
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://srch-qgb10.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
Trusted Zone: apple.com\phobos
Trusted Zone: apple.com\www
Trusted Zone: barclaycard.co.uk\www
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: capitalfm.com\www
Trusted Zone: denness.net\tracker
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
Trusted Zone: mlb.com\mlb
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
DPF: Microsoft XML Parser for Java
DPF: PCPitstop-Tracks-Checker - hxxp://www.pcpitstop.com/privacy/PCPTracks.cab
DPF: {AA44D0B1-B2B4-4BCC-B710-CB45C6C2C270} - file:///C:/CoralGreyhoundInstallation/GreyhoundsViewer.ocx
.
- - - - ORPHANS REMOVED - - - -

BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-goxtRTinQ - setrsptb.exe
MSConfigStartUp-Motive SmartBridge - c:\progra~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-xFEj33O - shlhupnp.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-20 15:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys atapi.sys sprz.sys >>UNKNOWN [0x82EA8938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf84e3f28
\Driver\ACPI -> ACPI.sys @ 0xf833dcb8
\Driver\atapi -> prosync1.sys @ 0xf89a76c1
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1002633438-1285766612-3330700345-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008]
"GameDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games"
"ShortlistDir"=""
"ScreenshotsDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008"
"SaveDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\"
"HistoryDir"="c:\\Documents and Settings\\Owner\\Desktop\\New Folder (2)\\New Folder\\FM Genie Scout 2008\\History Points"
"LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2008\\data\\updates\\update-802\\db\\802\\lang_db.dat"
"LastSaveGame"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games\\burnley2.fm"
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000032
"SkinID"=dword:00000001
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"WindowState"=dword:00000002
"Currency"=dword:00000056
"WindowHeight"=dword:0000026d
"WindowWidth"=dword:000003fc
"WindowLeft"=dword:00000002
"WindowTop"=dword:0000004a
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\System32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1432)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\System32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\System32\logon.scr
.
**************************************************************************
.
Completion time: 2010-02-20 15:48:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-20 15:48

Pre-Run: 31,553,204,224 bytes free
Post-Run: 31,483,396,096 bytes free

- - End Of File - - C3400B7FC6FEF597D794892895B05586
Please go to Jotti's malware scan
(If more than one file needs scanned they must be done separately and logs posted for each one)

* Copy the file path in the below Code box:
Code: [Select]c:\windows\system32\drivers\xrhdbctp.sys* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

Also scan this file and post the link to the results.

Code: [Select]c:\windows\system32\drivers\etqmhlnl.sys
----------

Download GMER Rootkit Detector and save it your desktop.

* EXTRACT it to your desktop and double-click GMER.exe
* Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".
* Click the Rootkit tab and then Scan.
* Don't check the Show All box while scanning in progress!
* When scanning is finished click Copy.
* This copies the log to clipboard
* Post the log in your reply.tried doing what u suggested but on that website it just says that ive specified one or more files that could not be found.
those two files dont exist anymore - have no idea why
searching them only finds C:\WINDOWS\system32\MpEngineStore\RebootActions\xrhdbctp.dat - did a check on this filepath - http://virusscan.jotti.org/en-GB/scanresult/90cfb4f593083172c1c9abf7cb5d557ebb7c7dd7

and the second one is exactly the same C:\WINDOWS\system32\MpEngineStore\RebootActions\etqmhlnl.dat
- http://virusscan.jotti.org/en-GB/scanresult/237b4d2126087569093d75d59bfbed8e07d3ece1

both scans reveal nothing found

as for the GMER log -- have started scan - hopefully wont take much longer
will post log shortly

thanks for your help
its much appreciated! How is the GMER scan coming?

Be sure to do this. Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".ok so while i was doing the gmer scan the power for the whole neighbourhood went out - great

now eventually here is the log
obvious issue with atapi.sys which i.m still getting warnings about
hope you can help (will be offline for a few hours while i get some sleep (2am in uk)

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-21 01:46:28
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fgtdapoc.sys

---- System - GMER 1.0.15 ----

SSDT spit.sys ZwCreateKey [0xF837E0E0]
SSDT spit.sys ZwEnumerateKey [0xF839CCA4]
SSDT spit.sys ZwEnumerateValueKey [0xF839D032]
SSDT spit.sys ZwOpenKey [0xF837E0C0]
SSDT spit.sys ZwQueryKey [0xF839D10A]
SSDT spit.sys ZwQueryValueKey [0xF839CF8A]
SSDT spit.sys ZwSetValueKey [0xF839D19C]

INT 0x62 ? 82EF6BF8
INT 0x82 ? 82EF6BF8
INT 0x83 ? 82C4CBF8
INT 0xA4 ? 82C4CBF8
INT 0xB4 ? 82C4CBF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 169 804E27C5 3 Bytes [CC, 39, F8] {INT 3 ; CMP EAX, EDI}
? spit.sys The system cannot find the file specified. !
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF83057A4]
.text USBPORT.SYS!DllUnload F78588AC 5 Bytes JMP 82C4C1D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82EF82D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F83AFC4C] spit.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F83AFCA0] spit.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82C4C2D8
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F838EE9C] spit.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 82EF51F8
Device \FileSystem\Fastfat \FatCdrom 82C041F8

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{B9CCBD70-9E0C-484E-9FF4-5963A29B4F59} 82B16500
Device \Driver\usbuhci \Device\USBPDO-0 82C4B1F8
Device \Driver\usbuhci \Device\USBPDO-1 82C4B1F8
Device \Driver\usbuhci \Device\USBPDO-2 82C4B1F8
Device \Driver\usbehci \Device\USBPDO-3 82C29500
Device \Driver\NetBT \Device\NetBT_Tcpip_{FD9B5674-C527-4B71-ABEA-C86624BE26AD} 82B16500

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\prodrv06 \Device\ProDrv06 E1D06008
Device \Driver\Ftdisk \Device\HarddiskVolume1 82E891F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 82E891F8
Device \Driver\Cdrom \Device\CdRom0 82B431F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F82F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort0 [F82F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 [F82F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F82F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\prohlp02 \Device\ProHlp02 E1008360
Device \Driver\NetBT \Device\NetBt_Wins_Export 82B16500
Device \Driver\NetBT \Device\NetbiosSmb 82B16500

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 82C4B1F8
Device \Driver\usbuhci \Device\USBFDO-1 82C4B1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 829581F8
Device \Driver\usbuhci \Device\USBFDO-2 82C4B1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 829581F8
Device \Driver\usbehci \Device\USBFDO-3 82C29500
Device \Driver\Ftdisk \Device\FtControl 82E891F8
Device \FileSystem\Fastfat \Fat 82C041F8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 823DB1F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[emailprotected] 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[emailprotected] 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[emailprotected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[emailprotected] 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[emailprotected] 0x58 0x00 0x6B 0x85 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\[emailprotected] 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\[emailprotected] 0x58 0x00 0x6B 0x85 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
Quote

hope you can help (will be offline for a few hours while i get some sleep (2am in uk)

No worries. Get some rest so you can have a clear head. I'll be around whenever you get back to it.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]KillAll::

FCopy::
c:\windows\$NtServicePackUninstall$\atapi.sys | c:\windows\system32\drivers\atapi.sys
c:\windows\$NtServicePackUninstall$\tcpip.sys | c:\windows\system32\dllcache\tcpip.sys
c:\windows\$NtServicePackUninstall$\tcpip.sys | c:\windows\system32\drivers\tcpip.sys

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

=----------

RootRepeal - Rootkit Detector

* Download the following tool: RootRepeal - Rootkit Detector
* Direct download link is here: RootRepeal.zip

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.

