Explore topic-wise InterviewSolutions in .

Hi!

We've got a laptop that's running Vista that has picked up a virus. There's a pop up stating it's from 'West Yorkshire Police' which covers the whole screen stating that the computer has been locked for illegal downloads and that we have to pay £100 to some moody pay site.

I can access safe mode, but there doesn't seem to be a system restore point? I've run spybot search and destroy, malware bytes and hosecall through it and it's still there when I reboot the machine. Any ideas please?

Thanks in advance Hi there!

Download Farbar Recovery Scan Tool and save it to a flash drive.


Depending on your type of system, you will have to select 32-bit or 64-bit accordingly. How do I tell?

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  
• Use the arrow keys to select the Repair your computer menu item.
  
• Choose your language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account and click Next.
  

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
  
• Choose your language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account an click Next.
  

• Select Command Prompt
  
• In the command window type in notepad and press Enter.
  
• The notepad opens. Under File menu select Open.
  
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
  
• The tool will start to run.
• When the tool opens click Yes to the disclaimer.
  
• Place a check next to List Drivers MD5 as well as the default check marks that are already there
• Press Scan button. It will do its scan and save a log on your flash drive.
  
• Close out of the message after that, then type in the text services.exe in to the "Search:" text box. Then, press the Search file(s) button, just as below:
  
  When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
  
• Type exit in the Command Prompt window and reboot the computer normally
• FRST will make a log (FRST.txt) on the flash drive and also the search.txt logfile, please copy and paste the logs in your reply.

• Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
• It is important to rename ComboFix before the download.
• Please do not rename ComboFix to other names, but only the one indicated.

• Close any open browsers.
• Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  
• Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
• If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.

• Double click on svchost.exe & follow the prompts.
  
• It will attempt to install the Recovery Console:

• When ComboFix finishes, it will produce a report for you.
• Please post the "C:\Combo-Fix.txt" in your next reply.
  

• Save aswMBR.exe to your Desktop
  
• Double click aswMBR.exe to run it
  
• Click the Scan button to start the scan as illustrated below
  

• Once the scan finishes click Save log to save the log to your Desktop
  
  
  
• Copy and paste the contents of aswMBR.txt back here for review
  

• Tick the box next to YES, I accept the Terms of Use
  
• Click Start
  
• When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so an install it.
• Click Start or wait for the scanner to load.
  
• Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
  
• Click Scan (This scan can take several hours, so please be patient)
  
• Once the scan is completed, there are a couple of things to keep in mind:
• 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
• 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
• Open the logfile from wherever you saved it
• Copy and paste the contents in your next reply.

• Slow computer
• Error messages
• Fake antivirus alerts or the icon in the system tray
• svchost.exe running at 100%
• System crashes or blue screen of death

• Go to Control Panel and select System and Maintenance
  
• Select System
  
• On the left select Advance System Settings and accept the warning if you get one
  
• Select System Protection Tab
  
• Select Create at the bottom
  
• Type in a name i.e. Clean
• Select Create

• Go back to the System and Maintenance page
  
• Select Performance Information and Tools
  
• On the left select Open Disk Cleanup
  
• Select Files from all users and accept the warning if you get one
  
• In the drop down box select your main drive i.e. C
• For a few moments the system will make some calculations:

• Select the More Options tab
  
  
• In the System Restore and Shadow Backups select Clean up
  
  
• Select Delete on the pop up
  
• Select OK
• Select Delete

• Save it to your Desktop.
  
• Double click OTC.exe.
  
• Click the CleanUp! button.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Firefox 15 is hanging and unresponsive. Tried re-installing etc. MB says it is clean and dds and adwcleaner say ok. IExplorer seems to be ok. Below is combo fix.
ComboFix 12-08-31.08 - Cesare 01/09/2012 12:52:46.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.2815.1325 [GMT 1:00]
Running from: c:\users\Cesare\Downloads\ComboFix.exe
AV: Lavasoft Ad-Aware *Enabled/Updated* {445B48C3-0FA4-6B16-8F07-6506F305D800}
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
FW: Lavasoft Ad-Aware *Disabled* {7C60C9E6-45CB-6A4E-A458-CC330DD69F7B}
SP: Lavasoft Ad-Aware *Enabled/Updated* {FF3AA927-299E-6498-B5B7-5E74888292BD}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Common Files\packardbell.ico
c:\programdata\FullRemove.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-01 to 2012-09-01 )))))))))))))))))))))))))))))))
.
.
2012-09-01 12:03 . 2012-09-01 12:03--------d-----w-c:\users\LogMeInRemoteUser\AppData\Local\temp
2012-09-01 12:03 . 2012-09-01 12:03--------d-----w-c:\users\Default\AppData\Local\temp
2012-09-01 08:11 . 2012-09-01 08:11--------d-----w-c:\program files (x86)\Malwarebytes' Anti-Malware
2012-09-01 08:11 . 2012-07-03 12:4624904----a-w-c:\windows\system32\drivers\mbam.sys
2012-09-01 07:15 . 2012-07-13 13:08504136----a-w-c:\windows\system32\EasyRedirect64.dll
2012-09-01 07:15 . 2012-07-13 13:08364360----a-w-c:\windows\SysWow64\EasyRedirect.dll
2012-09-01 07:14 . 2012-09-01 07:14--------d-----w-c:\program files\Easy-Hide-IP
2012-08-31 17:52 . 2012-08-23 08:269310152----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FBA07272-DF88-43EC-9087-B27B39FA6B1B}\mpengine.dll
2012-08-31 16:40 . 2012-08-31 16:40--------d-----w-c:\users\Cesare\AppData\Local\adaware
2012-08-31 16:40 . 2012-09-01 08:03--------d-----w-c:\programdata\Ad-Aware Browsing Protection
2012-08-31 16:40 . 2011-12-19 11:4460536----a-w-c:\windows\system32\drivers\sbhips.sys
2012-08-31 16:40 . 2011-12-19 12:2145936----a-w-c:\windows\system32\sbbd.exe
2012-08-31 16:40 . 2011-10-26 13:2357976----a-w-c:\windows\system32\drivers\sbredrv.sys
2012-08-31 16:40 . 2012-08-31 16:40--------d-----w-c:\programdata\Lavasoft
2012-08-31 16:40 . 2012-08-31 17:17--------d-----w-c:\program files (x86)\Ad-Aware Antivirus
2012-08-31 16:39 . 2012-08-31 16:39--------d-----w-c:\users\Cesare\AppData\Local\Downloaded Installations
2012-08-31 16:38 . 2012-08-31 18:25--------d-----w-c:\users\Cesare\AppData\Roaming\Ad-Aware Antivirus
2012-08-31 09:06 . 2012-06-26 10:25773968----a-w-c:\windows\system32\msvcr100.dll
2012-08-31 03:59 . 2009-05-18 12:1734152----a-w-c:\windows\system32\drivers\GEARAspiWDM.sys
2012-08-31 03:59 . 2008-04-17 11:12126312----a-w-c:\windows\system32\GEARAspi64.dll
2012-08-31 03:59 . 2008-04-17 11:12107368----a-w-c:\windows\SysWow64\GEARAspi.dll
2012-08-31 03:58 . 2012-08-31 03:58--------d-----w-c:\program files\iPod
2012-08-31 03:58 . 2012-08-31 03:59--------d-----w-c:\program files\iTunes
2012-08-31 03:58 . 2012-08-31 03:59--------d-----w-c:\program files (x86)\iTunes
2012-08-31 03:18 . 2012-08-31 03:18--------d-----w-c:\program files\Bonjour
2012-08-30 17:56 . 2012-08-30 17:56--------d-----w-c:\programdata\Okidata
2012-08-30 17:53 . 2012-08-23 08:269310152----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-30 17:48 . 2010-09-10 04:4967584----a-w-c:\windows\system32\okis2lna64.dll
2012-08-30 17:48 . 2010-01-27 05:05105984----a-w-c:\windows\system32\okscllna64.dll
2012-08-29 07:24 . 2012-08-29 07:24--------d-----w-c:\users\Cesare\AppData\Roaming\iFunbox_UserCache
2012-08-29 07:24 . 2012-08-29 07:24--------d-----w-c:\program files (x86)\i-Funbox DevTeam
2012-08-28 18:19 . 2012-08-28 18:19--------d-----w-c:\users\Cesare\AppData\Local\Macromedia
2012-08-28 18:04 . 2012-08-28 18:04--------d-----w-c:\program files (x86)\Common Files\IVA
2012-08-28 18:04 . 2012-08-28 18:04--------d-----w-c:\program files (x86)\Common Files\Nuance
2012-08-28 18:02 . 2012-08-28 18:02--------d-----w-c:\programdata\Macrovision
2012-08-28 17:35 . 2012-08-28 17:35--------d-----w-c:\program files (x86)\Creative
2012-08-28 12:29 . 2012-08-28 12:29--------d-----w-c:\users\Default\AppData\Local\Microsoft Help
2012-08-28 12:26 . 2012-08-28 12:26--------d-----w-c:\program files (x86)\Microsoft Security Client
2012-08-28 12:00 . 2003-11-10 17:14729088----a-w-c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKernel.dll
2012-08-28 12:00 . 2003-11-10 17:1369715----a-w-c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ctor.dll
2012-08-28 12:00 . 2003-11-10 17:12266240----a-w-c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iscript.dll
2012-08-28 12:00 . 2003-11-10 17:12192512----a-w-c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iuser.dll
2012-08-28 12:00 . 2003-11-10 17:115632----a-w-c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotNetInstaller.exe
2012-08-28 12:00 . 2012-08-28 12:00311428----a-w-c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll
2012-08-28 12:00 . 2012-08-28 12:00188548----a-w-c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iGdi.dll
2012-08-28 11:59 . 2012-08-28 11:59--------d-----w-C:\Live! Cam
2012-08-28 11:59 . 2007-06-14 08:5499328----a-w-c:\windows\CtDrvIns.exe
2012-08-28 11:59 . 2007-02-15 12:26811008----a-w-c:\windows\SysWow64\cximage.dll
2012-08-28 11:59 . 2005-07-07 00:0725088----a-w-c:\windows\system32\CtCamMgr.dll
2012-08-28 10:33 . 2012-08-28 10:33--------d-----w-c:\program files (x86)\Enigma Software Group
2012-08-28 10:31 . 2012-08-31 15:50--------d-----w-c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP
2012-08-28 10:31 . 2012-08-28 10:31--------d-----w-c:\program files (x86)\Common Files\Wise Installation Wizard
2012-08-28 10:26 . 2012-08-28 12:17426184----a-w-c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-28 10:24 . 2012-08-28 10:24--------d-----w-c:\users\Cesare\AppData\Local\Scansoft
2012-08-28 10:17 . 2012-02-09 13:17927800------w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-08-28 10:17 . 2012-02-09 13:17927800------w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E6383379-76B9-4ABD-AAAB-7777CCF30B6D}\gapaengine.dll
2012-08-28 10:05 . 2012-08-28 10:05--------d-----w-c:\windows\Temp250F8E53-DD37-B6DA-3FAD-F7846A9417EE-Signatures
2012-08-28 10:00 . 2012-03-01 06:4623408----a-w-c:\windows\system32\drivers\fs_rec.sys
2012-08-28 10:00 . 2012-03-01 06:3381408----a-w-c:\windows\system32\imagehlp.dll
2012-08-28 10:00 . 2012-03-01 05:33159232----a-w-c:\windows\SysWow64\imagehlp.dll
2012-08-28 10:00 . 2012-03-01 06:38220672----a-w-c:\windows\system32\wintrust.dll
2012-08-28 10:00 . 2012-03-01 06:285120----a-w-c:\windows\system32\wmi.dll
2012-08-28 10:00 . 2012-03-01 05:37172544----a-w-c:\windows\SysWow64\wintrust.dll
2012-08-28 10:00 . 2012-03-01 05:295120----a-w-c:\windows\SysWow64\wmi.dll
2012-08-28 09:30 . 2012-05-04 09:59514560----a-w-c:\windows\SysWow64\qdvd.dll
2012-08-28 09:30 . 2012-05-04 11:00366592----a-w-c:\windows\system32\qdvd.dll
2012-08-28 09:09 . 2012-08-28 09:09--------d-----w-c:\program files (x86)\Common Files\Skype
2012-08-28 09:04 . 2012-03-03 06:351544704----a-w-c:\windows\system32\DWrite.dll
2012-08-28 09:04 . 2012-03-03 05:311077248----a-w-c:\windows\SysWow64\DWrite.dll
2012-08-28 09:04 . 2012-05-05 08:36503808----a-w-c:\windows\system32\srcore.dll
2012-08-28 09:04 . 2012-05-05 07:4643008----a-w-c:\windows\SysWow64\srclient.dll
2012-08-28 09:03 . 2011-10-01 05:45886784----a-w-c:\program files\Common Files\System\wab32.dll
2012-08-28 09:03 . 2011-10-01 04:37708608----a-w-c:\program files (x86)\Common Files\System\wab32.dll
2012-08-28 09:03 . 2011-10-26 05:251572864----a-w-c:\windows\system32\quartz.dll
2012-08-28 09:03 . 2011-10-26 04:321328128----a-w-c:\windows\SysWow64\quartz.dll
2012-08-28 09:02 . 2012-01-04 10:44509952----a-w-c:\windows\system32\ntshrui.dll
2012-08-28 09:02 . 2012-01-04 08:58442880----a-w-c:\windows\SysWow64\ntshrui.dll
2012-08-28 09:01 . 2011-11-17 06:35395776----a-w-c:\windows\system32\webio.dll
2012-08-28 09:01 . 2011-11-17 05:35314880----a-w-c:\windows\SysWow64\webio.dll
2012-08-28 09:01 . 2012-06-06 06:062004480----a-w-c:\windows\system32\msxml6.dll
2012-08-28 09:01 . 2012-06-06 06:061881600----a-w-c:\windows\system32\msxml3.dll
2012-08-28 09:01 . 2012-06-06 05:051390080----a-w-c:\windows\SysWow64\msxml6.dll
2012-08-28 09:01 . 2012-06-06 05:051236992----a-w-c:\windows\SysWow64\msxml3.dll
2012-08-28 09:01 . 2010-06-26 03:552048----a-w-c:\windows\system32\msxml3r.dll
2012-08-28 09:01 . 2010-06-26 03:242048----a-w-c:\windows\SysWow64\msxml3r.dll
2012-08-28 09:00 . 2011-10-26 05:2143520----a-w-c:\windows\system32\csrsrv.dll
2012-08-28 09:00 . 2011-12-30 06:26515584----a-w-c:\windows\system32\timedate.cpl
2012-08-28 09:00 . 2011-12-30 05:27478720----a-w-c:\windows\SysWow64\timedate.cpl
2012-08-28 09:00 . 2012-02-11 06:43751104----a-w-c:\windows\system32\win32spl.dll
2012-08-28 08:59 . 2012-02-11 06:36559104----a-w-c:\windows\system32\spoolsv.exe
2012-08-28 08:59 . 2012-02-11 06:3667072----a-w-c:\windows\splwow64.exe
2012-08-28 08:59 . 2012-02-11 05:43492032----a-w-c:\windows\SysWow64\win32spl.dll
2012-08-28 08:58 . 2012-08-28 08:58--------d-----w-c:\programdata\InstallShield
2012-08-28 08:58 . 2012-08-28 08:58--------d-----w-c:\users\Cesare\AppData\Roaming\ScanSoft
2012-08-28 08:58 . 2012-06-09 05:4314172672----a-w-c:\windows\system32\shell32.dll
2012-08-28 08:58 . 2012-08-28 08:58--------d-----w-c:\program files (x86)\ScanSoft
2012-08-28 08:56 . 2012-05-01 05:40209920----a-w-c:\windows\system32\profsvc.dll
2012-08-28 08:55 . 2012-05-04 11:065559664----a-w-c:\windows\system32\ntoskrnl.exe
2012-08-28 08:55 . 2012-05-04 10:033968368----a-w-c:\windows\SysWow64\ntkrnlpa.exe
2012-08-28 08:55 . 2012-05-04 10:033913072----a-w-c:\windows\SysWow64\ntoskrnl.exe
2012-08-28 08:54 . 2011-08-17 05:26613888----a-w-c:\windows\system32\psisdecd.dll
2012-08-28 08:54 . 2011-08-17 04:24465408----a-w-c:\windows\SysWow64\psisdecd.dll
2012-08-28 08:54 . 2011-08-17 04:1975776----a-w-c:\windows\SysWow64\psisrndr.ax
2012-08-28 08:54 . 2011-08-17 05:25108032----a-w-c:\windows\system32\psisrndr.ax
2012-08-28 08:53 . 2012-04-28 03:55210944----a-w-c:\windows\system32\drivers\rdpwd.sys
2012-08-28 08:53 . 2011-12-28 03:59498688----a-w-c:\windows\system32\drivers\afd.sys
2012-08-28 08:52 . 2012-03-17 07:5875120----a-w-c:\windows\system32\drivers\partmgr.sys
2012-08-28 08:52 . 2012-04-07 12:313216384----a-w-c:\windows\system32\msi.dll
2012-08-28 08:52 . 2012-04-07 11:262342400----a-w-c:\windows\SysWow64\msi.dll
2012-08-28 08:52 . 2012-04-24 05:371462272----a-w-c:\windows\system32\crypt32.dll
2012-08-28 08:52 . 2012-04-24 05:37184320----a-w-c:\windows\system32\cryptsvc.dll
2012-08-28 08:52 . 2012-04-24 05:37140288----a-w-c:\windows\system32\cryptnet.dll
2012-08-28 08:52 . 2012-04-24 04:36140288----a-w-c:\windows\SysWow64\cryptsvc.dll
2012-08-28 08:52 . 2012-04-24 04:361158656----a-w-c:\windows\SysWow64\crypt32.dll
2012-08-28 08:52 . 2012-04-24 04:36103936----a-w-c:\windows\SysWow64\cryptnet.dll
2012-08-28 08:51 . 2012-07-04 22:1359392----a-w-c:\windows\system32\browcli.dll
2012-08-28 08:51 . 2012-07-04 22:13136704----a-w-c:\windows\system32\browser.dll
2012-08-28 08:51 . 2012-07-04 22:1673216----a-w-c:\windows\system32\netapi32.dll
2012-08-28 08:51 . 2012-07-04 21:1441984----a-w-c:\windows\SysWow64\browcli.dll
2012-08-28 08:50 . 2011-12-16 08:46634880----a-w-c:\windows\system32\msvcrt.dll
2012-08-28 08:50 . 2011-12-16 07:52690688----a-w-c:\windows\SysWow64\msvcrt.dll
2012-08-28 08:49 . 2012-07-18 18:153148800----a-w-c:\windows\system32\win32k.sys
2012-08-28 08:48 . 2012-05-14 05:26956928----a-w-c:\windows\system32\localspl.dll
2012-08-28 08:48 . 2011-08-27 05:37861696----a-w-c:\windows\system32\oleaut32.dll
2012-08-28 08:48 . 2011-08-27 05:37331776----a-w-c:\windows\system32\oleacc.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-28 12:17 . 2011-06-15 13:2570344----a-w-c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-03 03:27 . 2011-06-15 08:0262134624----a-w-c:\windows\system32\MRT.exe
2012-06-25 15:04 . 2012-06-25 15:041394248----a-w-c:\windows\SysWow64\msxml4.dll
2012-06-06 07:49 . 2012-06-06 07:491070152----a-w-c:\windows\SysWow64\MSCOMCTL.OCX
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty ENTRIES & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{73A89C60-CF59-4EC7-9215-9B7EF05ECEA4}]
2012-07-18 18:26195448----a-w-c:\program files (x86)\Nuance\NaturallySpeaking12\Program\ieshim.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:3694208----a-w-c:\users\Cesare\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:3694208----a-w-c:\users\Cesare\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:3694208----a-w-c:\users\Cesare\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:3694208----a-w-c:\users\Cesare\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-28 39408]
"Easy-Hide-IP"="c:\program files\Easy-Hide-IP\easy-hide-ip.exe" [2012-07-13 4612424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Ad-Aware Antivirus"="c:\program files (x86)\Ad-Aware Antivirus\AdAwareLauncher --windows-run" [X]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2011-10-21 198032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
c:\users\Cesare\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Cesare\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Stickies.lnk - c:\program files (x86)\Stickies\stickies.exe [2008-1-16 1122304]
Wi-Fire Connection Manager.lnk - c:\program files (x86)\hField Technologies, Inc\Wi-Fire Connection Manager\Wi-Fire Connection Manager.exe [2011-8-25 417792]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security PackagesREG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]
@="Ad-Aware Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
R2 Ad-Aware Service;Ad-Aware Service;c:\program files (x86)\Ad-Aware Antivirus\AdAwareService.exe [2012-07-12 1239952]
R2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.exe [2012-02-10 193816]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-28 135664]
R2 SBAMSvc;Ad-Aware;c:\program files (x86)\Ad-Aware Antivirus\SBAMSvc.exe [2011-12-19 3289032]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-28 250056]
R3 esgiguard;esgiguard;c:\program files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys

