
Author Topic: Malware Removal Help and Assistance Requested  (Read 24831 times)


MauiFaka (Topic Starter, Rookie)
Malware Removal Help and Assistance Requested
« on: April 21, 2011, 06:40:09 AM »
Aloha,
I am looking to do a malware removal on my XP desktop and have begun the early process laid down by evilfantasy. I am currently stumped on Step 2. After downloading CCleaner - Slim, I open the download and select 'Run'; after a quick delay, a window pops up. The window header reads 'NSIS Error', with the body stating...

'Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy.

More information at:
http://nsis.sf.net/NSIS_Error'

I have tried both links and both have the same return. I looked to contact Piriform's support center but they offered no link to start an account to ask the above question. I'm hoping that this issue is not unique and there is a solution to this to continue forward with the malware removal process. Any help or guidance on this issue would be greatly appreciated. Thank you.

Allan (Moderator, Mastermind)
« Reply #1 on: April 21, 2011, 06:47:29 AM »
Try downloading from here: http://www.filehippo.com/download_ccleaner/
If still no joy, just proceed with the rest of the steps and a malware specialist will be along to help out.

MauiFaka (Topic Starter, Rookie)
« Reply #2 on: April 21, 2011, 07:09:01 AM »
Thank you Allan. That link was successful for me.

MauiFaka (Topic Starter, Rookie)
« Reply #3 on: April 21, 2011, 03:21:59 PM »
Ok, it appears that whatever I have on/in my system has begun to cripple my ability to download the required programs for this malware removal process. After trying several sites and versions (older) of SUPERAntiSpyware, I get this recurring pop-up when opening the downloaded file for installation: 'Corrupt installation detected, check source media or re-download'. What would be a go-around for this dilemma?

Same thing is happening with Malwarebytes Anti-Malware. When installing, the following appears...

'An error occurred while trying to copy a file:
The source file is corrupted.'

A separate issue: upon firing up my rig this morning, the newly installed PC Tools Firewall Plus displayed a window with the following...

'Generic Host Process for Win32 Services appears to act as a local proxy.

Is this application a local proxy?'

-Below are the details of this issue with PC Tools-

Generic Host Process for Win32 Services

Connecting Application's PID : 2292
Connecting Application's Path : C:\Program Files\Dna\Btdna.exe
Connecting Application's Port : 1050
Proxy IP : 127.0.0.1
Proxy PID : 1728
Proxy Path : C:\WINDOWS\SYSTEM32\SVCHOST.EXE
Proxy Port : 2869
Proxy Protocol : TCP
Application Path : c:\windows\system32\svchost.exe

Would I be answering yes or no to this above application? I did a search on this and came back with a variety of explanations on it.

Again, any help on any one of these concerns would be greatly appreciated.
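As an added example that is not part of the thread: a small Python triage helper that parses the PC Tools alert details quoted above and works out what the loopback "proxy" is. It assumes (as a fact about stock Windows XP, not something stated in the post) that TCP port 2869 inside the system svchost.exe is the UPnP Device Host / SSDP Discovery listener, which P2P clients such as BitTorrent DNA talk to when they ask the router for a port mapping, so the side worth reviewing is the connecting application rather than svchost itself.

```python
"""Triage a PC Tools Firewall Plus 'local proxy' alert (constructed sample below)."""

# Alert details as quoted in the forum post (constructed copy for this example).
ALERT = """\
Connecting Application's PID : 2292
Connecting Application's Path : C:\\Program Files\\Dna\\Btdna.exe
Connecting Application's Port : 1050
Proxy IP : 127.0.0.1
Proxy PID : 1728
Proxy Path : C:\\WINDOWS\\SYSTEM32\\SVCHOST.EXE
Proxy Port : 2869
Proxy Protocol : TCP
Application Path : c:\\windows\\system32\\svchost.exe
"""

# Loopback ports a stock Windows XP svchost.exe instance listens on.
# Assumption for this example: 2869/TCP is the UPnP Device Host / SSDP Discovery
# service, which P2P clients use to request port mappings from the router.
KNOWN_SVCHOST_LOOPBACK_PORTS = {
    2869: "UPnP Device Host / SSDP Discovery (UPnP port-mapping requests)",
}

# Executables this example treats as P2P clients (btdna.exe appears in the thread's HJT log).
P2P_EXECUTABLES = {"btdna.exe"}

SYSTEM_SVCHOST = r"c:\windows\system32\svchost.exe"


def parse_alert(text: str) -> dict:
    """Turn 'Key : Value' lines into a dict with lower-cased, stripped keys."""
    details = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        # partition on the first colon: the drive-letter colon comes later in the value
        key, _, value = line.partition(":")
        details[key.strip().lower()] = value.strip()
    return details


def triage(details: dict) -> dict:
    """Decide whether the 'proxy' is a Windows service and which side needs review."""
    proxy_path = details.get("proxy path", "").lower()
    proxy_port = int(details.get("proxy port", "0"))
    proxy_ip = details.get("proxy ip", "")
    client = details.get("connecting application's path", "")
    client_exe = client.replace("\\", "/").rsplit("/", 1)[-1].lower()

    is_loopback = proxy_ip == "127.0.0.1"
    # Only trust the svchost name when it sits in the real system directory;
    # a same-named binary elsewhere would be the thing to investigate.
    is_system_svchost = proxy_path == SYSTEM_SVCHOST
    service = KNOWN_SVCHOST_LOOPBACK_PORTS.get(proxy_port)

    verdict = {
        "proxy_is_windows_service": is_loopback and is_system_svchost and service is not None,
        "service": service or "unknown listener; inspect the svchost PID's service group",
        "connecting_exe": client_exe,
        "connecting_is_p2p": client_exe in P2P_EXECUTABLES,
    }
    # Review the P2P client that initiated the connection, otherwise the listener.
    verdict["review"] = client if verdict["connecting_is_p2p"] else proxy_path
    return verdict


if __name__ == "__main__":
    for key, value in triage(parse_alert(ALERT)).items():
        print(f"{key}: {value}")
```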

SuperDave (Malware Removal Specialist, Genius)
« Reply #4 on: April 22, 2011, 10:45:52 AM »
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

        1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
        2. The fixes are specific to your problem and should only be used for this issue on this machine.
        3. If you don't know or understand something, please don't hesitate to ask.
        4. Please DO NOT run any other tools or scans while I am helping you.
        5. It is important that you reply to this thread. Do not start a new topic.
        6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
        7. Absence of symptoms does not mean that everything is clear.

        If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
        You could try booting in Safe Mode with Networking and download these programs. If that doesn't work, please use the above method to download SAS and MBAM on a clean computer and transfer them to your computer. Please post the logs.

        Safe Mode

        SUPERAntiSpyware

        If you already have SUPERAntiSpyware be sure to check for updates before scanning!


        Download SuperAntispyware Free Edition (SAS)
        * Double-click the icon on your desktop to run the installer.
        * When asked to Update the program definitions, click Yes
        * If you encounter any problems while downloading the updates, manually download and unzip them from here
        * Next click the Preferences button.

        •Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
        * Click the Scanning Control tab.
        * Under Scanner Options make sure only the following are checked:

        •Close browsers before scanning
        •Scan for tracking cookies
        •Terminate memory threats before quarantining
        Please leave the others unchecked

        •Click the Close button to leave the control center screen.

        * On the main screen click Scan your computer
        * On the left check the box for the drive you are scanning.
        * On the right choose Perform Complete Scan
        * Click Next to start the scan. Please be patient while it scans your computer.
        * After the scan is complete a summary box will appear. Click OK
        * Make sure everything in the white box has a check next to it, then click Next
        * It will quarantine what it found and if it asks if you want to reboot, click Yes

        •To retrieve the removal information please do the following:
        •After reboot, double-click the SUPERAntiSpyware icon on your desktop.
        •Click Preferences. Click the Statistics/Logs tab.

        •Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

        •It will open in your default text editor (preferably Notepad).
        •Save the notepad file to your desktop by clicking (in notepad) File > Save As...

        * Save the log somewhere you can easily find it. (normally the desktop)
        * Click close and close again to exit the program.
        * Copy and paste the log in your post.
        ******************************************
        Please download Malwarebytes Anti-Malware from here.
        Double Click mbam-setup.exe to install the application.
        • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
        • If an update is found, it will download and install the latest version.
        • Once the program has loaded, select "Perform Full Scan", then click Scan.
        • The scan may take some time to finish, so please be patient.
        • When the scan is complete, click OK, then Show Results to view the results.
        • Make sure that everything is checked, and click Remove Selected.
        • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
        • Please save the log to a location you will remember.
        • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
        • Copy and paste the entire report in your next reply.
        Extra Note:

        If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
        Windows 8 and Windows 10 dual boot with two SSD's

MauiFaka (Topic Starter, Rookie)
« Reply #5 on: April 23, 2011, 07:34:07 AM »
          SUPERAntiSpyware Scan Log
          http://www.superantispyware.com

          Generated 04/23/2011 at 02:36 AM

          Application Version : 4.51.1000

          Core Rules Database Version : 6903
          Trace Rules Database Version: 4715

          Scan type       : Complete Scan
          Total Scan Time : 02:09:53

          Memory items scanned      : 695
          Memory threats detected   : 0
          Registry items scanned    : 5759
          Registry threats detected : 0
          File items scanned        : 102147
          File threats detected     : 1

          Adware.Tracking Cookie
             C:\Documents and Settings\Owner\Cookies\owner@imrworldwide[2].txt

MauiFaka (Topic Starter, Rookie)
« Reply #6 on: April 23, 2011, 07:35:08 AM »
            Malwarebytes' Anti-Malware 1.50.1.1100
            www.malwarebytes.org

            Database version: 5363

            Windows 5.1.2600 Service Pack 3
            Internet Explorer 8.0.6001.18702

            4/23/2011 3:10:19 AM
            mbam-log-2011-04-23 (03-10-19).txt

            Scan type: Quick scan
            Objects scanned: 148039
            Time elapsed: 2 minute(s), 56 second(s)

            Memory Processes Infected: 0
            Memory Modules Infected: 0
            Registry Keys Infected: 0
            Registry Values Infected: 0
            Registry Data Items Infected: 0
            Folders Infected: 0
            Files Infected: 0

            Memory Processes Infected:
            (No malicious items detected)

            Memory Modules Infected:
            (No malicious items detected)

            Registry Keys Infected:
            (No malicious items detected)

            Registry Values Infected:
            (No malicious items detected)

            Registry Data Items Infected:
            (No malicious items detected)

            Folders Infected:
            (No malicious items detected)

            Files Infected:
            (No malicious items detected)

MauiFaka (Topic Starter, Rookie)
« Reply #7 on: April 23, 2011, 07:36:11 AM »
              Logfile of Trend Micro HijackThis v2.0.4
              Scan saved at 3:49:00 AM, on 4/23/2011
              Platform: Windows XP SP3 (WinNT 5.01.2600)
              MSIE: Internet Explorer v8.00 (8.00.6001.18702)
              Boot mode: Normal

              Running processes:
              C:\WINDOWS\System32\smss.exe
              C:\WINDOWS\system32\winlogon.exe
              C:\WINDOWS\system32\services.exe
              C:\WINDOWS\system32\lsass.exe
              C:\WINDOWS\system32\Ati2evxx.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\System32\svchost.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\system32\Ati2evxx.exe
              C:\Program Files\AVG\AVG9\avgchsvx.exe
              C:\Program Files\AVG\AVG9\avgrsx.exe
              C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
              C:\Program Files\AVG\AVG9\avgcsrvx.exe
              C:\WINDOWS\system32\spoolsv.exe
              C:\WINDOWS\Explorer.EXE
              C:\WINDOWS\RTHDCPL.EXE
              C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
              C:\Program Files\Logitech\QuickCam\Quickcam.exe
              C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
              C:\PROGRA~1\AVG\AVG9\avgtray.exe
              C:\Program Files\iTunes\iTunesHelper.exe
              C:\Program Files\Mindjet\MindManager 8\MMReminderService.exe
              C:\Program Files\Common Files\Java\Java Update\jusched.exe
              C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
              C:\WINDOWS\system32\ctfmon.exe
              C:\Program Files\DNA\btdna.exe
              C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
              C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
              C:\Program Files\Messenger\msmsgs.exe
              C:\Program Files\Windows Media Player\WMPNSCFG.exe
              C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
              C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
              C:\Program Files\AVG\AVG9\avgwdsvc.exe
              C:\Program Files\Bonjour\mDNSResponder.exe
              C:\WINDOWS\System32\svchost.exe
              C:\Program Files\AVG\AVG9\avgnsx.exe
              C:\Program Files\Java\jre6\bin\jqs.exe
              C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
              C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
              C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
              C:\Program Files\PC Tools Firewall Plus\FWService.exe
              C:\WINDOWS\system32\svchost.exe
              C:\Program Files\AVG\AVG9\avgemc.exe
              C:\Program Files\AVG\AVG9\avgcsrvx.exe
              C:\Program Files\iPod\bin\iPodService.exe
              C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
              C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
              C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
              C:\Program Files\Mozilla Firefox\firefox.exe
              C:\WINDOWS\system32\wuauclt.exe
              C:\Program Files\Mozilla Firefox\plugin-container.exe
              C:\Program Files\Trend Micro\HiJackThis\sniper.exe.exe

              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
              O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
              O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
              O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
              O2 - BHO: CmjBrowserHelperObject Object - {6FE6A929-59D1-4763-91AD-29B61CFFB35B} - C:\Program Files\Mindjet\MindManager 8\Mm8InternetExplorer.dll
              O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
              O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
              O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
              O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
              O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
              O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
              O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
              O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
              O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
              O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
              O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 8\MMReminderService.exe
              O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
              O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
              O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
              O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
              O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
              O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
              O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
              O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
              O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
              O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
              O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
              O4 - HKCU\..\Run: [EPSON WorkForce 500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEQA.EXE /FU "C:\WINDOWS\TEMP\E_S86.tmp" /EF "HKCU"
              O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
              O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
              O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
              O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
              O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
              O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
              O9 - Extra button: Send to Mindjet MindManager - {2F72393D-2472-4F82-B600-ED77F354B7FF} - C:\Program Files\Mindjet\MindManager 8\Mm8InternetExplorer.dll
              O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
              O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
              O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
              O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238481082031
              O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
              O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
              O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
              O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
              O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
              O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
              O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
              O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
              O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
              O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
              O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\NitroPDF5\bepldr.exe
              O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
              O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
              O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
              O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
              O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
              O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
              O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
              O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
              O23 - Service: M-Audio Series II MIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
              O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
              O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - Unknown owner - C:\Program Files\PC Tools Firewall Plus\FWService.exe

              --
              End of file - 10107 bytes
              « Last Edit: April 23, 2011, 07:49:50 AM by MauiFaka »

MauiFaka (Topic Starter, Rookie)
« Reply #8 on: April 23, 2011, 08:10:49 AM »
Aloha Super Dave, thank you very much in advance for your time and help with this. A few notes after using the Computer Hope HijackThis process tool.

I'm currently running two firewalls, Windows Firewall and PC Tools Firewall Plus.

I'm currently also running what I believe is the latest version of HijackThis, v2.0.4.

From what my research on the unknown files shows, they are harmless and/or required for the health of the computer. Hopefully I have provided accurate info for a correct assessment. Once again, thank you for your time and assistance on this matter.

SuperDave (Malware Removal Specialist, Genius)
« Reply #9 on: April 23, 2011, 01:16:35 PM »
                P2P - I see you have P2P software installed on your machine (BitTorrent DNA). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

                Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

                I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
                *****************************************

                Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

                Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

                Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

                Exit out of MessengerDisable then delete the two files that were put on the desktop.
                **********************************************************

                Open HijackThis and select Do a system scan only

                Place a check mark next to the following entries: (if there)

                O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
                O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


                Important: Close all open windows except for HijackThis and then click Fix checked.

                Once completed, exit HijackThis.
                ***********************************************
                Quote
                I'm currently running two firewalls, Windows Firewall and PC Tools Firewall Plus.
                That is a no-no. One will have to be disabled or uninstalled
                ********************************************************
                This next tool that I want to use will not run with AVG on your computer. Please choose one of the other free AVs from the link below, download and install it. Then, uninstall AVG. Microsoft Security Essentials is a good one with no hassles.

                Remember to only install one antivirus!
                 
                1) Avast! Home Edition
                2) AVG Free Edition
                3) Avira AntiVir Personal
                4) Microsoft Security Essentials for Windows Vista\Windows 7 - 64 bit Download
                4-a) Microsoft Security Essentials for Windows XP
                5) Comodo Antivirus (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
                6) PC Tools AntiVirus Free Edition

                It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.
                ********************************************
                Please download ComboFix from BleepingComputer.com

                Alternate link: GeeksToGo.com

                and save it to your Desktop.
                It would be easiest to download using Internet Explorer.
                If you insist on using Firefox, make sure that your download settings are as follows:

                * Tools->Options->Main tab
                * Set to "Always ask me where to Save the files".

                Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
                Double click ComboFix.exe & follow the prompts.
                As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
                Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

                Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

                Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


                Click on Yes, to continue scanning for malware.
                When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

                If you have problems with ComboFix usage, see How to use ComboFix
                Windows 8 and Windows 10 dual boot with two SSD's
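As an added example that is not part of the thread (not SuperDave's, HijackThis's or Computer Hope's own code): a Python helper that parses HijackThis R/F/O entries from a constructed excerpt of the log posted in Reply #7, reports which entries of the fix list in the reply above are actually present in that log (the "if there" check, done before anything is fixed), and separately lists entries HijackThis marked "(file missing)", which are stale autostart or notify references worth cleaning up. The excerpt and the fix list are embedded inline so the script runs offline.

```python
"""Cross-check a HijackThis fix list against a HijackThis log (constructed excerpt)."""
import re

# Excerpt of the HijackThis log posted in the thread (constructed copy for this example).
HJT_LOG = """\
O4 - HKLM\\..\\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\\..\\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\\..\\Run: [BitTorrent DNA] "C:\\Program Files\\DNA\\btdna.exe"
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
"""

# The entries the fix list asks to have checked, copied from the reply above.
FIX_LIST = """\
O4 - HKLM\\..\\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\msmsgs.exe
"""

# HijackThis entry lines look like "O4 - <detail>", "R1 - <detail>", "F2 - <detail>".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<detail>.+)$")


def parse_hjt(text):
    """Return [(section, detail), ...] for every R/F/O line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("detail")))
    return entries


def normalise(detail):
    """Case-fold and collapse whitespace so log and fix-list lines compare reliably."""
    return " ".join(detail.split()).lower()


def check_fix_list(log_text, fix_text):
    """Report which fix-list entries are present in the log and which are not."""
    present = {normalise(d) for _, d in parse_hjt(log_text)}
    found, missing = [], []
    for section, detail in parse_hjt(fix_text):
        target = found if normalise(detail) in present else missing
        target.append(f"{section} - {detail}")
    return {"found": found, "missing": missing}


def file_missing_entries(log_text):
    """Entries HijackThis marked '(file missing)': dangling references to deleted files."""
    return [f"{s} - {d}" for s, d in parse_hjt(log_text) if d.endswith("(file missing)")]


def autostart_by_hive(log_text):
    """Group O4 entries by origin (HKLM, HKCU or Startup folder) to separate
    machine-wide from per-user autostarts."""
    groups = {}
    for section, detail in parse_hjt(log_text):
        if section != "O4":
            continue
        origin = detail.split("\\", 1)[0] if detail.startswith("HK") else "Startup folder"
        groups.setdefault(origin, []).append(detail)
    return groups


if __name__ == "__main__":
    result = check_fix_list(HJT_LOG, FIX_LIST)
    print("Present in log:", *result["found"], sep="\n  ")
    print("Not in log:", *result["missing"], sep="\n  ")
    print("File missing:", *file_missing_entries(HJT_LOG), sep="\n  ")
    for origin, items in autostart_by_hive(HJT_LOG).items():
        print(f"{origin}: {len(items)} autostart entries")
```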

MauiFaka (Topic Starter, Rookie)
« Reply #10 on: April 23, 2011, 01:23:28 PM »
Super Dave, thank you for the time once again. I personally do not use P2P software. I acquired this computer with many of these programs already installed and am looking forward to deleting programs associated with P2P and then doing what you have also advised following the deletions. Thank you.

MauiFaka (Topic Starter, Rookie)
« Reply #11 on: April 23, 2011, 02:25:51 PM »
Super Dave, I'm looking to install Microsoft Security Essentials; it is asking me to uninstall my current antivirus and antispyware programs before continuing with the wizard. Your instructions were to uninstall AVG after the MSE installation, making no mention of antispyware. Should I uninstall AVG and SUPERAntiSpyware now and proceed with the wizard, or just AVG and proceed with the wizard, or finish the installation and then uninstall one or both programs upon install completion? Please explain this step.

I'm sorry, I just want to be sure I'm following this correctly.

MauiFaka (Topic Starter, Rookie)
« Reply #12 on: April 23, 2011, 04:46:31 PM »
Super Dave,
Ok, after several tries at installing and updating the various antivirus programs, I was finally able to successfully install and update the Avira program.

                      MauiFaka

                        Topic Starter


                        Rookie
                        Re: Malware Removal Help and Assistance Requested
                        « Reply #13 on: April 23, 2011, 04:47:08 PM »
                        ComboFix 11-04-23.01 - Owner 04/23/2011  12:17:21.1.4 - x86
                        Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3326.2668 [GMT -10:00]
                        Running from: D:\ComboFix.exe
                        AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
                        FW: PC Tools Firewall Plus *Enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
                        .
                        .
                        (((((((((((((((((((((((((   Files Created from 2011-03-23 to 2011-04-23  )))))))))))))))))))))))))))))))
                        .
                        .
                        2011-04-23 21:43 . 2011-04-23 21:43   --------   d-----w-   c:\program files\Avira
                        2011-04-23 21:43 . 2011-04-23 21:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\Avira
                        2011-04-23 21:43 . 2011-03-05 02:11   137656   ----a-w-   c:\windows\system32\drivers\avipbb.sys
                        2011-04-23 21:43 . 2011-03-05 00:37   61960   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
                        2011-04-23 21:43 . 2010-06-18 00:27   45416   ----a-w-   c:\windows\system32\drivers\avgntdd.sys
                        2011-04-23 21:43 . 2010-06-18 00:27   22360   ----a-w-   c:\windows\system32\drivers\avgntmgr.sys
                        2011-04-23 21:12 . 2011-04-23 21:12   --------   d-----w-   c:\documents and settings\All Users\Application Data\PC Tools
                        2011-04-23 13:21 . 2011-04-23 13:21   388096   ----a-r-   c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
                        2011-04-23 13:21 . 2011-04-23 13:21   --------   d-----w-   c:\program files\Trend Micro
                        2011-04-23 12:54 . 2011-04-23 12:54   --------   d-----w-   c:\documents and settings\Owner\Application Data\Malwarebytes
                        2011-04-23 12:52 . 2010-12-21 04:09   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                        2011-04-23 12:52 . 2011-04-23 12:52   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
                        2011-04-23 12:52 . 2011-04-23 12:52   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                        2011-04-23 12:52 . 2010-12-21 04:08   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                        2011-04-23 10:08 . 2011-04-23 10:08   --------   d-----w-   c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
                        2011-04-23 09:18 . 2011-04-23 09:20   --------   d-----w-   c:\program files\SUPERAntiSpyware
                        2011-04-23 08:55 . 2011-04-23 08:55   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                        2011-04-23 08:55 . 2011-04-23 08:55   --------   d-----w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
                        2011-04-23 00:51 . 2011-04-23 00:51   --------   d-----w-   c:\program files\Muiltmedia keyboard utility
                        2011-04-22 23:45 . 2011-04-22 23:45   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
                        2011-04-21 13:40 . 2011-04-22 05:45   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
                        2011-04-21 08:42 . 2011-04-21 08:43   --------   d-----w-   c:\documents and settings\Owner\Application Data\PCToolsFirewallPlus
                        2011-04-21 08:42 . 2010-11-25 20:53   160448   ----a-w-   c:\windows\system32\drivers\PCTAppEvent.sys
                        2011-04-21 08:42 . 2010-03-29 21:06   218592   ----a-w-   c:\windows\system32\drivers\PCTCore.sys
                        2011-04-21 08:42 . 2010-11-17 20:19   249616   ----a-w-   c:\windows\system32\drivers\pctgntdi.sys
                        2011-04-21 08:41 . 2011-04-23 21:03   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
                        2011-04-21 08:41 . 2011-04-21 08:42   --------   d-----w-   c:\program files\Common Files\PC Tools
                        2011-04-21 08:41 . 2010-11-24 19:18   89192   ----a-w-   c:\windows\system32\drivers\pctNdis-PacketFilter.sys
                        2011-04-21 08:41 . 2010-07-08 19:49   57536   ----a-w-   c:\windows\system32\drivers\pctNdis.sys
                        2011-04-21 08:41 . 2010-02-05 19:26   32808   ----a-w-   c:\windows\system32\drivers\pctNdis-DNS.sys
                        2011-04-21 08:41 . 2010-11-25 20:42   124992   ----a-w-   c:\windows\system32\drivers\pctplfw.sys
                        2011-04-21 08:41 . 2011-04-21 08:52   --------   d-----w-   c:\program files\PC Tools Firewall Plus
                        2011-04-18 06:00 . 2011-04-18 06:27   --------   d-----w-   c:\documents and settings\Owner\Application Data\vlc
                        2011-04-17 01:14 . 2011-04-17 01:54   --------   d-----w-   C:\Vids 2 b transferred
                        2011-04-17 01:11 . 2011-04-18 07:26   --------   d-----w-   C:\Recovered
                        2011-04-17 00:39 . 2008-04-14 00:11   21504   -c--a-w-   c:\windows\system32\dllcache\hidserv.dll
                        2011-04-17 00:39 . 2008-04-14 00:11   21504   ----a-w-   c:\windows\system32\hidserv.dll
                        2011-04-16 22:51 . 2011-04-16 22:51   --------   d-----w-   c:\program files\Recuva
                        2011-04-15 21:30 . 2011-04-20 23:11   --------   d-----w-   C:\pics
                        2011-04-15 04:11 . 2011-04-16 21:49   --------   d-----w-   C:\ITunes Music
                        2011-04-09 05:33 . 2011-04-09 05:34   --------   d-----w-   C:\dvd rips
                        2011-04-08 01:42 . 2011-04-18 20:55   --------   d-----w-   C:\YT Ready
                        2011-04-06 09:08 . 2011-04-06 09:08   --------   d-----w-   c:\program files\Yahoo!
                        2011-04-06 00:50 . 2011-04-06 00:50   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\WMTools Downloaded Files
                        2011-04-05 22:05 . 2011-04-20 07:36   --------   d-----w-   C:\DVR *censored*
                        2011-04-05 21:51 . 2011-04-05 21:51   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\VHS to DVD
                        2011-04-05 21:37 . 2008-04-13 18:46   15232   -c--a-w-   c:\windows\system32\dllcache\mpe.sys
                        2011-04-05 21:37 . 2008-04-13 18:46   15232   ----a-w-   c:\windows\system32\drivers\MPE.sys
                        2011-04-05 21:36 . 2008-04-14 00:12   56832   ----a-w-   c:\windows\system32\MSDvbNP.ax
                        2011-04-05 21:36 . 2008-04-14 00:12   33280   ----a-w-   c:\windows\system32\PsisRndr.ax
                        2011-04-05 21:36 . 2008-04-14 00:12   18432   ----a-w-   c:\windows\system32\BdaPlgIn.ax
                        2011-04-05 21:36 . 2008-04-14 00:12   363520   -c--a-w-   c:\windows\system32\dllcache\psisdecd.dll
                        2011-04-05 21:36 . 2008-04-14 00:12   363520   ----a-w-   c:\windows\system32\PsisDecd.dll
                        2011-04-05 21:36 . 2008-04-13 18:46   11776   -c--a-w-   c:\windows\system32\dllcache\bdasup.sys
                        2011-04-05 21:36 . 2008-04-13 18:46   11776   ----a-w-   c:\windows\system32\drivers\BdaSup.sys
                        2011-04-05 21:28 . 2007-06-23 03:59   479232   ----a-w-   c:\windows\system32\drivers\emBDA.sys
                        2011-04-05 21:28 . 2007-06-23 03:57   106496   ----a-w-   c:\windows\system32\emPRP.ax
                        2011-04-05 21:28 . 2007-02-07 02:38   28288   ----a-w-   c:\windows\system32\drivers\emOEM.sys
                        2011-04-05 21:28 . 2006-12-16 02:54   61440   ----a-w-   c:\windows\emMON.exe
                        2011-04-05 21:28 . 2011-04-05 21:28   --------   d-----w-   c:\program files\VIDBOX NW03
                        2011-04-05 21:25 . 2011-04-05 21:25   --------   d-----w-   c:\program files\honestech
                        2011-04-05 21:25 . 2011-04-05 21:25   --------   d-----w-   c:\program files\honestech VHS to DVD 4.0 Plus
                        .
                        .
                        .
                        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                        .
                        2011-03-07 05:33 . 2009-03-31 03:20   692736   ----a-w-   c:\windows\system32\inetcomm.dll
                        2011-03-04 06:37 . 2004-08-04 10:00   420864   ----a-w-   c:\windows\system32\vbscript.dll
                        2011-03-03 13:21 . 2004-08-04 10:00   1857920   ----a-w-   c:\windows\system32\win32k.sys
                        2011-02-22 23:06 . 2006-03-04 03:33   916480   ----a-w-   c:\windows\system32\wininet.dll
                        2011-02-22 23:06 . 2004-08-04 10:00   43520   ----a-w-   c:\windows\system32\licmgr10.dll
                        2011-02-22 23:06 . 2004-08-04 10:00   1469440   ------w-   c:\windows\system32\inetcpl.cpl
                        2011-02-22 11:41 . 2004-08-04 10:00   385024   ----a-w-   c:\windows\system32\html.iec
                        2011-02-17 13:18 . 2004-08-04 10:00   455936   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
                        2011-02-17 13:18 . 2004-08-04 10:00   357888   ----a-w-   c:\windows\system32\drivers\srv.sys
                        2011-02-17 12:32 . 2009-04-16 05:59   5120   ----a-w-   c:\windows\system32\xpsp4res.dll
                        2011-02-15 12:56 . 2004-08-04 10:00   290432   ----a-w-   c:\windows\system32\atmfd.dll
                        2011-02-09 13:53 . 2004-08-04 10:00   270848   ----a-w-   c:\windows\system32\sbe.dll
                        2011-02-09 13:53 . 2004-08-04 10:00   186880   ----a-w-   c:\windows\system32\encdec.dll
                        2011-02-08 13:33 . 2004-08-04 10:00   978944   ----a-w-   c:\windows\system32\mfc42.dll
                        2011-02-08 13:33 . 2004-08-04 10:00   974848   ----a-w-   c:\windows\system32\mfc42u.dll
                        2011-02-03 07:40 . 2010-04-24 09:07   472808   ----a-w-   c:\windows\system32\deployJava1.dll
                        2011-02-03 05:19 . 2010-04-24 09:07   73728   ----a-w-   c:\windows\system32\javacpl.cpl
                        2011-02-02 07:58 . 2009-03-31 03:19   2067456   ----a-w-   c:\windows\system32\mstscax.dll
                        2011-01-27 11:57 . 2009-03-31 03:19   677888   ----a-w-   c:\windows\system32\mstsc.exe
                        .
                        .
                        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                        .
                        .
                        *Note* empty entries & legit default entries are not shown
                        REGEDIT4
                        .
                        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                        "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
                        .
                        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                        "RTHDCPL"="RTHDCPL.EXE" [2007-05-29 16132608]
                        "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-15 565008]
                        "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-15 2407184]
                        "Nitro PDF Printer Monitor"="c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [2008-02-09 210208]
                        "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
                        "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]
                        "MMReminderService"="c:\program files\Mindjet\MindManager 8\MMReminderService.exe" [2008-11-14 37656]
                        "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
                        "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
                        "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-30 249064]
                        "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-08 111208]
                        "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
                        "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
                        "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-05 102400]
                        "00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-11-29 2676696]
                        "FLMK08KB"="c:\program files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE" [2011-04-23 207360]
                        "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-05 281768]
                        .
                        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
                        "AvgUninstallURL"="start http:" [X]
                        .
                        c:\documents and settings\Owner\Start Menu\Programs\Startup\
                        Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
                        .
                        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
                        .
                        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                        2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                        .
                        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
                        "Midi1"=ma_cmidn.dll
                        "midi2"=ma_cmidn.dll
                        .
                        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
                        @="Service"
                        .
                        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
                        2010-03-08 23:38   524632   ----a-w-   c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
                        .
                        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
                        2010-02-16 04:07   141608   ----a-w-   c:\program files\iTunes\iTunesHelper.exe
                        .
                        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                        "EnableFirewall"= 0 (0x0)
                        .
                        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                        "%windir%\\system32\\sessmgr.exe"=
                        "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                        "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                        "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
                        "c:\\Program Files\\iTunes\\iTunes.exe"=
                        "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
                        .
                        R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/1/2009 1:38 PM 64160]
                        R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/23/2011 11:00 AM 441176]
                        R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/23/2011 11:00 AM 307288]
                        R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [4/20/2011 10:42 PM 249616]
                        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 8:25 AM 12872]
                        R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/23/2011 11:43 AM 135336]
                        R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 9:06 AM 1029456]
                        R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [4/20/2011 10:41 PM 89192]
                        R3 pctNdisMP;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [4/20/2011 10:41 PM 57536]
                        R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [4/20/2011 10:41 PM 124992]
                        S1 SASKUTIL;SASKUTIL;

                        S2 aswFsBlk;aswFsBlk;aswFsBlk.sys --> aswFsBlk.sys [?]
                        S2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [4/20/2011 10:42 PM 160448]
                        S3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\Common Files\BCL Technologies\NitroPDF5\bepldr.exe [11/15/2007 6:05 PM 151552]
                        S3 gstkbus;3Gstick USB Composite Device (WDM);c:\windows\system32\drivers\gstkbus.sys [3/15/2011 9:38 PM 98560]
                        S3 gstkserd;3Gstick Diagnostic Port Driver;c:\windows\system32\drivers\gstkserd.sys [3/15/2011 9:38 PM 100352]
                        S3 pctNdis;PC Tools Firewall Intermediate Filter Service;c:\windows\system32\drivers\pctNdis.sys [4/20/2011 10:41 PM 57536]
                        S3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\Drivers\VMUVC.sys --> c:\windows\system32\Drivers\VMUVC.sys [?]
                        S3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys --> c:\windows\system32\drivers\vvftUVC.sys [?]
                        .
                        --- Other Services/Drivers In Memory ---
                        .
                        *NewlyCreated* - AAVMKER4
                        *NewlyCreated* - ANTIVIRSCHEDULERSERVICE
                        *NewlyCreated* - ANTIVIRSERVICE
                        *NewlyCreated* - ASWMON2
                        *NewlyCreated* - ASWRDR
                        *NewlyCreated* - ASWSNX
                        *NewlyCreated* - ASWSP
                        *NewlyCreated* - ASWTDI
                        *NewlyCreated* - AVAST!_ANTIVIRUS
                        *NewlyCreated* - AVGIO
                        *NewlyCreated* - AVGNTFLT
                        *NewlyCreated* - AVIPBB
                        .
                        Contents of the 'Scheduled Tasks' folder
                        .
                        2011-04-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
                        - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 23:38]
                        .
                        2011-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
                        - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 22:34]
                        .
                        .
                        ------- Supplementary Scan -------
                        .
                        uStart Page = hxxp://www.google.com/
                        uInternet Settings,ProxyOverride = *.local
                        IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
                        FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\uijvqo7y.default\
                        FF - prefs.js: browser.startup.homepage - hxxp://74.125.93.104/
                        FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
                        FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
                        FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
                        FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
                        FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
                        FF - Ext: Adobe DLM (powered by getPlus(R)): {CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - %profile%\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
                        FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
                        FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
                        FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
                        FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
                        FF - Ext: avast! WebRep: [email protected] - c:\progra~1\AVASTS~1\Avast\WebRep\FF
                        FF - Ext: Move Media Player: [email protected] - c:\documents and settings\Owner\Application Data\Move Networks
                        .
                        - - - - ORPHANS REMOVED - - - -
                        .
                        HKCU-Run-PC Tools AntiVirus Free - D:\avinstall.exe
                        MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe
                        MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
                        .
                        .
                        .
                        **************************************************************************
                        .
                        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                        Rootkit scan 2011-04-23 12:29
                        Windows 5.1.2600 Service Pack 3 NTFS
                        .
                        scanning hidden processes ... 
                        .
                        scanning hidden autostart entries ...
                        .
                        scanning hidden files ... 
                        .
                        scan completed successfully
                        hidden files: 0
                        .
                        **************************************************************************
                        .
                        --------------------- DLLs Loaded Under Running Processes ---------------------
                        .
                        - - - - - - - > 'winlogon.exe'(1036)
                        c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                        c:\windows\system32\WININET.dll
                        c:\windows\system32\Ati2evxx.dll
                        c:\windows\system32\atiadlxx.dll
                        c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
                        .
                        - - - - - - - > 'explorer.exe'(5312)
                        c:\windows\system32\WININET.dll
                        c:\progra~1\WINDOW~2\wmpband.dll
                        c:\windows\system32\ieframe.dll
                        c:\windows\system32\webcheck.dll
                        c:\windows\system32\WPDShServiceObj.dll
                        c:\windows\system32\PortableDeviceTypes.dll
                        c:\windows\system32\PortableDeviceApi.dll
                        .
                        Completion time: 2011-04-23  12:36:13
                        ComboFix-quarantined-files.txt  2011-04-23 22:36
                        .
                        Pre-Run: 101,898,731,520 bytes free
                        Post-Run: 102,177,054,720 bytes free
                        .
                        WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
                        [boot loader]
                        timeout=2
                        default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
                        [operating systems]
                        c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
                        UnsupportedDebug="do not select this" /debug
                        multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
                        .
                        - - End Of File - - AE55C4F0A284DDA87171E4A4F4ABDB50
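The log above is what the specialist reads by hand. As an added example (not code from this thread, from ComboFix or from its author), here is a small Python parser for the Reg Loading Points and firewall-policy sections of that log format: it pulls out each autorun entry with its image date and size, and flags the two things a reviewer checks first in such a log, entries ComboFix marked [X] because the target file was not found, and a Windows Firewall profile with EnableFirewall=0. The sample input is a short excerpt of the log posted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Excerpt of the ComboFix log posted above (Reg Loading Points and
# firewall policy sections), embedded here so the example runs offline.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-29 16132608]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-05 281768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
# "Name"="command" [YYYY-MM-DD size]   or   "Name"="command" [X]
ENTRY_RE = re.compile(r'^"([^"]+)"="(.*)"\s+\[(.+)\]$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')


@dataclass
class AutorunEntry:
    key: str                   # registry key the value lives under
    name: str                  # value name, e.g. "avgnt"
    command: str               # command line / image path as registered
    file_date: Optional[str]   # date of the image on disk, None if ComboFix found no file
    file_size: Optional[int]   # size in bytes, None if ComboFix found no file
    missing: bool              # True when ComboFix marked the entry [X]


def parse_autoruns(text: str) -> List[AutorunEntry]:
    """Collect every autorun value under the [key] headers of a ComboFix log."""
    entries: List[AutorunEntry] = []
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            key = sec.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not (m and key):
            continue
        name, command, tail = m.groups()
        if tail == "X":
            entries.append(AutorunEntry(key, name, command, None, None, True))
        else:
            date, size = tail.split()
            entries.append(AutorunEntry(key, name, command, date, int(size), False))
    return entries


def firewall_enabled(text: str) -> Optional[bool]:
    """True/False from the EnableFirewall value; None if the log lacks it."""
    for raw in text.splitlines():
        m = FIREWALL_RE.match(raw.strip())
        if m:
            return m.group(1) != "0"
    return None


def triage(text: str) -> List[str]:
    """Findings a reviewer would want called out before reading the rest."""
    findings: List[str] = []
    for e in parse_autoruns(text):
        if e.missing:
            findings.append(f"{e.name}: autorun target not found ({e.command!r}); "
                            "stale or broken entry, candidate for cleanup")
        elif "\\" not in e.command:
            # A bare image name is resolved through the search path, so the
            # file that actually runs depends on the environment; verify it.
            findings.append(f"{e.name}: bare image name {e.command!r}; "
                            "confirm which file on disk this resolves to")
    if firewall_enabled(text) is False:
        findings.append("Windows Firewall disabled in the standard profile "
                        "(EnableFirewall=0); confirm a third-party firewall is active")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```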

                        SuperDave

                        • Malware Removal Specialist


                        • Genius
                        • Thanked: 1020
                        • Certifications: List
                        • Experience: Expert
                        • OS: Windows 10
                        Re: Malware Removal Help and Assistance Requested
                        « Reply #14 on: April 23, 2011, 07:19:44 PM »
                        * Download the following tool: RootRepeal - Rootkit Detector
                        * Direct download link is here: RootRepeal.zip

                        * Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
                        * Click this link to see a list of such programs and how to disable them.

                        * Extract the program file to a new folder such as C:\RootRepeal
                        * Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
                        * Select ALL of the checkboxes and then click OK and it will start scanning your system.
                        * If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
                        * When done, click on Save Report.
                        * Save it to the same location where you ran it from, such as C:\RootRepeal
                        * Save it as rootrepeal.txt
                        * Then open that log and select all and copy/paste it back on your next reply please.
                        * Close RootRepeal.