* Extract the program file to a new folder such as C:\RootRepeal
* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
* Select ALL of the checkboxes and then click OK and it will start scanning your system.
* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
* When done, click on Save Report
* Save it to the same location where you ran it from, such as C:RootRepeal
* Save it as rootrepeal.txt
* Then open that log and select all and copy/paste it back on your next reply please.
* Close RootRepeal.

----------

Next post please add:

New ComboFix log
RootRepeal log

ok so the atapi.sys file seems to be clean now after that combo fix

tried doing the rootrepeal exactly as you showed but grey block comes up saying please wait, initializing - this stays the same for over 20 mins (i gave up) page file maxxes out and cpu usage is 100% for all this time - so maybe i need to be more patient but it seemed unneccessary to hog so much resources for all that time (could have gone on forever)

i hope you can tell me if there's anything else i can do as an alternative, and whether the combofix log below shows up any other problems.

thanks again.

ComboFix 10-02-19.04 - Owner 1-Feb-2010 9:37.2.1 - x86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\atapi.sys --> c:\windows\system32\drivers\atapi.sys
c:\windows\$NtServicePackUninstall$\tcpip.sys --> c:\windows\system32\dllcache\tcpip.sys
c:\windows\$NtServicePackUninstall$\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 )))))))))))))))))))))))))))))))
.

2010-02-21 09:27 . 2004-08-04 05:0095360----a-w-C:\atapi.sys
2010-02-20 16:06 . 2010-02-20 16:06--------d-----w-c:\documents and settings\Owner\Application Data\AVG9
2010-02-20 10:14 . 2010-02-20 10:14--------d-----w-C:\Team17
2010-02-16 23:05 . 2010-02-17 00:14--------d-----w-c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-02-16 23:05 . 2010-02-17 00:14--------d-----w-c:\program files\NCH Swift Sound
2010-02-08 23:56 . 2010-02-08 23:56--------d-----w-c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2010-02-08 23:24 . 2010-02-08 23:57--------d---a-w-c:\documents and settings\All Users\Application Data\TEMP
2010-02-08 22:20 . 2010-02-08 22:20--------d-----w-c:\documents and settings\Owner\Application Data\Malwarebytes
2010-02-08 22:20 . 2010-01-07 16:0738224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-08 22:20 . 2010-02-08 22:20--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-08 22:20 . 2010-01-07 16:0719160----a-w-c:\windows\system32\drivers\mbam.sys
2010-02-08 22:20 . 2010-02-08 22:20--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2010-02-08 20:54 . 2010-02-09 10:08--------d-----w-c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-03 13:45 . 2010-02-08 20:54--------d-----w-c:\documents and settings\All Users\Application Data\TuneUp Software
2010-02-03 13:31 . 2010-02-03 13:32--------d-----w-c:\documents and settings\Owner\Application Data\HpUpdate

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-20 19:03 . 2009-11-11 09:40--------d-----w-c:\documents and settings\Owner\Application Data\vlc
2010-02-20 10:14 . 2003-01-01 10:50--------d--h--w-c:\program files\InstallShield Installation Information
2010-02-17 11:50 . 2007-10-01 13:18--------d-----w-c:\documents and settings\Owner\Application Data\uTorrent
2010-02-16 23:07 . 2006-08-26 22:08--------d-----w-c:\documents and settings\Owner\Application Data\NCH Swift Sound
2010-02-13 13:12 . 2004-04-22 17:38--------d-----w-c:\program files\Common Files\Adobe
2010-02-06 19:46 . 2009-12-13 10:19--------d-----w-c:\program files\The KMPlayer
2010-02-03 16:51 . 2003-01-01 10:05--------d-----w-c:\program files\HP
2010-02-03 13:31 . 2003-01-01 10:05--------d-----w-c:\program files\Hewlett-Packard
2010-02-03 13:21 . 2004-04-23 07:2755176-c--a-w-c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 19:14 . 2004-02-06 17:05916480------w-c:\windows\system32\wininet.dll
2009-11-27 14:17 . 2009-11-27 14:17134072----a-w-c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-27 13:52 . 2009-11-27 13:52721904----a-w-c:\windows\system32\drivers\sptd.sys
2006-02-21 14:59 . 2006-02-21 14:59524300-c--a-w-c:\program files\position.bin
2005-02-25 20:21 . 2005-02-25 20:211179648-c--a-w-c:\program files\book.bin
2004-05-06 12:11 . 2005-02-07 10:36777-c--a-w-c:\program files\trial_setup.ini
2004-04-23 14:22 . 2004-04-23 14:220-csha-w-c:\windows\SMINST\HPCD.sys
2005-06-11 13:14 . 2005-03-24 10:5856-csh--r-c:\windows\system32\71E772F4EB.sys
2005-07-14 18:31 . 2006-05-24 16:3727648-csha-w-c:\windows\system32\AVSredirect.dll
2005-06-26 21:32 . 2006-05-08 17:07616448-csha-r-c:\windows\system32\cygwin1.dll
2005-06-22 04:37 . 2006-05-24 16:3745568-csha-r-c:\windows\system32\cygz.dll
2006-08-04 08:30 . 2004-08-13 21:5213146-csha-w-c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 12:121119488----a-w-c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acme.PCHButton"="c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe" [2003-01-01 159744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"PS2"="c:\windows\system32\ps2.exe" [2002-07-31 81920]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-10 22:4312464----a-w-c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProvidersmsapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^blueyonder Instant Support Tool.lnk]
backup=c:\windows\pss\blueyonder Instant Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk]
backup=c:\windows\pss\Post-it® Software Notes Lite.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Æô¶¯·ÉËÙÍÁ¶¹.lnk]
backup=c:\windows\pss\Æô¶¯·ÉËÙÍÁ¶¹.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
2003-01-01 11:13159744-c--a-w-c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 15:57948672----a-r-c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 01:5735760----a-w-c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:1215360------w-c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-07 07:07114688----a-w-c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2003-02-11 20:0261440----a-w-c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler]
2004-01-28 08:19159744-c--a-w-c:\program files\Saitek\Software\Profiler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-08-07 00:05200704-c--a-w-c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiSmart]
2004-01-28 08:1998304-c--a-w-c:\program files\Saitek\Software\SaiSmart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 15:28577536----a-w-c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 03:4383608-c--a-w-c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"UserAccess7"=2 (0x2)
"MDM"=2 (0x2)
"Net message Service"=2 (0x2)
"KService"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"idsvc"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Acme.PCHButton"=c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe
"ctfmon.exe"=c:\windows\system32\CTFMON.EXE
"NVIEW"=rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"OneTouch Monitor"="c:\program files\Xerox One Touch\OneTouchMon.exe"
"SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_06\bin\jusched.exe
"InstantAccess"=c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
"IndexSearch"=c:\program files\Scansoft\PaperPort\IndexSearch.exe
"nwiz"=nwiz.exe /installquiet /keeploaded /nodetect
"AlcxMonitor"=ALCXMNTR.EXE
"HPHmon05"=c:\windows\System32\hphmon05.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7354:TCP"= 7354:TCP:ppLive
"6461:UDP"= 6461:UDP:ppLive
"21780:TCP"= 21780:TCP:BitComet 21780 TCP
"21780:UDP"= 21780:UDP:BitComet 21780 UDP
"6881:TCP"= 6881:TCP:BitComet 6881 TCP
"6881:UDP"= 6881:UDP:BitComet 6881 UDP