• Save aswMBR.exe to your Desktop
  
• Double click aswMBR.exe to run it
  
• Click the Scan button to start the scan as illustrated below
  

• Once the scan finishes click Save log to save the log to your Desktop
  
  
  
• Copy and paste the contents of aswMBR.txt back here for review
  

• Double click on AdwCleaner.exe to run the tool.
  
• Click on Search.
  
• A logfile will automatically open after the scan has finished.
• Please post the content of that logfile in your reply.
• You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

i reported a malware problem earlier, as a guest, but have since become a registered user. i'm being prompted to allow the installation of an ask toolbar. i removed everything "ask" related using revo uninstaller, but continued to RECEIVE the prompt. i followed the steps in the "malware removal guide" and am submitting the requested logs for review. also, i'm confused regarding step 6. i ran HJT, but took no action when i received the results of the scan. how do i proceed in regards to the scan results? thanks for all your help, you guys are doing a great job!

[recovering disk space - old attachment deleted by admin]Hello jpb759.

You have way too MUCH real-time antispyware running. This actually giving you less protection rather than more.

Winpatrol
SpySweeper
Malwarebytes

Disable either SpySweeper or Malwarebytes and just use it as an on-demand scanner. Winpatrol should be fine as it does not interfere with anything like the others do.

----------

Disable SpySweeper so it does not block any fixes.

You can re-enable it after we're done.

To disable SpySweeper:

• Open Spysweeper and click Options over to the left thenProgram Options and uncheck Load at windows startup
  
• Over to the left click Shields and uncheckeverything.
  
• UncheckHome page shield
  
• UncheckAutomatically restore default without notification

My friend gave me a lap top computer. It is an HP PAVILION dv6000. I can't tell you much else about it because it doesn't even TURN on. He said that it was locking up on him, and he gave it to someone that supposedly makes a living fixing computers, but after 6 weeks he gave it back and now it doesn't do anything. Is there something that I can do to try and get it working again.

Thank You,
SeanGo to Google and search for:
HP Pavilion dv6000 service

There are many sites that offer advice on HP products. Be aware that many of these are NOT free. And be very CAREFUL about downloading anything, EXPECT the service manual.
http://www.ebooksquad.com/2009/03/25/hp-pavilion-dv1600-service-manual-and-maintenance.html

My best guess is the battery is shot. But why didn't they catch that?

Took most of last night and today to sift through posts, google searches and to get my THOUGHTS together...so here goes.

2 weeks ago bought a verbatim 500G usb drive to use between my 3 machines, a desktop, a laptop and a netbook.
Yesterday I first noticed that I couldn't get to any hidden files with the laptop. Each time I tried to reset the folder options to show hidden files, it WOULD go right back to not show them. Tried with my desktop and same problem.
Checked my netbook and all was ok with hidden files, so I plugged in my USB drive and bang! Immediately lost the ability to see them. It then occured to me that it had to be spread thru the USB drive.

Since then I have identified 2 what I think are trojans on my machines, one named ca.exe and one named nodqq.exe. I'll cover one machine at a time and post the logs for each. The post is going to get waaay long, but I want to include as much info as might be necessary.

