
Topic: Application can not be executed. the file *****.exe is infected.


tlaine

    Topic Starter

    This happened to me on my netbook running Windows XP. From the forums it seems like it works best if there's a malware expert to help step by step, so I was hoping someone could help me. Thanks.

    SuperDave

    Malware Removal Specialist, Moderator
    Re: Application can not be executed. the file *****.exe is infected.
    « Reply #1 on: July 09, 2010, 08:43:09 AM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    Save Rkill to your desktop.

    There are 4 different versions. If one of them won't run, then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.exe
    * Rkill.com
    * Rkill.scr
    * Rkill.pif

    Once you've gotten one of them to run then try to immediately run the following.

    ====================================

    SUPERAntiSpyware

    If you already have SUPERAntiSpyware be sure to check for updates before scanning!


    Download SuperAntispyware Free Edition (SAS)
    * Double-click the icon on your desktop to run the installer.
    * When asked to Update the program definitions, click Yes
    * If you encounter any problems while downloading the updates, manually download and unzip them from here
    * Next click the Preferences button.

    •Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
    * Click the Scanning Control tab.
    * Under Scanner Options make sure only the following are checked:

    •Close browsers before scanning
    •Scan for tracking cookies
    •Terminate memory threats before quarantining
    Please leave the others unchecked

    •Click the Close button to leave the control center screen.

    * On the main screen click Scan your computer
    * On the left check the box for the drive you are scanning.
    * On the right choose Perform Complete Scan
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete a summary box will appear. Click OK
    * Make sure everything in the white box has a check next to it, then click Next
    * It will quarantine what it found and if it asks if you want to reboot, click Yes

    •To retrieve the removal information please do the following:
    •After reboot, double-click the SUPERAntiSpyware icon on your desktop.
    •Click Preferences. Click the Statistics/Logs tab.

    •Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

    •It will open in your default text editor (preferably Notepad).
    •Save the notepad file to your desktop by clicking (in notepad) File > Save As...

    * Save the log somewhere you can easily find it. (normally the desktop)
    * Click close and close again to exit the program.
    * Copy and paste the log in your post.

    =================================

    Please download Malwarebytes Anti-Malware from here.

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Full Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    ==================================

    Please download: HiJackThis to your Desktop.
    • Double Click the HijackThis icon, located on your Desktop.
    • By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
    • Accept the license agreement.
    • Click the Open the Misc Tools section button.
    • Place a checkmark beside Calculate MD5 of files if possible. Then, click Back.
    • Click Do a System Scan and Save a Logfile. Or, if you see a white screen, click Scan.
    • Please post the log in your next reply.

    tlaine

      Topic Starter

      Re: Application can not be executed. the file *****.exe is infected.
      « Reply #2 on: July 09, 2010, 11:50:06 AM »
      I have attached the three logs.

      [recovering disk space - old attachment deleted by admin]

      SuperDave

      Malware Removal Specialist, Moderator
      Re: Application can not be executed. the file *****.exe is infected.
      « Reply #3 on: July 10, 2010, 05:30:04 PM »
        In the future, please do not attach the logs; copy and paste them in your reply.

        I see you are running Poker Stars. Poker Stars has a history of distributing spyware in their products. However, security experts still question whether this program is good or bad. I recommend removing it to prevent spyware, but it is up to you to decide if you want to keep it.

        If you would like to uninstall it, do so as follows:

        Press Start, and navigate to the Control Panel. When in the control panel enter Add or Remove programs. Search for and locate PokerStars, and either click Change/Remove or Remove.

        ==============================

        Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

        Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

        Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

        Exit out of MessengerDisable then delete the two files that were put on the desktop.

        ================================

        Open HijackThis and select Do a system scan only

        Place a check mark next to the following entries: (if there)

        O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
        O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
        O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


        Important: Close all open windows except for HijackThis and then click Fix checked.

        Once completed, exit HijackThis.

        ==================================

        Please download ComboFix from BleepingComputer.com

        Alternate link: GeeksToGo.com

        Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
        Double-click on ComboFix to run it, or right-click and select Open.
        As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
        Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

        Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

        Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


        Click on Yes, to continue scanning for malware.
        When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

        If you have problems with ComboFix usage, see How to use ComboFix

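The list of entries to fix in the reply above is the judgement a helper makes by reading the O-lines of a HijackThis log. The script below is an added example written for this page, not code from the thread and not part of HijackThis; it parses those lines and applies three checks a reviewer uses: a component whose file is gone or that has no name is an orphan, hooks belonging to software the user was told to uninstall go with it, and an O4 Run entry that names a bare file (like ALCMTR.EXE) is only marked for review, because Windows resolves it through PATH and its real location has to be confirmed by hand. SAMPLE_LOG is constructed: the five entries quoted in Reply #3 plus two benign O4 lines reconstructed from Run keys in the ComboFix log later in the thread. The UNWANTED list is an assumption taken from the uninstall advice in the same reply.

```python
"""Triage a HijackThis log the way a removal helper reads it.

Added example for this thread, not a tool the moderator used and not part
of HijackThis. SAMPLE_LOG is constructed: the five entries from Reply #3
plus two benign O4 lines reconstructed from Run keys in the ComboFix log.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

# HijackThis prefixes each finding with its section code: O2 (BHO),
# O3 (toolbar), O4 (autostart), O9 (IE extra button / menu item), ...
ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d|N\d)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")

SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG9_TRAY] c:\progra~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SynTPEnh] c:\program files\Synaptics\SynTP\SynTPEnh.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
"""

# Assumed from the reply: software the user was told to uninstall, whose
# browser hooks should go with it.
UNWANTED = ("PokerStars", "Messenger")


@dataclass
class Entry:
    section: str
    text: str
    clsid: Optional[str]
    target: Optional[str]   # file the entry points at, when HJT shows one


@dataclass
class Finding:
    entry: Entry
    verdict: str            # "fix" or "review"
    reasons: List[str] = field(default_factory=list)


def parse_hjt(log: str) -> List[Entry]:
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue            # header, blank, or running-process list
        section, text = m.group(1), m.group(2)
        cm = CLSID_RE.search(text)
        clsid = cm.group(0).upper() if cm else None
        if section == "O4":
            # O4 - HKLM\..\Run: [Name] <command>
            tm = re.search(r"\]\s*(.+)$", text)
            target = tm.group(1).strip() if tm else None
        else:
            # O2/O3/O9: "... - {CLSID} - <path or (no file)>"
            target = text.rsplit(" - ", 1)[1].strip() if " - " in text else None
        entries.append(Entry(section, text, clsid, target))
    return entries


def triage(log: str, unwanted: Sequence[str] = ()) -> List[Finding]:
    findings = []
    for e in parse_hjt(log):
        fix, review = [], []
        if "(no file)" in e.text:
            fix.append("orphan: the registered component's file is gone")
        if "(no name)" in e.text:
            fix.append("unnamed item")
        for kw in unwanted:
            if kw.lower() in e.text.lower():
                fix.append(f"hook of unwanted software '{kw}'")
        if e.section == "O4" and e.target and not re.search(r"[\\/]", e.target):
            # Bare filename: resolved through PATH at logon, so the real
            # location (and owner) must be confirmed before removing it.
            review.append("bare filename in Run key; location unresolved")
        if fix:
            findings.append(Finding(e, "fix", fix))
        elif review:
            findings.append(Finding(e, "review", review))
    return findings


def fix_list(log: str, unwanted: Sequence[str] = ()) -> List[str]:
    """Lines to tick under 'Do a system scan only' before 'Fix checked'."""
    return [f"{f.entry.section} - {f.entry.text}"
            for f in triage(log, unwanted) if f.verdict == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, UNWANTED):
        print(f"[{f.verdict:6}] {f.entry.section} - {f.entry.text}")
        for r in f.reasons:
            print(f"          {r}")
```

Run it as a script to print the verdicts, or feed it the saved hijackthis.log. The script only sees the text of each line, not the file behind it, so the "fix" lines are still checked against what is known about the machine before ticking them; the "review" line (Alcmtr) is exactly the kind of entry where a helper looks up the file before deciding.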

        tlaine

          Topic Starter

          Re: Application can not be executed. the file *****.exe is infected.
          « Reply #4 on: July 11, 2010, 09:25:47 PM »
          ComboFix 10-07-11.03 - Anthony Laine 07/11/2010  23:08:40.1.2 - x86
          Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1012.641 [GMT -4:00]
          Running from: c:\documents and settings\Anthony Laine\Desktop\ComboFix.exe
          AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
           * Created a new restore point
          .

          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          c:\documents and settings\Anthony Laine\Application Data\1AD4074F606FBCF779B041B777E3A73E
          c:\documents and settings\Anthony Laine\Application Data\1AD4074F606FBCF779B041B777E3A73E\enemies-names.txt
          c:\documents and settings\Anthony Laine\Application Data\1AD4074F606FBCF779B041B777E3A73E\local.ini
          c:\documents and settings\Anthony Laine\Application Data\1AD4074F606FBCF779B041B777E3A73E\lsrslt.ini
          c:\documents and settings\Anthony Laine\Start Menu\Programs\Antimalware Doctor
          c:\documents and settings\Anthony Laine\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
          c:\documents and settings\Anthony Laine\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk
          C:\restore

          Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected
          Restored copy from - Kitty had a snack :p
          .
          (((((((((((((((((((((((((   Files Created from 2010-06-12 to 2010-07-12  )))))))))))))))))))))))))))))))
          .

          2010-07-09 22:33 . 2010-07-09 22:33   --------   d-s---w-   c:\documents and settings\Anthony Laine\UserData
          2010-07-09 22:23 . 2010-07-09 22:23   388096   ----a-r-   c:\documents and settings\Anthony Laine\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
          2010-07-09 22:23 . 2010-07-09 22:23   --------   d-----w-   c:\program files\TrendMicro
          2010-07-09 22:17 . 2010-07-09 22:17   --------   d-----w-   c:\program files\Common Files\Java
          2010-07-09 22:16 . 2010-07-09 22:16   503808   ----a-w-   c:\documents and settings\Anthony Laine\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-64a1f27c-n\msvcp71.dll
          2010-07-09 22:16 . 2010-07-09 22:16   499712   ----a-w-   c:\documents and settings\Anthony Laine\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-64a1f27c-n\jmc.dll
          2010-07-09 22:16 . 2010-07-09 22:16   348160   ----a-w-   c:\documents and settings\Anthony Laine\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-64a1f27c-n\msvcr71.dll
          2010-07-09 22:16 . 2010-07-09 22:16   61440   ----a-w-   c:\documents and settings\Anthony Laine\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6241b8d0-n\decora-sse.dll
          2010-07-09 22:16 . 2010-07-09 22:16   12800   ----a-w-   c:\documents and settings\Anthony Laine\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6241b8d0-n\decora-d3d.dll
          2010-07-09 22:16 . 2010-07-09 22:15   423656   ----a-w-   c:\windows\system32\deployJava1.dll
          2010-07-09 22:15 . 2010-07-09 22:15   --------   d-----w-   c:\program files\Java
          2010-07-09 21:53 . 2010-07-09 21:53   --------   d-----w-   c:\documents and settings\Anthony Laine\Application Data\Malwarebytes
          2010-07-09 21:52 . 2010-04-29 19:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
          2010-07-09 21:52 . 2010-07-09 21:52   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
          2010-07-09 21:52 . 2010-07-09 21:52   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
          2010-07-09 21:52 . 2010-04-29 19:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
          2010-07-09 21:15 . 2010-07-09 21:15   --------   d-s---w-   c:\documents and settings\NetworkService\UserData
          2010-07-09 20:13 . 2010-07-09 20:13   63488   ----a-w-   c:\documents and settings\Anthony Laine\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
          2010-07-09 20:13 . 2010-07-09 20:13   52224   ----a-w-   c:\documents and settings\Anthony Laine\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
          2010-07-09 20:13 . 2010-07-09 20:13   117760   ----a-w-   c:\documents and settings\Anthony Laine\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
          2010-07-09 20:12 . 2010-07-09 20:12   --------   d-----w-   c:\documents and settings\Anthony Laine\Application Data\SUPERAntiSpyware.com
          2010-07-09 20:12 . 2010-07-09 20:12   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
          2010-07-09 20:12 . 2010-07-09 20:12   --------   d-----w-   c:\program files\SUPERAntiSpyware
          2010-07-09 18:49 . 2010-07-09 18:49   --------   d-----w-   c:\documents and settings\Anthony Laine\Application Data\OnlineArmor
          2010-07-09 18:49 . 2010-07-09 18:49   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
          2010-07-09 18:49 . 2010-07-07 16:25   22600   ----a-w-   c:\windows\system32\drivers\OAmon.sys
          2010-07-09 18:49 . 2010-07-07 16:25   28232   ----a-w-   c:\windows\system32\drivers\OAnet.sys
          2010-07-09 18:49 . 2010-07-07 16:25   236104   ----a-w-   c:\windows\system32\drivers\OADriver.sys
          2010-07-09 18:49 . 2010-07-09 18:49   --------   d-----w-   c:\program files\Emsisoft
          2010-07-08 18:01 . 2010-07-08 18:01   --------   d-----w-   C:\spoolerlogs
          2010-07-08 18:01 . 2010-07-09 21:56   --------   d-----w-   c:\documents and settings\Anthony Laine\Local Settings\Application Data\vosbhcjbt
          2010-07-04 02:01 . 2010-07-10 05:57   --------   d-----w-   c:\program files\PokerStars.NET

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2010-07-09 20:08 . 2009-09-19 17:13   --------   d-----w-   c:\program files\CCleaner
          2010-07-08 18:09 . 2009-11-07 19:58   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
          2010-07-03 23:02 . 2009-02-25 08:28   --------   d-----w-   c:\documents and settings\Anthony Laine\Application Data\.purple
          2010-07-03 04:41 . 2009-12-05 17:12   --------   d-----w-   c:\program files\Microsoft Silverlight
          2010-06-11 20:53 . 2008-08-15 18:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
          2010-06-11 17:57 . 2009-04-03 13:35   242896   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
          2010-06-11 17:57 . 2009-04-03 13:35   29584   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
          2010-05-07 16:55 . 2010-05-07 16:55   255472   ----a-w-   c:\documents and settings\Anthony Laine\Application Data\Mozilla\plugins\npgoogletalk.dll
          2010-05-02 05:22 . 2008-04-15 03:00   1851264   ----a-w-   c:\windows\system32\win32k.sys
          2010-04-20 05:30 . 2008-04-15 03:00   285696   ----a-w-   c:\windows\system32\atmfd.dll
          2010-04-16 16:09 . 2007-08-14 01:54   667136   ----a-w-   c:\windows\system32\wininet.dll
          2010-04-16 16:09 . 2008-04-15 03:00   81920   ----a-w-   c:\windows\system32\ieencode.dll
          .

          ------- Sigcheck -------

          [7] 2008-04-15 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ctfmon.exe

          c:\windows\System32\ctfmon.exe ... is missing !!
          .
          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "Google Update"="c:\documents and settings\Anthony Laine\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-29 133104]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
          "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
          "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
          "RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
          "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
          "LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
          "PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
          "eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]
          "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-11 2065248]
          "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
          "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
          "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
          "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

          c:\documents and settings\All Users\Start Menu\Programs\Startup\
          Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-12-25 813584]

          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
          "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
          2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
          2010-03-16 14:53   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
          2009-07-20 17:28   72208   ----a-w-   c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
          @=""

          [HKLM\~\startupfolder\C:^Documents and Settings^Anthony Laine^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
          path=c:\documents and settings\Anthony Laine\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
          backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
          Alaunch [X]

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
          2010-04-04 05:42   36272   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
          2006-07-17 14:40   53248   ------w-   c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
          2008-04-15 03:00   208952   ----a-w-   c:\windows\ime\imjp8_1\imjpmig.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
          2008-04-15 03:00   59392   ----a-w-   c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
          2008-04-15 03:00   455168   ----a-w-   c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
          2008-04-15 03:00   455168   ----a-w-   c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
          "%windir%\\system32\\sessmgr.exe"=
          "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
          "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
          "c:\\Program Files\\Pidgin\\pidgin.exe"=
          "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
          "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
          "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
          "c:\\Documents and Settings\\Anthony Laine\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
          "c:\\Documents and Settings\\Anthony Laine\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
          "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
          "c:\\WINDOWS\\system32\\spoolsv.exe"=

          R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/3/2009 9:35 AM 216200]
          R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/3/2009 9:35 AM 242896]
          R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [7/9/2010 2:49 PM 236104]
          R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [7/9/2010 2:49 PM 22600]
          R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [7/9/2010 2:49 PM 28232]
          R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
          R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
          R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/16/2010 10:53 AM 308064]
          R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [12/25/2009 10:50 AM 10384]
          R2 OAcat;Online Armor Helper Service;c:\program files\Emsisoft\Online Armor\oacat.exe [7/9/2010 2:49 PM 1283400]
          R3 NetDirect;TAP-Win32 NetDirect Adapter;c:\windows\system32\drivers\NetDirect.sys [8/20/2007 1:52 AM 24576]
          S2 NetDirectService;NetDirectService ;c:\program files\Nortel NetDirect Client\NetDirectService.exe [6/14/2008 5:16 PM 24576]
          S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2/25/2009 6:23 AM 96856]
          S3 SvcOnlineArmor;Online Armor;c:\program files\Emsisoft\Online Armor\oasrv.exe [7/9/2010 2:49 PM 3364680]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
          HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
          .
          Contents of the 'Scheduled Tasks' folder

          2010-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3219689751-1163904332-3694362882-1006Core.job
          - c:\documents and settings\Anthony Laine\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-29 14:27]

          2010-07-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3219689751-1163904332-3694362882-1006UA.job
          - c:\documents and settings\Anthony Laine\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-29 14:27]
          .
          .
          ------- Supplementary Scan -------
          .
          uStart Page = hxxp://exchange.wpi.edu/
          uInternet Settings,ProxyServer = http=127.0.0.1:5577
          uInternet Settings,ProxyOverride = <local>
          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
          FF - ProfilePath - c:\documents and settings\Anthony Laine\Application Data\Mozilla\Firefox\Profiles\9jl2q7bx.default\
          FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/#inbox
          FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
          FF - plugin: c:\documents and settings\Anthony Laine\Application Data\Move Networks\plugins\npqmp071701000002.dll
          FF - plugin: c:\documents and settings\Anthony Laine\Application Data\Mozilla\plugins\npgoogletalk.dll
          FF - plugin: c:\documents and settings\Anthony Laine\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
          FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
          FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
          FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
          .
          - - - - ORPHANS REMOVED - - - -

          MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
          MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
          MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe
          MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



          **************************************************************************

          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2010-07-11 23:14
          Windows 5.1.2600 Service Pack 3 NTFS

          scanning hidden processes ... 

          scanning hidden autostart entries ...

          scanning hidden files ... 

          scan completed successfully
          hidden files: 0

          **************************************************************************
          .
          --------------------- LOCKED REGISTRY KEYS ---------------------

          [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\NdisWanIp]
          @DACL=(02 0000)
          "LLInterface"="WANARP"
          "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{21BA8B9A-DDC6-4FA1-8C66-3A5987A267C3}\00Tcpip\\Parameters\\Interfaces\\{71E173C0-ACB2-46C3-A829-CC37F70D5A89}\00\00"
          "NumInterfaces"=dword:00000002
          "IpInterfaces"=hex:9a,8b,ba,21,c6,dd,a1,4f,8c,66,3a,59,87,a2,67,c3,c0,73,e1,71,
             b2,ac,c3,46,a8,29,cc,37,f7,0d,5a,89

          [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{ACE8FC8B-312B-4A38-9977-C86D826519A0}]
          @DACL=(02 0000)
          "LLInterface"=""
          "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{ACE8FC8B-312B-4A38-9977-C86D826519A0}\00\00"

          [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{B177F6D1-B797-4837-90B9-11FED540FF22}]
          @DACL=(02 0000)
          "LLInterface"=""
          "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{B177F6D1-B797-4837-90B9-11FED540FF22}\00\00"

          [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{DD06682C-87DE-422F-AC80-B2416FBA6276}]
          @DACL=(02 0000)
          "LLInterface"=""
          "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{DD06682C-87DE-422F-AC80-B2416FBA6276}\00\00"

          [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{EC39CBED-ED6F-46E3-97F5-CDD3879E9572}]
          @DACL=(02 0000)
          "LLInterface"=""
          "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{EC39CBED-ED6F-46E3-97F5-CDD3879E9572}\00\00"

          [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21BA8B9A-DDC6-4FA1-8C66-3A5987A267C3}]
          @DACL=(02 0000)
          "UseZeroBroadcast"=dword:00000000
          "EnableDHCP"=dword:00000000
          "IPAddress"=multi:"0.0.0.0\00\00"
          "SubnetMask"=multi:"0.0.0.0\00\00"
          "DefaultGateway"=multi:"\00"
          "EnableDeadGWDetect"=dword:00000001
          "DontAddDefaultGateway"=dword:00000000

          [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{291CE2AF-11DB-4A42-A1AC-9ADDC5F495B6}]
          @DACL=(02 0000)
          "UseZeroBroadcast"=dword:00000000
          "EnableDHCP"=dword:00000000
          "IPAddress"=multi:"0.0.0.0\00\00"
          "SubnetMask"=multi:"0.0.0.0\00\00"
          "DefaultGateway"=multi:"\00"
          "EnableDeadGWDetect"=dword:00000001
          "DontAddDefaultGateway"=dword:00000000

          [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{71E173C0-ACB2-46C3-A829-CC37F70D5A89}]
          @DACL=(02 0000)
          "UseZeroBroadcast"=dword:00000000
          "EnableDHCP"=dword:00000000
          "IPAddress"=multi:"0.0.0.0\00\00"
          "SubnetMask"=multi:"0.0.0.0\00\00"
          "DefaultGateway"=multi:"\00"
          "EnableDeadGWDetect"=dword:00000001
          "DontAddDefaultGateway"=dword:00000000

          [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B2EFB668-CCFF-4C28-9228-04ED7315EFF8}]
          @DACL=(02 0000)
          "UseZeroBroadcast"=dword:00000000
          "EnableDHCP"=dword:00000000
          "IPAddress"=multi:"0.0.0.0\00\00"
          "SubnetMask"=multi:"0.0.0.0\00\00"
          "DefaultGateway"=multi:"\00"
          "EnableDeadGWDetect"=dword:00000001
          "DontAddDefaultGateway"=dword:00000000

          [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E271D4AA-9E4F-43BA-8998-E974677F149D}]
          @DACL=(02 0000)
          "UseZeroBroadcast"=dword:00000000
          "EnableDHCP"=dword:00000000
          "IPAddress"=multi:"0.0.0.0\00\00"
          "SubnetMask"=multi:"0.0.0.0\00\00"
          "DefaultGateway"=multi:"\00"
          "EnableDeadGWDetect"=dword:00000001
          "DontAddDefaultGateway"=dword:00000000

          [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{EC39CBED-ED6F-46E3-97F5-CDD3879E9572}]
          @DACL=(02 0000)
          "UseZeroBroadcast"=dword:00000000
          "EnableDeadGWDetect"=dword:00000001
          "EnableDHCP"=dword:00000001
          "IPAddress"=multi:"0.0.0.0\00\00"
          "SubnetMask"=multi:"0.0.0.0\00\00"
          "DefaultGateway"=multi:"\00"
          "DefaultGatewayMetric"=multi:"\00"
          "NameServer"=""
          "Domain"=""
          "RegistrationEnabled"=dword:00000001
          "RegisterAdapterName"=dword:00000000
          "TCPAllowedPorts"=multi:"0\00\00"
          "UDPAllowedPorts"=multi:"0\00\00"
          "RawIPAllowedProtocols"=multi:"0\00\00"
          "NTEContextList"=multi:"0x00000004\00\00"
          "DhcpClassIdBin"=hex:
          .
          --------------------- DLLs Loaded Under Running Processes ---------------------

          - - - - - - - > 'winlogon.exe'(504)
          c:\program files\SUPERAntiSpyware\SASWINLO.DLL
          c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
          c:\program files\common files\logishrd\bluetooth\LBTServ.dll
          .
          Completion time: 2010-07-11  23:16:42
          ComboFix-quarantined-files.txt  2010-07-12 03:16

          Pre-Run: 73,257,082,880 bytes free
          Post-Run: 73,306,562,560 bytes free

          WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
          [boot loader]
          timeout=2
          default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
          [operating systems]
          c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
          multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

          - - End Of File - - 62A4B97DB6B91A53CBCEB5B9D6BED91F

          SuperDave

          Re: Application can not be executed. the file *****.exe is infected.
          « Reply #5 on: July 12, 2010, 04:52:33 PM »
          Re-running ComboFix to remove infections:

          • Close any open browsers.
          • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
          • Open notepad and copy/paste the text in the quotebox below into it:
            Quote
            KillAll::

            MIA::
            c:\windows\System32\ctfmon.exe

            DDS::
            uInternet Settings,ProxyServer = http=127.0.0.1:5577

            Rootkit::

          • Save this as CFScript.txt, in the same location as ComboFix.exe



          • Referring to the picture above, drag CFScript into ComboFix.exe
          • When finished, it shall produce a log for you at C:\ComboFix.txt
          • Please post the contents of the log in your next reply.

          =================================

          Download Security Check by screen317 from one of the following links and save it to your desktop.

          Link 1
          Link 2

          * Unzip SecurityCheck.zip and a folder named Security Check should appear.
          * Open the Security Check folder and double-click Security Check.bat
          * Follow the on-screen instructions inside of the black box.
          * A Notepad document should open automatically called checkup.txt
          * Post the contents of that document in your next reply.

          Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

          tlaine

            Re: Application can not be executed. the file *****.exe is infected.
            « Reply #6 on: July 12, 2010, 09:17:31 PM »
            ComboFix 10-07-12.02 - Anthony Laine 07/12/2010  23:01:20.2.2 - x86
            Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1012.474 [GMT -4:00]
            Running from: c:\documents and settings\Anthony Laine\Desktop\ComboFix.exe
            Command switches used :: c:\documents and settings\Anthony Laine\Desktop\CFScript.txt
            AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
            .

            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .

            c:\windows\System32\ctfmon.exe was missing
            Restored copy from - c:\windows\system32\dllcache\ctfmon.exe

            .
            (((((((((((((((((((((((((   Files Created from 2010-06-13 to 2010-07-13  )))))))))))))))))))))))))))))))
            .

            2010-07-13 03:05 . 2008-04-15 03:00   15360   -c--a-w-   c:\windows\system32\dllcache\ctfmon.exe
            2010-07-13 03:05 . 2008-04-15 03:00   15360   ----a-w-   c:\windows\system32\ctfmon.exe
            2010-07-09 22:33 . 2010-07-09 22:33   --------   d-s---w-   c:\documents and settings\Anthony Laine\UserData
            2010-07-09 22:23 . 2010-07-09 22:23   388096   ----a-r-   c:\documents and settings\Anthony Laine\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
            2010-07-09 22:23 . 2010-07-09 22:23   --------   d-----w-   c:\program files\TrendMicro
            2010-07-09 22:17 . 2010-07-09 22:17   --------   d-----w-   c:\program files\Common Files\Java
            2010-07-09 22:16 . 2010-07-09 22:16   503808   ----a-w-   c:\documents and settings\Anthony Laine\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-64a1f27c-n\msvcp71.dll
            2010-07-09 22:16 . 2010-07-09 22:16   499712   ----a-w-   c:\documents and settings\Anthony Laine\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-64a1f27c-n\jmc.dll
            2010-07-09 22:16 . 2010-07-09 22:16   348160   ----a-w-   c:\documents and settings\Anthony Laine\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-64a1f27c-n\msvcr71.dll
            2010-07-09 22:16 . 2010-07-09 22:16   61440   ----a-w-   c:\documents and settings\Anthony Laine\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6241b8d0-n\decora-sse.dll
            2010-07-09 22:16 . 2010-07-09 22:16   12800   ----a-w-   c:\documents and settings\Anthony Laine\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6241b8d0-n\decora-d3d.dll
            2010-07-09 22:16 . 2010-07-09 22:15   423656   ----a-w-   c:\windows\system32\deployJava1.dll
            2010-07-09 22:15 . 2010-07-09 22:15   --------   d-----w-   c:\program files\Java
            2010-07-09 21:53 . 2010-07-09 21:53   --------   d-----w-   c:\documents and settings\Anthony Laine\Application Data\Malwarebytes
            2010-07-09 21:52 . 2010-04-29 19:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
            2010-07-09 21:52 . 2010-07-09 21:52   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
            2010-07-09 21:52 . 2010-07-09 21:52   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
            2010-07-09 21:52 . 2010-04-29 19:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
            2010-07-09 21:15 . 2010-07-09 21:15   --------   d-s---w-   c:\documents and settings\NetworkService\UserData
            2010-07-09 20:13 . 2010-07-09 20:13   63488   ----a-w-   c:\documents and settings\Anthony Laine\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
            2010-07-09 20:13 . 2010-07-09 20:13   52224   ----a-w-   c:\documents and settings\Anthony Laine\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
            2010-07-09 20:13 . 2010-07-09 20:13   117760   ----a-w-   c:\documents and settings\Anthony Laine\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
            2010-07-09 20:12 . 2010-07-09 20:12   --------   d-----w-   c:\documents and settings\Anthony Laine\Application Data\SUPERAntiSpyware.com
            2010-07-09 20:12 . 2010-07-09 20:12   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
            2010-07-09 20:12 . 2010-07-09 20:12   --------   d-----w-   c:\program files\SUPERAntiSpyware
            2010-07-09 18:49 . 2010-07-09 18:49   --------   d-----w-   c:\documents and settings\Anthony Laine\Application Data\OnlineArmor
            2010-07-09 18:49 . 2010-07-09 18:49   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
            2010-07-09 18:49 . 2010-07-07 16:25   22600   ----a-w-   c:\windows\system32\drivers\OAmon.sys
            2010-07-09 18:49 . 2010-07-07 16:25   28232   ----a-w-   c:\windows\system32\drivers\OAnet.sys
            2010-07-09 18:49 . 2010-07-07 16:25   236104   ----a-w-   c:\windows\system32\drivers\OADriver.sys
            2010-07-09 18:49 . 2010-07-09 18:49   --------   d-----w-   c:\program files\Emsisoft
            2010-07-08 18:01 . 2010-07-08 18:01   --------   d-----w-   C:\spoolerlogs
            2010-07-08 18:01 . 2010-07-09 21:56   --------   d-----w-   c:\documents and settings\Anthony Laine\Local Settings\Application Data\vosbhcjbt
            2010-07-04 02:01 . 2010-07-12 04:03   --------   d-----w-   c:\program files\PokerStars.NET

            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2010-07-09 20:08 . 2009-09-19 17:13   --------   d-----w-   c:\program files\CCleaner
            2010-07-08 18:09 . 2009-11-07 19:58   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
            2010-07-03 23:02 . 2009-02-25 08:28   --------   d-----w-   c:\documents and settings\Anthony Laine\Application Data\.purple
            2010-07-03 04:41 . 2009-12-05 17:12   --------   d-----w-   c:\program files\Microsoft Silverlight
            2010-06-11 20:53 . 2008-08-15 18:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
            2010-06-11 17:57 . 2009-04-03 13:35   242896   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
            2010-06-11 17:57 . 2009-04-03 13:35   29584   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
            2010-05-07 16:55 . 2010-05-07 16:55   255472   ----a-w-   c:\documents and settings\Anthony Laine\Application Data\Mozilla\plugins\npgoogletalk.dll
            2010-05-02 05:22 . 2008-04-15 03:00   1851264   ----a-w-   c:\windows\system32\win32k.sys
            2010-04-20 05:30 . 2008-04-15 03:00   285696   ----a-w-   c:\windows\system32\atmfd.dll
            2010-04-16 16:09 . 2007-08-14 01:54   667136   ----a-w-   c:\windows\system32\wininet.dll
            2010-04-16 16:09 . 2008-04-15 03:00   81920   ----a-w-   c:\windows\system32\ieencode.dll
            .

            (((((((((((((((((((((((((((((   SnapShot@2010-07-12_03.14.49   )))))))))))))))))))))))))))))))))))))))))
            .
            + 2010-07-13 03:07 . 2010-07-13 03:07   16384              c:\windows\temp\Perflib_Perfdata_5e8.dat
            .
            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4

            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "Google Update"="c:\documents and settings\Anthony Laine\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-29 133104]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
            "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
            "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
            "RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
            "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
            "LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
            "PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
            "eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]
            "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-11 2065248]
            "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
            "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
            "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
            "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

            c:\documents and settings\All Users\Start Menu\Programs\Startup\
            Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-12-25 813584]

            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
            "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
            2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
            2010-03-16 14:53   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
            2009-07-20 17:28   72208   ----a-w-   c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
            @=""

            [HKLM\~\startupfolder\C:^Documents and Settings^Anthony Laine^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
            path=c:\documents and settings\Anthony Laine\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
            backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
            Alaunch [X]

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
            2010-04-04 05:42   36272   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
            2006-07-17 14:40   53248   ------w-   c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
            2008-04-15 03:00   208952   ----a-w-   c:\windows\ime\imjp8_1\imjpmig.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
            2008-04-15 03:00   59392   ----a-w-   c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
            2008-04-15 03:00   455168   ----a-w-   c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
            2008-04-15 03:00   455168   ----a-w-   c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
            "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
            "%windir%\\system32\\sessmgr.exe"=
            "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
            "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
            "c:\\Program Files\\Pidgin\\pidgin.exe"=
            "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
            "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
            "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
            "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
            "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
            "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
            "c:\\Documents and Settings\\Anthony Laine\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
            "c:\\Documents and Settings\\Anthony Laine\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
            "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
            "c:\\WINDOWS\\system32\\spoolsv.exe"=

            R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/3/2009 9:35 AM 216200]
            R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/3/2009 9:35 AM 242896]
            R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [7/9/2010 2:49 PM 236104]
            R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [7/9/2010 2:49 PM 22600]
            R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [7/9/2010 2:49 PM 28232]
            R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
            R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
            R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/16/2010 10:53 AM 308064]
            R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [12/25/2009 10:50 AM 10384]
            R2 NetDirectService;NetDirectService ;c:\program files\Nortel NetDirect Client\NetDirectService.exe [6/14/2008 5:16 PM 24576]
            R2 OAcat;Online Armor Helper Service;c:\program files\Emsisoft\Online Armor\oacat.exe [7/9/2010 2:49 PM 1283400]
            R3 NetDirect;TAP-Win32 NetDirect Adapter;c:\windows\system32\drivers\NetDirect.sys [8/20/2007 1:52 AM 24576]
            S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2/25/2009 6:23 AM 96856]
            S3 SvcOnlineArmor;Online Armor;c:\program files\Emsisoft\Online Armor\oasrv.exe [7/9/2010 2:49 PM 3364680]

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
            HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
            .
            Contents of the 'Scheduled Tasks' folder

            2010-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3219689751-1163904332-3694362882-1006Core.job
            - c:\documents and settings\Anthony Laine\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-29 14:27]

            2010-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3219689751-1163904332-3694362882-1006UA.job
            - c:\documents and settings\Anthony Laine\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-29 14:27]
            .
            .
            ------- Supplementary Scan -------
            .
            uStart Page = hxxp://exchange.wpi.edu/
            uInternet Settings,ProxyOverride = <local>
            IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
            FF - ProfilePath - c:\documents and settings\Anthony Laine\Application Data\Mozilla\Firefox\Profiles\9jl2q7bx.default\
            FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/#inbox
            FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
            FF - plugin: c:\documents and settings\Anthony Laine\Application Data\Move Networks\plugins\npqmp071701000002.dll
            FF - plugin: c:\documents and settings\Anthony Laine\Application Data\Mozilla\plugins\npgoogletalk.dll
            FF - plugin: c:\documents and settings\Anthony Laine\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
            FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
            FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
            FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
            .

            **************************************************************************

            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2010-07-12 23:07
            Windows 5.1.2600 Service Pack 3 NTFS

            scanning hidden processes ... 

            scanning hidden autostart entries ...

            scanning hidden files ... 

            scan completed successfully
            hidden files: 0

            **************************************************************************
            .
            --------------------- LOCKED REGISTRY KEYS ---------------------

            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\NdisWanIp]
            @DACL=(02 0000)
            "LLInterface"="WANARP"
            "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{21BA8B9A-DDC6-4FA1-8C66-3A5987A267C3}\00Tcpip\\Parameters\\Interfaces\\{71E173C0-ACB2-46C3-A829-CC37F70D5A89}\00\00"
            "NumInterfaces"=dword:00000002
            "IpInterfaces"=hex:9a,8b,ba,21,c6,dd,a1,4f,8c,66,3a,59,87,a2,67,c3,c0,73,e1,71,
               b2,ac,c3,46,a8,29,cc,37,f7,0d,5a,89

            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{ACE8FC8B-312B-4A38-9977-C86D826519A0}]
            @DACL=(02 0000)
            "LLInterface"=""
            "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{ACE8FC8B-312B-4A38-9977-C86D826519A0}\00\00"

            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{B177F6D1-B797-4837-90B9-11FED540FF22}]
            @DACL=(02 0000)
            "LLInterface"=""
            "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{B177F6D1-B797-4837-90B9-11FED540FF22}\00\00"

            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{DD06682C-87DE-422F-AC80-B2416FBA6276}]
            @DACL=(02 0000)
            "LLInterface"=""
            "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{DD06682C-87DE-422F-AC80-B2416FBA6276}\00\00"

            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{EC39CBED-ED6F-46E3-97F5-CDD3879E9572}]
            @DACL=(02 0000)
            "LLInterface"=""
            "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{EC39CBED-ED6F-46E3-97F5-CDD3879E9572}\00\00"

            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21BA8B9A-DDC6-4FA1-8C66-3A5987A267C3}]
            @DACL=(02 0000)
            "UseZeroBroadcast"=dword:00000000
            "EnableDHCP"=dword:00000000
            "IPAddress"=multi:"0.0.0.0\00\00"
            "SubnetMask"=multi:"0.0.0.0\00\00"
            "DefaultGateway"=multi:"\00"
            "EnableDeadGWDetect"=dword:00000001
            "DontAddDefaultGateway"=dword:00000000

            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{291CE2AF-11DB-4A42-A1AC-9ADDC5F495B6}]
            @DACL=(02 0000)
            "UseZeroBroadcast"=dword:00000000
            "EnableDHCP"=dword:00000000
            "IPAddress"=multi:"0.0.0.0\00\00"
            "SubnetMask"=multi:"0.0.0.0\00\00"
            "DefaultGateway"=multi:"\00"
            "EnableDeadGWDetect"=dword:00000001
            "DontAddDefaultGateway"=dword:00000000

            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{71E173C0-ACB2-46C3-A829-CC37F70D5A89}]
            @DACL=(02 0000)
            "UseZeroBroadcast"=dword:00000000
            "EnableDHCP"=dword:00000000
            "IPAddress"=multi:"0.0.0.0\00\00"
            "SubnetMask"=multi:"0.0.0.0\00\00"
            "DefaultGateway"=multi:"\00"
            "EnableDeadGWDetect"=dword:00000001
            "DontAddDefaultGateway"=dword:00000000

            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{A5617EB1-426F-4749-B02A-BF4A8D3F06D5}]
            @DACL=(02 0000)
            "UseZeroBroadcast"=dword:00000000
            "EnableDHCP"=dword:00000000
            "IPAddress"=multi:"0.0.0.0\00\00"
            "SubnetMask"=multi:"0.0.0.0\00\00"
            "DefaultGateway"=multi:"\00"
            "EnableDeadGWDetect"=dword:00000001
            "DontAddDefaultGateway"=dword:00000000

            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B2EFB668-CCFF-4C28-9228-04ED7315EFF8}]
            @DACL=(02 0000)
            "UseZeroBroadcast"=dword:00000000
            "EnableDHCP"=dword:00000000
            "IPAddress"=multi:"0.0.0.0\00\00"
            "SubnetMask"=multi:"0.0.0.0\00\00"
            "DefaultGateway"=multi:"\00"
            "EnableDeadGWDetect"=dword:00000001
            "DontAddDefaultGateway"=dword:00000000

            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{CA06BA2D-E427-48EB-85B0-88848A6D9F07}]
            @DACL=(02 0000)
            "UseZeroBroadcast"=dword:00000000
            "EnableDHCP"=dword:00000000
            "IPAddress"=multi:"0.0.0.0\00\00"
            "SubnetMask"=multi:"0.0.0.0\00\00"
            "DefaultGateway"=multi:"\00"
            "EnableDeadGWDetect"=dword:00000001
            "DontAddDefaultGateway"=dword:00000000

            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{DE620591-3001-4E4D-BAE5-B588DE6BB204}]
            @DACL=(02 0000)
            "UseZeroBroadcast"=dword:00000000
            "EnableDHCP"=dword:00000000
            "IPAddress"=multi:"0.0.0.0\00\00"
            "SubnetMask"=multi:"0.0.0.0\00\00"
            "DefaultGateway"=multi:"\00"
            "EnableDeadGWDetect"=dword:00000001
            "DontAddDefaultGateway"=dword:00000000

            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E271D4AA-9E4F-43BA-8998-E974677F149D}]
            @DACL=(02 0000)
            "UseZeroBroadcast"=dword:00000000
            "EnableDHCP"=dword:00000000
            "IPAddress"=multi:"0.0.0.0\00\00"
            "SubnetMask"=multi:"0.0.0.0\00\00"
            "DefaultGateway"=multi:"\00"
            "EnableDeadGWDetect"=dword:00000001
            "DontAddDefaultGateway"=dword:00000000

            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{EC39CBED-ED6F-46E3-97F5-CDD3879E9572}]
            @DACL=(02 0000)
            "UseZeroBroadcast"=dword:00000000
            "EnableDeadGWDetect"=dword:00000001
            "EnableDHCP"=dword:00000001
            "IPAddress"=multi:"0.0.0.0\00\00"
            "SubnetMask"=multi:"0.0.0.0\00\00"
            "DefaultGateway"=multi:"\00"
            "DefaultGatewayMetric"=multi:"\00"
            "NameServer"=""
            "Domain"=""
            "RegistrationEnabled"=dword:00000001
            "RegisterAdapterName"=dword:00000000
            "TCPAllowedPorts"=multi:"0\00\00"
            "UDPAllowedPorts"=multi:"0\00\00"
            "RawIPAllowedProtocols"=multi:"0\00\00"
            "NTEContextList"=multi:"0x00000004\00\00"
            "DhcpClassIdBin"=hex:
            .
            --------------------- DLLs Loaded Under Running Processes ---------------------

            - - - - - - - > 'winlogon.exe'(504)
            c:\program files\SUPERAntiSpyware\SASWINLO.DLL
            c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
            c:\program files\common files\logishrd\bluetooth\LBTServ.dll

            - - - - - - - > 'explorer.exe'(3284)
            c:\program files\Logitech\SetPoint\lgscroll.dll
            .
            ------------------------ Other Running Processes ------------------------
            .
            c:\program files\AVG\AVG9\avgchsvx.exe
            c:\program files\AVG\AVG9\avgrsx.exe
            c:\program files\AVG\AVG9\avgcsrvx.exe
            c:\program files\Bonjour\mDNSResponder.exe
            c:\program files\Java\jre6\bin\jqs.exe
            c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
            c:\program files\AVG\AVG9\avgnsx.exe
            c:\windows\system32\wscntfy.exe
            c:\windows\system32\igfxsrvc.exe
            c:\windows\RTHDCPL.EXE
            c:\windows\system32\igfxext.exe
            c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
            c:\docume~1\ANTHON~1\LOCALS~1\Temp\RtkBtMnt.exe
            .
            **************************************************************************
            .
            Completion time: 2010-07-12  23:12:17 - machine was rebooted
            ComboFix-quarantined-files.txt  2010-07-13 03:12
            ComboFix2.txt  2010-07-12 03:16

            Pre-Run: 73,235,390,464 bytes free
            Post-Run: 73,222,639,616 bytes free

            - - End Of File - - 65C1CB9B7A703DFF58370BFA30C8745C


             Results of screen317's Security Check version 0.99.4 
             Windows XP Service Pack 3 
             Internet Explorer 6 Out of date!
            ``````````````````````````````
            Antivirus/Firewall Check:

             Windows Firewall Enabled! 
             AVG Free 9.0   
             Online Armor 4.0   
            ```````````````````````````````
            Anti-malware/Other Utilities Check:

             Malwarebytes' Anti-Malware   
             CCleaner     
             Java(TM) 6 Update 21 
             Out of date Java installed!
             Adobe Flash Player 10.0.45.2 
            Adobe Reader 9.3.2
             Mozilla Firefox (3.0.10) Firefox Out of Date! 
            ````````````````````````````````
            Process Check: 
            objlist.exe by Laurent

             AVG avgwdsvc.exe
             AVG avgtray.exe
             AVG avgrsx.exe
             AVG avgnsx.exe
             AVG avgemc.exe
             Tall Emu Online Armor OAcat.exe
            ````````````````````````````````
            DNS Vulnerability Check:

             GREAT! (Not vulnerable to DNS cache poisoning)

            ``````````End of Log````````````


            SuperDave

            Re: Application can not be executed. the file *****.exe is infected.
            « Reply #7 on: July 13, 2010, 04:44:20 PM »
            How's your computer running now?

            I'd like us to scan your machine with ESET OnlineScan

            • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
            ESET OnlineScan
            • Click the button.
            • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
              • Click on to download the ESET Smart Installer. Save it to your desktop.
              • Double click on the icon on your desktop.
            • Check
            • Click the button.
            • Accept any security warnings from your browser.
            • Check
            • Push the Start button.
            • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
            • When the scan completes, push
            • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
            • Push the button.
            • Push
            A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

            Windows 8 and Windows 10 dual boot with two SSD's

            tlaine


              Re: Application can not be executed. the file *****.exe is infected.
              « Reply #8 on: July 15, 2010, 02:56:19 PM »
              It seems to be working much better.

              here's the ESET log:

              C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\termdd.sys.vir   Win32/Olmarik.ZC trojan   cleaned - quarantined
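The one ESET hit above is a `.vir` copy sitting under `C:\Qoobox\Quarantine`, which is ComboFix's quarantine folder (ComboFix is the tool uninstalled in the next reply), so ESET found a file that had already been pulled off the live system rather than a running infection. Win32/Olmarik is ESET's name for the TDSS/TDL rootkit family, which is why the same detection on a live driver would have been a very different result. The script below is an added example, not code from this thread or from ESET: it parses ESET Online Scanner log lines in the format shown (path, threat name, action, tab-separated in the real log.txt and reduced to runs of spaces once pasted into a forum) and sorts hits into dead quarantine copies, live files ESET removed, and live files it could not. The two extra quarantine folders, the second action string and all three sample lines are assumptions constructed for the example; only the first sample line mirrors the thread.

```python
"""Triage an ESET Online Scanner log.

Added example for this thread, not code from the original posts or from
ESET. It assumes the log format visible in the post above: one detection
per line as  <path>  <threat name>  <action>, tab-separated in the real
log.txt and reduced to runs of spaces once pasted into a forum. The
quarantine-folder list (apart from ComboFix's C:\\Qoobox\\Quarantine) and
every sample line below are constructed for the example.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Folders that hold dead copies of removed files rather than running code.
# ComboFix (uninstalled later in the thread) keeps its quarantine under
# C:\Qoobox\Quarantine and appends .vir to each file it moves there.
# The other two entries are assumptions added for the example.
QUARANTINE_PREFIXES = (
    r"c:\qoobox\quarantine",
    r"c:\system volume information",  # System Restore snapshots
    r"c:\_otl\movedfiles",            # OTL's quarantine folder (assumption)
)

# Actions that mean ESET neutralised the file. "cleaned - quarantined" is
# the one shown in the thread; "deleted - quarantined" is assumed here.
NEUTRALISED_ACTIONS = ("cleaned - quarantined", "deleted - quarantined")


@dataclass
class Detection:
    path: str
    threat: str
    action: str

    def in_quarantine(self) -> bool:
        return self.path.lower().startswith(QUARANTINE_PREFIXES)

    def neutralised(self) -> bool:
        return self.action.lower() in NEUTRALISED_ACTIONS

    def verdict(self) -> str:
        """archived: dead copy in a quarantine folder, nothing left to do.
        handled: live file that ESET removed.
        ACTION NEEDED: live file ESET could not remove."""
        if self.in_quarantine():
            return "archived"
        return "handled" if self.neutralised() else "ACTION NEEDED"


def parse_line(line: str):
    """Split one log line into a Detection; None for blank lines."""
    line = line.strip()
    if not line:
        return None
    # Real log.txt is tab-separated; a forum paste collapses tabs to spaces,
    # so fall back to splitting on two or more spaces.
    parts = line.split("\t") if "\t" in line else re.split(r"\s{2,}", line)
    if len(parts) != 3:
        raise ValueError(f"unrecognised ESET log line: {line!r}")
    path, threat, action = (p.strip() for p in parts)
    return Detection(path, threat, action)


def triage(log_text: str) -> list:
    return [d for d in map(parse_line, log_text.splitlines()) if d is not None]


def summarize(log_text: str) -> dict:
    """Count verdicts; a non-zero 'ACTION NEEDED' means the machine is not clean."""
    return dict(Counter(d.verdict() for d in triage(log_text)))


# Constructed sample: line 1 mirrors the thread's log (a .vir copy inside
# ComboFix's quarantine); lines 2 and 3 are invented to exercise the other
# two verdicts.
SAMPLE_LOG = r"""
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\termdd.sys.vir   Win32/Olmarik.ZC trojan   cleaned - quarantined
C:\WINDOWS\system32\drivers\atapi.sys   Win32/Olmarik.ZC trojan   error while cleaning
C:\Documents and Settings\Owner\Local Settings\Temp\setup.exe   Win32/Adware.Example application   deleted - quarantined
"""

if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        print(f"{d.verdict():14} {d.threat:32} {d.path}")
    print(summarize(SAMPLE_LOG))
```

Run as-is it reports the thread's hit as "archived" and flags only the invented live-driver line; point it at a real log.txt by reading the file into `summarize()`. The path check is a prefix match on purpose: a quarantine folder is only trustworthy evidence that a file is inert if the tool that owns it is known, so extend `QUARANTINE_PREFIXES` only with folders you can account for.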

              SuperDave

              Re: Application can not be executed. the file *****.exe is infected.
              « Reply #9 on: July 15, 2010, 06:11:25 PM »
              Ok. That looks good. If there are no other issues, it's time for some clean-up.

              * Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
              * Now type Combofix /uninstall in the runbox
              * Make sure there's a space between Combofix and /Uninstall
              * Then hit Enter

              * The above procedure will:
              * Delete the following:
              * ComboFix and its associated files and folders.
              * Reset the clock settings.
              * Hide file extensions, if required.
              * Hide System/Hidden files, if required.
              * Set a new, clean Restore Point.

              ============================

              Download OTC by OldTimer and save it to your desktop.

              1. Double-click OTC to run it.
              2. Click the CleanUp! button.
              3. Select Yes when the "Begin cleanup Process?" prompt appears.
              4. If you are prompted to Reboot during the cleanup, select Yes
              5. OTC should delete itself once it finishes, if not delete it yourself.

              ===============================

              Clean out your temporary internet files and temp files.

              Download TFC by OldTimer to your desktop.

              Double-click TFC.exe to run it.

              Note: If you are running on Vista, right-click on the file and choose Run As Administrator

              TFC will close all programs when run, so make sure you have saved all your work before you begin.

              * Click the Start button to begin the cleaning process.
              * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
              * Please let TFC run uninterrupted until it is finished.

              Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

              ==============================

              Looking over your log it seems you don't have any evidence of a third party firewall.

              Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

              Remember only install ONE firewall

              1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
              2) Online Armor
              3) Agnitum Outpost
              4) PC Tools Firewall Plus

              If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

              =================================

              Use the Secunia Software Inspector to check for out of date software.

              •Click Start Now

              •Check the box next to Enable thorough system inspection.

              •Click Start

              •Allow the scan to finish and scroll down to see if any updates are needed.
              •Update anything listed.
              ----------

              Go to Microsoft Windows Update and get all critical updates.

              ----------

              I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

              SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
              * Using SpywareBlaster to protect your computer from Spyware and Malware
              * If you don't know what ActiveX controls are, see here

              Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

              Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

              Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
              Safe Surfing!