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27-Nov-2009 13:52 721904]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10-Nov-2009 21:46 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10-Nov-2009 21:46 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10-Nov-2009 22:42 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10-Nov-2009 22:42 285392]
R3 JakNDis;Jaksta Service;c:\windows\system32\drivers\JakNDis.sys [29-Aug-2008 07:57 26656]
R3 SaiH0109;SaiH0109;c:\windows\system32\drivers\SaiH0109.sys [26-Jul-2004 11:54 55936]
R3 SaiU0109;SaiU0109;c:\windows\system32\drivers\SaiU0109.sys [26-Jul-2004 11:54 19456]
S1 etqmhlnl;etqmhlnl;\??\c:\windows\system32\drivers\etqmhlnl.sys --> c:\windows\system32\drivers\etqmhlnl.sys [?]
S1 xrhdbctp;xrhdbctp;\??\c:\windows\system32\drivers\xrhdbctp.sys --> c:\windows\system32\drivers\xrhdbctp.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [28-Sep-2006 11:08 16512]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23-Dec-2008 15:35 50704]
S3 zlportio;zlportio;\??\c:\windows\Temp\tmp000041190\zlportio.sys --> c:\windows\Temp\tmp000041190\zlportio.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\mixpadSevenDaysInit.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05]

2010-02-18 c:\windows\Tasks\mixpadShakeIcon.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05]

2009-04-08 c:\windows\Tasks\shutdown.job
- c:\windows\system32\shutdown.exe [2003-01-01 00:12]

2010-02-18 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-02-16 23:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15187&l=dis
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://srch-qgb10.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
Trusted Zone: apple.com\phobos
Trusted Zone: apple.com\www
Trusted Zone: barclaycard.co.uk\www
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: capitalfm.com\www
Trusted Zone: denness.net\tracker
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
Trusted Zone: mlb.com\mlb
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
DPF: Microsoft XML Parser for Java
DPF: PCPitstop-Tracks-Checker - hxxp://www.pcpitstop.com/privacy/PCPTracks.cab
DPF: {AA44D0B1-B2B4-4BCC-B710-CB45C6C2C270} - file:///C:/CoralGreyhoundInstallation/GreyhoundsViewer.ocx
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-21 09:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys >>UNKNOWN [0x82EF61F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf84e3f28
\Driver\ACPI -> ACPI.sys @ 0xf833dcb8
\Driver\atapi -> prosync1.sys @ 0xf89a76c1
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1002633438-1285766612-3330700345-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008]
"GameDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games"
"ShortlistDir"=""
"ScreenshotsDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008"
"SaveDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\"
"HistoryDir"="c:\\Documents and Settings\\Owner\\Desktop\\New Folder (2)\\New Folder\\FM Genie Scout 2008\\History Points"
"LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2008\\data\\updates\\update-802\\db\\802\\lang_db.dat"
"LastSaveGame"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games\\burnley2.fm"
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000032
"SkinID"=dword:00000001
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"WindowState"=dword:00000002
"Currency"=dword:00000056
"WindowHeight"=dword:0000026d
"WindowWidth"=dword:000003fc
"WindowLeft"=dword:00000002
"WindowTop"=dword:0000004a
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)
c:\windows\System32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1592)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\System32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\System32\logon.scr
.
**************************************************************************
.
Completion time: 2010-02-21 09:57:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-21 09:57
ComboFix2.txt 2010-02-20 15:48

Pre-Run: 31,761,469,440 bytes free
Post-Run: 31,720,009,728 bytes free

- - End Of File - - 7325B3571794845FC4525A152B369C4AI left something out of the fix. Sorry...

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]KillAll::

Driver::
etqmhlnl
xrhdbctp

DDS::
Trusted Zone: apple.com\phobos
Trusted Zone: apple.com\www
Trusted Zone: barclaycard.co.uk\www
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: capitalfm.com\www
Trusted Zone: denness.net\tracker
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
Trusted Zone: mlb.com\mlb
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freezeok so here is the latest combofix log-

ComboFix 10-02-19.04 - Owner 1-Feb-2010 19:17:47.3.1 - x86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_etqmhlnl
-------\Service_xrhdbctp

((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 )))))))))))))))))))))))))))))))
.

2010-02-21 10:12 . 2010-02-21 10:13--------d-----w-C:\RootRepeal
2010-02-21 09:27 . 2004-08-04 05:0095360----a-w-C:\atapi.sys
2010-02-20 16:06 . 2010-02-20 16:06--------d-----w-c:\documents and settings\Owner\Application Data\AVG9
2010-02-20 10:14 . 2010-02-20 10:14--------d-----w-C:\Team17
2010-02-16 23:05 . 2010-02-17 00:14--------d-----w-c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-02-16 23:05 . 2010-02-17 00:14--------d-----w-c:\program files\NCH Swift Sound
2010-02-08 23:56 . 2010-02-08 23:56--------d-----w-c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2010-02-08 23:24 . 2010-02-08 23:57--------d---a-w-c:\documents and settings\All Users\Application Data\TEMP
2010-02-08 22:20 . 2010-02-08 22:20--------d-----w-c:\documents and settings\Owner\Application Data\Malwarebytes
2010-02-08 22:20 . 2010-01-07 16:0738224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-08 22:20 . 2010-02-08 22:20--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-08 22:20 . 2010-01-07 16:0719160----a-w-c:\windows\system32\drivers\mbam.sys
2010-02-08 22:20 . 2010-02-08 22:20--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2010-02-08 20:54 . 2010-02-09 10:08--------d-----w-c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-03 13:45 . 2010-02-08 20:54--------d-----w-c:\documents and settings\All Users\Application Data\TuneUp Software
2010-02-03 13:31 . 2010-02-03 13:32--------d-----w-c:\documents and settings\Owner\Application Data\HpUpdate

