Topic: Virus has taken control

diggerdave (Topic Starter, Rookie)

    Virus has taken control
    « on: July 13, 2010, 05:18:47 PM »
    I am currently unable to run Spybot, Malwarebytes or SUPERAntiSpyware. I am able to run AVG, but it shows nothing. Any internet sites that reference the above antivirus programs are redirected. I disabled TeaTimer, ran CCleaner and updated Java. I am attaching the HijackThis log.

    [recovering disk space - old attachment deleted by admin]

    diggerdave (Topic Starter, Rookie)

      Re: Virus has taken control
      « Reply #1 on: July 14, 2010, 10:19:58 AM »
      I was able to run superantivirus and Spybot from safe mode. superantivirus found nothing. Spybot found and removed win32.fraudload. I was unable to run Malwarebytes. It produced the error message "mbam_error_expanding_varriables_(0,9)". I removed it and reinstalled it, but the result is the same.

      diggerdave (Topic Starter, Rookie)

        Re: Virus has taken control
        « Reply #2 on: July 14, 2010, 06:09:04 PM »
        After reboot I was able to reinstall Malwarebytes and run it. It found and removed trojan.fakealert and trojan.agent. I ran HijackThis again and have attached the log.

        [recovering disk space - old attachment deleted by admin]

        SuperDave (Malware Removal Specialist, Moderator)

        Re: Virus has taken control
        « Reply #3 on: July 15, 2010, 06:35:40 PM »
        Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

        1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
        2. The fixes are specific to your problem and should only be used for this issue on this machine.
        3. If you don't know or understand something, please don't hesitate to ask.
        4. Please DO NOT run any other tools or scans while I am helping you.
        5. It is important that you reply to this thread. Do not start a new topic.
        6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
        7. Absence of symptoms does not mean that everything is clear.

        Please do not attach the logs. Copy and paste them in your replies.

        Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

        Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

        Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

        Exit out of MessengerDisable then delete the two files that were put on the desktop.

        ==================================

        Open HijackThis and select Do a system scan only

        Place a check mark next to the following entries: (if there)

        O2 - BHO: (no name) - {69D72956-317C-44bd-B369-8E44D4EF9801} - (no file)
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)


        Important: Close all open windows except for HijackThis and then click Fix checked.

        Once completed, exit HijackThis.

        ===================================

        Download ComboFix by sUBs from one of the below links. 

        Important! You MUST save ComboFix to your desktop

        link # 1
        Link # 2

        Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

        Double click on ComboFix.exe & follow the prompts.

        Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

        Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

        When the scan completes it will open a text window.
         
        Post the contents of that log in your next reply.

        Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.

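The entries the helper lists above share one shape: a line type (O2, O9, O18), a display name, a CLSID and the file the registry entry points at. Two of the four carry "(no file)" or "(file missing)", meaning the registry still references a component that is gone, which is exactly what a malware-removal helper looks for first. As an added example that is not part of this thread and not part of HijackThis itself, here is a small Python parser that reads lines of that shape and classifies each one: orphan (target missing), user-writable (target loads from outside Program Files or Windows), or ok. The sample lines, the regex, the `TRUSTED_ROOTS` list (chosen to match this machine, whose Program Files are split across C: and G: in the log) and the placeholder CLSID on the last sample line are all this example's own constructions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the HijackThis lines quoted in the thread:
# the helper's entries plus two lines added here for contrast (one benign BHO
# and one entry loading from a user-profile path, with a placeholder CLSID).
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {69D72956-317C-44bd-B369-8E44D4EF9801} - (no file)
O2 - BHO: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\ZoneAlarm\tbZone.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - c:\documents and settings\user\Application Data\example.dll
"""

# One CLSID-bearing HijackThis entry: "<kind> - <label>: <name> - {CLSID} - <target>"
HJT_LINE = re.compile(
    r"^(?P<kind>O\d+)\s+-\s+(?P<label>[^:]+):\s+(?P<name>.*?)\s+-\s+"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s+-\s+(?P<target>.+)$"
)


@dataclass
class Entry:
    kind: str
    label: str
    name: str
    clsid: str
    target: str


def parse_hjt(text):
    """Return the entries matching the CLSID-bearing line shape; other line types are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(**m.groupdict()))
    return entries


ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Assumed install roots for this machine (the log shows Program Files on both C: and G:).
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows", r"g:\program files")


def classify(entry):
    target = entry.target.lower()
    if any(marker in target for marker in ORPHAN_MARKERS):
        return "orphan"          # registry still references a file that no longer exists
    if not target.startswith(TRUSTED_ROOTS):
        return "user-writable"   # component loads from outside Program Files / Windows
    return "ok"


def triage(text):
    """(kind, clsid, verdict) for every parsed entry, in log order."""
    return [(e.kind, e.clsid, classify(e)) for e in parse_hjt(text)]


if __name__ == "__main__":
    for kind, clsid, verdict in triage(SAMPLE_HJT):
        print(f"{verdict:13} {kind:4} {clsid}")
```

The orphan verdict is the safe one to act on: a "(no file)" BHO or a protocol handler whose DLL is missing can be removed without losing anything, which is why such entries appear in fix lists like the one above. The user-writable verdict is only a prompt to look closer, since legitimate per-user add-ons also live under the profile.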

        diggerdave (Topic Starter, Rookie)

          Re: Virus has taken control
          « Reply #4 on: July 15, 2010, 07:26:38 PM »
          Neither of the 09 entries were shown in hijackthis.

          ComboFix 10-07-15.01 - David 07/15/2010  18:15:59.2.1 - x86
          Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1983.1211 [GMT -7:00]
          Running from: c:\documents and settings\David\Desktop\ComboFix.exe
          AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
          AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
          FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
          .

          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          c:\documents and settings\David\Application Data\996cb2e5.exe
          C:\Tmp3C.tmp
          c:\windows\desktop
          c:\windows\system32\gotomon.log

          .
          (((((((((((((((((((((((((   Files Created from 2010-06-16 to 2010-07-16  )))))))))))))))))))))))))))))))
          .

          2010-07-15 16:41 . 2010-07-15 16:41   813336   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
          2010-07-15 16:41 . 2010-07-15 16:41   624920   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
          2010-07-15 16:41 . 2010-07-15 16:41   1690464   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
          2010-07-15 16:41 . 2010-07-15 16:41   1038688   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
          2010-07-14 23:05 . 2010-06-14 14:31   744448   -c----w-   c:\windows\system32\dllcache\helpsvc.exe
          2010-07-14 15:38 . 2010-04-29 22:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
          2010-07-14 15:38 . 2010-07-14 17:29   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
          2010-07-14 15:38 . 2010-04-29 22:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
          2010-07-14 04:37 . 2010-07-14 04:37   --------   d-----w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
          2010-07-14 04:36 . 2010-07-14 04:36   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Stardock
          2010-07-13 23:08 . 2010-07-13 23:08   388096   ----a-r-   c:\documents and settings\David\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
          2010-07-13 23:05 . 2010-07-13 23:05   --------   d-----w-   c:\program files\Common Files\Java
          2010-07-13 23:00 . 2010-07-13 23:00   503808   ----a-w-   c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7bf4aee4-n\msvcp71.dll
          2010-07-13 23:00 . 2010-07-13 23:00   61440   ----a-w-   c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-45efd0f3-n\decora-sse.dll
          2010-07-13 23:00 . 2010-07-13 23:00   499712   ----a-w-   c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7bf4aee4-n\jmc.dll
          2010-07-13 23:00 . 2010-07-13 23:00   348160   ----a-w-   c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7bf4aee4-n\msvcr71.dll
          2010-07-13 23:00 . 2010-07-13 23:00   12800   ----a-w-   c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-45efd0f3-n\decora-d3d.dll
          2010-07-13 22:59 . 2010-07-13 22:59   411368   ----a-w-   c:\windows\system32\deployJava1.dll
          2010-07-13 22:59 . 2010-07-13 22:59   --------   d-----w-   c:\program files\Java
          2010-07-13 20:39 . 2010-07-13 20:39   61752   ----a-w-   c:\windows\system32\drivers\pxrts.sys
          2010-07-13 20:39 . 2010-07-13 20:39   24400   ----a-w-   c:\windows\system32\drivers\pxkbf.sys
          2010-07-10 17:01 . 2010-07-10 17:01   --------   d-----w-   c:\documents and settings\David\Local Settings\Application Data\Identity Finder
          2010-07-10 16:59 . 2010-07-10 17:01   --------   d-----w-   c:\program files\Identity Finder 4
          2010-07-02 19:58 . 2010-07-02 19:58   --------   d-----w-   c:\temp\MotoConnectTemp
          2010-07-02 19:11 . 2010-07-02 19:11   --------   d-----w-   c:\documents and settings\David\Application Data\CheckPoint
          2010-07-02 19:11 . 2010-06-09 06:00   52224   ----a-w-   c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\msin5iya.default\extensions\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}\components\FFExternalAlert.dll
          2010-07-02 19:11 . 2010-06-09 06:00   101376   ----a-w-   c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\msin5iya.default\extensions\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}\components\RadioWMPCore.dll
          2010-07-02 19:10 . 2010-07-02 19:10   --------   d-----w-   c:\documents and settings\David\Local Settings\Application Data\Conduit
          2010-07-02 19:10 . 2010-07-02 19:10   --------   d-----w-   c:\program files\Conduit
          2010-07-02 19:10 . 2010-07-02 19:10   --------   d-----w-   c:\program files\ZoneAlarm
          2010-07-02 19:10 . 2010-07-02 19:10   --------   d-----w-   c:\documents and settings\David\Local Settings\Application Data\ZoneAlarm
          2010-07-02 19:10 . 2010-07-02 19:10   --------   d-----w-   c:\program files\CheckPoint
          2010-07-02 19:10 . 2010-06-23 20:51   69120   ----a-w-   c:\windows\system32\zlcomm.dll
          2010-07-02 19:10 . 2010-06-23 20:51   103936   ----a-w-   c:\windows\system32\zlcommdb.dll
          2010-06-27 14:27 . 2010-06-27 14:27   --------   d-----w-   c:\program files\Smilebox

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2010-07-16 01:06 . 2009-02-07 20:11   --------   d-----w-   c:\program files\Trend Micro
          2010-07-16 01:03 . 2008-06-24 03:38   5013   ----a-w-   c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2008\qbbackup.sys
          2010-07-16 00:51 . 2010-02-26 21:13   0   ----a-w-   c:\documents and settings\David\Local Settings\Application Data\prvlcl.dat
          2010-07-16 00:27 . 2008-11-26 01:59   --------   d-----w-   c:\documents and settings\All Users\Application Data\pdf995
          2010-07-15 23:41 . 2008-06-26 04:59   --------   d-----w-   c:\documents and settings\David\Application Data\Canon
          2010-07-15 11:32 . 2008-05-21 22:31   4212   ---ha-w-   c:\windows\system32\zllictbl.dat
          2010-07-13 20:07 . 2008-06-27 02:27   --------   d-----w-   c:\documents and settings\David\Application Data\uTorrent
          2010-07-13 19:39 . 2010-01-08 05:55   52224   ----a-w-   c:\documents and settings\David\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
          2010-07-13 19:39 . 2009-04-01 02:30   117760   ----a-w-   c:\documents and settings\David\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
          2010-07-13 19:39 . 2009-02-07 18:14   --------   d-----w-   c:\program files\SUPERAntiSpyware
          2010-07-08 12:43 . 2008-05-21 23:40   --------   d--h--w-   c:\program files\InstallShield Installation Information
          2010-07-08 12:40 . 2008-10-01 13:44   9032188   ----a-w-   c:\windows\Internet Logs\tvDebug.zip
          2010-06-23 20:51 . 2009-01-30 02:02   1238528   ----a-w-   c:\windows\system32\zpeng25.dll
          2010-06-14 14:31 . 2008-05-21 13:53   744448   ----a-w-   c:\windows\pchealth\helpctr\binaries\helpsvc.exe
          2010-06-06 16:20 . 2010-06-06 16:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\CitrixLogs
          2010-06-06 16:19 . 2008-12-15 05:47   7046096   ----a-w-   c:\documents and settings\David\gosetup.exe
          2010-06-06 12:37 . 2008-08-08 14:16   --------   d-----w-   c:\program files\Microsoft Silverlight
          2010-06-02 16:33 . 2008-05-21 22:48   242896   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
          2010-06-02 16:33 . 2008-05-21 22:48   29584   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
          2010-05-31 14:20 . 2009-02-05 16:50   --------   d-----w-   c:\program files\Common Files\Motorola Shared
          2010-05-31 14:19 . 2009-02-05 16:50   --------   d-----w-   c:\documents and settings\All Users\Application Data\BVRP Software
          2010-05-23 19:26 . 2009-02-12 18:53   --------   d-----w-   c:\program files\Defraggler
          2010-05-06 10:41 . 2004-08-04 00:56   916480   ----a-w-   c:\windows\system32\wininet.dll
          2010-05-02 05:22 . 2004-08-03 23:17   1851264   ----a-w-   c:\windows\system32\win32k.sys
          2010-04-23 20:39 . 2010-04-30 23:49   557056   ----a-w-   c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\msin5iya.default\extensions\[email protected]\plugins\np_fastbid.dll
          2010-04-20 05:30 . 2004-08-04 00:56   285696   ----a-w-   c:\windows\system32\atmfd.dll
          .

          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
          "{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZone.dll" [2010-05-09 2517088]

          [HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

          [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]
          2010-05-09 18:50   2517088   ----a-w-   c:\program files\ZoneAlarm\tbZone.dll

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
          "{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZone.dll" [2010-05-09 2517088]

          [HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
          @="{95A27763-F62A-4114-9072-E81D87DE3B68}"
          [HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
          2009-09-19 04:09   574096   ----a-r-   c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
          @="{E300CD91-100F-4E67-9AF3-1384A6124015}"
          [HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
          2009-09-19 04:09   574096   ----a-r-   c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
          @="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
          [HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
          2009-09-19 04:09   574096   ----a-r-   c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "SpybotSD TeaTimer"="g:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "VTTimer"="VTTimer.exe" [2005-03-08 53248]
          "WinPatrol"="g:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
          "Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-09-19 670864]
          "AVG9_TRAY"="g:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-02 2065248]
          "ZoneAlarm Client"="g:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
          "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]
          "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
          "{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "g:\program files\Stardock\Fences\FencesMenu.dll" [2009-10-02 128360]

          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
          "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
          "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
          2008-12-22 19:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
          2010-03-13 17:32   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
          @="Driver"

          [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
          path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
          backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
          2007-12-22 23:03   916240   ----a-w-   g:\program files\Eraser\Eraser.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPSE reminder]
          2003-07-07 18:29   729088   ----a-r-   g:\program files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
          2003-05-08 20:00   49152   ----a-w-   g:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
          2007-04-16 22:28   577536   ----a-w-   c:\windows\soundman.exe

          [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
          "ctfmon.exe"=c:\windows\system32\ctfmon.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
          "DisableMonitoring"=dword:00000001

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "%windir%\\system32\\sessmgr.exe"=
          "g:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
          "c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
          "c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
          "c:\\Program Files\\uTorrent\\uTorrent.exe"=
          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
          "c:\\Program Files\\PPLive\\PPLive.exe"=
          "g:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
          "g:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
          "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
          "c:\\WINDOWS\\system32\\spoolsv.exe"=

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
          "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
          "2212:TCP"= 2212:TCP:Akamai NetSession Interface
          "5000:UDP"= 5000:UDP:Akamai NetSession Interface

          R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/21/2008 3:48 PM 216200]
          R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/21/2008 3:48 PM 242896]
          R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/15/2009 5:17 PM 9968]
          R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 5:17 PM 55024]
          R2 avg9wd;AVG Free WatchDog;g:\program files\AVG\AVG9\avgwdsvc.exe [3/13/2010 10:32 AM 308064]
          R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [5/26/2010 6:35 AM 26352]
          R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [5/26/2010 6:35 AM 493032]
          R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [1/27/2009 6:36 PM 72672]
          R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [12/4/2009 8:18 PM 91392]
          R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [4/27/2007 1:00 AM 316992]
          S2 gupdate1c9b885aa1caf1c;Google Update Service (gupdate1c9b885aa1caf1c);c:\program files\Google\Update\GoogleUpdate.exe [4/8/2009 1:07 PM 133104]
          S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2/5/2009 9:50 AM 19712]
          S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2/5/2009 9:50 AM 8320]
          S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys --> c:\windows\system32\DRIVERS\motodrv.sys [?]
          S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [12/4/2009 8:18 PM 23936]
          S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 5:17 PM 7408]
          S3 XE103Sp50;XE103Sp50 NDIS Protocol Driver;c:\windows\system32\drivers\XE103Sp50.sys [11/28/2006 10:46 PM 27072]
          S4 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/3/2004 5:56 PM 14336]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
          getPlusHelper   REG_MULTI_SZ      getPlusHelper
          Akamai   REG_MULTI_SZ      Akamai
          .
          Contents of the 'Scheduled Tasks' folder

          2010-07-15 c:\windows\Tasks\Defraggler Volume C Task.job
          - c:\program files\Defraggler\df.exe [2010-05-17 19:13]

          2010-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
          - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-08 20:10]

          2010-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
          - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-08 20:10]

          2010-07-12 c:\windows\Tasks\Groundhog to Flash.job
          - c:\windows\system32\ntbackup.exe [2004-08-04 00:12]

          2010-07-02 c:\windows\Tasks\Media.job
          - c:\windows\system32\ntbackup.exe [2004-08-04 00:12]

          2010-07-11 c:\windows\Tasks\Pictures.job
          - c:\windows\system32\ntbackup.exe [2004-08-04 00:12]

          2010-07-15 c:\windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
          - g:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-02-09 23:31]

          2010-07-15 c:\windows\Tasks\Spybot - Search & Destroy Updater -  Scheduled Task.job
          - g:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-02-09 23:31]
          .
          .
          ------- Supplementary Scan -------
          .
          uStart Page = hxxp://www.google.com/
          IE: E&xport to Microsoft Excel - g:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
          TCP: {F40CF67E-BB36-4052-BE6F-CB36E4254311} = 208.67.220.220,208.67.222.222
          DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
          FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\msin5iya.default\
          FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms}
          FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Customized Web Search
          FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/
          FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&q=
          FF - component: c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\msin5iya.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
          FF - component: c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\msin5iya.default\extensions\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}\components\FFExternalAlert.dll
          FF - component: c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\msin5iya.default\extensions\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}\components\RadioWMPCore.dll
          FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
          FF - component: g:\program files\AVG\AVG9\Firefox\components\avgssff.dll
          FF - plugin: c:\documents and settings\David\Application Data\Move Networks\plugins\npqmp071701000002.dll
          FF - plugin: c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\msin5iya.default\extensions\[email protected]\plugins\np_fastbid.dll
          FF - plugin: c:\program files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll
          FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
          FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
          FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
          FF - plugin: g:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
          FF - plugin: g:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
          FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

          ---- FIREFOX POLICIES ----
          user_pref('capability.policy.policynames', 'localfilelinks');
          user_pref('capability.policy.localfilelinks.sites', 'hxxp://www.webmynd.com http://www.google.com');
          user_pref('capability.policy.localfilelinks.checkloaduri.enabled', 'allAccess');
          FF - user.js: yahoo.homepage.dontask - true
          g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
          g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
          g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
          g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
          .
          - - - - ORPHANS REMOVED - - - -

          Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
          WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
          MSConfigStartUp-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
          MSConfigStartUp-GoToMyPC - c:\program files\Citrix\GoToMyPC\g2svc.exe
          MSConfigStartUp-mumservice - c:\program files\Motorola\Software Update\mumservice.exe
          MSConfigStartUp-P2kAutostart - c:\p2kcommander\P2kAutostart.exe
          MSConfigStartUp-SunJavaUpdateSched - g:\program files\Java\jre6\bin\jusched.exe
          AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis.exe



          **************************************************************************

          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2010-07-15 18:21
          Windows 5.1.2600 Service Pack 3 NTFS

          scanning hidden processes ... 

          scanning hidden autostart entries ...

          scanning hidden files ... 

          scan completed successfully
          hidden files: 0

          **************************************************************************

          [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
          "ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3648.dll"

          [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
          "ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3648.dll"
          .
          --------------------- LOCKED REGISTRY KEYS ---------------------

          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
          @Denied: (A 2) (Everyone)
          @="FlashBroker"
          "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
          "Enabled"=dword:00000001

          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
          @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
          @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

          [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
          @Denied: (A 2) (Everyone)
          @="IFlashBroker4"

          [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
          @="{00020424-0000-0000-C000-000000000046}"

          [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
          @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
          "Version"="1.0"
          .
          --------------------- DLLs Loaded Under Running Processes ---------------------

          - - - - - - - > 'winlogon.exe'(476)
          c:\program files\SUPERAntiSpyware\SASWINLO.dll
          c:\windows\system32\WININET.dll
          c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
          c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

          - - - - - - - > 'lsass.exe'(532)
          c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
          .
          Completion time: 2010-07-15  18:23:49
          ComboFix-quarantined-files.txt  2010-07-16 01:23

          Pre-Run: 5,847,277,568 bytes free
          Post-Run: 5,827,342,336 bytes free

          - - End Of File - - 58960F1FEC9F7E70EA02431E7B548114
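A helper reading a ComboFix log like the one above works through a fixed set of questions: how many AV products report in the header, what was deleted and where it lived, which Run entries start without a full path, and what the Windows Firewall leaves globally open (here 3389/TCP, the Remote Desktop port). As an added example, not part of this thread and not part of ComboFix, the Python below pulls those same facts out of a constructed excerpt modelled on this log. The excerpt, the section handling and the heuristics (an eight-hex-digit executable name inside the user profile, a Run value with no directory, RDP open in the firewall list, more than one AV line) are this example's own assumptions, not anything ComboFix itself flags.

```python
import re

# Constructed excerpt in the shape of the ComboFix log posted above: header lines,
# the "Other Deletions" section, one Run key and the firewall open-ports key (trimmed).
SAMPLE_LOG = r"""
ComboFix 10-07-15.01 - David 07/15/2010  18:15:59.2.1 - x86
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\David\Application Data\996cb2e5.exe
C:\Tmp3C.tmp
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 53248]
"AVG9_TRAY"="g:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-02 2065248]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"2212:TCP"= 2212:TCP:Akamai NetSession Interface
"""

AV_RE = re.compile(r"^AV:\s+(?P<name>.+?)\s+\*(?P<state>[^*]+)\*")       # header AV lines
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s+\[')          # "Name"="cmd" [date size]
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')            # "3389:TCP"= ...
RANDOM_EXE = re.compile(r"^[0-9a-f]{8}\.exe$", re.I)                     # e.g. 996cb2e5.exe (heuristic)
PROFILE_ROOT = "c:\\documents and settings\\"                            # XP user-profile root


def triage(text):
    """Walk the log once and return (finding, detail) pairs in log order."""
    findings = []
    av_products = []
    current_key = None      # registry key of the section we are in, if any
    in_deletions = False    # inside the "Other Deletions" banner section

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = AV_RE.match(line)
        if m:
            av_products.append(m["name"])
            continue
        if line.startswith("((("):                       # banner starts a new section
            in_deletions = "Other Deletions" in line
            current_key = None
            continue
        if line.startswith("["):                         # registry key header
            current_key = line.strip("[]").lower()
            in_deletions = False
            continue
        if in_deletions:
            low = line.lower()
            base = low.rsplit("\\", 1)[-1]
            if low.startswith(PROFILE_ROOT) and RANDOM_EXE.match(base):
                findings.append(("random-named-exe-in-profile", line))
            continue
        if current_key and current_key.endswith("\\run"):
            m = RUN_RE.match(line)
            if m:
                cmd = m["cmd"]
                if "\\" not in cmd:                      # bare name: resolved via PATH search
                    findings.append(("run-entry-without-full-path", m["name"]))
                elif cmd.lower().startswith(PROFILE_ROOT):
                    findings.append(("run-entry-in-user-profile", m["name"]))
            continue
        if current_key and current_key.endswith("globallyopenports\\list"):
            m = PORT_RE.match(line)
            if m and m["port"] == "3389":
                findings.append(("rdp-port-open-in-firewall", f'{m["port"]}/{m["proto"]}'))

    if len(av_products) > 1:
        findings.append(("multiple-av-products", "; ".join(av_products)))
    return findings


if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_LOG):
        print(f"{finding:30} {detail}")
```

The checks are deliberately narrow: each one maps to a question a helper asks of the log, and the AV count is reported only after the whole header has been read so that a single product never trips it.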

          SuperDave (Malware Removal Specialist, Moderator)

          Re: Virus has taken control
          « Reply #5 on: July 16, 2010, 05:26:43 PM »
          Quote
          Neither of the 09 entries were shown in hijackthis.
          They were taken out when you ran the previous program.

          It appears from the ComboFix log that you're running two Anti-Virus programs on your computer: AVG and ZoneAlarm AV which is a no-no. One will have to be disabled.

          P2P - I see you have P2P software installed on your machine. (uTorrent) We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

          Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

          I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

          ==================================

          I'd like us to scan your machine with ESET OnlineScan

          • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
          ESET OnlineScan
          • Click the button.
          • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
            • Click on to download the ESET Smart Installer. Save it to your desktop.
            • Double click on the icon on your desktop.
          • Check
          • Click the button.
          • Accept any security warnings from your browser.
          • Check
          • Push the Start button.
          • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
          • When the scan completes, push
          • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
          • Push the button.
          • Push
          A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

          Windows 8 and Windows 10 dual boot with two SSD's

          diggerdave


            Re: Virus has taken control
            « Reply #6 on: July 16, 2010, 11:17:54 PM »
            C:\Program Files\ZoneAlarmSB\bar\1.bin\Z4PLUGIN.DLL   a variant of Win32/Toolbar.MyWebSearch application

            SuperDave

            Re: Virus has taken control
            « Reply #7 on: July 17, 2010, 11:26:41 AM »
            Ok. That looks good. If there are no other issues, it's time for some clean-up.

            * Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
            * Now type Combofix /uninstall in the runbox
            * Make sure there's a space between Combofix and /Uninstall
            * Then hit Enter

            * The above procedure will:
                * Delete the following:
                    * ComboFix and its associated files and folders.
                * Reset the clock settings.
                * Hide file extensions, if required.
                * Hide System/Hidden files, if required.
                * Set a new, clean Restore Point.

            ==============================

            Download OTC by OldTimer and save it to your desktop.

            1. Double-click OTC to run it.
            2. Click the CleanUp! button.
            3. Select Yes when the "Begin cleanup Process?" prompt appears.
            4. If you are prompted to Reboot during the cleanup, select Yes
            5. OTC should delete itself once it finishes, if not delete it yourself.

            ===========================

            Clean out your temporary internet files and temp files.

            Download TFC by OldTimer to your desktop.

            Double-click TFC.exe to run it.

            Note: If you are running on Vista, right-click on the file and choose Run As Administrator

            TFC will close all programs when run, so make sure you have saved all your work before you begin.

            * Click the Start button to begin the cleaning process.
            * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
            * Please let TFC run uninterrupted until it is finished.

            Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

            ==============================

            Use the Secunia Software Inspector to check for out of date software.

            • Click Start Now

            • Check the box next to Enable thorough system inspection.

            • Click Start

            • Allow the scan to finish and scroll down to see if any updates are needed.
            • Update anything listed.

            ----------

            Go to Microsoft Windows Update and get all critical updates.

            ----------

            I suggest using WOT - Web of Trust. WOT is a free Internet security add-on for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

            SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
            * Using SpywareBlaster to protect your computer from Spyware and Malware
            * If you don't know what ActiveX controls are, see here

            Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

            Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

            Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
            Safe Surfing!

            diggerdave


              Re: Virus has taken control
              « Reply #8 on: July 17, 2010, 04:25:04 PM »
              Thank you. I really appreciate the time and effort you put in.