First thing I did was update all virus protection to Norton internet security 2010 and run scans. (All 3 machines)

First the logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:45 AM, on 5/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\Program Files\InstaVerse\InstaVerse.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\MySoftware\Newsflsh.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=laptop
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
O3 - Toolbar: FireShot - {6E6E744E-4D20-4ce3-9A7A-26DFFFE22F68} - C:\Documents and Settings\HomePro\Application Data\Mozilla\Firefox\Profiles\z4mprbi8.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\fsaddin-0.80.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\coIEPlg.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [tracker] C:\Program Files\MySoftware\MyInvoices\tracker.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [MSN Toolbar] "C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [InstaVerse] C:\Program Files\InstaVerse\InstaVerse.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: MySoftware NewsFlash.lnk = C:\Program Files\Common Files\MySoftware\Newsflsh.exe
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269371081812
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe

--
End of file - 8464 bytes





Norton Internet Security 2010 Logs

Category: Resolved Security Risks
Date & Time,Risk,Activity,Status,Recommended Action
5/1/2010 7:33 AM,High,ca.exe (ca.exe) DETECTED by SONAR,Quarantined,Resolved - No Action
5/1/2010 7:25 AM,High,nodqq.exe (nodqq.exe) detected by SONAR,Quarantined,Resolved - No Action
5/1/2010 1:34 AM,High,nodqq0.dll (Trojan.Packed.NsAnti) detected by Virus scanner,Quarantined,Resolved - No Action
5/1/2010 12:27 AM,High,p.exe (Trojan Horse) detected by Virus scanner,Quarantined,Resolved - No Action
5/1/2010 12:25 AM,High,plugin-newplayer.pdf (Bloodhound.PDF!gen) detected by Virus scanner,Quarantined,Resolved - No Action
5/1/2010 12:20 AM,High,nmdfgds0.dll (Trojan Horse) detected by Virus scanner,Quarantined,Resolved - No Action
5/1/2010 12:13 AM,Low,Tracking Cookies detected by Virus scanner,Removed,Resolved - No Action
5/1/2010 12:11 AM,High,5c244c96-38b87354 (Downloader) detected by Virus scanner,Quarantined,Resolved - No Action
5/1/2010 12:11 AM,High,Downloader detected by Virus scanner,Quarantined,Resolved - No Action
5/1/2010 12:11 AM,High,Downloader detected by Virus scanner,Quarantined,Resolved - No Action
5/1/2010 12:11 AM,High,Trojan Horse detected by Virus scanner,Quarantined,Resolved - No Action
5/1/2010 12:11 AM,High,Trojan Horse detected by Virus scanner,Quarantined,Resolved - No Action
5/1/2010 12:11 AM,High,Trojan Horse detected by Virus scanner,Quarantined,Resolved - No Action
5/1/2010 12:11 AM,High,Downloader detected by Virus scanner,Quarantined,Resolved - No Action
5/1/2010 12:06 AM,High,cdaudio.sys (Infostealer.Gampass) detected by Virus scanner,Quarantined,Resolved - No Action


Category: SONAR Activity
Date & Time,Risk,Activity,Status,Recommended Action
5/1/2010 7:33 AM,High,ca.exe (ca.exe) detected by SONAR,Quarantined,Resolved - No Action
5/1/2010 7:25 AM,High,nodqq.exe (nodqq.exe) detected by SONAR,Quarantined,Resolved - No Action



After scanning 3 TIMES and restarting each time, the SONAR from Norton picked up on nodqq.exe first and then ca.exe and quarantined them.

These items never showed up in the task manager, but nodqq.exe showed up in the start up list of msconfig. I deleted it from there and dumped the recycle bin. I then ran a search for them by Start>Search>filename and found nodqq.dll. I deleted and dumped that too.
I restarted and was able to reset folder options, so now I can see hidden files. I still have some issues though. In msconfig I have 1 blank line thats checked with no name and no command. Not sure if that's an issue. Also if I try to make any changes, I get an "access denied error" and says I should sign in as an administrator. Theres only 1 user on this machine which is an admin.
Not sure if I still have issues with this machine, But I'll also need to kill and remove these fro m the drive.
I appreciate any thoughts, It is a huge help that so many people take the time to share their expertise.



Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.

Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.

First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your DESKTOP.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
**************************************************
Re-running ComboFix to remove infections:

• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Open notepad and copy/paste the text in the quotebox below into it:
  Quote

  KillAll::
  
  DirLook::
  
  C:\.Trash-999
  
  

• SAVE this as CFScript.txt, in the same location as ComboFix.exe
  
  
  
  
• Referring to the picture above, drag CFScript into ComboFix.exe
• When finished, it shall produce a log for you at C:\ComboFix.txt
  
• Please post the contents of the log in your next reply.

• Double click it to start the tool.Vista and Windows7 run as administrator.
• Click Scan.
  
• Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.
  

The ones I don't recognize as programs I use are:
Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe (2924) -
Deluxe\PlayMovie\PMVService.exe (3216)
C:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe (3216)
C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\MWLService.exe (1612)

I'm curious about what the rest of this scan means, if you care to educate me a bit.

• Click on to download the ESET Smart Installer. Save it to your desktop.
  
• Double click on the icon on your desktop.
  

Is there any cleanup that I should do to uninstall some of these programs we've used to scour these bugs away? These programs you recommended to use in this process seem pretty tiny - is there any danger of leaving them installed?

When I ran the uninstall to Combofix, it didn't disappear the .exe file that was on my desktop where I'd downloaded it. So does that mean the uninstall program uninstalled ComboFix, but left the original file that installed ComboFix alone... and if I clicked on the .exe file of ComboFix I would reinstall it again?

Another one of the things that changed because of the attack was how the list of currently running programs is displayed on my task bar. These currently running programs used to be in a menu that took up a half an inch of space on my lower right corner. Since the attack, these programs are in a line, taking up three inches instead of a half inch. Also, I imagine I can replace the icons that used to be next to my "start" button by dragging them onto the task bar on the other side, but there used to be an icon there signifying "show desktop" that I'd like to have back too. I think that I'm remembering this change happened when I ran the "unhide" program.

I have some pretty strong suspicions of others messing around with my machine. Im not going to get into detail of who is doing it or for whatever reasons because in truth I dont know and because it will take a long long time.
Below is a picture of a supposedly freshly formatted Solid state drive. Whenever I format the drive it tells me that it has space used as you can see. The amount of space varies by filesystem it is the same drive under different filesystems. This does not only happen with this hard drive but with all of the drives I own.
So what I did today was to install windows XP and look for rootkits via a utility called TDSSKiller. To my surprise It found over 174 rootkits but I knew something was up from the start.. I really don't want to touch any Microsoft operating system anymore. The hole gets deeper tough when I attempt to run the program DBAN I cant use it. It tells me that the Hard DISKS might contain bad sectors yet in on other computer I can use the software. One possibility that I am getting that error might be hardware related issues but by any chance can a motherboard become infected?

What I will attempt is to run DBAN once again but am expecting the same result since Ive done it before I installed windows XP and found the rootkits.



[year+ old attachment deleted by admin]Quote from: Forward on July 01, 2012, 06:32:15 PM

Whenever I format the drive it tells me that it has space used as you can see. The amount of space varies by filesystem it is the same drive under different filesystems. This does not only happen with this hard drive but with all of the drives I own.

So what I did today was to install windows XP and look for rootkits via a utility called TDSSKiller. To my surprise It found over 174 rootkits but I knew something was up from the start..

The hole gets deeper tough when I attempt to run the program DBAN I cant use it. It tells me that the Hard disks might contain bad sectors yet in on other computer I can use the software. One possibility that I am getting that error might be hardware related issues but by any chance can a motherboard become infected?

What I will attempt is to run DBAN once again but am expecting the same result since Ive done it before I installed windows XP and found the rootkits.

I was stupidly downloading music and I must have come to some site that GAVE me a virus. I'm not TOO familiar with computers REALLY. Any help would be very APPRECIATED. This (possible) virus is really making me angry.

Is there something maybe I could do easily, because I'm at a point where I PROBABLY GOT the virus about five minutes before I got on this board. Is there a way to "quickly destroy" this virus?

Thanks in advance. Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.

Hello:
I am new to this community, am GLAD it exist. from reading the posts it seem that there are some serious help is available here. Well i need help, I really do.
I am running win 7 profetional on my Laptop(Dell Vostro 1700). I do run Adaware live, but iguess it is not good enough to catch what I have. My symtoms are that i keep getting notices from os saying I have been infected(See clip1 and 2 Attached) and the adaware is crippled, can't run task manager, it popsup for a sec and disappears and I keep getting this window(see clip3)wanting me to purchase anti malware from this site (*LINK REMOVED*). I also have in my icon and notification window(Clip4) a file labeled as Vfuxnrxtssd.exe that I have no idea what it is. I also have lost the use of dos window(cmd). So As you can see I need so serious help.
In most posts I have seen Super Dave(SD) who seem to be having very detailed help instructions and succcesses with people, So SD if you are out there I really need your help

Ardy



[recovering disk space - old attachment deleted by admin]Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.Hello DragonMaster Jay:
Thanks for the reply and help.... . it took me while. The infection is crippling...... it changes IE settings to proxy and keeps giving me all kinds of problems....any how ran combofix. it finished all stages and was deleting some files and backing up others when the OS gave me the blue screen of deth. I booted in safe mode and ran CF again this time it finished. here is the log file....

ComboFix 10-04-21.01 - Ardy 04/23/2010 21:23:23.2.2 - x86 MINIMAL
Running from: c:\users\Ardy\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\$recycle.bin\S-1-5-21-1361614194-4143690539-4151942459-1002
c:\$recycle.bin\S-1-5-21-1361614194-4143690539-4151942459-500
c:\$recycle.bin\S-1-5-21-2826133206-2312993737-4083541239-500
c:\$recycle.bin\S-1-5-21-918056312-2952985149-2686913973-500
C:\Images
c:\users\Ardy\AppData\Roaming\xolehlpy.dll
c:\windows\system32\win.ini
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

.
((((((((((((((((((((((((( Files Created from 2010-03-24 to 2010-04-24 )))))))))))))))))))))))))))))))
.