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-21 19:08 . 2009-11-11 09:40--------d-----w-c:\documents and settings\Owner\Application Data\vlc
2010-02-20 10:14 . 2003-01-01 10:50--------d--h--w-c:\program files\InstallShield Installation Information
2010-02-17 11:50 . 2007-10-01 13:18--------d-----w-c:\documents and settings\Owner\Application Data\uTorrent
2010-02-16 23:07 . 2006-08-26 22:08--------d-----w-c:\documents and settings\Owner\Application Data\NCH Swift Sound
2010-02-13 13:12 . 2004-04-22 17:38--------d-----w-c:\program files\Common Files\Adobe
2010-02-06 19:46 . 2009-12-13 10:19--------d-----w-c:\program files\The KMPlayer
2010-02-03 16:51 . 2003-01-01 10:05--------d-----w-c:\program files\HP
2010-02-03 13:31 . 2003-01-01 10:05--------d-----w-c:\program files\Hewlett-Packard
2010-02-03 13:21 . 2004-04-23 07:2755176-c--a-w-c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-31 16:50 . 2003-01-01 15:41353792----a-w-c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-02-06 17:05916480------w-c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2003-01-01 22:38343040----a-w-c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2003-01-01 22:3733280----a-w-c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2003-01-01 22:382189184------w-c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 08:042066048------w-c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2003-01-01 15:40455424----a-w-c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2003-05-30 16:001291776----a-w-c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2003-01-01 09:3217920----a-w-c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2003-01-01 22:3828672----a-w-c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-18 05:368704----a-w-c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2003-01-01 22:3811264----a-w-c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2003-01-01 22:3684992----a-w-c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2001-08-18 05:3648128----a-w-c:\windows\system32\iyuv_32.dll
2009-11-27 14:17 . 2009-11-27 14:17134072----a-w-c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-27 13:52 . 2009-11-27 13:52721904----a-w-c:\windows\system32\drivers\sptd.sys
2006-02-21 14:59 . 2006-02-21 14:59524300-c--a-w-c:\program files\position.bin
2005-02-25 20:21 . 2005-02-25 20:211179648-c--a-w-c:\program files\book.bin
2004-05-06 12:11 . 2005-02-07 10:36777-c--a-w-c:\program files\trial_setup.ini
2004-04-23 14:22 . 2004-04-23 14:220-csha-w-c:\windows\SMINST\HPCD.sys
2005-06-11 13:14 . 2005-03-24 10:5856-csh--r-c:\windows\system32\71E772F4EB.sys
2005-07-14 18:31 . 2006-05-24 16:3727648-csha-w-c:\windows\system32\AVSredirect.dll
2005-06-26 21:32 . 2006-05-08 17:07616448-csha-r-c:\windows\system32\cygwin1.dll
2005-06-22 04:37 . 2006-05-24 16:3745568-csha-r-c:\windows\system32\cygz.dll
2006-08-04 08:30 . 2004-08-13 21:5213146-csha-w-c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 12:121119488----a-w-c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acme.PCHButton"="c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe" [2003-01-01 159744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"PS2"="c:\windows\system32\ps2.exe" [2002-07-31 81920]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Shortcut to avgtray.exe.lnk - c:\program files\AVG\AVG9\avgtray.exe [2009-11-10 2033432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-10 22:4312464----a-w-c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProvidersmsapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^blueyonder Instant Support Tool.lnk]
backup=c:\windows\pss\blueyonder Instant Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk]
backup=c:\windows\pss\Post-it® Software Notes Lite.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Æô¶¯·ÉËÙÍÁ¶¹.lnk]
backup=c:\windows\pss\Æô¶¯·ÉËÙÍÁ¶¹.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
2003-01-01 11:13159744-c--a-w-c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 15:57948672----a-r-c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 01:5735760----a-w-c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:1215360------w-c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-07 07:07114688----a-w-c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2003-02-11 20:0261440----a-w-c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler]
2004-01-28 08:19159744-c--a-w-c:\program files\Saitek\Software\Profiler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-08-07 00:05200704-c--a-w-c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiSmart]
2004-01-28 08:1998304-c--a-w-c:\program files\Saitek\Software\SaiSmart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 15:28577536----a-w-c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 03:4383608-c--a-w-c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"UserAccess7"=2 (0x2)
"MDM"=2 (0x2)
"Net message Service"=2 (0x2)
"KService"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"idsvc"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Acme.PCHButton"=c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe
"ctfmon.exe"=c:\windows\system32\CTFMON.EXE
"NVIEW"=rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"OneTouch Monitor"="c:\program files\Xerox One Touch\OneTouchMon.exe"
"SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_06\bin\jusched.exe
"InstantAccess"=c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
"IndexSearch"=c:\program files\Scansoft\PaperPort\IndexSearch.exe
"nwiz"=nwiz.exe /installquiet /keeploaded /nodetect
"AlcxMonitor"=ALCXMNTR.EXE
"HPHmon05"=c:\windows\System32\hphmon05.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7354:TCP"= 7354:TCP:ppLive
"6461:UDP"= 6461:UDP:ppLive
"21780:TCP"= 21780:TCP:BitComet 21780 TCP
"21780:UDP"= 21780:UDP:BitComet 21780 UDP
"6881:TCP"= 6881:TCP:BitComet 6881 TCP
"6881:UDP"= 6881:UDP:BitComet 6881 UDP

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27-Nov-2009 13:52 721904]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10-Nov-2009 21:46 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10-Nov-2009 21:46 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10-Nov-2009 22:42 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10-Nov-2009 22:42 285392]
R3 JakNDis;Jaksta Service;c:\windows\system32\drivers\JakNDis.sys [29-Aug-2008 07:57 26656]
R3 SaiH0109;SaiH0109;c:\windows\system32\drivers\SaiH0109.sys [26-Jul-2004 11:54 55936]
R3 SaiU0109;SaiU0109;c:\windows\system32\drivers\SaiU0109.sys [26-Jul-2004 11:54 19456]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [28-Sep-2006 11:08 16512]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23-Dec-2008 15:35 50704]
S3 zlportio;zlportio;\??\c:\windows\Temp\tmp000041190\zlportio.sys --> c:\windows\Temp\tmp000041190\zlportio.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\mixpadSevenDaysInit.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05]

2010-02-18 c:\windows\Tasks\mixpadShakeIcon.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05]

2009-04-08 c:\windows\Tasks\shutdown.job
- c:\windows\system32\shutdown.exe [2003-01-01 00:12]

2010-02-18 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-02-16 23:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15187&l=dis
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://srch-qgb10.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
DPF: Microsoft XML Parser for Java
DPF: PCPitstop-Tracks-Checker - hxxp://www.pcpitstop.com/privacy/PCPTracks.cab
DPF: {AA44D0B1-B2B4-4BCC-B710-CB45C6C2C270} - file:///C:/CoralGreyhoundInstallation/GreyhoundsViewer.ocx
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-21 19:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys >>UNKNOWN [0x82E881F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf84e3f28
\Driver\ACPI -> ACPI.sys @ 0xf833dcb8
\Driver\atapi -> prosync1.sys @ 0xf89a76c1
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1002633438-1285766612-3330700345-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008]
"GameDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games"
"ShortlistDir"=""
"ScreenshotsDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008"
"SaveDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\"
"HistoryDir"="c:\\Documents and Settings\\Owner\\Desktop\\New Folder (2)\\New Folder\\FM Genie Scout 2008\\History Points"
"LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2008\\data\\updates\\update-802\\db\\802\\lang_db.dat"
"LastSaveGame"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games\\burnley2.fm"
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000032
"SkinID"=dword:00000001
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"WindowState"=dword:00000002
"Currency"=dword:00000056
"WindowHeight"=dword:0000026d
"WindowWidth"=dword:000003fc
"WindowLeft"=dword:00000002
"WindowTop"=dword:0000004a
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1360)
c:\windows\System32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1048)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\LEXBCES.EXE
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\System32\logon.scr
.
**************************************************************************
.
Completion time: 2010-02-21 19:37:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-21 19:37
ComboFix2.txt 2010-02-21 09:57
ComboFix3.txt 2010-02-20 15:48

Pre-Run: 29,495,021,568 bytes free
Post-Run: 29,456,936,960 bytes free

- - End Of File - - 7DAE080EA2C29390E10A5EC440EFD8CC
Hopefully we are about done.

