Author Topic: ThinkPoint?  (Read 19224 times)

BigMac100

    Topic Starter


    Rookie

    ThinkPoint?
    « on: November 30, 2010, 03:55:53 PM »
    Developed a virus called "ThinkPoint" about a week ago. I could not get on internet or even shut computer down. Ran computer under safe mode to end process but still having issues. Cannot open a desktop icon to a link without pop up window asking "choose the program you want to use to open this file". Computer running slow and have to restart just to get on internet. Please help. Ran AVG, program bogs system down.

    BigMac100

      Re: ThinkPoint?
      « Reply #1 on: November 30, 2010, 04:02:15 PM »
      Sorry, Service pack 2

      SuperDave

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: ThinkPoint?
      « Reply #2 on: December 01, 2010, 12:48:00 PM »
      Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

      Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
      Save Rkill to your desktop.

      There are 4 different versions. If one of them won't run then download and try to run the other one.
       
      Vista and Win7 users need to right click Rkill and choose Run as Administrator
       

      You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

      Rkill.exe
      Rkill.com
      Rkill.scr
      Rkill.pif

      Once you've gotten one of them to run then try to immediately run the following.
       
      Now download and Run exeHelper.

      Please download exeHelper from Raktor to your desktop.
      • Double-click on exeHelper.com to run the fix. A black window should pop up, press any key to close once the fix is completed. A log file named log.txt will be created in the directory where you ran exeHelper.com. Attach the log.txt file to your next message.

        Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
        ************************************************
        SUPERAntiSpyware

        If you already have SUPERAntiSpyware be sure to check for updates before scanning!


        Download SuperAntispyware Free Edition (SAS)
        * Double-click the icon on your desktop to run the installer.
        * When asked to Update the program definitions, click Yes
        * If you encounter any problems while downloading the updates, manually download and unzip them from here
        * Next click the Preferences button.

        •Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
        * Click the Scanning Control tab.
        * Under Scanner Options make sure only the following are checked:

        •Close browsers before scanning
        •Scan for tracking cookies
        •Terminate memory threats before quarantining
        Please leave the others unchecked

        •Click the Close button to leave the control center screen.

        * On the main screen click Scan your computer
        * On the left check the box for the drive you are scanning.
        * On the right choose Perform Complete Scan
        * Click Next to start the scan. Please be patient while it scans your computer.
        * After the scan is complete a summary box will appear. Click OK
        * Make sure everything in the white box has a check next to it, then click Next
        * It will quarantine what it found and if it asks if you want to reboot, click Yes

        •To retrieve the removal information please do the following:
        •After reboot, double-click the SUPERAntiSpyware icon on your desktop.
        •Click Preferences. Click the Statistics/Logs tab.

        •Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

        •It will open in your default text editor (preferably Notepad).
        •Save the notepad file to your desktop by clicking (in notepad) File > Save As...

        * Save the log somewhere you can easily find it. (normally the desktop)
        * Click close and close again to exit the program.
        * Copy and paste the log in your post.
        *******************************************
        Please download Malwarebytes Anti-Malware from here.

        Double Click mbam-setup.exe to install the application.
        • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
        • If an update is found, it will download and install the latest version.
        • Once the program has loaded, select "Perform Full Scan", then click Scan.
        • The scan may take some time to finish, so please be patient.
        • When the scan is complete, click OK, then Show Results to view the results.
        • Make sure that everything is checked, and click Remove Selected.
        • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
        • Please save the log to a location you will remember.
        • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
        • Copy and paste the entire report in your next reply.
        Extra Note:

        If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
        **************************************************
        Download DDS from HERE or HERE and save it to your desktop.

        Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

        * XP users Double click on dds to run it.
        * If your antivirus or firewall try to block DDS then please allow it to run.
        * When finished DDS will open two (2) logs.

        1) DDS.txt
        2) Attach.txt

        * Save both logs to your desktop.
        * Please copy and paste the entire contents of both logs in your next reply.

        Note: DDS will instruct you to post the Attach.txt log as an attachment.
        Please just post it as you would any other log by copy and pasting it into the reply.
      Windows 8 and Windows 10 dual boot with two SSD's

      BigMac100

        Re: ThinkPoint?
        « Reply #3 on: December 02, 2010, 04:45:14 PM »
        exeHelper by Raktor
        Build 20100414
        Run at 18:40:18 on 12/02/10
        Now searching...
        Checking for numerical processes...
        Checking for sysguard processes...
        Checking for bad processes...
        Checking for bad files...
        Deleting file C:\WINDOWS\system32\sdra64.exe
        Error deleting C:\WINDOWS\system32\sdra64.exe - Set for removal on reboot - PLEASE REBOOT
        Checking for bad registry entries...
        Resetting filetype association for .exe
        Resetting filetype association for .com
        Resetting userinit and shell values...
        Resetting policies...
        --Finished--

        SuperDave

        Re: ThinkPoint?
        « Reply #4 on: December 03, 2010, 12:42:07 PM »
        Were you able to run the other scans after you rebooted the computer? I need to see the logs.
        Windows 8 and Windows 10 dual boot with two SSD's

        BigMac100

          Re: ThinkPoint?
          « Reply #5 on: December 03, 2010, 03:32:03 PM »
          Sorry it took so long. I was unable to reboot. Had to go to safe mode to compile the info for you. Computer would not go to windows, just a black screen.

          SUPERAntiSpyware Scan Log
          http://www.superantispyware.com

          Generated 12/02/2010 at 09:14 PM

          Application Version : 4.46.1000

          Core Rules Database Version : 5934
          Trace Rules Database Version: 3746

          Scan type       : Complete Scan
          Total Scan Time : 02:20:58

          Memory items scanned      : 467
          Memory threats detected   : 0
          Registry items scanned    : 6444
          Registry threats detected : 6
          File items scanned        : 90972
          File threats detected     : 53

          Adware.Tracking Cookie

          Trojan.Agent/Gen
             C:\WINDOWS\system32\lowsec\local.ds
             C:\WINDOWS\system32\lowsec\user.ds
             C:\WINDOWS\system32\lowsec\user.ds.lll
             C:\WINDOWS\system32\lowsec

          Backdoor.Bot[ZBot]
             HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}
             HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}
             HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905}
             HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905}

          Malware.Trace
             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network#uid [ HOME-GE8G9I9WSN_B75BA27F2A0474F3 ]
             HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#USERINIT

          Trojan.Agent/Gen-IEFake
             C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\RARSFX0\H\IEXPLORE.EXE
             C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\RARSFX0\PROCS\IEXPLORE.EXE

          Trojan.Agent/Gen-IExplorer[Fake]
             C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\RARSFX0\NIRD\IEXPLORE.EXE

          Trojan.Agent/Gen-Nullo[Short]
             C:\SYSTEM VOLUME INFORMATION\_RESTORE{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0147977.DLL
             C:\SYSTEM VOLUME INFORMATION\_RESTORE{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0147978.EXE

          Trojan.Agent/Gen-SDRA
             C:\WINDOWS\SYSTEM32\SDRA64.EXE

          BigMac100

            Re: ThinkPoint?
            « Reply #6 on: December 03, 2010, 04:04:00 PM »
            Dave,

            In the next step I'm to "please download Malwarebytes Anti-Malware from here"

            This link is not a valid link. Do I go to the homepage and then download it? It takes me to CNET.

            BigMac100

              Re: ThinkPoint?
              « Reply #7 on: December 03, 2010, 05:17:48 PM »
              Malwarebytes' Anti-Malware 1.50
              www.malwarebytes.org

              Database version: 5241

              Windows 5.1.2600 Service Pack 2 (Safe Mode)
              Internet Explorer 8.0.6001.18702

              12/3/2010 7:07:45 PM
              mbam-log-2010-12-03 (19-07-45).txt

              Scan type: Full scan (C:\|)
              Objects scanned: 241191
              Time elapsed: 56 minute(s), 21 second(s)

              Memory Processes Infected: 0
              Memory Modules Infected: 0
              Registry Keys Infected: 4
              Registry Values Infected: 4
              Registry Data Items Infected: 1
              Folders Infected: 4
              Files Infected: 21

              Memory Processes Infected:
              (No malicious items detected)

              Memory Modules Infected:
              (No malicious items detected)

              Registry Keys Infected:
              HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO) -> Quarantined and deleted successfully.
              HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
              HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{C48635AD-D6B5-3EE4-AAA2-540D5A173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
              HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{C48635AD-D6B5-3EE4-AAA2-540D5A173658} (Backdoor.Bot) -> Quarantined and deleted successfully.

              Registry Values Infected:
              HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AE68DCDA-8750-2C94-BD9A-9EE9347F3964} (Spyware.Passwords.XGen) -> Value: {AE68DCDA-8750-2C94-BD9A-9EE9347F3964} -> Quarantined and deleted successfully.
              HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rcudadi (Trojan.Hiloti.Gen) -> Value: Rcudadi -> Quarantined and deleted successfully.
              HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{BCF5C73A-CE2B-6071-3164-85F31BB12C73} (Trojan.ZbotR.Gen) -> Value: {BCF5C73A-CE2B-6071-3164-85F31BB12C73} -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RTHDBPL (Trojan.Agent) -> Value: RTHDBPL -> Quarantined and deleted successfully.

              Registry Data Items Infected:
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

              Folders Infected:
              c:\documents and settings\Owner\application data\systemproc (Trojan.Agent) -> Quarantined and deleted successfully.
              c:\program files\mozilla firefox\extensions\{8ce11043-9a15-4207-a565-0c94c42d590d} (Trojan.Swisyn) -> Quarantined and deleted successfully.
              c:\program files\mozilla firefox\extensions\{8ce11043-9a15-4207-a565-0c94c42d590d}\chrome (Trojan.Swisyn) -> Quarantined and deleted successfully.
              c:\program files\mozilla firefox\extensions\{8ce11043-9a15-4207-a565-0c94c42d590d}\chrome\content (Trojan.Swisyn) -> Quarantined and deleted successfully.

              Files Infected:
              c:\documents and settings\Owner\application data\Qerie\itlu.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
              c:\WINDOWS\cdrcph4.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
              c:\documents and settings\networkservice\local settings\application data\725140.exe (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
              c:\documents and settings\networkservice\local settings\application data\725141.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
              c:\documents and settings\networkservice\local settings\application data\734218.exe (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
              c:\documents and settings\networkservice\local settings\application data\734219.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
              c:\documents and settings\networkservice\local settings\application data\762218.exe (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
              c:\documents and settings\networkservice\local settings\application data\762219.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
              c:\documents and settings\Owner\local settings\Temp\tmp50116e99\r.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
              c:\program files\AskSBar\bar\1.bin\A2HIGHIN.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
              c:\program files\AskSBar\bar\1.bin\A2PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
              c:\program files\AskSBar\bar\1.bin\NPASKSBR.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
              c:\system volume information\_restore{c289e17b-7714-4e43-b22e-77069d407d7c}\RP1532\A0147958.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
              c:\system volume information\_restore{c289e17b-7714-4e43-b22e-77069d407d7c}\RP1532\A0147979.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
              c:\system volume information\_restore{c289e17b-7714-4e43-b22e-77069d407d7c}\RP1532\A0150999.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
              c:\WINDOWS\temp\0.12006703198118596.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
              c:\WINDOWS\temp\5.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
              c:\WINDOWS\temp\6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
              c:\WINDOWS\temp\kzdwuvqpfuwaane.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
              c:\documents and settings\Owner\application data\Owovy\ewow.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.
              c:\program files\mozilla firefox\extensions\{8ce11043-9a15-4207-a565-0c94c42d590d}\chrome.manifest (Trojan.Swisyn) -> Quarantined and deleted successfully.

              BigMac100

                Re: ThinkPoint?
                « Reply #8 on: December 03, 2010, 06:45:03 PM »
                DDS (Ver_10-11-27.01) - NTFSx86 
                Run by Owner at 20:38:22.44 on Fri 12/03/2010
                Internet Explorer: 8.0.6001.18702
                Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.254.74 [GMT -5:00]

                FW: AVG Firewall *disabled*   {8decf618-9569-4340-b34a-d78d28969b66}

                ============== Running Processes ===============

                C:\WINDOWS\system32\svchost -k DcomLaunch
                svchost.exe
                C:\WINDOWS\System32\svchost.exe -k netsvcs
                svchost.exe
                svchost.exe
                C:\WINDOWS\system32\spoolsv.exe
                svchost.exe
                C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                C:\Program Files\Bonjour\mDNSResponder.exe
                C:\Program Files\Java\jre6\bin\jqs.exe
                C:\Program Files\Kodak\printer\center\KodakSvc.exe
                C:\WINDOWS\System32\svchost.exe -k imgsvc
                C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
                C:\WINDOWS\system32\wuauclt.exe
                C:\WINDOWS\Explorer.EXE
                C:\WINDOWS\system32\wscntfy.exe
                C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
                C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
                C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
                C:\Program Files\QuickTime\qttask.exe
                C:\Program Files\iTunes\iTunesHelper.exe
                C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
                C:\Program Files\Java\jre6\bin\jusched.exe
                C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
                C:\WINDOWS\system32\ctfmon.exe
                C:\Program Files\Logitech\SetPoint\SetPoint.exe
                C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
                C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
                C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
                C:\Program Files\iPod\bin\iPodService.exe
                C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
                C:\WINDOWS\system32\wuauclt.exe
                C:\Program Files\Internet Explorer\iexplore.exe
                C:\Program Files\Internet Explorer\iexplore.exe
                C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\364IVJ9Z\dds[1].scr

                ============== Pseudo HJT Report ===============

                uStart Page = hxxp://www.columbus.rr.com/
                uSearch Page = hxxp://www.google.com
                uSearch Bar = hxxp://www.google.com/ie
                uInternet Connection Wizard,ShellNext = iexplore
                uInternet Settings,ProxyOverride = *.local
                uSearchAssistant = hxxp://www.google.com/ie
                uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
                mSearchAssistant =
                uURLSearchHooks: H - No File
                uURLSearchHooks: H - No File
                uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
                mWinlogon: Userinit=userinit.exe,
                BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
                BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
                BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
                BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
                BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
                BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
                BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
                BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
                BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
                TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
                TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
                TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
                TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
                TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
                EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
                uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
                uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
                uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
                uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
                uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
                uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
                mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
                mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
                mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
                mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
                mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
                mRun: [MimBoot] c:\progra~1\musicm~1\musicm~2\mimboot.exe
                mRun: [Webroot Desktop Firewall] c:\program files\webroot\webroot desktop firewall\WDF.exe
                mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
                mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
                mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
                mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
                mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
                mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
                mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
                mRun: [Dfesamiwokoje] rundll32.exe "c:\windows\ilihaxiqex.dll",Startup
                dRunOnce: [RunNarrator] Narrator.exe
                StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
                StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
                StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
                IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
                IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
                IE: Show All Original Images - c:\program files\netzero\qsacc\appres.dll/228
                IE: Show Original Image - c:\program files\netzero\qsacc\appres.dll/227
                IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
                IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
                IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
                IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
                IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
                IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
                IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
                Trusted Zone: musicmatch.com\online
                DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
                DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
                DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
                DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
                DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
                DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
                DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
                DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
                DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
                DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.leaguelineup.com/_incl/uploader/ImageUploader6.cab
                DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
                DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
                DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
                DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
                DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://webmail.na.avon.com/dwa7W.cab
                DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://www.leaguelineup.com/XUpload.ocx
                Filter: text/html - {fa3b1927-c810-48b5-ac12-120ccacb512d} -
                Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
                Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
                Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
                Notify: igfxcui - igfxsrvc.dll
                SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

                ============= SERVICES / DRIVERS ===============

                R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
                R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
                R2 KodakSvc;Kodak AiO Device Service;c:\program files\kodak\printer\center\KodakSvc.exe [2008-2-28 18944]
                R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-6-24 92008]
                S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-11-8 38224]

                =============== Created Last 30 ================

                2010-11-30 23:50:14   --------   d-----w-   c:\docume~1\owner\applic~1\Qerie
                2010-11-30 23:50:14   --------   d-----w-   c:\docume~1\owner\applic~1\Owuvw
                2010-11-30 22:06:32   --------   d-----w-   c:\docume~1\owner\locals~1\applic~1\{9943D1B2-DB9A-4D3E-A0F2-583F318A9828}
                2010-11-30 21:09:15   230   ----a-w-   C:\agtyjkj.bat
                2010-11-27 19:47:04   --------   d-----w-   c:\docume~1\owner\applic~1\Ysez
                2010-11-27 19:47:04   --------   d-----w-   c:\docume~1\owner\applic~1\Xiurz
                2010-11-27 19:19:18   --------   d-----w-   c:\docume~1\owner\applic~1\Owovy
                2010-11-27 19:19:18   --------   d-----w-   c:\docume~1\owner\applic~1\Edgubo
                2010-11-25 21:06:05   --------   d-----w-   c:\windows\system32\drivers\AVG
                2010-11-25 02:56:29   12160   -c--a-w-   c:\windows\system32\dllcache\mouhid.sys
                2010-11-25 02:56:29   12160   ----a-w-   c:\windows\system32\drivers\mouhid.sys
                2010-11-25 01:45:52   --------   d-----w-   c:\windows\system32\wbem\repository\FS
                2010-11-25 01:45:52   --------   d-----w-   c:\windows\system32\wbem\Repository
                2010-11-24 23:59:49   --------   d-----w-   c:\program files\Loaris
                2010-11-09 19:13:46   --------   d--h--w-   C:\$AVG
                2010-11-08 22:29:39   --------   d-----w-   c:\docume~1\owner\applic~1\AVG10
                2010-11-08 22:23:59   --------   d--h--w-   c:\docume~1\alluse~1\applic~1\Common Files
                2010-11-08 22:19:59   --------   d-----w-   c:\docume~1\alluse~1\applic~1\AVG10
                2010-11-08 22:18:52   --------   d-----w-   c:\program files\AVG
                2010-11-08 22:11:59   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                2010-11-08 22:11:51   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                2010-11-08 22:11:50   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                2010-11-08 21:36:35   --------   d-----w-   c:\docume~1\owner\locals~1\applic~1\Temp
                2010-11-08 21:15:19   4526   ----a-w-   c:\windows\system32\PerfStringBackup.TMP
                2010-11-08 20:44:59   --------   d-----w-   c:\docume~1\alluse~1\applic~1\MFAData

                ==================== Find3M  ====================


                =================== ROOTKIT  ====================

                Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
                Windows 5.1.2600 Disk: ST380011A rev.3.16 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

                device: opened successfully
                user: MBR read successfully

                Disk trace:
                called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x812DC446]<<
                _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x812e2504]; MOV EAX, [0x812e2580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX;  }
                1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x81367030]
                3 CLASSPNP[0xF92A305B] -> nt!IofCallDriver[0x804E37D5] -> [0x812FE550]
                \Driver\atapi[0x81359468] -> IRP_MJ_CREATE -> 0x812DC446
                kernel: MBR read successfully
                _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP;  }
                detected disk devices:
                \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST380011A_______________________________3.16____#4a33395641354a33202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
                detected hooks:
                \Driver\atapi DriverStartIo -> 0x812DC292
                user != kernel MBR !!!
                sectors 156249998 (+255): user != kernel
                Warning: possible TDL4 rootkit infection !
                TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

                ============= FINISH: 20:40:58.51 ===============
                « Last Edit: December 09, 2010, 04:23:50 PM by SuperDave »

                BigMac100

                  Topic Starter


                  Rookie

                  Re: ThinkPoint?
                  « Reply #9 on: December 03, 2010, 06:47:15 PM »
                  UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
                  IF REQUESTED, ZIP IT UP & ATTACH IT

                  DDS (Ver_10-11-27.01)

                  Microsoft Windows XP Home Edition
                  Boot Device: \Device\HarddiskVolume2
                  Install Date: 9/10/2005 12:42:10 AM
                  System Uptime: 12/3/2010 8:33:34 PM (0 hours ago)

                  Motherboard: Dell Computer Corp. |  | 0C2425
                  Processor:               Intel(R) Pentium(R) 4 CPU 2.53GHz | Microprocessor | 2525/533mhz

                  ==== Disk Partitions =========================

                  C: is FIXED (NTFS) - 74 GiB total, 49.456 GiB free.
                  D: is CDROM ()
                  E: is CDROM ()

                  ==== Disabled Device Manager Items =============

                  ==== System Restore Points ===================

                  RP1441: 9/2/2010 3:54:43 PM - System Checkpoint
                  RP1442: 9/3/2010 4:22:20 PM - System Checkpoint
                  RP1443: 9/4/2010 4:48:39 PM - System Checkpoint
                  RP1444: 9/5/2010 5:21:23 PM - System Checkpoint
                  RP1445: 9/6/2010 5:48:49 PM - System Checkpoint
                  RP1446: 9/7/2010 6:50:48 PM - System Checkpoint
                  RP1447: 9/8/2010 3:00:24 AM - Software Distribution Service 3.0
                  RP1448: 9/9/2010 3:24:05 AM - System Checkpoint
                  RP1449: 9/10/2010 4:24:06 AM - System Checkpoint
                  RP1450: 9/11/2010 5:24:04 AM - System Checkpoint
                  RP1451: 9/12/2010 5:31:18 AM - System Checkpoint
                  RP1452: 9/13/2010 6:24:08 AM - System Checkpoint
                  RP1453: 9/14/2010 7:24:07 AM - System Checkpoint
                  RP1454: 9/15/2010 3:00:33 AM - Software Distribution Service 3.0
                  RP1455: 9/16/2010 3:20:35 AM - System Checkpoint
                  RP1456: 9/17/2010 3:34:33 AM - System Checkpoint
                  RP1457: 9/18/2010 3:43:54 AM - System Checkpoint
                  RP1458: 9/19/2010 4:34:33 AM - System Checkpoint
                  RP1459: 9/20/2010 5:12:04 AM - System Checkpoint
                  RP1460: 9/21/2010 6:00:57 AM - System Checkpoint
                  RP1461: 9/22/2010 6:02:18 AM - System Checkpoint
                  RP1462: 9/23/2010 6:49:58 AM - System Checkpoint
                  RP1463: 9/24/2010 7:49:57 AM - System Checkpoint
                  RP1464: 9/25/2010 8:49:58 AM - System Checkpoint
                  RP1465: 9/26/2010 8:51:28 AM - System Checkpoint
                  RP1466: 10/3/2010 4:27:04 PM - System Checkpoint
                  RP1467: 10/4/2010 3:00:28 AM - Software Distribution Service 3.0
                  RP1468: 10/5/2010 3:02:24 AM - System Checkpoint
                  RP1469: 10/5/2010 6:04:29 PM - Restore Operation
                  RP1470: 10/6/2010 3:00:29 AM - Software Distribution Service 3.0
                  RP1471: 10/7/2010 3:05:44 AM - System Checkpoint
                  RP1472: 10/8/2010 4:05:43 AM - System Checkpoint
                  RP1473: 10/9/2010 4:14:58 AM - System Checkpoint
                  RP1474: 10/10/2010 5:05:43 AM - System Checkpoint
                  RP1475: 10/11/2010 6:05:41 AM - System Checkpoint
                  RP1476: 10/12/2010 6:12:54 AM - System Checkpoint
                  RP1477: 10/13/2010 7:07:19 AM - System Checkpoint
                  RP1478: 10/14/2010 3:00:42 AM - Software Distribution Service 3.0
                  RP1479: 10/15/2010 3:07:17 AM - System Checkpoint
                  RP1480: 10/16/2010 3:18:26 AM - System Checkpoint
                  RP1481: 10/17/2010 4:18:26 AM - System Checkpoint
                  RP1482: 10/18/2010 5:18:31 AM - System Checkpoint
                  RP1483: 10/19/2010 6:18:26 AM - System Checkpoint
                  RP1484: 10/20/2010 6:18:59 AM - System Checkpoint
                  RP1485: 10/21/2010 7:19:03 AM - System Checkpoint
                  RP1486: 10/22/2010 7:39:39 AM - System Checkpoint
                  RP1487: 10/23/2010 8:39:40 AM - System Checkpoint
                  RP1488: 10/24/2010 8:40:45 AM - System Checkpoint
                  RP1489: 10/25/2010 9:39:40 AM - System Checkpoint
                  RP1490: 10/26/2010 10:39:40 AM - System Checkpoint
                  RP1491: 10/27/2010 11:54:12 AM - System Checkpoint
                  RP1492: 10/28/2010 11:54:32 AM - System Checkpoint
                  RP1493: 10/29/2010 11:55:17 AM - System Checkpoint
                  RP1494: 10/30/2010 12:08:52 PM - System Checkpoint
                  RP1495: 10/31/2010 12:56:23 PM - System Checkpoint
                  RP1496: 11/1/2010 1:05:31 PM - System Checkpoint
                  RP1497: 11/2/2010 1:55:18 PM - System Checkpoint
                  RP1498: 11/3/2010 3:08:22 PM - System Checkpoint
                  RP1499: 11/4/2010 3:27:06 PM - System Checkpoint
                  RP1500: 11/5/2010 3:27:37 PM - System Checkpoint
                  RP1501: 11/6/2010 4:23:07 PM - System Checkpoint
                  RP1502: 11/7/2010 7:07:32 PM - System Checkpoint
                  RP1503: 11/8/2010 4:09:44 PM - Restore Operation
                  RP1504: 11/8/2010 4:20:07 PM - Removed SUPERAntiSpyware Free Edition
                  RP1505: 11/8/2010 4:34:56 PM - avast! Free Antivirus Setup
                  RP1506: 11/8/2010 4:55:37 PM - avast! Free Antivirus Setup
                  RP1507: 11/8/2010 5:18:49 PM - Installed AVG 2011
                  RP1508: 11/8/2010 5:19:38 PM - Installed AVG 2011
                  RP1509: 11/9/2010 6:27:55 PM - System Checkpoint
                  RP1510: 11/10/2010 7:02:18 PM - System Checkpoint
                  RP1511: 11/11/2010 3:00:56 AM - Software Distribution Service 3.0
                  RP1512: 11/12/2010 3:02:23 AM - System Checkpoint
                  RP1513: 11/13/2010 4:02:22 AM - System Checkpoint
                  RP1514: 11/14/2010 5:02:19 AM - System Checkpoint
                  RP1515: 11/15/2010 5:12:44 AM - System Checkpoint
                  RP1516: 11/15/2010 9:58:10 PM - Removed AVG 2011
                  RP1517: 11/15/2010 10:00:31 PM - Removed AVG 2011
                  RP1518: 11/16/2010 10:51:00 PM - System Checkpoint
                  RP1519: 11/17/2010 10:56:11 PM - System Checkpoint
                  RP1520: 11/18/2010 11:50:59 PM - System Checkpoint
                  RP1521: 11/20/2010 12:51:03 AM - System Checkpoint
                  RP1522: 11/21/2010 1:51:00 AM - System Checkpoint
                  RP1523: 11/22/2010 2:51:01 AM - System Checkpoint
                  RP1524: 11/23/2010 4:41:13 PM - System Checkpoint
                  RP1525: 11/24/2010 8:44:13 PM - Restore Operation
                  RP1526: 11/25/2010 5:33:15 PM - Removed AVG 2011
                  RP1527: 11/25/2010 5:37:20 PM - Removed AVG 2011
                  RP1528: 11/25/2010 6:18:58 PM - Advanced Registry Optimizer 2010 - Before Installation
                  RP1529: 11/25/2010 6:20:22 PM - ADVANCED REGISTRY OPTIMIZER 2010- FIRST RUN
                  RP1530: 11/25/2010 6:32:34 PM - Software Distribution Service 3.0
                  RP1531: 11/25/2010 6:46:04 PM - Software Distribution Service 3.0
                  RP1532: 11/30/2010 4:54:23 PM - System Checkpoint

                  ==== Installed Programs ======================

                  Adobe AIR
                  Adobe Flash Player 10 ActiveX
                  Adobe Reader 9
                  Adobe Shockwave Player
                  Adobe SVG Viewer 3.0
                  aiofw
                  aioocr
                  aioprnt
                  aioscnnr
                  Apple Mobile Device Support
                  Apple Software Update
                  Ask Toolbar
                  Bonjour
                  center
                  Conexant D850 56K V.9x DFVc Modem
                  Cyber Security
                  Dell ResourceCD
                  FaxTools
                  FrostWire 4.13.5
                  Google Toolbar for Internet Explorer
                  Help_CTR
                  helptut
                  helpug
                  Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
                  Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
                  Hotfix for Windows XP (KB952287)
                  Hotfix for Windows XP (KB954550-v5)
                  Hotfix for Windows XP (KB961118)
                  Hotfix for Windows XP (KB970653-v3)
                  Hotfix for Windows XP (KB976098-v2)
                  Hotfix for Windows XP (KB979306)
                  Hotfix for Windows XP (KB981793)
                  Intel(R) Extreme Graphics Driver
                  iTunes
                  Java(TM) 6 Update 16
                  KODAK All-in-One Printer Software
                  ksdip
                  Logitech Desktop Messenger
                  Logitech SetPoint
                  Malwarebytes' Anti-Malware
                  MapSend DirectRoute North America
                  Microsoft .NET Framework 2.0 Service Pack 2
                  Microsoft .NET Framework 3.0 Service Pack 2
                  Microsoft .NET Framework 3.5 SP1
                  Microsoft Money 2004
                  Microsoft Money 2004 System Pack
                  Microsoft Office 2007 Service Pack 2 (SP2)
                  Microsoft Office Access MUI (English) 2007
                  Microsoft Office Access Setup Metadata MUI (English) 2007
                  Microsoft Office Excel MUI (English) 2007
                  Microsoft Office Outlook MUI (English) 2007
                  Microsoft Office PowerPoint MUI (English) 2007
                  Microsoft Office PowerPoint Viewer 2007 (English)
                  Microsoft Office Professional 2007
                  Microsoft Office Professional 2007 Trial
                  Microsoft Office Proof (English) 2007
                  Microsoft Office Proof (French) 2007
                  Microsoft Office Proof (Spanish) 2007
                  Microsoft Office Proofing (English) 2007
                  Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
                  Microsoft Office Publisher MUI (English) 2007
                  Microsoft Office Shared MUI (English) 2007
                  Microsoft Office Shared Setup Metadata MUI (English) 2007
                  Microsoft Office Word MUI (English) 2007
                  Microsoft Picture It! Photo Premium 9
                  Microsoft Silverlight
                  Microsoft Software Update for Web Folders  (English) 12
                  Microsoft Streets and Trips 2004
                  Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
                  Microsoft Visual C++ 2005 Redistributable
                  Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
                  Microsoft Word 2002
                  Microsoft Works
                  Microsoft Works Suite Add-in for Microsoft Word
                  MobileMe Control Panel
                  MSXML 4.0 SP2 (KB954430)
                  MSXML 4.0 SP2 (KB973688)
                  MSXML 6 Service Pack 2 (KB973686)
                  Musicmatch® Jukebox
                  netbrdg
                  QuickTime
                  Security Update for 2007 Microsoft Office System (KB2288621)
                  Security Update for 2007 Microsoft Office System (KB2289158)
                  Security Update for 2007 Microsoft Office System (KB2344875)
                  Security Update for 2007 Microsoft Office System (KB2345043)
                  Security Update for 2007 Microsoft Office System (KB969559)
                  Security Update for 2007 Microsoft Office System (KB976321)
                  Security Update for Microsoft Office Access 2007 (KB979440)
                  Security Update for Microsoft Office Excel 2007 (KB2345035)
                  Security Update for Microsoft Office InfoPath 2007 (KB979441)
                  Security Update for Microsoft Office Outlook 2007 (KB2288953)
                  Security Update for Microsoft Office PowerPoint 2007 (KB982158)
                  Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
                  Security Update for Microsoft Office Publisher 2007 (KB982124)
                  Security Update for Microsoft Office system 2007 (972581)
                  Security Update for Microsoft Office system 2007 (KB974234)
                  Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
                  Security Update for Microsoft Office Word 2007 (KB2344993)
                  Security Update for Windows Internet Explorer 8 (KB971961)
                  Security Update for Windows Internet Explorer 8 (KB976325)
                  Security Update for Windows Internet Explorer 8 (KB978207)
                  Security Update for Windows Internet Explorer 8 (KB981332)
                  Security Update for Windows Internet Explorer 8 (KB982381)
                  Security Update for Windows Media Player (KB911564)
                  Security Update for Windows Media Player (KB952069)
                  Security Update for Windows Media Player (KB954155)
                  Security Update for Windows Media Player (KB968816)
                  Security Update for Windows Media Player (KB973540)
                  Security Update for Windows Media Player (KB978695)
                  Security Update for Windows Media Player (KB979402)
                  Security Update for Windows Media Player 6.4 (KB925398)
                  Security Update for Windows Media Player 9 (KB917734)
                  Security Update for Windows Media Player 9 (KB936782)
                  Security Update for Windows XP (KB2229593)
                  Security Update for Windows XP (KB890046)
                  Security Update for Windows XP (KB893756)
                  Security Update for Windows XP (KB896358)
                  Security Update for Windows XP (KB896423)
                  Security Update for Windows XP (KB896424)
                  Security Update for Windows XP (KB896428)
                  Security Update for Windows XP (KB899587)
                  Security Update for Windows XP (KB899591)
                  Security Update for Windows XP (KB900725)
                  Security Update for Windows XP (KB901017)
                  Security Update for Windows XP (KB901214)
                  Security Update for Windows XP (KB902400)
                  Security Update for Windows XP (KB904706)
                  Security Update for Windows XP (KB905414)
                  Security Update for Windows XP (KB905749)
                  Security Update for Windows XP (KB908519)
                  Security Update for Windows XP (KB911562)
                  Security Update for Windows XP (KB911927)
                  Security Update for Windows XP (KB912919)
                  Security Update for Windows XP (KB913580)
                  Security Update for Windows XP (KB914388)
                  Security Update for Windows XP (KB914389)
                  Security Update for Windows XP (KB917344)
                  Security Update for Windows XP (KB917422)
                  Security Update for Windows XP (KB917953)
                  Security Update for Windows XP (KB918118)
                  Security Update for Windows XP (KB919007)
                  Security Update for Windows XP (KB920213)
                  Security Update for Windows XP (KB920670)
                  Security Update for Windows XP (KB920683)
                  Security Update for Windows XP (KB920685)
                  Security Update for Windows XP (KB921398)
                  Security Update for Windows XP (KB921883)
                  Security Update for Windows XP (KB922616)
                  Security Update for Windows XP (KB922819)
                  Security Update for Windows XP (KB923191)
                  Security Update for Windows XP (KB923414)
                  Security Update for Windows XP (KB923561)
                  Security Update for Windows XP (KB923689)
                  Security Update for Windows XP (KB923980)
                  Security Update for Windows XP (KB924191)
                  Security Update for Windows XP (KB924270)
                  Security Update for Windows XP (KB924496)
                  Security Update for Windows XP (KB924667)
                  Security Update for Windows XP (KB925902)
                  Security Update for Windows XP (KB926255)
                  Security Update for Windows XP (KB926436)
                  Security Update for Windows XP (KB927779)
                  Security Update for Windows XP (KB927802)
                  Security Update for Windows XP (KB928255)
                  Security Update for Windows XP (KB928843)
                  Security Update for Windows XP (KB929123)
                  Security Update for Windows XP (KB930178)
                  Security Update for Windows XP (KB931261)
                  Security Update for Windows XP (KB931784)
                  Security Update for Windows XP (KB932168)
                  Security Update for Windows XP (KB933729)
                  Security Update for Windows XP (KB935839)
                  Security Update for Windows XP (KB935840)
                  Security Update for Windows XP (KB936021)
                  Security Update for Windows XP (KB938127)
                  Security Update for Windows XP (KB938464)
                  Security Update for Windows XP (KB941202)
                  Security Update for Windows XP (KB941568)
                  Security Update for Windows XP (KB941569)
                  Security Update for Windows XP (KB941644)
                  Security Update for Windows XP (KB941693)
                  Security Update for Windows XP (KB943055)
                  Security Update for Windows XP (KB943460)
                  Security Update for Windows XP (KB943485)
                  Security Update for Windows XP (KB944338)
                  Security Update for Windows XP (KB944653)
                  Security Update for Windows XP (KB945553)
                  Security Update for Windows XP (KB946026)
                  Security Update for Windows XP (KB946648)
                  Security Update for Windows XP (KB947864)
                  Security Update for Windows XP (KB948590)
                  Security Update for Windows XP (KB948881)
                  Security Update for Windows XP (KB950749)
                  Security Update for Windows XP (KB950759)
                  Security Update for Windows XP (KB950760)
                  Security Update for Windows XP (KB950762)
                  Security Update for Windows XP (KB950974)
                  Security Update for Windows XP (KB951066)
                  Security Update for Windows XP (KB951376-v2)
                  Security Update for Windows XP (KB951376)
                  Security Update for Windows XP (KB951698)
                  Security Update for Windows XP (KB951748)
                  Security Update for Windows XP (KB952004)
                  Security Update for Windows XP (KB952954)
                  Security Update for Windows XP (KB953838)
                  Security Update for Windows XP (KB953839)
                  Security Update for Windows XP (KB954211)
                  Security Update for Windows XP (KB954600)
                  Security Update for Windows XP (KB955069)
                  Security Update for Windows XP (KB956390)
                  Security Update for Windows XP (KB956391)
                  Security Update for Windows XP (KB956572)
                  Security Update for Windows XP (KB956802)
                  Security Update for Windows XP (KB956803)
                  Security Update for Windows XP (KB956841)
                  Security Update for Windows XP (KB956844)
                  Security Update for Windows XP (KB957095)
                  Security Update for Windows XP (KB957097)
                  Security Update for Windows XP (KB958215)
                  Security Update for Windows XP (KB958470)
                  Security Update for Windows XP (KB958644)
                  Security Update for Windows XP (KB958687)
                  Security Update for Windows XP (KB958690)
                  Security Update for Windows XP (KB958869)
                  Security Update for Windows XP (KB959426)
                  Security Update for Windows XP (KB960225)
                  Security Update for Windows XP (KB960714)
                  Security Update for Windows XP (KB960715)
                  Security Update for Windows XP (KB960803)
                  Security Update for Windows XP (KB960859)
                  Security Update for Windows XP (KB961371)
                  Security Update for Windows XP (KB961373)
                  Security Update for Windows XP (KB961501)
                  Security Update for Windows XP (KB963027)
                  Security Update for Windows XP (KB968537)
                  Security Update for Windows XP (KB969059)
                  Security Update for Windows XP (KB969897)
                  Security Update for Windows XP (KB969898)
                  Security Update for Windows XP (KB969947)
                  Security Update for Windows XP (KB970238)
                  Security Update for Windows XP (KB970430)
                  Security Update for Windows XP (KB971468)
                  Security Update for Windows XP (KB971486)
                  Security Update for Windows XP (KB971557)
                  Security Update for Windows XP (KB971633)
                  Security Update for Windows XP (KB971657)
                  Security Update for Windows XP (KB971961)
                  Security Update for Windows XP (KB972260)
                  Security Update for Windows XP (KB972270)
                  Security Update for Windows XP (KB973346)
                  Security Update for Windows XP (KB973354)
                  Security Update for Windows XP (KB973507)
                  Security Update for Windows XP (KB973525)
                  Security Update for Windows XP (KB973869)
                  Security Update for Windows XP (KB973904)
                  Security Update for Windows XP (KB974112)
                  Security Update for Windows XP (KB974318)
                  Security Update for Windows XP (KB974392)
                  Security Update for Windows XP (KB974455)
                  Security Update for Windows XP (KB974571)
                  Security Update for Windows XP (KB975025)
                  Security Update for Windows XP (KB975467)
                  Security Update for Windows XP (KB975560)
                  Security Update for Windows XP (KB975561)
                  Security Update for Windows XP (KB975562)
                  Security Update for Windows XP (KB975713)
                  Security Update for Windows XP (KB976325)
                  Security Update for Windows XP (KB977165-v2)
                  Security Update for Windows XP (KB977816)
                  Security Update for Windows XP (KB977914)
                  Security Update for Windows XP (KB978037)
                  Security Update for Windows XP (KB978251)
                  Security Update for Windows XP (KB978262)
                  Security Update for Windows XP (KB978338)
                  Security Update for Windows XP (KB978542)
                  Security Update for Windows XP (KB978601)
                  Security Update for Windows XP (KB978706)
                  Security Update for Windows XP (KB979309)
                  Security Update for Windows XP (KB979482)
                  Security Update for Windows XP (KB979559)
                  Security Update for Windows XP (KB979683)
                  Security Update for Windows XP (KB980195)
                  Security Update for Windows XP (KB980218)
                  Security Update for Windows XP (KB980232)
                  SFR
                  SoundMAX
                  Spelling Dictionaries Support For Adobe Reader 8
                  SUPERAntiSpyware
                  TomTom HOME 2.7.5.2014
                  TomTom HOME Visual Studio Merge Modules
                  TWC Customer Controls
                  Uninstall Dual Mode Camera
                  Update for 2007 Microsoft Office System (KB967642)
                  Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
                  Update for Outlook 2007 Junk Email Filter (KB2443839)
                  Update for Windows Internet Explorer 8 (KB975364)
                  Update for Windows Internet Explorer 8 (KB976662)
                  Update for Windows Internet Explorer 8 (KB980182)
                  Update for Windows XP (KB898461)
                  Update for Windows XP (KB900485)
                  Update for Windows XP (KB908531)
                  Update for Windows XP (KB910437)
                  Update for Windows XP (KB911280)
                  Update for Windows XP (KB916595)
                  Update for Windows XP (KB920872)
                  Update for Windows XP (KB922582)
                  Update for Windows XP (KB925720)
                  Update for Windows XP (KB927891)
                  Update for Windows XP (KB930916)
                  Update for Windows XP (KB936357)
                  Update for Windows XP (KB938828)
                  Update for Windows XP (KB942763)
                  Update for Windows XP (KB951072-v2)
                  Update for Windows XP (KB955759)
                  Update for Windows XP (KB955839)
                  Update for Windows XP (KB967715)
                  Update for Windows XP (KB968389)
                  Update for Windows XP (KB971737)
                  Update for Windows XP (KB973687)
                  Update for Windows XP (KB973815)
                  Update for Windows XP (KB976749)
                  Walmart MP3 Music Downloads
                  WebFldrs XP
                  Windows Imaging Component
                  Windows Installer 3.1 (KB893803)
                  Windows Internet Explorer 8
                  Windows Media Format Runtime
                  Windows XP Hotfix - KB873339
                  Windows XP Hotfix - KB885835
                  Windows XP Hotfix - KB885836
                  Windows XP Hotfix - KB885884
                  Windows XP Hotfix - KB886185
                  Windows XP Hotfix - KB887472
                  Windows XP Hotfix - KB888302
                  Windows XP Hotfix - KB890859
                  Windows XP Hotfix - KB891781
                  Windows XP Service Pack 2
                  Yahoo! Browser Services
                  Yahoo! Install Manager
                  Yahoo! Internet Mail
                  Yahoo! Messenger
                  Yahoo! Toolbar

                  ==== Event Viewer Messages From Past Week ========

                  12/3/2010 7:11:29 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  IntelIde
                  12/3/2010 5:26:35 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  Fips intelppm OMCI SASDIFSV SASKUTIL
                  12/3/2010 5:25:23 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
                  12/1/2010 9:45:42 PM, error: Service Control Manager [7023]  - The iPod Service service terminated with the following error:  Security must be initialized before any interfaces are marshalled or unmarshalled. It cannot be changed once initialized.
                  12/1/2010 6:40:48 PM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
                  12/1/2010 6:40:48 PM, error: Service Control Manager [7000]  - The iPod Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
                  12/1/2010 6:40:06 PM, error: DCOM [10005]  - DCOM got error "%1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
                  11/30/2010 5:05:35 PM, error: DCOM [10000]  - Unable to start a DCOM Server: {D0AAD3D6-EB93-4363-A24E-2C3D80CDBAC7}. The error: "%5" Happened while starting this command: "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe" -Embedding
                  11/30/2010 5:05:33 PM, error: Service Control Manager [7001]  - The SSDP Discovery Service service depends on the HTTP service which failed to start because of the following error:  Access is denied.
                  11/30/2010 5:05:31 PM, error: Service Control Manager [7000]  - The HTTP service failed to start due to the following error:  Access is denied.
                  11/30/2010 4:10:34 PM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the Apple Mobile Device service to connect.
                  11/30/2010 4:10:34 PM, error: Service Control Manager [7000]  - The Apple Mobile Device service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
                  11/30/2010 4:09:58 PM, error: Service Control Manager [7034]  - The TomTomHOMEService service terminated unexpectedly.  It has done this 1 time(s).
                  11/30/2010 4:09:58 PM, error: Service Control Manager [7034]  - The Kodak AiO Device Service service terminated unexpectedly.  It has done this 1 time(s).
                  11/30/2010 4:09:58 PM, error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
                  11/30/2010 4:09:49 PM, information: Windows File Protection [64001]  - File replacement was attempted on the protected system file mstsc.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 4.20.0.0, the version of the system file is 5.1.2600.2180.
                  11/27/2010 9:59:51 PM, error: DCOM [10005]  - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
                  11/27/2010 8:05:44 PM, error: Service Control Manager [7022]  - The WebClient service hung on starting.
                  11/27/2010 5:31:17 PM, error: DCOM [10005]  - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

                  ==== End Of File ===========================
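An added example, not part of BigMac100's post or of DDS itself: Python that parses the "Event Viewer Messages" layout shown in the log above and groups the entries a responder would usually read first (drivers that failed to load, services denied access at start, and Windows File Protection replacement attempts). The field layout is inferred from the lines in this log; the function names and the choice of event IDs to group are assumptions made for the example.

```python
import re
from datetime import datetime

# Three lines copied from the "Event Viewer Messages" section of the log above, used as sample input.
SAMPLE = '''12/3/2010 5:26:35 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  Fips intelppm OMCI SASDIFSV SASKUTIL
11/30/2010 5:05:31 PM, error: Service Control Manager [7000]  - The HTTP service failed to start due to the following error:  Access is denied.
11/30/2010 4:09:49 PM, information: Windows File Protection [64001]  - File replacement was attempted on the protected system file mstsc.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 4.20.0.0, the version of the system file is 5.1.2600.2180.
'''

# "<date> <time> AM|PM, <level>: <source> [<event id>]  - <message>"
LINE = re.compile(r'^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M), (?P<level>\w+): '
                  r'(?P<source>.+?) \[(?P<id>\d+)\]\s+-\s+(?P<msg>.*)$')
# File name plus the rejected and the restored version from a 64001 message.
WFP = re.compile(r'protected system file (?P<file>.+?)\. This file .*?'
                 r'bad file is (?P<bad>\d+(?:\.\d+)*), '
                 r'the version of the system file is (?P<good>\d+(?:\.\d+)*)')

def parse_events(text):
    """Turn DDS-style event lines into dicts; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ev = m.groupdict()
            ev['id'] = int(ev['id'])
            ev['ts'] = datetime.strptime(ev['ts'], '%m/%d/%Y %I:%M:%S %p')
            events.append(ev)
    return events

def triage(events):
    """Group the entries worth reading first, oldest first."""
    report = {'failed_drivers': [], 'access_denied': [], 'wfp_replacements': []}
    for ev in sorted(events, key=lambda e: e['ts']):
        if ev['id'] == 7026:  # boot-start or system-start drivers that did not load
            report['failed_drivers'] += ev['msg'].split(':', 1)[1].split()
        elif ev['id'] in (7000, 7001) and 'Access is denied' in ev['msg']:
            report['access_denied'].append((ev['ts'], ev['msg']))
        elif ev['source'] == 'Windows File Protection' and ev['id'] == 64001:
            m = WFP.search(ev['msg'])
            if m and m['bad'] != m['good']:  # replacement differed from the system copy
                report['wfp_replacements'].append(
                    (ev['ts'], m['file'], m['bad'], m['good']))
    return report

if __name__ == '__main__':
    for key, items in triage(parse_events(SAMPLE)).items():
        print(key, items)
```

Each group is a starting point for review, not a verdict: a driver that failed to load or a service denied access can have benign causes and needs checking against the rest of the log.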

                  BigMac100

                    Re: ThinkPoint?
                    « Reply #10 on: December 03, 2010, 06:50:20 PM »
                    Dave, I believe I have done everything as instructed even though I had to reboot twice during the DDS phase. Please let me know if there is anything you need.

                    Thank you!

                    SuperDave

                    Re: ThinkPoint?
                    « Reply #11 on: December 03, 2010, 07:40:45 PM »
                    Quote
                    This link is not a valid link. Do I go to the homepage and then download it? It takes me to CNET.
                    Yup. There's something amiss with that link. I'll have to check that out.

                    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

                    Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

                    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

                    Exit out of MessengerDisable then delete the two files that were put on the desktop.
                    ***********************************************
                    Please go to Jotti's malware scan
                    (If more than one file needs to be scanned, they must be done separately and links posted for each one)

                    * Copy the file path in the below Code box:

                    Code:
                    C:\agtyjkj.bat
                     

                    * At the upload site, click once inside the window next to Browse.
                    * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
                    * Next click Submit file
                    * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
                    * This will perform a scan across multiple different virus scanning engines.
                    * Important: Wait for all of the scanning engines to complete.
                    * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
                    ************************************************
                    I strongly recommend that you remove Ask from your computer because it:

                    •Promotes its toolbars on sites targeted to kids.

                    •Promotes its toolbars through ads that appear to be part of other companies' sites.

                    •Promotes its toolbars through other companies' spyware.

                    •Installs without any disclosure whatsoever and without any consent whatsoever.

                    •Solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.

                    •Makes confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

                    See Here for more info.

                    If you choose to follow my recommendation then please go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

                    AskBarDis or anything related to Ask

                    Then please find and delete this folder in bold (if present):
                    C:\Program Files\AskBarDis or anything related to Ask.
                    ****************************************************
                    P2P - I see you have P2P software installed on your machine (FrostWire). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

                    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

                    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
                    ***********************************************
                    Download Security Check by screen317 from one of the following links and save it to your desktop.

                    Link 1
                    Link 2

                    * Unzip SecurityCheck.zip and a folder named Security Check should appear.
                    * Open the Security Check folder and double-click Security Check.bat
                    * Follow the on-screen instructions inside of the black box.
                    * A Notepad document should open automatically called checkup.txt
                    * Post the contents of that document in your next reply.

                    Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
                    ******************************************************
                    Download OTL to your desktop.

                    * Open OTL
                    * Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

                    Code:
                    :OTL

                    :otl
                    BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
                    TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
                    TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
                    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
                    mRun: [Dfesamiwokoje] rundll32.exe "c:\windows\ilihaxiqex.dll",Startup
                    dRunOnce: [RunNarrator] Narrator.exe
                    Trusted Zone: musicmatch.com\online

                    :COMMANDS
                    [resethosts]
                    [purity]
                    [clearrestorepoints]
                    [emptytemp]
                    [start explorer]

                    * Click Run Fix
                    * OTLI2 may ask to reboot the machine. Please do so if asked.
                    * Click OK
                    * A report will open. Copy and Paste that report in your next reply.

                    Note: You may need two or more posts to fit them all in.

                    ****************************************
                    Please open Command Prompt (Start > Run and type CMD and press OK [Vista/7: Start search: CMD and press enter])
                    Enter the following into the black box, pressing Enter after each line:

                    Code:
                    cd desktop

                    mbr.exe -f

                    exit

                    Post a log (MBR.log).
                    ******************************

                    BigMac100


                      Re: ThinkPoint?
                      « Reply #12 on: December 06, 2010, 04:27:25 PM »
                      Dave,

                      I'm a little confused. When trying to remove Windows Messenger, I click the link you give "Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger". It takes me to Majorgeek.com. When I scroll down I see....


                      "This utility will allow you to disable Windows Messenger on per-user basis, or on a machine wide basis. Download the ZIP file and extract MessengerDisable.exe to your hard drive. You can either double click the EXE file, or create a shortcut to it, as you prefer. You can, optionally, use this utility to remove Windows Messenger from your machine. You may need Administrator level privileges to run this program."

                      The words "hard drive" are a link that takes me to an IBM website. When I exit out of it all and go back into it, sometimes there is a link "download" and it takes me to a Sprint site.

                      What do I do?

                      SuperDave

                      Re: ThinkPoint?
                      « Reply #13 on: December 06, 2010, 04:39:38 PM »
                      I tried the link and it works for me. There is no link in "harddrive" when I checked it. Did you actually download the program and run it?
                      In any case, if you can't get it to work, proceed with the rest of the instructions. It's not a big deal. I'm just trying to be thorough.


                      BigMac100


                        Re: ThinkPoint?
                        « Reply #14 on: December 06, 2010, 04:58:40 PM »
                        Thanks, Dave, for trying to be thorough. No, I did not download and run. The phrase "harddrive" is highlighted in green and when I put my cursor on it a pop-up appears and when I click on it, it takes me to a link. Is there something else I can try to rid computer of messenger?

                        Also, I am having difficulty on the next step also. I can access the link but when I copy the code, it will not allow me to CTRL+V it to the window next to BROWSE.