2010-04-24 04:30 . 2010-04-24 04:30--------d-----w-c:\users\Default\AppData\Local\temp
2010-04-24 04:22 . 2010-04-24 04:22--------d-----w-C:\32788R22FWJFW
2010-04-24 02:53 . 2010-04-24 02:53--------d-----w-c:\users\Ardy\AppData\Local\ktrfptpku
2010-04-23 17:01 . 2010-04-23 17:33--------d-----w-c:\temp\virus-tools
2010-04-23 14:55 . 2010-04-23 14:5561184----a-w-c:\users\Ardy\AppData\Local\syssvc.exe
2010-04-23 14:53 . 2010-04-23 14:53--------d-----w-c:\users\Ardy\AppData\Local\inngnjoss
2010-04-22 14:41 . 2010-04-23 02:07--------d-----w-c:\users\Ardy\AppData\Local\ewkjldovf
2010-04-22 14:25 . 2010-04-22 14:28--------d-----w-c:\temp\AllwaysSync
2010-04-22 02:31 . 2010-04-22 02:31--------d-----w-c:\temp\TFTP-Program
2010-04-16 01:17 . 2009-12-29 06:55172032----a-w-c:\windows\system32\wintrust.dll
2010-04-16 01:17 . 2010-02-27 07:32221696----a-w-c:\windows\system32\drivers\mrxsmb10.sys
2010-04-16 01:17 . 2010-02-27 07:3295744----a-w-c:\windows\system32\drivers\mrxsmb20.sys
2010-04-16 01:17 . 2010-02-27 07:32123392----a-w-c:\windows\system32\drivers\mrxsmb.sys
2010-04-16 01:17 . 2010-02-27 12:073954568----a-w-c:\windows\system32\ntkrnlpa.exe
2010-04-16 01:17 . 2010-02-27 12:073899280----a-w-c:\windows\system32\ntoskrnl.exe
2010-04-16 01:17 . 2010-03-08 21:33427520----a-w-c:\windows\system32\vbscript.dll
2010-04-16 01:17 . 2010-01-09 06:52132608----a-w-c:\windows\system32\cabview.dll
2010-04-13 21:26 . 2010-04-21 18:01193872----a-w-c:\programdata\Lavasoft\Ad-Aware\Defs\Extended\lib7zip.dll
2010-04-13 21:26 . 2010-04-21 18:011000784----a-w-c:\programdata\Lavasoft\Ad-Aware\Defs\Extended\lgpl.dll
2010-04-11 05:37 . 2010-04-11 05:38--------d-----w-c:\programdata\SSScanAppDataDir
2010-04-11 05:37 . 2010-04-11 05:37--------d-----w-c:\programdata\MSScanAppDataDir
2010-04-10 16:36 . 2010-04-10 16:36--------d-----w-c:\program files\Common Files\AnswerWorks 5.0
2010-04-10 16:32 . 2010-04-10 16:32--------d-----w-c:\users\Ardy\AppData\Local\IsolatedStorage
2010-04-10 16:26 . 2010-04-10 16:26--------d-----w-c:\program files\TurboTax
2010-04-10 16:10 . 2010-02-23 07:56977920----a-w-c:\windows\system32\wininet.dll
2010-04-07 23:30 . 2010-04-07 23:30--------d-----w-c:\users\Ardy\.jagex_cache_32
2010-04-03 15:33 . 2010-04-03 15:33--------d-----w-c:\program files\FileZilla FTP Client
2010-04-03 15:22 . 2010-04-06 17:18--------d-----w-c:\temp\TomCat_6.0.26
2010-04-03 14:54 . 2010-04-03 15:33--------d-----w-c:\temp\Filzilla-Ftp
2010-04-02 16:37 . 2010-04-02 16:370----a-w-c:\users\Ardy\jagex__preferences3.dat
2010-03-30 15:49 . 2010-03-30 15:4917632----a-w-c:\programdata\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2010-03-29 01:52 . 2010-04-22 03:211366----a-w-c:\users\Ardy\SDM-2.5-877W-c870-advipservicesk9-mz.124-15.T12.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-24 03:10 . 2008-11-19 05:08--------d-----w-c:\programdata\Google Updater
2010-04-23 19:53 . 2008-04-15 06:01--------d-----w-c:\users\Ardy\AppData\Roaming\ESRI
2010-04-22 15:33 . 2009-11-11 19:34--------d-----w-c:\program files\Allway Sync
2010-04-21 05:42 . 2010-03-17 00:50--------d-----w-c:\users\Ardy\AppData\Roaming\Skype
2010-04-21 00:51 . 2009-01-22 02:39--------d-----w-c:\users\Ardy\AppData\Roaming\skypePM
2010-04-16 02:24 . 2010-01-16 19:08--------d-----w-c:\programdata\WebEx
2010-04-16 02:07 . 2010-01-21 02:55--------d-----w-c:\users\Ardy\AppData\Roaming\webex
2010-04-16 02:07 . 2010-01-21 02:552211840----a-w-c:\programdata\WebEx\WebEx\924\atpdmod.dll
2010-04-16 02:07 . 2010-01-21 02:5598304----a-w-c:\programdata\WebEx\WebEx\924\atplayim.dll
2010-04-16 02:07 . 2010-01-21 02:55364544----a-w-c:\programdata\WebEx\WebEx\924\atarm.dll
2010-04-16 02:07 . 2010-01-21 02:5553248----a-w-c:\programdata\WebEx\WebEx\924\atcarmcl.dll
2010-04-16 02:07 . 2010-01-21 02:5524576----a-w-c:\programdata\WebEx\WebEx\924\atmemmgr.dll
2010-04-16 01:23 . 2007-11-12 02:34--------d-----w-c:\programdata\Microsoft Help
2010-04-12 14:34 . 2010-03-24 16:173757392----a-w-c:\programdata\Lavasoft\Ad-Aware\Defs\Extended\vcore.dll
2010-04-12 14:34 . 2010-03-24 16:17259408----a-w-c:\programdata\Lavasoft\Ad-Aware\Defs\Extended\remediation.dll
2010-04-12 14:33 . 2010-03-24 16:17226640----a-w-c:\programdata\Lavasoft\Ad-Aware\Defs\Extended\libZip.dll
2010-04-12 14:33 . 2010-03-24 16:17390480----a-w-c:\programdata\Lavasoft\Ad-Aware\Defs\Extended\libVvs.dll
2010-04-12 14:33 . 2010-03-24 16:17173392----a-w-c:\programdata\Lavasoft\Ad-Aware\Defs\Extended\libtd.dll
2010-04-12 14:33 . 2010-03-24 16:17296272----a-w-c:\programdata\Lavasoft\Ad-Aware\Defs\Extended\libRar.dll
2010-04-12 14:33 . 2010-03-24 16:17345424----a-w-c:\programdata\Lavasoft\Ad-Aware\Defs\Extended\libOleA.dll
2010-04-12 14:33 . 2010-03-24 16:17206160----a-w-c:\programdata\Lavasoft\Ad-Aware\Defs\Extended\libNSIS.dll
2010-04-12 14:33 . 2010-03-24 16:17177488----a-w-c:\programdata\Lavasoft\Ad-Aware\Defs\Extended\libMsi.dll
2010-04-12 14:33 . 2010-03-24 16:17283984----a-w-c:\programdata\Lavasoft\Ad-Aware\Defs\Extended\libEmail.dll
2010-04-12 14:33 . 2010-03-24 16:17206160----a-w-c:\programdata\Lavasoft\Ad-Aware\Defs\Extended\libCHM.dll
2010-04-10 16:37 . 2010-02-16 02:44147784----a-w-c:\users\Ardy\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-10 16:36 . 2008-08-08 06:12--------d-----w-c:\users\Ardy\AppData\Roaming\Intuit
2010-04-10 16:33 . 2008-08-08 05:51--------d-----w-c:\programdata\Intuit
2010-04-10 16:32 . 2008-08-08 03:21--------d-----w-c:\program files\Common Files\Intuit
2010-04-09 17:50 . 2009-10-07 21:15--------d-----w-c:\users\Ardy\AppData\Roaming\FileZilla
2010-04-08 01:16 . 2009-08-07 21:1241----a-w-c:\users\Ardy\jagex_runescape_preferences.dat
2010-04-08 01:00 . 2009-09-07 14:2569----a-w-c:\users\Ardy\jagex_runescape_preferences2.dat
2010-04-06 14:11 . 2009-12-20 16:42966104----a-w-c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-04-06 14:11 . 2009-12-20 16:381265264----a-w-c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-04-01 03:54 . 2008-09-27 22:43--------d-----w-c:\program files\AirPort
2010-03-22 22:37 . 2010-03-22 22:370---ha-w-c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2010-03-18 03:22 . 2010-01-20 05:371662----a-w-c:\users\Ardy\SDM-2.5-877W-c870-advipservicesk9-mz.124-2.T5.bin
2010-03-17 00:50 . 2010-03-17 00:49--------d-----r-c:\program files\Skype
2010-03-17 00:49 . 2010-03-17 00:49--------d-----w-c:\program files\Common Files\Skype
2010-03-17 00:49 . 2009-01-22 02:37--------d-----w-c:\programdata\Skype
2010-03-13 01:24 . 2010-03-24 16:1783280----a-w-c:\programdata\Lavasoft\Ad-Aware\Defs\Extended\kbu.dll
2010-03-09 00:15 . 2008-11-21 05:51--------d-----w-c:\program files\RegCure
2010-03-08 04:12 . 2010-03-08 04:1295024----a-w-c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-03-08 04:12 . 2009-10-27 17:2795024----a-w-c:\windows\system32\drivers\SBREDrv.sys
2010-03-08 04:12 . 2010-03-08 04:12566608----a-w-c:\programdata\Lavasoft\Ad-Aware\Update\sbap.dll
2010-03-08 04:12 . 2009-12-21 01:2115880----a-w-c:\windows\system32\lsdelete.exe
2010-03-08 04:12 . 2009-12-20 16:4715880----a-w-c:\programdata\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-03-08 04:12 . 2010-01-27 22:471230160----a-w-c:\programdata\Lavasoft\Ad-Aware\Update\SBTE.dll
2010-03-08 04:12 . 2010-01-27 22:47247120----a-w-c:\programdata\Lavasoft\Ad-Aware\Update\SBRE.dll
2010-03-08 04:11 . 2009-12-20 16:426330848----a-w-c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll
2010-03-08 04:11 . 2010-03-08 04:1117480----a-w-c:\programdata\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-03-08 04:10 . 2010-03-08 04:10735008----a-w-c:\programdata\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2010-03-08 04:10 . 2009-12-21 16:502270720----a-w-c:\programdata\Lavasoft\Ad-Aware\Update\ToolBox\LT\HostFileEditor.exe
2010-03-08 04:10 . 2010-03-08 04:1269936----a-w-c:\windows\system32\drivers\sbapifs.sys
2010-03-08 04:10 . 2010-03-08 04:1077616----a-w-c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\i386\sbapifsl.sys
2010-03-08 04:10 . 2010-03-08 04:1069936----a-w-c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\i386\sbapifs.sys
2010-03-08 04:10 . 2010-03-08 04:1013360----a-w-c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\i386\sbaphd.sys
2010-03-08 04:10 . 2009-12-21 16:492038272----a-w-c:\programdata\Lavasoft\Ad-Aware\Update\ToolBox\LT\ProcessWatch.exe
2010-03-08 04:10 . 2009-12-21 16:49104960----a-w-c:\programdata\Lavasoft\Ad-Aware\Update\ToolBox\AutoStart Manager\SO.dll
2010-03-03 22:54 . 2009-12-20 16:413803208----a-w-c:\programdata\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-27 20:11 . 2010-02-27 20:11--------d-----w-c:\programdata\PC Drivers HeadQuarters
2010-02-25 22:16 . 2010-01-16 19:08743224----a-w-c:\programdata\WebEx\WebEx\932\atsccust.dll
2010-02-25 22:16 . 2010-01-16 19:08356352----a-w-c:\programdata\WebEx\WebEx\932\sccustres.dll
2010-02-25 22:16 . 2010-01-16 19:0853248----a-w-c:\programdata\WebEx\WebEx\932\atcarmcl.dll
2010-02-25 22:16 . 2010-01-16 19:08364544----a-w-c:\programdata\WebEx\WebEx\932\atarm.dll
2010-02-25 22:16 . 2010-01-16 19:0824576----a-w-c:\programdata\WebEx\WebEx\932\atmemmgr.dll
2010-02-22 03:40 . 2010-02-22 03:41720896----a-w-c:\windows\iun6002.exe
2010-02-15 23:09 . 2010-02-15 23:0921316----a-w-c:\windows\system32\emptyregdb.dat
2010-02-15 19:54 . 2007-07-27 09:064268----a-w-c:\windows\bthservsdp.dat
2010-02-02 17:02 . 2010-01-27 22:48348160----a-w-c:\programdata\Lavasoft\Ad-Aware\Update\msvcr71.dll
2010-02-02 17:02 . 2010-01-27 22:48503808----a-w-c:\programdata\Lavasoft\Ad-Aware\Update\msvcp71.dll
2010-02-02 07:45 . 2010-02-27 15:232048----a-w-c:\windows\system32\tzres.dll
2010-01-27 22:49 . 2009-12-20 16:468----a-w-c:\programdata\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2007-07-27 09:18 . 2007-07-27 09:1876--sha-r-c:\windows\CT4CET.bin
2009-06-10 21:26 . 2009-07-14 02:049633792--sha-r-c:\windows\Fonts\StaticCache.dat
2007-11-11 05:03 . 2007-11-11 05:038--sha-r-c:\windows\System32\84463728C9.sys
2007-11-12 02:30 . 2007-11-11 05:032672--sha-w-c:\windows\System32\KGyGaAvL.sys
2009-07-14 01:14 . 2009-07-13 23:42396800--sha-w-c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-19 39408]
"TomTomHOME.exe"="c:\program files\TomTom HOME\TomTomHOMERunner.exe" [2009-11-13 247144]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-07-14 65024]
"Allway Sync"="c:\program files\Allway Sync\Bin\syncappw.exe" [2010-03-23 102168]
"qrwaffgj"="c:\users\Ardy\AppData\Local\inngnjoss\vfuxnrxtssd.exe" [2010-04-23 272640]
"ygwsslvv"="c:\users\Ardy\AppData\Local\ktrfptpku\dcowjmatssd.exe" [2010-04-24 272640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-06-27 405504]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-12 101136]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-08 3444736]
"EC Software TNT"="c:\program files\TNT\tnt.exe" [2004-04-05 4051456]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-19 13793824]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-08-19 92704]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-09-21 184320]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"SMART Board Service"="c:\program files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe" [2007-11-02 1283336]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2008-06-29 52168]
"WinSSHD Activation State Checker"="c:\program files\Bitvise WinSSHD\WinsshdActStateCheck.exe" [2009-12-02 216832]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-7-27 50688]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2008-11-11 02:262356088----a-w-c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
R2 ArcGIS License Manager;ArcGIS License Manager;c:\program files\ESRI\License\arcgis9x\lmgrd.exe [2008-08-02 1431440]
R2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2010-01-16 43920]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-13 133104]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-04-06 1265264]
R2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [2010-03-08 69936]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [2008-07-11 328992]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME\TomTomHOMEService.exe [2009-11-13 92008]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2006-10-20 37296]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R3 Ser2rs;Radioshack USB to Serial Driver;c:\windows\system32\DRIVERS\ser2rs.sys [2007-06-25 76288]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-27 1343400]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-09-23 64288]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2010-03-08 95024]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
iissvcsREG_MULTI_SZ w3svc was
apphostREG_MULTI_SZ apphostsvc
WindowsMobileREG_MULTI_SZ wcescomm rapimgr
LocalServiceRestrictedREG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2010-04-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-19 02:10]