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /Uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For ALTERNATE browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log
this is the esetscan log

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.virWin32/Olmarik.RF virusdeleted - quarantined

so i checked the box to have eset remove this quarantined file

the uninstall combofix didnt seem to get rid off qoobox so i guess i should just delete the qoobox folder

is there anything else i need to do

thanks again for the helpYes you can delete the qoobox folder manually. It isn't removed automatically like the other files are.

Final suggestions.

Use the Secunia Software Inspector to check for out of date software.

* Click Start Now
* Check the box next to Enable thorough system inspection.
* Click Start
* Allow the scan to finish and scroll down to see if any updates are needed.
* Update anything listed.

----------

Go to Microsoft Windows Update and get all critical updates.

----------

If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.

----------

I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a RISKY website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being ADDED to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy.
* Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Discussion

4545.	Solve : Virus Problems?
Answer» every few MINUTES something pops up on my computer telling me i have some kind of virus and need to fix them.. but everytime I go to the programs they ARENT free.. how can i GET rid of all these viruses and get a free anitvirus programI think everyone GETS a pop up once in awhile that advertises about something but once you close them they go away. The problem is when you can't close them or get rid of them. Then you may have a problem. For info security info look at this http://www.mywot.com/ to get some ideas.Start here: Please read this before requesting malware removal help. Following the steps in the Guide will ALLOW for us to quickly help you with specific fixes for your system. When you have completed those steps post the logs back here. If one or more of the tools will not run just keep going and let me know what would not run and what happened.

Discussion

4546.	Solve : Your system is infected! (Please help if you can)?
Answer» Here they are, the active scan results: ;*************************************************************************** ANALYSIS: 2010-02-18 11:21:33 PROTECTIONS: 1 MALWARE: 4 SUSPECTS: 2 ;************************************************************************* PROTECTIONS Description Version Active Updated ;==================================================================== AVG Anti-Virus Free 8.5 No No ;==================================================================== MALWARE Id Description Type Active Severity Disinfectable Disinfected Location ;==================================================================== 00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\administrator\cookies\[emailprotected][2].txt 03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp8\a0001951.exe 03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp6\a0000466.exe 03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp10\a0003173.dll 03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\windows\system32\msls50.dll 05898765 Trj/Nabload.DPS Virus/Trojan No 0 No No c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp11\a0003505.exe[32788r22fwjfw\catchme.cfxxe] 05977738 Adware/ISecurity2010 Adware No 0 Yes No c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp5\a0000445.exe 05977738 Adware/ISecurity2010 Adware No 0 Yes No c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp6\a0000469.exe 05977738 Adware/ISecurity2010 Adware No 0 Yes No c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp5\a0000424.exe 05977738 Adware/ISecurity2010 Adware No 0 Yes No c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp7\a0001483.exe 05977738 Adware/ISecurity2010 Adware No 0 Yes No c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp5\a0000410.exe 05977738 Adware/ISecurity2010 Adware No 0 Yes No c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp5\a0000366.exe 05977738 Adware/ISecurity2010 Adware No 0 Yes No c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp7\a0001887.exe 05977738 Adware/ISecurity2010 Adware No 0 Yes No c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp8\a0001942.exe 05977738 Adware/ISecurity2010 Adware No 0 Yes No c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp8\a0001950.exe 05977738 Adware/ISecurity2010 Adware No 0 Yes No c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp5\a0000435.exe 05977738 Adware/ISecurity2010 Adware No 0 Yes No c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp6\a0001471.exe ;==================================================================== SUSPECTS Sent Location ;==================================================================== No c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp7\a0001900.dll No c:\windows\system32\msls51.dll ;==================================================================== VULNERABILITIES Id Severity Description ;==================================================================== 216839 HIGH MS10-001 215938 HIGH MS09-072 215935 HIGH MS09-069 215048 HIGH MS09-065 214076 HIGH MS09-059 971486 HIGH MS09-058 214074 HIGH MS09-057 214073 HIGH MS09-056 214072 HIGH MS09-055 214071 HIGH MS09-054 213109 HIGH MS09-046 212494 HIGH MS09-042 212493 HIGH MS09-041 212490 HIGH MS09-038 212530 HIGH MS09-034 211784 HIGH MS09-032 211781 HIGH MS09-029 210625 HIGH MS09-026 210624 HIGH MS09-025 210621 HIGH MS09-022 210618 HIGH MS09-019 208380 HIGH MS09-015 208379 HIGH MS09-014 208378 HIGH MS09-013 208377 HIGH MS09-012 206981 HIGH MS09-007 206980 HIGH MS09-006 205735 HIGH MS09-002 204670 HIGH MS09-001 203806 HIGH MS08-078 203508 HIGH MS08-073 203505 HIGH MS08-071 202465 HIGH MS08-068 201683 HIGH MS08-067 201258 HIGH MS08-066 201256 HIGH MS08-064 201255 HIGH MS08-063 201253 HIGH MS08-061 201250 HIGH MS08-058 209275 HIGH MS08-049 209273 HIGH MS08-045 196455 MEDIUM MS08-037 194862 HIGH MS08-032 194860 HIGH MS08-030 191618 HIGH MS08-025 191616 HIGH MS08-023 191614 HIGH MS08-021 191613 HIGH MS08-020 187733 HIGH MS08-008 184380 MEDIUM MS08-002 184379 MEDIUM MS08-001 182046 HIGH MS07-067 179553 HIGH MS07-061 176383 HIGH MS07-058 170911 HIGH MS07-050 170907 HIGH MS07-046 170904 HIGH MS07-043 164915 HIGH MS07-035 164911 HIGH MS07-031 157262 HIGH MS07-022 157261 HIGH MS07-021 157260 HIGH MS07-020 157259 HIGH MS07-019 156477 HIGH MS07-017 150249 HIGH MS07-013 150248 HIGH MS07-012 150247 HIGH MS07-011 150243 HIGH MS07-008 150242 HIGH MS07-007 150241 MEDIUM MS07-006 ;==================================================================== Download OTM by OldTimer to your desktop. Note: If you are using Vista or Windows 7, right-click on OTM.exe and choose Run As Administrator*. Save it to your Desktop. * Double-click OTM.exe to run it. * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy) Code: [Select]:Processes explorer.exe :services :reg :files c:\windows\system32\msls50.dll c:\windows\system32\msls51.dll :Commands [resethosts] [purity] [start explorer] [Reboot] * Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste. * Click the red Moveit! button. * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply. * Close OTM Note: If a file or FOLDER cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway. I did as instructed, however I couldn't get the results as it rebooted immediately after it finished. After the re-BOOT as I kept getting this warning: userinit.exe - Unable to Locate Component This application has failed to start because msls51.dll was not found. Re-installing the application may fix this problem. Now only the desktop background is visible, I can open task manager but that's all, there's no toolbar or desktop icons or anything. Manually shut down the computer and then start it again.Done. It's still the same, giving the same warning constantly. The background is the only thing there. I can open task manager and that's it.Restart the computer. This time as it is loading up tap the F8 key until you get to the boot menu. Choose Last Known Good Configuration. Let me know how that goes.Didn't go well, it's still the same, same warning about msls51.dll not found.Do you have your desktop BACK?Nothing there at all except the background picture. No desktop icons, toolbar, nothing. On the Keyboard press (all at the same time) CTRL ALT Delete When the Task Manager cones up go to File > New Task > then type in explorer.exe and click OK. Did your desktop come up?Explorer appeared briefly in the 'Applications' box of Tast Manager, with writing saying 'unable to locate component', then it dissapeared. My desktop did not come up. The msls51.dll box came up about 5 more times in the process.On the Keyboard press (all at the same time) CTRL ALT Delete When the Task Manager cones up go to File > New Task > then type in rstrui.exe and click OK. Do you get the System restore window?'Windows cannot find 'rstrui.exe'. Make sure you typed the name correctly, and then try again.' That's what happens each time I try.Do you have your XP CD?No, it already had XP installed when I got it (over 3 years ago) and did not come with a backup XP DISC.

Discussion

4547.	Solve : Trojan.FakeAV - I removed this but...?
Answer» now I am only able to get on line using either ftp or https...http will not connect...any thoughts would be apreciated.Download TrendMicro HijackThis.exe (HJT) to the DESKTOP. * Double-click on HJTInstall. * Click on the Install button. * It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. * Upon install, HijackThis should open for you. * Important! If using Windows Vista or Windows 7, close HijackThis. Now right-click HijackThis and Run As Administrator * Click on the Do a system SCAN and save a log file button * HijackThis will scan and then a log will open in notepad. * Copy and then paste the entire contents of the log in your post. * Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.I am unable to access the web via http://?? only ftp:// or https://trying to use a FLASH drive to take it from the laptop to the desk topLogfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:07:25 PM, on 1/26/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555 R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file) O2 - BHO: Adobe PDF READER Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\coIEPlg.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\IPSBHO.DLL O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\coIEPlg.dll O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ajhkxwac] C:\Documents and Settings\Owner\Local Settings\Application Data\ojmkqe\wpwusysguard.exe O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe O4 - HKCU\..\Run: [ajhkxwac] C:\Documents and Settings\Owner\Local Settings\Application Data\ojmkqe\wpwusysguard.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20060104/qtinstall.info.apple.com/snape/us/win/QuickTimeInstaller.exe O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140141522249 O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141697703484 O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\coIEPlg.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: WUSB54GSCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe (file missing) O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- End of file - 8471 bytes Here it is...again, I can get on the internet with ftp and https but not http Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:07:25 PM, on 1/26/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555 R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\coIEPlg.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\IPSBHO.DLL O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\coIEPlg.dll O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ajhkxwac] C:\Documents and Settings\Owner\Local Settings\Application Data\ojmkqe\wpwusysguard.exe O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe O4 - HKCU\..\Run: [ajhkxwac] C:\Documents and Settings\Owner\Local Settings\Application Data\ojmkqe\wpwusysguard.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20060104/qtinstall.info.apple.com/snape/us/win/QuickTimeInstaller.exe O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140141522249 O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141697703484 O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\coIEPlg.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: WUSB54GSCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe (file missing) O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- End of file - 8471 bytes Quote Here it is...again, I can get on the internet with ftp and https but not http I don't completely understand this. Are there only a few sties you can visit or do you have to change the URL to FTP or HTTPS?Open HijackThis and select Do a system scan only Place a check mark next to the following entries: (if there) R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555 O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file) O4 - HKLM\..\Run: [ajhkxwac] C:\Documents and Settings\Owner\Local Settings\Application Data\ojmkqe\wpwusysguard.exe O4 - HKCU\..\Run: [ajhkxwac] C:\Documents and Settings\Owner\Local Settings\Application Data\ojmkqe\wpwusysguard.exe . Important: Close all open windows except for HijackThis and then click Fix checked. Once completed, exit HijackThis. ---------- If you already have ComboFix be sure to delete it and download a new copy. Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop. Link #1 Link #2 Note: It is important that it is saved directly to your Desktop Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix. Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them. Double click combofix.exe & follow the prompts. Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it) When finished ComboFix will produce a log for you. Post the ComboFix log in your next reply. Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall. Remember to re-enable your antivirus and antispyware protection when ComboFix is complete. If you have problems with ComboFix usage, see How to use ComboFix ---------- 1. Close all open Web browsers. 2. From the Start menu in Windows select Control Panel. 3. Select Add or Remove Programs. 4. Uninstall any of the following programs associated with Ask.com: (the names may be slightly different) - Ask.com - Ask Bar - Ask Desktop Search - Ask Search - Ask Toolbar - Ask Jeeves 5. Click Change/Remove for each and uninstall all found. ---------- Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups. Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply**. Exit out of MessengerDisable then delete the two files that were put on the desktop.

4547.

Solve : Trojan.FakeAV - I removed this but...?

Answer»

now I am only able to get on line using either ftp or https...http will not connect...any thoughts would be apreciated.Download TrendMicro HijackThis.exe (HJT) to the DESKTOP.

* Double-click on HJTInstall.
* Click on the Install button.
* It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
* Upon install, HijackThis should open for you.
* Important! If using Windows Vista or Windows 7, close HijackThis. Now right-click HijackThis and Run As Administrator
* Click on the Do a system SCAN and save a log file button
* HijackThis will scan and then a log will open in notepad.
* Copy and then paste the entire contents of the log in your post.
* Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.I am unable to access the web via http://?? only ftp:// or https://trying to use a FLASH drive to take it from the laptop to the desk topLogfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:07:25 PM, on 1/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
O2 - BHO: Adobe PDF READER Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\IPSBHO.DLL
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\coIEPlg.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ajhkxwac] C:\Documents and Settings\Owner\Local Settings\Application Data\ojmkqe\wpwusysguard.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ajhkxwac] C:\Documents and Settings\Owner\Local Settings\Application Data\ojmkqe\wpwusysguard.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20060104/qtinstall.info.apple.com/snape/us/win/QuickTimeInstaller.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140141522249
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141697703484
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\coIEPlg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WUSB54GSCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8471 bytes
Here it is...again, I can get on the internet with ftp and https but not http

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:07:25 PM, on 1/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\IPSBHO.DLL
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\coIEPlg.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ajhkxwac] C:\Documents and Settings\Owner\Local Settings\Application Data\ojmkqe\wpwusysguard.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ajhkxwac] C:\Documents and Settings\Owner\Local Settings\Application Data\ojmkqe\wpwusysguard.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20060104/qtinstall.info.apple.com/snape/us/win/QuickTimeInstaller.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140141522249
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141697703484
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\coIEPlg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WUSB54GSCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8471 bytes
Quote