2010-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-13 05:05]

2010-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-13 05:05]

2010-04-24 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 19:25]

2010-04-18 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 19:25]

2010-04-24 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-02-23 23:20]

2010-04-24 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2010-02-23 23:20]

2010-04-24 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-02-23 23:20]

2010-04-24 c:\windows\Tasks\User_Feed_Synchronization-{1D769DAF-DFF1-46DC-B064-2A61CE487549}.job
- c:\windows\system32\msfeedssync.exe [2009-07-13 01:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pesare-darya.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Trusted Zone: intuit.com\ttlc
DPF: {6F0C8A8F-8B0D-11D2-801B-00105AA78F4A} - hxxp://ecare4a.netopia.com/techsupport/ecare4/components/CobAgent_4.2.1.319.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{a298ed31-d405-40e2-880f-b7511948e582} - (no file)
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
HKLM-RunOnce- - (no file)
AddRemove-AnswerWorks - c:\program files\WexTech\AnswerWorks\Uninst.isu


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\SECURITY]
@Denied: (Full) (Everyone)
.
Completion time: 2010-04-23 21:32:34
ComboFix-quarantined-files.txt 2010-04-24 04:32

Pre-Run: 77,355,212,800 bytes free
Post-Run: 77,202,366,464 bytes free

- - End Of File - - 472B97925779E27AA20601FAAC0EFB90
Please do not attach logs. Instead, copy and paste them in to the post.

Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

• Make SURE a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this, will cause the infection to still be active on the computer.
• Please save the log to a location you will remember.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  
• Copy and paste the entire report in your next reply.

• Tick the box next to YES, I accept the Terms of Use
  
• Click Start
  
• When asked, allow the ActiveX control to install
• Click Start
  
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  
• Click Scan (This scan can take several hours, so please be patient)
  
• Once the scan is completed, you may close the window
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  
• Copy and paste that log as a reply to this topic

• Go to Control Panel and select System and Maintenance
  
• Select System
  
• On the left select Advance System Settings and accept the warning if you get one
  
• Select System Protection Tab
  
• Select Create at the bottom
  
• Type in a name i.e. Clean
• Select Create

• Go back to the System and Maintenance page
  
• Select Performance Information and Tools
  
• On the left select Open Disk Cleanup
  
• Select Files from all users and accept the warning if you get one
  
• In the drop down box select your main drive i.e. C
• For a few moments the system will make some calculations
• Select the More Options tab
  
• In the System Restore and Shadow Backups select Clean up
  
• Select DELETE on the pop up
  
• Select OK
• Select Delete

• Save it to your Desktop.
  
• Double click OTC.exe.
  
• Click the CleanUp! button.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes.

• Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• It will close all programs when run, so make sure you have saved all your work before you begin.
  
• Click the Start
  button to begin the process. Depending on how often you clean temp
  files, execution time should be anywhere from a few seconds to a minute
  or two. Let it run uninterrupted to completion.
  
• Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

• Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  
• Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  
• PC Tools Firewall Plus: free and excellent firewall.

• SpywareBlaster
  SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  
• Spybot - Search & Destroy.
  Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).
  

• Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  
• hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
  

• Firefox may be downloaded from here: http://www.getfirefox.com
  
• Opera is available here: http://www.opera.com/download/
  

I am having trouble opening any files, especially .exe files or update my virus protection, etc. Please help!

SuperDave, you commented on a similar problem a while back, post titled: Application cannot be executed. The file *** is infected. on: November 16, 2009, 09:44:38 AM

I am reluctant to follow suggestions without expert advice.... Thanks in advance!Hello.

RKill by Grinler
Link #1
Link #2
Link #3

• Download Link #1.
  
• Save it to your Desktop.
  
• Double click the RKill desktop icon.
  If you are using Vista please right click and run as Admin!
  
• A black screen will briefly flash indicating a successful run.
• If this does not occur please delete that application and download Link #2.
  
• Continue process until the tool runs.
• If the tool does not run from any of the links tell me about it.

• Start TASK Manager (Ctrl+Alt+Delete)
• Then find the following two processes:

• Once found, right-click on each of them and select End Process
  
  
• Once done. Then, try the tools again.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this, will cause the infection to still be active on the computer.
• Please save the log to a location you will remember.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  
• Copy and paste the entire report in your next reply.

• Tick the box next to YES, I accept the Terms of Use
  
• Click Start
  
• When asked, allow the ActiveX control to install
• Click Start
  
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  
• Click Scan (This scan can take several hours, so please be patient)
  
• Once the scan is completed, you may close the window
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  
• Copy and paste that log as a reply to this topic

If I enetr a search topic and then click on a link it takes me to E bay or some other site not connected to where I want to go, how do I prevent this? it started about 5 days ago thanks in advanceHello and welcome to COMPUTER Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!

Download SuperAntispyware Free Edition (SAS)
* Double-click the icon on your desktop to run the installer.
* When asked to UPDATE the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.

•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:

•Close browsers before scanning
•Scan for tracking cookies
•Terminate memory threats before quarantining
•Please leave the others unchecked

•Click the Close button to leave the control center screen.

* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose PERFORM Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes

•To retrieve the removal information please do the following:
•After reboot, double-click the SUPERAntiSpyware icon on your desktop.
•Click Preferences. Click the Statistics/Logs tab.

•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

•It will open in your default text editor (preferably Notepad).
•Save the notepad file to your desktop by clicking (in notepad) File > Save As...

* Save the log SOMEWHERE you can EASILY find it. (normally the desktop)
* Click close and close again to exit the program.
*Copy and Paste the log in your post.
*********************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• Please save the log to a location you will remember.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the entire report in your next reply.

Here is the ESET Log

[emailprotected] as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=58554bdb09dce644811fbe806f8fc97c
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-07-03 12:16:40
# local_time=2012-07-03 01:16:40 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 107290 107290 0 0
# compatibility_mode=768 16777215 100 0 75885219 75885219 0 0
# compatibility_mode=6401 16777213 66 100 348807 2879305 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=120787
# found=0
# cleaned=0
# scan_time=9941


The computer seems to be running fine now with the exception of a missing RUNDLL file upon start up. I have mentioned this before in my original post and in my shortend version.

Quote from: benni9000 on June 24, 2012, 02:14:36 PM

I got Metropolitan Police malware on my laptop. I followed the "read this before requesting malware removal help" post which seems to have stopped it, Now I just need to get rid of the damage? I think there are still some files left on my laptop from the malware and I am missing a RUNDLL file from the windows directory.

Unfortunatly I don't have the XP CD. I got the lap top with an XP downgrade as I didn't want Windows Vista. I have the Vista CD though.

I followed the FSC /Scannow instructions. It went through it all. There was no message after it finished so I assume everything was ok.

My computer has a trojan virus. There are so many pop-ups..and it randomly shuts down every half hour. how do i REMOVE this virus?Please visit this webpage for a tutorial on downloading and running ComboFix:

HTTP://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when DONE, POST the LOG back here.

APR (ARP Poison Routing) is a main feature of the program. It enables sniffing on switched networks and the hijacking of IP traffic between hosts. The name "ARP Poison Routing" derives from the two steps needed to PERFORM such unusual network sniffing: an ARP Poison Attack and routing packets to the correct destination. ...
http://www.oxid.it/ca_um/topics/apr.htm

Looking for some help on getting CONTROL of my computer back!! I am currently getting fake security warnings and am unable to run ANY program with the message "application cannot be executed". I was trying to install some removal tools but safe mode will not let me, and I can do nothing after a normal boot. Any help/knowledge is greatly appreciated!
-JeffPlease reboot to Safe Mode with Networking (tap the F8 key just before Windows starts to LOAD and select the Safe Mode with Networking option from the menu).

Please visit this webpage for a tutorial on downloading and running COMBOFIX:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the AREA: Using ComboFix, and when DONE, post the log back here.

Hi everyone

I got infected with various things. I ran malware bytes and hijack and think most is gone but would appreciate an expert review my logs

Here is malware logs

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3947

Windows 5.1.2600 Service PACK 2
Internet Explorer 6.0.2900.2180

4/24/10 10:36:08 AM
mbam-log-2010-04-24 (10-36-08).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 254838
Time elapsed: 1 hour(s), 54 minute(s), 7 second(s)

Memory PROCESSES Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 18
Registry Values Infected: 6
Registry DATA Items Infected: 7
Folders Infected: 10
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CscrptXt.CscrptXt (Adware.EZlife) -> Quarantined and DELETED successfully.
HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ezLife (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adhlpr.adhlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adhlpr.adhlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yvibbbha8c (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ezlife (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsf87efjhdsf87f3jfsdi7fhsujfd (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\gtsou\Local Settings\Application Data\vma.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\gtsou\Local Settings\Application Data\vma.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\gtsou\Local Settings\Application Data\vma.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Program Files\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Program Files\Smart-Ads-Solutions\SmartAds\1.5.2.0 (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Documents and Settings\gtsou\Application Data\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Documents and Settings\gtsou\Application Data\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Documents and Settings\gtsou\Application Data\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Documents and Settings\gtsou\Application Data\ezLife\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Program Files\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Program Files\ezLife\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Program Files\ezLife\ezLife\1.5.2.0 (Adware.EzLife) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\gtsou\Local Settings\Temp\waxsecrmon.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\gtsou\Local Settings\Temp\RarSFX0\hor0410e.exe (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\Program Files\Smart-Ads-Solutions\SmartAds\1.5.2.0\uninstall.exe (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Program Files\ezLife\ezLife\1.5.2.0\uninstall.exe (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\nsFFxSHot.xpt (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\Documents and Settings\gtsou\Local Settings\Temp\Qmm.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\gtsou\Local Settings\Application Data\vma.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\gtsou\Local Settings\Temp\services.exe (Password.Stealer) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\gtsou\Local Settings\Temp\win32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\gtsou\Local Settings\Temp\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\gtsou\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
and here is the hijack log...attachednot sure if the attachment worked and can't SEEM to paste text of hijack log

Testsorry...PLEASE IGNORE

I believe this is a virus but it may be something wrong with the files on the computer. It may be tl;dr but I need to list all the details.
Basically, I turned my pc on this morning and it came up with an error (can't remember what it said and I didn't think it was serious so didn't write it down. Anyway, there was a countdown and it said save any work before the computer is turned off. When I rebooted, the windows theme had reverted to CLASSIC rather than xp and when I tried to change this back in the control panel windows classic was the only option.
Another problem was I can't open ie and firefox can't find any webpages. My wireless connection is also down (this is probs the CAUSE of firefox failing) and the INTERNET connections page is blank when I try to view it. Sometimes a window called BTTray pops up and says "ERROR: Unable to start the Bluetooth stack service". Due to the lack of connection I'm on a DIFFERENT computer now.
Also, copy and paste is impossible so I cannot download files to fix it and TRANSFER them from computer to computer (unless drag works?).
I ran CCleaner to clean the registry and then tried to open Malwarebytes.
This comes up with "Run-time error '372':
Failed to load control 'vbalGrid' from vbalgrid6.ocx. Your version of vbalgrid6.ocx may be outdated. Make sure you are using the version of the control that was provided with your application.
Could this may Vundo?

Thanks for any help.I also cannot open Windows searchPlease visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.

Hey fellas,

A little bit help will be very appreciated

I've got some sort of virus which they want to open some sort of website
However, it got blocked by Malwarebytes

So, every few minutes, there will be this popup


I've tried scanning with both Bit defender and MBAM
And the virus keep on doing this

Here's the result from Hijackit
Code: [Select]Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Nitro PDF\NitroPDFDriverService.exe
C:\WINDOWS\system32\NLSSRV32.EXE
C:\Program Files\Raxco Perfect Disk 2008\PD91Agent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://go.microsoft.com/fwlink/?LinkId=69157[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]http://go.microsoft.com/fwlink/?LinkId=54896[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://go.microsoft.com/fwlink/?LinkId=54896[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://go.microsoft.com/fwlink/?LinkId=69157[/url]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - (no file)
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2010\IEToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2010\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [url]http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab[/url]
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. [url]http://www.bitdefender.com[/url] - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NitroPDFDriverCreatorReadSpool (NitroDriverReadSpool) - Nitro PDF Software - C:\Program Files\Nitro PDF\NitroPDFDriverService.exe
O23 - Service: NLS Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\NLSSRV32.EXE
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco Perfect Disk 2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco Perfect Disk 2008\PD91Engine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe

--
End of file - 8137 bytes

Please advise what I'm supposed to do....Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.I have used the ComboFix

And here's the result...
Code: [Select]ComboFix 10-04-21.01 - G 24/04/2010 11:10:29.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.314 [GMT 10:00]
Running from: d:\downloads\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Galih\Application Data\chrtmp
c:\windows\Fjamea.exe
c:\windows\Fjameb.exe
c:\windows\system32\OGACheckControl.dll

.
((((((((((((((((((((((((( Files Created from 2010-03-24 to 2010-04-24 )))))))))))))))))))))))))))))))
.

2010-04-23 12:33 . 2010-04-23 12:33 -------- d-----w- c:\program files\MSXML 4.0
2010-04-23 08:30 . 2010-04-23 08:30 4 ----a-w- c:\windows\system32\aspdict-en.dat
2010-04-23 08:30 . 2010-04-23 08:30 16 ----a-w- c:\windows\system32\asdict.dat
2010-04-23 08:21 . 2010-04-23 08:21 -------- d-----w- c:\documents and settings\Galih\Application Data\BitDefender
2010-04-23 08:20 . 2010-04-23 08:20 -------- d-----w- C:\Binaries
2010-04-23 08:19 . 2010-04-23 08:25 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-04-23 08:19 . 2010-04-23 08:20 -------- d-----w- c:\program files\BitDefender
2010-04-23 08:16 . 2010-04-23 08:20 -------- d-----w- c:\program files\Common Files\BitDefender
2010-04-23 05:35 . 2010-04-23 05:35 70656 --sha-r- c:\windows\system32\ialmuHUNT.dll
2010-04-23 05:32 . 2010-04-23 05:32 -------- d-----w- c:\program files\Common Files\Nitro PDF
2010-04-23 05:32 . 2010-04-23 05:32 104960 --sh--r- c:\documents and settings\Galih\Application Data\wayh.exe
2010-04-23 05:26 . 2010-04-23 05:26 -------- d-----w- c:\documents and settings\Galih\Application Data\Nitro PDF
2010-04-23 05:11 . 2009-12-15 23:50 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
2010-04-23 05:11 . 2009-12-15 23:50 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll
2010-04-23 05:11 . 2010-04-23 05:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Nitro PDF
2010-04-23 05:11 . 2010-04-23 05:32 -------- d-----w- c:\program files\Nitro PDF
2010-04-23 05:10 . 2010-04-23 05:10 -------- d-----w- c:\documents and settings\Galih\Application Data\Downloaded Installations
2010-04-17 12:11 . 2010-04-17 12:11 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-13 02:21 . 2010-04-13 02:21 -------- d-----w- c:\program files\Disable Spyware
2010-04-12 15:06 . 2010-04-23 13:45 -------- d-----w- c:\program files\Farm Mania 2
2010-04-12 15:05 . 2010-04-12 15:05 -------- d-----w- c:\program files\ReflexiveArcade
2010-04-11 10:45 . 2010-04-11 10:45 131 ----a-w- C:\DeletePrintJobs.cmd
2010-04-10 06:22 . 2010-04-10 06:22 -------- d-----w- c:\windows\system32\Futuremark
2010-04-10 06:22 . 2008-09-17 05:14 27672 ----a-r- c:\windows\system32\drivers\Entech.sys
2010-04-10 06:22 . 2010-04-10 06:22 -------- d-----w- c:\program files\Common Files\Futuremark Shared
2010-04-06 11:43 . 2010-04-06 11:43 -------- d-----w- c:\documents and settings\Galih\Local Settings\Application Data\Cranium_Consulting_and_Cu
2010-03-31 13:02 . 2010-03-31 13:02 -------- d-----w- c:\program files\iPod
2010-03-31 13:02 . 2010-04-06 11:45 -------- d-----w- c:\program files\iTunes
2010-03-31 13:02 . 2010-03-31 13:03 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-03-31 12:58 . 2010-03-31 12:59 -------- d-----w- c:\program files\QuickTime
2010-03-31 12:54 . 2010-03-31 12:54 -------- d-----w- c:\program files\Bonjour
2010-03-31 12:51 . 2010-03-31 12:51 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-03-31 09:20 . 2010-03-31 09:20 -------- d-----w- c:\program files\Common Files\Java
2010-03-31 09:20 . 2010-03-31 09:20 503808 ----a-w- c:\documents and settings\Galih\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-513900ed-n\msvcp71.dll
2010-03-31 09:20 . 2010-03-31 09:20 499712 ----a-w- c:\documents and settings\Galih\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-513900ed-n\jmc.dll
2010-03-31 09:20 . 2010-03-31 09:20 348160 ----a-w- c:\documents and settings\Galih\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-513900ed-n\msvcr71.dll
2010-03-31 09:20 . 2010-03-31 09:20 12800 ----a-w- c:\documents and settings\Galih\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7801014c-n\decora-d3d.dll
2010-03-31 09:20 . 2010-03-31 09:20 61440 ----a-w- c:\documents and settings\Galih\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7801014c-n\decora-sse.dll
2010-03-26 10:30 . 2010-03-26 10:30 -------- d-----w- c:\program files\Your Uninstaller 2010
2010-03-26 10:19 . 2010-03-26 10:23 -------- d-----w- c:\program files\VS Revo Group
2010-03-26 10:08 . 2010-03-26 10:09 -------- d-----w- c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-24 00:54 . 2009-02-15 01:41 -------- d-----w- c:\documents and settings\Galih\Application Data\DMCache
2010-04-23 08:42 . 2009-02-15 01:39 -------- d-----w- c:\program files\Internet Download Manager
2010-04-23 08:24 . 2009-02-15 01:40 -------- d-----w- c:\program files\Avast
2010-04-23 05:27 . 2009-03-18 11:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-22 12:51 . 2009-02-15 01:53 -------- d-----w- c:\documents and settings\Galih\Application Data\mIRC
2010-04-22 12:45 . 2009-02-15 01:53 -------- d-----w- c:\program files\mIRC
2010-04-18 02:29 . 2010-03-19 10:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-14 01:56 . 2009-02-15 01:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-10 06:22 . 2009-02-15 00:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-06 11:50 . 2010-03-16 13:27 -------- d-----w- c:\program files\iPhone Folders
2010-03-31 13:02 . 2009-02-16 08:27 -------- d-----w- c:\program files\Common Files\Apple
2010-03-31 09:18 . 2009-02-16 06:42 -------- d-----w- c:\program files\Java
2010-03-29 14:46 . 2010-03-19 10:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 14:45 . 2010-03-19 10:18 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 10:34 . 2009-08-11 11:56 -------- d-----w- c:\program files\Westward III Gold Rush
2010-03-26 10:34 . 2009-08-07 13:08 -------- d-----w- c:\program files\Ranch Rush
2010-03-26 10:30 . 2009-04-30 04:27 -------- d-----w- c:\documents and settings\Galih\Application Data\URSoft
2010-03-25 10:01 . 2009-04-08 11:32 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-23 13:58 . 2010-03-23 13:58 -------- d-----w- c:\documents and settings\Galih\Application Data\Leawo
2010-03-23 13:46 . 2010-03-23 13:45 9 ----a-w- c:\windows\system32\iPhone Video Converter0902.dat
2010-03-23 13:39 . 2010-03-23 13:39 -------- d-----w- c:\documents and settings\Galih\Application Data\ImTOO Software Studio
2010-03-23 13:19 . 2010-03-23 13:19 -------- d-----w- c:\documents and settings\Galih\Application Data\AnvSoft
2010-03-19 10:18 . 2010-03-19 10:18 -------- d-----w- c:\documents and settings\Galih\Application Data\Malwarebytes
2010-03-19 10:18 . 2010-03-19 10:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-19 09:36 . 2009-02-16 07:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-10 06:15 . 2005-01-07 00:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 17:28 . 2009-02-16 06:42 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-08 10:49 . 2010-03-08 10:49 -------- d-----w- c:\program files\Unlocker
2010-03-05 00:59 . 2009-02-15 01:41 -------- d-----w- c:\documents and settings\Galih\Application Data\IDM
2010-03-05 00:59 . 2009-04-21 10:28 198064 ----a-w- c:\documents and settings\Galih\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
2010-03-05 00:43 . 2009-04-21 10:26 3153784 ----a-w- c:\documents and settings\Galih\Application Data\IDM\idmupdt.exe
2010-02-28 10:45 . 2010-02-28 10:45 -------- d-----w- c:\program files\Audacity
2010-02-25 06:24 . 2005-01-07 00:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2005-01-07 00:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-22 04:58 . 2010-02-22 04:58 291352 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2010-02-16 14:08 . 2005-01-07 00:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2005-01-07 00:00 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2005-01-07 00:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 00:46 . 2010-02-12 00:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 00:46 . 2010-02-12 00:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-11 12:02 . 2005-01-07 00:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-03 03:57 . 2010-02-03 03:57 153448 ----a-w- c:\windows\system32\drivers\bdfm.sys
2010-02-03 03:56 . 2010-02-03 03:56 106464 ----a-w- c:\windows\system32\drivers\bdhv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2010-03-05 3179952]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2005-01-07 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2005-01-07 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2005-01-07 455168]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16380416]
"SkyTel"="SkyTel.EXE" [2007-06-15 1826816]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-25 142120]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-03-29 437584]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2010\IEShow.exe" [2009-10-19 71152]
"BDAgent"="c:\program files\BitDefender\BitDefender 2010\bdagent.exe" [2010-03-18 1123360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\RO\\FeelRO.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2010\bdvedisk.sys [22/09/2009 9:22 AM 83208]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [19/03/2010 8:18 PM 303952]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\NitroPDFDriverService.exe [16/12/2009 10:09 AM 188736]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [16/12/2009 10:11 AM 65856]
R2 PD91Agent;PD91Agent;c:\program files\Raxco Perfect Disk 2008\PD91Agent.exe [31/12/2008 12:12 PM 693512]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [3/02/2010 1:57 PM 153448]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [4/01/2010 7:41 PM 110984]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [19/03/2010 8:18 PM 20824]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [19/10/2009 5:06 PM 183880]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [24/05/2009 1:31 PM 16512]
S3 cpuz130;cpuz130;\??\c:\docume~1\Galih\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Galih\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 PD91Engine;PD91Engine;c:\program files\Raxco Perfect Disk 2008\PD91Engine.exe [31/12/2008 12:12 PM 910600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2010-04-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 01:34]

2010-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1637723038-725345543-1003Core.job
- c:\documents and settings\Galih\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-11 13:11]

2010-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1637723038-725345543-1003UA.job
- c:\documents and settings\Galih\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-11 13:11]
.
.
------- SUPPLEMENTARY Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
FF - ProfilePath - c:\documents and settings\Galih\Application Data\Mozilla\Firefox\Profiles\u7b16pg3.default\
FF - component: c:\documents and settings\Galih\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - PLUGIN: c:\documents and settings\Galih\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{7B13EC3E-999A-4B70-B9CB-2617B8323822} - (no file)
MSConfigStartUp-CTFMON - (no file)



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\SetID\Internal]
@Denied: (A 2) (LocalSystem)
"DATA"="<settings expireTime=\"0\" productStatus=\"1\" obSize=\"0\" InstallTS=\"2145870353\" isSubsc=\"0\" version=\"12.0.1\" timeDiff=\"1\" oldDevice=\"\" authStatus_ts=\"0\" />"
"Device"="yM29zbvPzMnLvrm+x8fPzce+zro="

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):63,72,23,a9,60,25,5b,06,89,9a,36,83,0c,5e,02,d7,79,17,31,5c,0a,
ac,fd,e8,ce,76,90,19,07,42,c6,43,89,dc,b0,3c,0b,1e,5b,54,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f3b10485-11ca-4f60-b05d-8e59c673246a}]
@Denied: (Full) (Everyone)
"Model"=dword:000000ab
"Therad"=dword:0000001f
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
Completion time: 2010-04-24 11:16:53
ComboFix-quarantined-files.txt 2010-04-24 01:16

Pre-Run: 36,559,245,312 bytes free
Post-Run: 36,781,961,216 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 07DD5740208AFCFC955E12270F2BCF43
GMER

Note about this tool:

• This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
• This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
• No matter what is in the log, please post all the information/contents of the log.