Here it is...again, I can get on the internet with ftp and https but not http

I don't completely understand this. Are there only a few sties you can visit or do you have to change the URL to FTP or HTTPS?Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
O4 - HKLM\..\Run: [ajhkxwac] C:\Documents and Settings\Owner\Local Settings\Application Data\ojmkqe\wpwusysguard.exe
O4 - HKCU\..\Run: [ajhkxwac] C:\Documents and Settings\Owner\Local Settings\Application Data\ojmkqe\wpwusysguard.exe

.
Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

----------

1. Close all open Web browsers.
2. From the Start menu in Windows select Control Panel.
3. Select Add or Remove Programs.
4. Uninstall any of the following programs associated with Ask.com: (the names may be slightly different)

- Ask.com
- Ask Bar
- Ask Desktop Search
- Ask Search
- Ask Toolbar
- Ask Jeeves

5. Click Change/Remove for each and uninstall all found.

----------

Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.

Discussion

4548.	Solve : I can't go on to Facebook, I get a wierd restricted message????
Answer» I attached the files to my last post? They aren't there, apparently...will try again. The hijack this log is the one I ran last night, or do I need to do it again after running combofix today? [Saving space, attachment DELETED by admin]QUOTE When finished, ComboFix will produce a log for you. Post the ComboFix log and a new HijackThis log in your next reply. The logs look good. There were a few problems but I'm quite sure they're fixed now. Let's do one more scan. ESET Online Scan Scan your computer with the ESET FREE Online Virus Scan * Click the ESET Online Scanner button. * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps) * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop * Double click on the esetsmartinstaller_enu.exe icon on your desktop. * Place a check mark next to YES, I accept the Terms of Use. * Click the Start button. * Accept any security warnings from your browser. * Leave the check mark next to Remove found threats and place a check next to Scan archives. * Click the Start button. * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time. * When the scan completes, click List of found threats. * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply. * Click the <<Back button then click FINISH. In your next reply please include the ESET Online Scan LogNow I can't print or scan anything again. I had to go back and download the driver, the full download instead of the basic, because I couldn't use my scanner without the full. So 2+ hours later, I installed the new driver, and now I can't do anything. It says that my printer isn't connected, when it is. It's one censored thing after another. Can you help me with this too? Bc programmer: I can read. I did post a new log. Here's the ESET log. [Saving space, attachment deleted by admin]Quote from: mcummings36 on January 26, 2010, 06:34:36 PM Bc programmer: I can read. I did post a new log. hey... you asked Hi. Your ESET scan took out anything that was left. As for the printer, this is the first time I've seen anyone having problems with a printer after doing scans. Perhaps you should start another thread in the software or hardware forums to resolve this problem. If there are not other issues (other than the printer) it's time for some clean-up. You can uninstall HJT and ESET. You can keep SAS and MBAM, if you wish. Update them and run them every once in a while. * Click START then RUN - Vista users press the Windows Key and the R keys for the Run box. * Now type Combofix /uninstall in the runbox * Make sure there's a space between Combofix and /Uninstall * Then hit Enter * The above procedure will: * Delete the following: * ComboFix and its associated files and folders. * Reset the clock settings. * Hide file extensions, if required. * Hide System/Hidden files, if required. * Set a new, clean Restore Point. ------------------------------------------------------------------------- Download OTC by OldTimer and save it to your desktop. 1. Double-click OTC to run it. 2. Click the CleanUp! button. 3. Select Yes when the "Begin cleanup Process?" prompt appears. 4. If you are prompted to Reboot during the cleanup, select Yes 5. OTC should delete itself once it finishes, if not delete it yourself. ------------------------------------------------------------------------- Clean out your temporary internet files and temp files. Download TFC by OldTimer to your desktop. Double-click TFC.exe to run it. Note: If you are running on Vista, right-click on the file and choose Run As Administrator TFC will close all programs when run, so make sure you have saved all your work before you begin. * Click the Start button to begin the cleaning process. * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. * Please let TFC run uninterrupted until it is finished. Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning. --------------------------------------------------------------------------------- Looking over your log it seems you don't have any evidence of a third party firewall. Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors. REMEMBER only install ONE firewall 1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one) 2) Online Armor 3) Agnitum Outpost 4) PC Tools Firewall Plus If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time. --------------------------------------------------------------------------------------- Use the Secunia Software Inspector to check for out of date software. •Click Start Now •Check the box next to Enable thorough system inspection. •Click Start •Allow the scan to finish and scroll down to see if any updates are needed. •Update anything listed. . ---------- Go to Microsoft Windows Update and get all critical updates. ---------- I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you SAFE from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free. SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox. * Using SpywareBlaster to protect your computer from Spyware and Malware * If you don't know what ActiveX controls are, see here Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smooth. Safe Surfing!

4548.

Solve : I can't go on to Facebook, I get a wierd restricted message????

Answer»

I attached the files to my last post? They aren't there, apparently...will try again. The hijack this log is the one I ran last night, or do I need to do it again after running combofix today?

[Saving space, attachment DELETED by admin]QUOTE

When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

The logs look good. There were a few problems but I'm quite sure they're fixed now. Let's do one more scan.

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click FINISH.

In your next reply please include the ESET Online Scan LogNow I can't print or scan anything again. I had to go back and download the driver, the full download instead of the basic, because I couldn't use my scanner without the full. So 2+ hours later, I installed the new driver, and now I can't do anything. It says that my printer isn't connected, when it is. It's one *censored* thing after another. Can you help me with this too? Bc programmer:
I can read. I did post a new log. Here's the ESET log.

[Saving space, attachment deleted by admin]Quote from: mcummings36 on January 26, 2010, 06:34:36 PM

Bc programmer:
I can read. I did post a new log.

hey... you asked Hi. Your ESET scan took out anything that was left. As for the printer, this is the first time I've seen anyone having problems with a printer after doing scans. Perhaps you should start another thread in the software or hardware forums to resolve this problem. If there are not other issues (other than the printer) it's time for some clean-up. You can uninstall HJT and ESET. You can keep SAS and MBAM, if you wish. Update them and run them every once in a while.

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-------------------------------------------------------------------------

Download OTC by OldTimer and save it to your desktop.

1. Double-click OTC to run it.
2. Click the CleanUp! button.
3. Select Yes when the "Begin cleanup Process?" prompt appears.
4. If you are prompted to Reboot during the cleanup, select Yes
5. OTC should delete itself once it finishes, if not delete it yourself.

-------------------------------------------------------------------------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

---------------------------------------------------------------------------------

Looking over your log it seems you don't have any evidence of a third party firewall.

Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

REMEMBER only install ONE firewall

1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor
3) Agnitum Outpost
4) PC Tools Firewall Plus

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

---------------------------------------------------------------------------------------

Use the Secunia Software Inspector to check for out of date software.

•Click Start Now

•Check the box next to Enable thorough system inspection.

•Click Start

•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you SAFE from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smooth.
Safe Surfing!

Discussion

4549.	Solve : Worm Maybe??
Answer» Sorry about that. Try this one ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe Its back again, so it looks as if I can't send the Dr. Web log at all. Please advise. Can you just post the log in the thread? Don't forget to run the F-Secure also.Hope this is within the max. I'll be back later with F-Secure. Thanks again. Bill 86412.exe;c:\documents and settings\owner\local settings\temp;Trojan.Packed.181;Deleted.; 65304.exe;C:\Documents and Settings\Owner\Local Settings\Temp;Trojan.Packed.181;Deleted.; d1b49.exe;C:\Documents and Settings\Owner\Local Settings\Temp;Trojan.Packed.181;Deleted.; A0001341.dll;C:\System Volume Information\_restore{633899DE-AE4D-4DF3-AA36-7E143BF52292}\RP26;Adware.NavHelper;Incurable.Deleted.; A0001342.exe;C:\System Volume Information\_restore{633899DE-AE4D-4DF3-AA36-7E143BF52292}\RP26;Adware.NavHelper;Incurable.Deleted.; A0002913.exe;C:\System Volume Information\_restore{633899DE-AE4D-4DF3-AA36-7E143BF52292}\RP32;Trojan.Packed.181;Deleted.; A0004973.dll;C:\System Volume Information\_restore{633899DE-AE4D-4DF3-AA36-7E143BF52292}\RP39;Adware.Msearch;Incurable.Deleted.; DateManager.exe;D:\Program Files\Date Manager;Adware.Gator;Invalid path to file ; f3Setup1.exe;D:\Program Files\FunWebProducts\Installr;Adware.Funweb;Invalid path to file ; F3EZSETP.DLL;D:\Program Files\FunWebProducts\Installr\1.bin;Adware.Funweb;Invalid path to file ; MWSSRCAS.DLL;D:\Program Files\MyWebSearch\SrchAstt\1.bin;Adware.Websa;Invalid path to file ; F3POPSWT.DLL;D:\Program Files\MyWebSearch\bar\1.bin;Adware.Funweb;Invalid path to file ; M3OUTLCN.DLL;D:\Program Files\MyWebSearch\bar\1.bin;Adware.MWS;Invalid path to file ; MWSBAR.DLL;D:\Program Files\MyWebSearch\bar\1.bin;Adware.MWS;Invalid path to file ; MWSOEMON.EXE;D:\Program Files\MyWebSearch\bar\1.bin;Adware.Websearch;Invalid path to file ; NHUninstaller.exe;D:\Program Files\NavExcel\NavHelper\v2.0.4;Adware.NavHelper;Invalid path to file ; NHUpdater.exe;D:\Program Files\NavExcel\NavHelper\v2.0.4;Adware.NavHelper;Invalid path to file ; NHelper.dll;D:\Program Files\NavExcel\NavHelper\v2.0.4;Adware.NavHelper;Invalid path to file ; newdotnet5_40.dll\data002;D:\Program Files\NewDotNet\newdotnet5_40.dll;Adware.NewDotNet;; newdotnet5_40.dll;D:\Program Files\NewDotNet;Archive contains infected objects;Invalid path to file ; YO Evil: F-Secure finished downloading and scanning [showing 10 bad ones] but at the final page I read Show Report, which does nothing when I click it. There is a "Finish" link but I am AFRAID to click it for fear the whole thing ends and I would have to start the entire 3 hour F-Secure process again. Do I dare click "Finish" when I have no respone from Show Report? Please advise. If you can't get the report to show then that is that. Go ahead and post a new Hijackthis log. Let us know how the computer is now.OK Evil. Here comes the Hijack This log. So far no virus action, so I THINK maybe with your considerable help, we appear to have knocked off the Trojan Horse. Praise the Lord! Please let me know what the attached log seems to reveal. By the way, Hijack reported 10 objects caught on its log before it was lost and I am very sure one was the Trojan. Thanks very much. Indeed, bunches! Bill S. [file cleanup - saving space - attachment deleted by admin]The log looks fine. To learn more about how to protect yourself while on the internet read this ARTICLE by Tony Klien: So how did I get infected in the first place? If anything else comes up then let us know. Thank you so much! Your help was indeed appreciated. Bill S.

Discussion

4550.	Solve : mcaffe help?
Answer» i uninstalled macffe security CENTER. when i tryed to install the avg free trial it gave me a message that i still had anitspyware/anti-virus still in my COMPUTER. i RAN the macffe installer and i tryed to install avg again same error i don't know what to do PLZ helpMcAfee Uninstaller

Discussion

‹ 1 … 89 90 91 92 93 … 97 ›

Explore topic-wise InterviewSolutions in .

Solve : Application cannot be executed, Security Warning, Antivirus popups?

Solve : Potential Malware Virus Problem?

Solve : again: Application cannot be executed. The file ..... *grmpfl*?

Solve : "Application has been executed" problem.?

Solve : My computer's security??

Solve : PAGE REDIRECT VIRUS????

Solve : How do I completely remove virus??

Solve : Another "application cannot be executed" infection?

Solve : "application cannot be executed" virus/trojan? help please!?

Solve : '---' file is infected.?

Solve : Malware attack?

Solve : Application cannot be executed. The file ____.exe is infected.?

Solve : Help please! I cant get rid of this thing! Logs attached and updated in post?

Solve : trojan virus cleaned with instructions?

Solve : Redirected: C:\windows\system32\sshnas21.dll (trouble accessing and running?)?

Solve : "Application cannot be executed. The file ****** is infected"?

Solve : computer slow...signing in internet is slow and hanging up.?

Solve : Super AntiSpyware Problem?

Solve : Handed neighbor's laptop with a plea of help?

Solve : disable Java & ActiveX??

Solve : Is this malware, hardware, or just windows being windows??

Solve : My computer is running extremly slow...?

Solve : Uniblue (liutilities.com) can be misleading?

Solve : Can Someone Help with an Execessive Error message?

Solve : Best FREE anti-spyware program? (must be conflict-free with avast! home)?

Solve : Do I have good PC security??

Solve : Application has been infected....?

Solve : Does my computer have too many security programs??

Solve : atapi.sys infected with rootkit?

Solve : Java a security risk??

Solve : I think I have a virus?

Solve : Malware in C-Windows-temp and maybe in the MBR. All common removal tools failed?

Solve : Sysvxd.exe Error?

Solve : Trojan Propogator.?

Solve : csrssc.exe and csrcs.exe [NOT csrss.exe]?

Solve : Computer Spyware Malware Problem?

Solve : Is this enough to keep me reasonable safe??

Solve : trojan keeps coming back.?

Solve : APPInet dll?

Solve : Plz check my log for glitch?

Solve : insufficient system error?

Solve : Virus\Malware Problem?

Solve : Computer opportunities?

Solve : infected atapi.sys file?

Solve : Virus Problems?

Solve : Your system is infected! (Please help if you can)?

Solve : Trojan.FakeAV - I removed this but...?

Solve : I can't go on to Facebook, I get a wierd restricted message????

Solve : Worm Maybe??

Solve : mcaffe help?

Solve : again: Application cannot be executed. The file ..... grmpfl?