• Click NO
  
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  
• Now click the Scan button.

• Click OK.
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  
• Save it where you can easily find it, such as your desktop.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this, will cause the infection to still be active on the computer.
• Please save the log to a location you will remember.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  
• Copy and paste the entire report in your next reply.

• Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  
• In the field, type in ComboFix /uninstall

• Then, press Enter, or click OK.
• This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.

Hello,

I have been getting this error since yesterday, and I'm a bit confused on what to do. I am unable to open anything, because every time I try to do so, a pop up appears saying ''File cannot be executed. The file ______ is infected.'' I also get a lot of false antivirus alerts.

Any advice to completely recover my computer would be greatly appreciated.Hello! We need to do some diagnostics to get started.

1. Please download Profiles by noahdfear.

• Save it to your desktop.
• Double-click profiles.exe and post its log when you reply

• Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  
• When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  
• Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

• Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
• Double-click on Cheetah-Anti-Rogue.cmd to START.
• It will finish quickly and launch a log.
• Post the contents of it in your next reply.

• Profiles log (1)
• Win32kDiag log (2)
• Cheetah log (3)

• Download Link #1.
  
• Save it to your Desktop.
  
• Double click the RKill desktop icon.
  If you are using Vista please right click and run as Admin!
  
• A black screen will briefly flash indicating a successful run.
• If this does not occur please delete that application and download Link #2.
  
• Continue process until the tool runs.
• If the tool does not run from any of the links tell me about it.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this, will cause the infection to still be active on the computer.
• Please save the log to a location you will remember.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  
• Copy and paste the entire report in your next reply.

• This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
• This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
• No matter what is in the log, please post all the information/contents of the log.

• Click NO
  
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  
• Now click the Scan button.

• Click OK.
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  
• Save it where you can easily find it, such as your desktop.

I ran the sfc scan and it read there were corrup files and was unable to fix some of them. Computer didn't come with any disks, but I DOWNLOADED 2 recovery factory default disc and 1 DRIVER and APPLICATION backup disc from the computer. Do I need to use these on the computer? Also will I lose everthing on the computer? Again I appreciate all your help. Quote

Computer didn't come with any disks, but I downloaded 2 recovery factory default disc and 1 driver and application backup disc from the computer. Do I need to use these on the computer? Also will I lose everthing on the computer?

How do I do just repair. When I loaded first recovery disk it read full recovery or exit, there wasn't an option for repair. Also do I use the application disk? Thanks

I figured since I was having the same problem I would just post here instead of cluttering up the boards with the same problem. I hope you can help DragonMaster Jay.

Like arkainus I couldn't run any programs but the 2nd rkill WORKED for me... here are my logs:

Profiles log (1)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemRoot%\ServiceProfiles\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemRoot%\ServiceProfiles\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1897053417-4063430511-3002617753-1000
ProfileImagePath REG_EXPAND_SZ C:\Users\Mike

ProfileImagePath REG_EXPAND_SZ %SystemRoot%\ServiceProfiles\LocalService
ProfileImagePath REG_EXPAND_SZ %SystemRoot%\ServiceProfiles\NetworkService
SystemRoot REG_SZ C:\Windows

Cheetah log (3)

Cheetah-Anti-Rogue v1.4.1
by DragonMaster Jay

Microsoft Windows [Version 6.0.6002]
Date: 04/21/2010 - Time: 18:56:35 - Arch.: x86


-- Malware REMOVAL TOOLS check --
Malwarebytes' Anti-Malware


-- Known infection --



Extra message: Detection only.


EOF


The same thing that HAPPENED to arkainus happened to me with the 2nd program, I even GOT the same reply.Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 9:17:45 PM, on 4/20/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\pctuneup\PCTuneUp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll
O2 - BHO: Windows LIVE Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [PCTuneUp] C:\Program Files\pctuneup\PCTuneUp.exe -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1266679628421
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {A27C56D2-3F58-4ABB-AA31-1168EDA6636F} (PCMaticVer Class) - http://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of FILE - 6702 bytes
Hello, your comment has been removed. Please do not post malware advice, or post here in the malware forum, unless you NEED help. ~ DragonMaster JayHello, dlrudd66.

Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.

windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263093828140O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1265594445281... I know you guys don't like this but... bump. any IDEA whats going on? I still can't post that from my hjt in ONE post. i'm still getting a random NEW tab popup in firefox.

somthing new to add: there are a few files that ll my av/sas/Mbam scans seems to hangup on for quite some TIME, almost like they are huge files to scan; but they never hung up like this before recently.

scans still all come up negative.Do you get any messages from this site's ADMINISTRATION? The key to helping you is to get lots of scans and logs but it's impossible until we get this posting thing sorted out.

Well, after your last message I went into normal mode, and its fine. Was even able to get ONLINE.

Not sure what changed.

Next steps?

Thanks again! You have no idea how greatful I am!!!Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

4/17/2010 7:32:33 AM
mbam-log-2010-04-17 (07-32-33).txt

Scan type: Quick scan
Objects scanned: 102703
Time ELAPSED: 6 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Do a quick reboot TEST for Normal Mode.

Click Start > Shutdown > Reboot

two times so the machine reboots two times in total.

Let me know how fast it starts, and if it starts successfully.Im assuming by Reboot you mean Restart?

I will do that now. ok, restarted twice, into normal mode successfully. Its not BAD speed wise, could probably be faster, but that might have to do with some of my applications/memory capacity.

What's next? Do we want to continue and do the restore point and CLEAR the things I downloaded?Sure.

Shall we look for Sirefef or end topic?It's been exactly a week since I removed Sirefef.HC, and it hasn't returned yet, so I'd SAY it's highly UNLIKELY it'll come back.

Also, at the end of the MONTH I have my yearly reinstall planned.

So let's just close the topic. I'll mark it as solved.Since this topic appears solved, it is now CLOSED.

Somehow it says i have a virus but it's from those pop ups that aren't from the anti-virus programs that i have installed and they want me to pay for their services so i think they are shady.

I have run anti-spyware and anti-virus and it cannot find anything.

But the pop ups i've been getting say i have this Trojan-Bnk.Win.32. keylogger.Gen. so i'm not sure if it's a real virus.

I also don't know how i got this problem cause i have a firewall and anti-virus installed and i wasn't downloading anything or at a un-safe site.
Hello. Your comment has been removed. Please do not post in this section unless you need help. Thanks! ~DragonMaster JayHello curefreak.

Please visit this WEBPAGE for a TUTORIAL on downloading and running COMBOFIX:

HTTP://www.bleepingcomputer.com/combofix/how-to-use-combofix

Once you have accomplished that, please post the log back here for my review. If ComboFix will not run, please let me know.

Hello:

I just finished removing a rogue av program called "CLEANUP Antivirus" using instructions I found on bleepingcomputer.com which included using rkill and MALWAREBYTES. I see the MALWARE still exists in the msconfig STARTUP and services.msc (and who knows where else) for which I have disabled. I'm wondering if you can tell me where in the registry, or elsewhere, I can get rid of this altogether? The os is Win Vista.

Thanks.Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the AREA: Using ComboFix, and when done, post the log back here.Thanks Jay.

I'll need to do this tomorrow.ok

Spybot found and fixed 2 things Casale-media & DoubleClick.

Do you think we are done at this point?Quote from: dschoellkopf on June 27, 2012, 07:22:28 PM

Spybot found and fixed 2 things Casale-media & DoubleClick.

Do you think we are done at this point?

Thank you so much. Will do on the suggestions.

Re-run MBAM:

Code:
Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply..
********************************************************
Please try running ComboFix again and post the log, if successful.
Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.04.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
donnakeller :: DONNA [administrator]

Protection: Disabled

4/3/2012 9:40:06 PM
mbam-log-2012-04-03 (21-40-06).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra |

Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 227258
Time elapsed: 26 minute(s), 9 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Finally, a log from Combofix


ComboFix 12-03-30.06 - donnakeller 04/03/2012 22:31:57.1.1 - x86
Microsoft Windows XP Home EDITION 5.1.2600.3.1252.1.1033.18.991.687 [GMT -4:00]
Running from: c:\documents and settings\donnakeller\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgmfapx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgmfarx.dll
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgntdumpx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgrunasx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avi7.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\compat.ini
c:\documents and settings\All Users\Application Data\TEMP\AVG\crt_x64.msi
c:\documents and settings\All Users\Application Data\TEMP\AVG\files.dat
c:\documents and settings\All Users\Application Data\TEMP\AVG\htmlayout.dll
c:\documents and settings\All Users\Application Data\TEMP\AVG\incavi.avm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_cz.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_da.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_es.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_fr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ge.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_hu.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_id.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_in.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_it.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_jp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ko.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ms.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_nl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pb.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ru.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sc.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sk.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_tr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_us.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zh.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaconf.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfacz.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfada.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaes.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfafr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfage.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfahu.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaid.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfain.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfait.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfajp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfako.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfams.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfanl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapb.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaru.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfasc.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfask.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfasp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfatr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaus.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfavera.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaverx.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfazh.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfazt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\microavi.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\miniavi.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.dat
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.ini
c:\documents and settings\All Users\Application Data\TEMP\AVG\trialkey.dat
c:\documents and settings\All Users\Application Data\TEMP\AVG\vcredis1.cab
c:\documents and settings\All Users\Application Data\TEMP\AVG\vcredist.msi
c:\documents and settings\donnakeller\Application Data\Mozilla\Firefox\Profiles\cy3whktf.default\searchplugins\bing-zugo.xml
c:\documents and settings\donnakeller\Application Data\PriceGong
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\1.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\2229.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\4489.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\83.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\a.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\b.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\c.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\d.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\e.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\f.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\g.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\h.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\i.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\j.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\k.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\l.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\m.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\n.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\o.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\p.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\q.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\r.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\s.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\t.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\u.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\v.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\w.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\x.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\y.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\z.txt
c:\documents and settings\donnakeller\Application Data\Toolbar4
c:\documents and settings\donnakeller\WINDOWS
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\Cache
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\37841a1008243a4c.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\435a26ecf9452ea5.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\8e95f788b664f88b.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\bba3e843c2b7b474.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\dd8cff256a1cdad8.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\dds_log_ad13.cmd
c:\windows\system32\dds_log_trash.cmd
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2012-03-04 to 2012-04-04 )))))))))))))))))))))))))))))))
.
.
2012-04-04 01:40 . 2012-03-13 23:156582328----a-w-c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CDE759DC-3945-4FF0-8086-499178D5213E}\mpengine.dll
2012-04-03 00:32 . 2012-04-03 00:32--------d-----w-C:\TDSSKiller_Quarantine
2012-04-03 00:20 . 2012-03-13 23:156582328----a-w-c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-04-01 23:54 . 2012-04-01 23:54--------d-----w-c:\program files\Microsoft Security Client
2012-03-30 04:09 . 2012-03-30 04:09--------d-----w-c:\documents and settings\donnakeller\Application Data\SUPERAntiSpyware.com
2012-03-30 04:08 . 2012-03-30 04:09--------d-----w-c:\program files\SUPERAntiSpyware
2012-03-30 04:08 . 2012-03-30 04:08--------d-----w-c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-03-26 04:40 . 2008-04-13 17:4057600-c--a-w-c:\windows\system32\dllcache\redbook.sys
2012-03-26 04:40 . 2008-04-13 17:4057600----a-w-c:\windows\system32\drivers\redbook.sys
2012-03-25 06:53 . 2012-03-25 06:53--------d-----w-c:\documents and settings\donnakeller\Application Data\AVG Secure Search
2012-03-25 06:07 . 2012-03-25 06:07--------d-----w-C:\AVGTemp
2012-03-20 04:40 . 2012-03-20 04:40--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2012-03-20 03:54 . 2012-03-20 03:54--------d-----w-c:\program files\VS Revo Group
2012-03-20 03:49 . 2010-02-19 03:451079272----a-w-c:\program files\revosetup.exe
2012-03-19 03:02 . 2012-01-11 19:063072-c----w-c:\windows\system32\dllcache\iacenc.dll
2012-03-19 03:02 . 2012-01-11 19:063072------w-c:\windows\system32\iacenc.dll
2012-03-19 02:57 . 2012-03-19 02:57--------d-----w-c:\windows\system32\config\systemprofile\Application Data\IObit
2012-03-19 02:49 . 2012-03-19 02:52--------d-----w-c:\program files\TCPOptimizer
2012-03-18 20:50 . 2011-12-30 21:0321336----a-w-c:\windows\system32\RegistryDefragBootTime.exe
2012-03-18 20:15 . 2012-03-18 20:15--------d-----w-c:\documents and settings\All Users\Application Data\IObit
2012-03-18 20:14 . 2012-03-18 20:14--------d-----w-c:\documents and settings\donnakeller\Application Data\IObit
2012-03-18 20:14 . 2012-03-18 20:14--------d-----w-c:\program files\IObit
2012-03-18 20:03 . 2012-04-01 23:46--------d-----w-c:\documents and settings\donnakeller\Application Data\TeamViewer
2012-03-12 04:32 . 2012-03-12 04:32414368----a-w-c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-12 03:38 . 2012-03-12 03:38356556----a-w-c:\windows\system32\PerfStringBackup.TMP
2012-03-05 03:59 . 2012-03-05 03:59--------d-----w-c:\documents and settings\donnakeller\Application Data\Malwarebytes
2012-03-05 03:59 . 2012-03-05 03:59--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-05 03:22 . 2012-03-25 07:53--------d-----w-c:\documents and settings\Administrator
2012-03-05 03:20 . 2012-03-13 03:53--------d-----w-c:\documents and settings\All Users\Application Data\AVG Secure Search
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-03 09:22 . 2004-08-04 12:001860096---ha-w-c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2009-10-03 07:48237072------w-c:\windows\system32\MpSigStub.exe
2012-01-09 16:20 . 2007-12-24 14:00139784---ha-w-c:\windows\system32\drivers\rdpwd.sys
2010-08-06 16:31 . 2009-11-15 20:28119808---ha-w-c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nero PhotoShow Media Manager"="c:\progra~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe" [2006-05-10 249856]
"Advanced SystemCare 5"="c:\program files\IObit\Advanced SystemCare 5\ASCTray.exe" [2011-12-29 620376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-01-16 49152]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
c:\documents and settings\donnakeller\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-2-14 390432]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54551296----a-w-c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-08-06 16:3130192---ha-w-c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-03-12 04:38136176----atw-c:\documents and settings\donnakeller\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:121695232------w-c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-06-22 04:3368856---ha-w-c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LIMEWIRE\\LimeWire.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\GPhotos.scr"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe"=
"c:\\WINDOWS\\system32\\msfeedssync.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Google\\Picasa3\\PicasaUpdater.exe"=
"c:\\Program Files\\Google\\Picasa3\\Picasa3.exe"=
"c:\\WINDOWS\\system32\\wscript.exe"=
"c:\\Documents and Settings\\donnakeller\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Documents and Settings\\donnakeller\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\IObit\\Advanced SystemCare 5\\ASC.exe"=
"c:\\Program Files\\IObit\\Advanced SystemCare 5\\AutoUpdate.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\VS Revo Group\\Revo Uninstaller\\revouninstaller.exe"=
.
R1 mchInjDrv;madCodeHook DLL injection driver;c:\windows\system32\drivers\mchInjDrv.sys [1/28/2009 3:28 PM 2560]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [3/18/2012 4:14 PM 497496]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 7:15 PM 135664]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/20/2012 12:40 AM 652360]
S2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe --> c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe [?]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [6/22/2008 12:34 AM 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 7:15 PM 135664]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmtREG_MULTI_SZ hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dladresn
nimcdfxk
isamsmt
mr2kserv
CVPND
E1000
atalk
screadspool
rt73
s716bus
opcenum
rpcnet
FVXSCSI
websensecommunicationagent
mi-raysat_3dsmax9_32
houdiniserver
HPSLPSVC
iksysflt
61883
bvrp_pci
CrystalSysInfo
iaimfp2
w550mdm
wampmysqld
irsir
MxlW2k
TPPWRIF
DfwWebAgent
hwdatacard
CAM1210
bthport
TryAndDecideService
SunkFilt
cis1284
AmeLanPc
PGPdisk
prosync1
sfrem01
RR2Mjpeg
winmtsrv
w800bus
uclauncherservice
ipsraidn
apphostsvc
SNC
TPM
fsbwsys
magictuneengine
HFACSVC
enethusb
areschatserver
asp.net
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 04:39]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 04:39]
.
2012-04-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-573735546-682003330-1004Core.job
- c:\documents and settings\donnakeller\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-12 04:38]
.
2012-04-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-573735546-682003330-1004UA.job
- c:\documents and settings\donnakeller\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-12 04:38]
.
2012-04-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
2012-04-04 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
2012-04-04 c:\windows\Tasks\User_Feed_Synchronization-{1E05FE6E-10DE-4035-830E-8D851BC6B289}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://home.joobers.com/
uSearchAssistant = hxxp://search.joobers.com/toolbar/SearchAssistant
uCustomizeSearch = hxxp://search.joobers.com/toolbar/CustomizeSearch
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: cnet.com\download
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll
FF - ProfilePath - c:\documents and settings\donnakeller\Application Data\Mozilla\Firefox\Profiles\cy3whktf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3007394&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3007394&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://www.basicscan.com/?tmp=nemo_results_removelink&prt=BscscnPB&keywords=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: ShopAtHome.com Intelligent Shopping Toolbar: [emailprotected] - %profile%\extensions\[emailprotected]
FF - Ext: vShare: [emailprotected] - %profile%\extensions\[emailprotected]
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: PHPNukeEN Community Toolbar: {dd02a4eb-4afd-4d60-99d8-e67f964ca813} - %profile%\extensions\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}
FF - Ext: WhiteSmoke Bar Community Toolbar: {167d9323-f7cc-48f5-948a-6f012831a69f} - %profile%\extensions\{167d9323-f7cc-48f5-948a-6f012831a69f}
FF - Ext: Java Quick Starter: [emailprotected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Security Toolbar: [emailprotected] - c:\documents and settings\All Users\Application Data\AVG Secure Search\10.0.0.7
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll
Toolbar-{95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKLM-Run-NWEReboot - (no file)
HKLM-Run-hpqSRMon - (no file)
HKLM-Run-SelectRebates - c:\program files\SelectRebates\SelectRebates.exe
HKLM-Run-ROC_roc_dec12 - c:\program files\AVG Secure Search\ROC_roc_dec12.exe
HKLM-Run-vProt - c:\program files\AVG Secure Search\vprot.exe
MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG2012\avgtray.exe
AddRemove-648f1ec7 - c:\windows\system32\648f1ec7.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-03 22:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(704)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2756)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\VTTimer.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\system32\GPhotos.scr
.
**************************************************************************
.
Completion time: 2012-04-03 22:52:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-04 02:52
.
Pre-Run: 6,865,932,288 bytes free
Post-Run: 6,980,030,464 bytes free
.
- - End Of File - - BE106CED2EAA598FC57971758C7ACBAB
P2P - I see you have P2P software installed on your machine. (LimeWire)We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
***************************************************
Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.

First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
****************************************************
SysProt Antirootkit

Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

• Double click Sysprot.exe to start the program.
• Click on the Log tab.
• In the Write to log box select the following items.
• Process << Selected
  
• Kernel Modules << Selected
  
• SSDT << Selected
  
• Kernel Hooks << Selected
  
• IRP Hooks << NOT Selected
  
• Ports << NOT Selected
  
• Hidden Files << Selected
  
• At the bottom of the page
• Hidden Objects Only << Selected
  
• Click on the Create Log button on the bottom right.
• After a few seconds a new window should appear.
• Select Scan Root Drive. Click on the Start button.
• When it is complete a new window will appear to indicate that the scan is finished.
• The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

• Click on to download the ESET Smart Installer. Save it to your desktop.
  
• Double click on the icon on your desktop.
  

Also I have pending windows updates Ive yet to install because I didnt want to change anything while weve been working at this. Is it safe to do so now? A pop up to upgrade to internet explorer 8 keeps coming up, but according to i.e, im already running i.e 8? The contexual toolbar which was in add/remove programs previously alerted me with threat detections (from avg) everytime i attempted to uninstall it from there. That tool bar is now gone from the add/remove programs which according to a google search, it was not a good file for my computer! Other than that, anything else I can take a look at to see if computer is indeed running better?

• Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  
• In the field, type in ComboFix /uninstall
  

• Then, press Enter, or click OK.
  
• This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.
  

Am I to delete the
sysprot folder, TDSKILLER, ANTI-MALLWARE BYTES, SPYWARE SWEEPER along with all the setup files for the other programs that I wont be keeping? Are all the logs now safe to delete?

Please run SysProt-AntiRootkit and post the log.

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

• Click on to download the ESET Smart Installer. Save it to your desktop.
  
• Double click on the icon on your desktop.
  

Google opens a new window now if I open one of my favourite sites up

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Firewall

• Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  
• Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The OPTIONAL security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  
• PC Tools Firewall Plus: free and excellent firewall.

• SpywareBlaster
  SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  
• Spybot - Search & Destroy.
  Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).
  

• Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the LATEST critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  
• hpHosts file replaces your current HOSTS file with one containing well known ad sites and other BAD sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
  

• Firefox may be DOWNLOADED from here: http://www.getfirefox.com
  
• Opera is available here: http://www.opera.com/download/
  

Usually on the first boot of the day, I get the "Windows Explorer has encountered an error and needs to close" statement. I researched previous entries on the topic, and found an old one from 2008, which pointed to a malware problem.

Is this always the case ? I have been using Avira forever, and periodically run Ad-Aware and Spybot, and lately Advanced System CARE. (I also used CC cleaner last year). I will install a firewall now, because I noticed that Windows firewall is not perfect.

I'm using WinXP 2002 SP3.

I have the TECHNICAL error data for the Explorer problem, if anyone needs that to give me advice.
Thanks in advance (my first POST)Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.Thanks. I ran the Malware removal recommendations and that cured the problem. I will keep your Combofix suggestion for further use.

Thank you very muchActually, don't use ComboFix in the future without supervision of an expert. Come back here for any further problems. If used unsupervised, ComboFix can cause damage to your operating system, and can create other severe issues. Thanks.

To uninstall ComboFix

• Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  
• In the field, type in ComboFix /uninstall

• Then, press Enter, or click OK.
• This will uninstall ComboFix, delete its folders and files, hides System files and folders, and RESETS System Restore.

I've just run HJT.
Can you please check the log for unwanted entries and advise as to which ones I should remove.
Thanks

[recovering disk space - old attachment deleted by admin]Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

- R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

- O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1103470 -\"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB6.4; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; AskTB5.6)\" -\"htt p://www.miniclip.com/games/tropi-golf/en/\"

- O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Go to add remove programs and uninstall anything with Norton, Symantec or Live Update (Symantec Corporation) in the name.

Download the Norton Removal Tool (SymNRT) to your desktop.

Once downloaded please close ALL open browsers, also save any work because this may require a restart.

* Go to your desktop and double click on the 'Norton_Removal_Tool' and then click Setup.
* Once open Click Next
* Accept the license agreement and click Next
* Type in the letters/numbers that you see into the text box then click Next.
* Then click Next and the tool will start running.
* Once finished restart the PC.
* Delete the 'Norton_Removal_Tool' from your desktop.

----------

Download Disable/Remove Windows MESSENGER to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.

----------


- How is the computer running now and why did you start this topic?
- Did you have a malware issue?Hi Evil,

Thanks for your help.

I'm running a small network at home and I've receently had problems on one of the computers.
Super Dave has been helping me out which has been brilliant and we've almost resolved everything.
The log I posted here was for another machine which has also been 'playing up'
I was unsure whether to start a NEW THREAD (seeing as though it is a seperate computer) and I thought this would be best so as not to confuse the two issues.

It seems to be better but it still takes an age to boot up and can be very slow when using.
Is there anything else you can suggest to get it moving faster.

Many thanks

DavidHave you done a defrag lately?Yes, still not that great.
Any other suggestions?
ThanksIf you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your ANTIVIRUS and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix