
Author Topic: sending emails at 2 am  (Read 11146 times)


mudsud

    Topic Starter


    Rookie

    • Experience: Familiar
    • OS: Windows 8
    sending emails at 2 am
    « on: July 18, 2011, 03:44:31 AM »
    My computer started sending emails to a lot of people in my address book two days ago. I ran Trend Micro and nothing showed up; Malwarebytes showed nothing. How can I fix this problem, please?

    Allan

    • Moderator

    • Mastermind
    • Thanked: 1260
    • Experience: Guru
    • OS: Windows 10
    Re: sending emails at 2 am
    « Reply #1 on: July 18, 2011, 05:58:27 AM »
    Please follow the instructions in the following link and post your logs:
    http://www.computerhope.com/forum/index.php/topic,46313.0.html

    mudsud

      Topic Starter


      Rookie

      • Experience: Familiar
      • OS: Windows 8
      Re: sending emails at 2 am
      « Reply #2 on: July 19, 2011, 03:08:43 AM »

      Here are the logs.  Thank you for your help.



      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 07/18/2011 at 05:03 PM

      Application Version : 4.55.1000

      Core Rules Database Version : 7422
      Trace Rules Database Version: 5234

      Scan type       : Complete Scan
      Total Scan Time : 01:32:23

      Memory items scanned      : 390
      Memory threats detected   : 0
      Registry items scanned    : 5979
      Registry threats detected : 0
      File items scanned        : 55397
      File threats detected     : 105

      Adware.Tracking Cookie


      Malwarebytes' Anti-Malware 1.51.1.1800
      www.malwarebytes.org

      Database version: 7194

      Windows 5.1.2600 Service Pack 3
      Internet Explorer 8.0.6001.18702

      7/18/2011 6:39:48 PM
      mbam-log-2011-07-18 (18-39-48).txt

      Scan type: Quick scan
      Objects scanned: 203868
      Time elapsed: 9 minute(s), 55 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)


      Logfile of Trend Micro HijackThis v2.0.4
      Scan saved at 3:58:09 AM, on 7/19/2011
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v8.00 (8.00.6001.18702)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
      C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
      C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
      C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
      C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
      C:\WINDOWS\system32\CTsvcCDA.EXE
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\WINDOWS\System32\snmp.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\MsPMSPSv.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
      C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
      C:\WINDOWS\system32\NOTEPAD.EXE
      C:\WINDOWS\system32\msiexec.exe
      C:\Program Files\Trend Micro\HiJackThis\sniper.exe.exe

      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
      O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
      O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1079\TmIEPlg.dll
      O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
      O2 - BHO: TmBpIeBHO - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
      O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
      O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
      O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
      O4 - HKLM\..\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe -set Silent "1" SplashURL ""
      O4 - HKLM\..\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe"
      O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
      O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1290181977203
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
      O18 - Protocol: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
      O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1079\TmIEPlg.dll
      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
      O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
      O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
      O23 - Service: Advanced SystemCare Service (AdvancedSystemCareService) - IObit - C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
      O23 - Service: Trend Micro Solution Platform (Amsp) - Trend Micro Inc. - C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
      O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
      O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
      O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
      O23 - Service: IMF Service (IMFservice) - IObit - C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
      O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
      O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

      --
      End of file - 6232 bytes

      SuperDave

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: sending emails at 2 am
      « Reply #3 on: July 19, 2011, 04:47:02 PM »
      Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
      ****************************************************
      Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

      Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

      Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

      Exit out of MessengerDisable then delete any files that were put on the desktop.
      *********************************************************
      Download DDS from HERE or HERE and save it to your desktop.

      Vista users: right-click on dds and select Run as administrator (you will receive a UAC prompt; please allow it).

      * XP users: double-click on dds to run it.
      * If your antivirus or firewall tries to block DDS, please allow it to run.
      * When finished DDS will open two (2) logs.

      1) DDS.txt
      2) Attach.txt

      * Save both logs to your desktop.
      * Please copy and paste the entire contents of both logs in your next reply.

      Note: DDS will instruct you to post the Attach.txt log as an attachment.
      Please just post it as you would any other log by copying and pasting it into the reply.
      ************************************************************
      Download Security Check by screen317 from one of the following links and save it to your desktop.

      Link 1
      Link 2

      * Unzip SecurityCheck.zip and a folder named Security Check should appear.
      * Open the Security Check folder and double-click Security Check.bat
      * Follow the on-screen instructions inside of the black box.
      * A Notepad document should open automatically called checkup.txt
      * Post the contents of that document in your next reply.

      Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
      Windows 8 and Windows 10 dual boot with two SSD's

      mudsud

        Topic Starter


        Rookie

        • Experience: Familiar
        • OS: Windows 8
        Re: sending emails at 2 am
        « Reply #4 on: July 19, 2011, 05:42:16 PM »
        Thank you Allan, thank you Dave. Do I do what each of you suggests, or follow one specific person?
        Emails were sent out at 2:01 am this morning again.

        mudsud

          Topic Starter


          Rookie

          • Experience: Familiar
          • OS: Windows 8
          Re: sending emails at 2 am
          « Reply #5 on: July 20, 2011, 04:02:14 AM »
          Here are the DDS logs.
          I had the computer turned off last night, so it didn't send emails out at 2 am.

          .
          DDS (Ver_2011-06-23.01) - NTFSx86
          Internet Explorer: 8.0.6001.18702
          Run by Owner at 4:56:23 on 2011-07-20
          Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.212 [GMT -5:00]
          .
          AV: Trend Micro Titanium Internet Security *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
          FW: Trend Micro Firewall Booster *Disabled*
          .
          ============== Running Processes ===============
          .
          C:\WINDOWS\system32\svchost -k DcomLaunch
          svchost.exe
          C:\WINDOWS\System32\svchost.exe -k netsvcs
          svchost.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
          C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
          C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
          C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
          C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
          C:\WINDOWS\system32\CTsvcCDA.EXE
          C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
          C:\WINDOWS\system32\svchost.exe -k HPService
          C:\Program Files\Java\jre6\bin\jqs.exe
          C:\WINDOWS\System32\svchost.exe -k HPZ12
          C:\WINDOWS\System32\svchost.exe -k HPZ12
          C:\WINDOWS\System32\snmp.exe
          C:\WINDOWS\system32\svchost.exe -k imgsvc
          C:\WINDOWS\system32\MsPMSPSv.exe
          C:\WINDOWS\Explorer.EXE
          svchost.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
          C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
          C:\Program Files\Internet Explorer\IEXPLORE.EXE
          C:\Program Files\Internet Explorer\IEXPLORE.EXE
          C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
          .
          ============== Pseudo HJT Report ===============
          .
          uStart Page = hxxp://www.google.com/
          uInternet Connection Wizard,ShellNext = iexplore
          BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
          BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
          BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\1.5.1464\6.6.1079\TmIEPlg.dll
          BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
          BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
          BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
          BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
          BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
          EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
          uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
          uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
          mRun: [Trend Micro Titanium] c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe -set Silent "1" SplashURL ""
          mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"
          uPolicies-explorer: NoInstrumentation = 1 (0x1)
          IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
          IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
          DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
          DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
          DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
          DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
          DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1290181977203
          DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
          DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
          DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
          DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
          TCP: DhcpNameServer = 192.168.0.1
          TCP: Interfaces\{DF100436-04E5-4C48-86D3-092AC0F06C52} : DhcpNameServer = 192.168.0.1
          Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
          Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\1.5.1464\6.6.1079\TmIEPlg.dll
          Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
          Notify: igfxcui - igfxdev.dll
          SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
          SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
          .
          ============= SERVICES / DRIVERS ===============
          .
          R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-12 12880]
          R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
          R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-5-22 353168]
          R2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2011-5-21 188272]
          R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-6-3 821080]
          R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-2-6 64080]
          S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
          S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-7 136176]
          S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-7 136176]
          S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-12 14336]
          S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-12 14336]
          S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
          S4 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\FileMonitor.sys [2011-6-25 239472]
          .
          =============== Created Last 30 ================
          .
          2011-07-19 08:55:32   388096   ----a-r-   c:\documents and settings\owner\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
          2011-07-18 20:22:57   --------   d-----w-   c:\documents and settings\owner\application data\SUPERAntiSpyware.com
          2011-07-18 20:22:57   --------   d-----w-   c:\documents and settings\all users\application data\SUPERAntiSpyware.com
          2011-07-18 20:22:43   --------   d-----w-   c:\program files\SUPERAntiSpyware
          2011-07-17 10:11:39   --------   d-----w-   c:\windows\system32\wbem\repository\FS
          2011-07-17 10:11:39   --------   d-----w-   c:\windows\system32\wbem\Repository
          2011-07-16 04:06:49   274288   ----a-w-   c:\windows\system32\mucltui.dll
          2011-07-16 04:06:49   215920   ----a-w-   c:\windows\system32\muweb.dll
          2011-07-16 04:06:49   16736   ----a-w-   c:\windows\system32\mucltui.dll.mui
          2011-07-15 19:40:19   --------   d-----w-   c:\program files\common files\Sonic
          2011-07-15 19:37:52   --------   d-----w-   c:\program files\common files\Sonic Shared
          2011-07-15 19:37:45   87136   ----a-w-   c:\windows\system32\drivers\drvmcdb.sys
          2011-07-15 19:37:45   40544   ----a-w-   c:\windows\system32\drivers\drvnddm.sys
          2011-07-15 19:37:43   98358   ----a-w-   c:\windows\dla.exe
          2011-07-15 19:37:43   61498   ----a-w-   c:\windows\system32\tfswapi.dll
          2011-07-15 19:37:43   5627   ----a-w-   c:\windows\system32\drivers\sscdbhk5.sys
          2011-07-15 19:37:43   23545   ----a-w-   c:\windows\system32\drivers\ssrtln.sys
          2011-07-15 19:37:36   --------   d-----w-   c:\program files\Sonic
          2011-07-15 12:06:55   --------   d-sh--w-   c:\windows\ftpcache
          2011-07-01 12:19:33   73728   ----a-w-   c:\windows\system32\javacpl.cpl
          2011-07-01 12:19:33   472808   ----a-w-   c:\windows\system32\deployJava1.dll
          .
          ==================== Find3M  ====================
          .
          2011-07-18 20:06:33   404640   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
          2011-07-07 00:52:42   41272   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
          2011-07-07 00:52:42   22712   ----a-w-   c:\windows\system32\drivers\mbam.sys
          2011-06-02 14:02:05   1858944   ----a-w-   c:\windows\system32\win32k.sys
          2011-05-29 01:48:13   709456   ----a-w-   c:\windows\is-T45LP.exe
          2011-05-21 22:53:46   92112   ----a-w-   c:\windows\system32\drivers\tmtdi.sys
          2011-05-21 22:53:46   80464   ----a-w-   c:\windows\system32\drivers\tmactmon.sys
          2011-05-21 22:53:46   64080   ----a-w-   c:\windows\system32\drivers\tmevtmgr.sys
          2011-05-21 22:53:46   189520   ----a-w-   c:\windows\system32\drivers\tmcomm.sys
          2011-05-02 15:31:52   692736   ----a-w-   c:\windows\system32\inetcomm.dll
          2011-04-29 17:25:27   151552   ----a-w-   c:\windows\system32\schannel.dll
          2011-04-29 16:19:43   456320   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
          2011-04-26 11:07:50   33280   ----a-w-   c:\windows\system32\csrsrv.dll
          2011-04-26 11:07:50   293376   ----a-w-   c:\windows\system32\winsrv.dll
          2011-04-25 16:11:12   916480   ----a-w-   c:\windows\system32\wininet.dll
          2011-04-25 16:11:11   43520   ------w-   c:\windows\system32\licmgr10.dll
          2011-04-25 16:11:11   1469440   ------w-   c:\windows\system32\inetcpl.cpl
          2011-04-25 12:01:22   385024   ----a-w-   c:\windows\system32\html.iec
          2011-04-21 13:37:43   105472   ----a-w-   c:\windows\system32\drivers\mup.sys
          .
          ============= FINISH:  4:57:38.15 ===============


          .
          UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
          IF REQUESTED, ZIP IT UP & ATTACH IT
          .
          DDS (Ver_2011-06-23.01)
          .
          Microsoft Windows XP Home Edition
          Boot Device: \Device\HarddiskVolume2
          Install Date: 11/18/2010 10:07:29 PM
          System Uptime: 7/20/2011 4:37:51 AM (0 hours ago)
          .
          Motherboard: Dell Computer Corp. |  | 0N6381
          Processor:               Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz
          .
          ==== Disk Partitions =========================
          .
          A: is Removable
          C: is FIXED (NTFS) - 71 GiB total, 33.906 GiB free.
          D: is CDROM ()
          .
          ==== Disabled Device Manager Items =============
          .
          Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
          Description: Officejet 4500 G510n-z
          Device ID: ROOT\IMAGE\0000
          Manufacturer: HP
          Name: 4500 G510n-z,192.168.1.103
          PNP Device ID: ROOT\IMAGE\0000
          Service: StillCam
          .
          Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
          Description: Officejet 4500 G510n-z
          Device ID: ROOT\MULTIFUNCTION\0000
          Manufacturer: HP
          Name: Officejet 4500 G510n-z
          PNP Device ID: ROOT\MULTIFUNCTION\0000
          Service:
          .
          ==== System Restore Points ===================
          .
          RP228: 5/22/2011 4:53:05 AM - TM works
          RP229: 5/22/2011 6:54:01 PM - Installed Windows XP KB2492386.
          RP230: 5/24/2011 5:20:38 AM - System Checkpoint
          RP231: 7/1/2011 9:46:18 AM - System Checkpoint
          RP232: 7/1/2011 9:46:18 AM - System Checkpoint
          RP233: 7/1/2011 9:46:17 AM - System Checkpoint
          RP234: 7/1/2011 9:46:17 AM - System Checkpoint
          RP235: 7/1/2011 9:46:17 AM - System Checkpoint
          RP236: 7/1/2011 9:46:17 AM - System Checkpoint
          RP237: 7/1/2011 9:46:58 AM - System Checkpoint
          RP238: 7/1/2011 9:46:16 AM - System Checkpoint
          RP239: 7/1/2011 9:46:16 AM - System Checkpoint
          RP240: 7/1/2011 9:46:16 AM - System Checkpoint
          RP241: 7/1/2011 9:46:16 AM - System Checkpoint
          RP242: 7/1/2011 9:46:15 AM - System Checkpoint
          RP243: 7/1/2011 9:46:15 AM - System Checkpoint
          RP244: 7/1/2011 9:46:15 AM - System Checkpoint
          RP245: 7/1/2011 9:46:15 AM - System Checkpoint
          RP246: 7/1/2011 9:46:14 AM - System Checkpoint
          RP247: 7/1/2011 9:46:58 AM - System Checkpoint
          RP248: 7/1/2011 9:46:58 AM - System Checkpoint
          RP249: 7/1/2011 9:46:58 AM - System Checkpoint
          RP250: 7/1/2011 9:46:58 AM - System Checkpoint
          RP251: 7/1/2011 9:46:58 AM - System Checkpoint
          RP252: 7/1/2011 9:46:57 AM - System Checkpoint
          RP253: 7/1/2011 9:46:57 AM - Software Distribution Service 3.0
          RP254: 7/1/2011 9:46:57 AM - Software Distribution Service 3.0
          RP255: 6/19/2011 2:43:09 PM - System Checkpoint
          RP256: 7/1/2011 9:46:56 AM - Software Distribution Service 3.0
          RP257: 7/1/2011 9:46:56 AM - System Checkpoint
          RP258: 7/1/2011 9:46:56 AM - System Checkpoint
          RP259: 7/1/2011 9:46:55 AM - System Checkpoint
          RP260: 7/1/2011 9:46:55 AM - System Checkpoint
          RP261: 6/26/2011 1:14:50 PM - System Checkpoint
          RP262: 7/1/2011 9:46:54 AM - System Checkpoint
          RP263: 7/1/2011 9:46:54 AM - System Checkpoint
          RP264: 6/28/2011 7:08:26 PM - Software Distribution Service 3.0
          RP265: 6/29/2011 7:56:47 PM - System Checkpoint
          RP266: 6/30/2011 9:00:31 PM - System Checkpoint
          RP267: 7/1/2011 7:18:42 AM - Installed Java(TM) 6 Update 26
          RP268: 7/2/2011 10:09:08 AM - System Checkpoint
          RP269: 7/3/2011 3:21:44 PM - System Checkpoint
          RP270: 7/4/2011 4:29:40 PM - System Checkpoint
          RP271: 7/5/2011 5:47:05 PM - System Checkpoint
          RP272: 7/6/2011 7:24:44 PM - System Checkpoint
          RP273: 7/7/2011 8:09:57 PM - System Checkpoint
          RP274: 7/9/2011 12:18:35 AM - System Checkpoint
          RP275: 7/10/2011 12:49:31 AM - System Checkpoint
          RP276: 7/10/2011 7:23:18 PM - Restore Operation
          RP277: 7/11/2011 7:41:46 PM - System Checkpoint
          RP278: 7/12/2011 6:44:44 PM - Software Distribution Service 3.0
          RP279: 7/13/2011 7:29:16 PM - System Checkpoint
          RP280: 7/14/2011 7:43:36 PM - System Checkpoint
          RP281: 7/15/2011 6:18:28 AM - Installed Microsoft Works
          RP282: 7/16/2011 4:52:18 AM - Software Distribution Service 3.0
          RP283: 7/16/2011 5:12:04 AM - Software Distribution Service 3.0
          RP284: 7/16/2011 3:26:33 PM - Software Distribution Service 3.0
          RP285: 7/17/2011 5:09:08 AM - Restore Operation
          RP286: 7/18/2011 8:58:20 AM - System Checkpoint
          RP287: 7/19/2011 12:31:40 PM - System Checkpoint
          .
          ==== Installed Programs ======================
          .
          32 Bit HP CIO Components Installer
          4500_G510nz_Help
          4500G510nz
          4500G510nz_Software_Min
          Adobe Download Manager
          Adobe Flash Player 10 ActiveX
          Adobe Reader X (10.1.0)
          Adobe Shockwave Player 11.5
          Advanced SystemCare 4
          BroadJump Client Foundation
          BufferChm
          CCleaner
          Compatibility Pack for the 2007 Office system
          Creative MediaSource
          Dell ResourceCD
          Destinations
          DeviceDiscovery
          DocMgr
          DocProc
          Drivers Install For Linksys Easylink Advisor
          Fax
          Free and Easy Biorhythm Calculator version 3.02
          Google Earth
          Google Update Helper
          GPBaseService2
          HiJackThis
          HijackThis 2.0.2
          Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
          Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
          Hotfix for Windows XP (KB954550-v5)
          HP Document Manager 2.0
          HP Imaging Device Functions 13.0
          HP Officejet 4500 G510n-z
          HP Smart Web Printing 4.5
          HP Solution Center 13.0
          HP Update
          HPProductAssistant
          Intel(R) 537EP V9x DF PCI Modem
          Intel(R) Extreme Graphics 2 Driver
          Intel(R) PRO Network Connections Drivers
          Intel(R) PROSet for Wired Connections
          IObit Malware Fighter
          Java Auto Updater
          Java(TM) 6 Update 26
          JumpStart Kindergarten
          Linksys EasyLink Advisor 1.6 (0032)
          Malwarebytes' Anti-Malware version 1.51.1.1800
          Microsoft .NET Framework 1.1
          Microsoft .NET Framework 1.1 Security Update (KB2416447)
          Microsoft .NET Framework 2.0 Service Pack 2
          Microsoft .NET Framework 3.0 Service Pack 2
          Microsoft .NET Framework 3.5 SP1
          Microsoft .NET Framework 4 Client Profile
          Microsoft Base Smart Card Cryptographic Service Provider Package
          Microsoft Compression Client Pack 1.0 for Windows XP
          Microsoft Office PowerPoint Viewer 2007 (English)
          Microsoft Office Word Viewer 2003
          Microsoft User-Mode Driver Framework Feature Pack 1.0
          Microsoft Visual C++ 2005 Redistributable
          Microsoft Works
          MSXML 4.0 SP2 (KB954430)
          MSXML 4.0 SP2 (KB973688)
          Network
          OCR Software by I.R.I.S. 13.0
          PowerDVD 5.3
          SBC Yahoo! Applications
          Scan
          Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
          Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
          Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
          Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
          Security Update for Windows Internet Explorer 8 (KB2360131)
          Security Update for Windows Internet Explorer 8 (KB2416400)
          Security Update for Windows Internet Explorer 8 (KB2497640)
          Security Update for Windows Internet Explorer 8 (KB2510531)
          Security Update for Windows Internet Explorer 8 (KB2530548)
          Security Update for Windows Internet Explorer 8 (KB2544521)
          Security Update for Windows Internet Explorer 8 (KB971961)
          Security Update for Windows Internet Explorer 8 (KB981332)
          Security Update for Windows Internet Explorer 8 (KB982381)
          SmartWebPrinting
          SolutionCenter
          Sonic DLA
          Sonic MyDVD
          Sonic RecordNow!
          Sonic Update Manager
          Sound Blaster Live! 24-bit
          Status
          SUPERAntiSpyware
          Toolbox
          TrayApp
          Trend Micro Internet Security
          Trend Micro Titanium Internet Security
          Trend Micro™ Titanium™ Internet Security
          Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
          Update for Windows Internet Explorer 8 (KB2362765)
          Update for Windows Internet Explorer 8 (KB2447568)
          Update for Windows Internet Explorer 8 (KB976662)
          Visual IP InSight(SBC)
          WebFldrs XP
          WebReg
          What's Running 2.2
          Windows Genuine Advantage Validation Tool (KB892130)
          Windows Internet Explorer 8
          Windows Management Framework Core
          Windows Media Format 11 runtime
          Windows Media Player 11
          Windows XP Service Pack 3
          WordPerfect Office 12
          .
          ==== End Of File ===========================

          mudsud

            Topic Starter


            Rookie

            • Experience: Familiar
            • OS: Windows 8
            Re: sending emails at 2 am
            « Reply #6 on: July 20, 2011, 04:05:57 AM »
            I forgot to post this one with my reply so here it is.


             Results of screen317's Security Check version 0.99.17 
             Windows XP Service Pack 3 
             Internet Explorer 8 
            ``````````````````````````````
            Antivirus/Firewall Check:

             Windows Firewall Enabled! 
             Trend Micro Internet Security   
             Trend Micro Titanium Internet Security 
             Trend Micro™ Titanium™ Internet Security 
            ```````````````````````````````
            Anti-malware/Other Utilities Check:

             Malwarebytes' Anti-Malware   
             HijackThis 2.0.2   
             CCleaner     
             Java(TM) 6 Update 26 
             Adobe Flash Player   
             Adobe Reader X (10.1.0)
            ````````````````````````````````
            Process Check: 
            objlist.exe by Laurent

             IObit IObit Malware Fighter IMFsrv.exe 
             Trend Micro AMSP coreServiceShell.exe 
             Trend Micro UniClient UiFrmWrk uiWatchDog.exe
             Trend Micro AMSP coreFrameworkHost.exe 
             Trend Micro UniClient UiFrmWrk uiSeAgnt.exe
            ``````````End of Log````````````

            SuperDave

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Thanked: 1020
            • Certifications: List
            • Experience: Expert
            • OS: Windows 10
            Re: sending emails at 2 am
            « Reply #7 on: July 20, 2011, 04:12:19 PM »
            Please download ComboFix from BleepingComputer.com

            Alternate link: GeeksToGo.com

            and save it to your Desktop.
            It would be easiest to download using Internet Explorer.
            If you insist on using Firefox, make sure that your download settings are as follows:

            * Tools->Options->Main tab
            * Set to "Always ask me where to Save the files".

            Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
            Double click ComboFix.exe & follow the prompts.
            As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
            Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

            Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

            Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


            Click on Yes, to continue scanning for malware.
            When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

            If you have problems with ComboFix usage, see How to use ComboFix

            mudsud

              Topic Starter


              Rookie

              • Experience: Familiar
              • OS: Windows 8
              Re: sending emails at 2 am
              « Reply #8 on: July 20, 2011, 05:47:20 PM »
              Here it is. I am going to leave the computer on tonight to see if it sends out emails again. Thanks for your help.


              ComboFix 11-07-20.05 - Owner 07/20/2011  17:48:35.1.2 - x86
              Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.253 [GMT -5:00]
              Running from: c:\documents and settings\Owner\Desktop\email problem\ComboFix.exe
              AV: Trend Micro Titanium Internet Security *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
              FW: Trend Micro Firewall Booster *Disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
              .
              .
              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              C:\drvrtmp
              c:\windows\system32\service
              c:\windows\system32\service\19112010_TIS17_SfFniAU.log
              c:\windows\system32\service\22112010_TIS17_SfFniAU.log
              .
              .
              (((((((((((((((((((((((((   Files Created from 2011-06-20 to 2011-07-20  )))))))))))))))))))))))))))))))
              .
              .
              2011-07-19 08:55 . 2011-07-19 08:55   388096   ----a-r-   c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
              2011-07-18 20:22 . 2011-07-18 20:22   --------   d-----w-   c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
              2011-07-18 20:22 . 2011-07-18 20:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
              2011-07-18 20:22 . 2011-07-18 20:23   --------   d-----w-   c:\program files\SUPERAntiSpyware
              2011-07-17 23:33 . 2011-07-17 23:33   --------   d-----w-   c:\documents and settings\Pam\Application Data\Malwarebytes
              2011-07-17 10:11 . 2011-07-17 10:11   --------   d-----w-   c:\windows\system32\wbem\Repository
              2011-07-16 04:06 . 2009-08-07 00:23   274288   ----a-w-   c:\windows\system32\mucltui.dll
              2011-07-16 04:06 . 2009-08-07 00:23   215920   ----a-w-   c:\windows\system32\muweb.dll
              2011-07-15 19:52 . 2011-07-15 19:52   --------   d-----w-   c:\documents and settings\Owner\Application Data\Leadertech
              2011-07-15 19:40 . 2011-07-15 19:40   --------   d-----w-   c:\program files\Common Files\Sonic
              2011-07-15 19:37 . 2011-07-15 19:38   --------   d-----w-   c:\program files\Common Files\Sonic Shared
              2011-07-15 19:37 . 2004-08-13 07:56   40544   ----a-w-   c:\windows\system32\drivers\drvnddm.sys
              2011-07-15 19:37 . 2004-08-04 08:21   87136   ----a-w-   c:\windows\system32\drivers\drvmcdb.sys
              2011-07-15 19:37 . 2004-08-13 06:05   98358   ----a-w-   c:\windows\dla.exe
              2011-07-15 19:37 . 2004-08-13 06:05   61498   ----a-w-   c:\windows\system32\tfswapi.dll
              2011-07-15 19:37 . 2004-07-14 16:29   5627   ----a-w-   c:\windows\system32\drivers\sscdbhk5.sys
              2011-07-15 19:37 . 2004-07-14 16:28   23545   ----a-w-   c:\windows\system32\drivers\ssrtln.sys
              2011-07-15 19:37 . 2011-07-15 19:37   --------   d-----w-   c:\program files\Sonic
              2011-07-15 12:16 . 2011-07-15 12:16   --------   d-----w-   c:\documents and settings\Elizabeth\Application Data\Template
              2011-07-15 12:06 . 2011-07-15 12:06   --------   d-sh--w-   c:\windows\ftpcache
              2011-07-15 12:06 . 2011-07-15 12:06   --------   d-----w-   c:\documents and settings\Pam\Application Data\Template
              2011-07-15 11:25 . 2011-07-15 11:25   --------   d-----w-   c:\documents and settings\Owner\Application Data\Template
              2011-07-15 11:18 . 2011-07-16 09:54   --------   d-----w-   c:\program files\Microsoft Works
              2011-07-01 22:11 . 2011-07-01 22:18   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
              2011-07-01 12:20 . 2011-07-01 12:20   --------   d-----w-   c:\program files\Common Files\Java
              2011-07-01 12:19 . 2011-07-01 12:19   --------   d-----w-   c:\windows\Sun
              2011-07-01 12:19 . 2011-07-01 12:19   73728   ----a-w-   c:\windows\system32\javacpl.cpl
              2011-07-01 12:19 . 2011-07-01 12:18   472808   ----a-w-   c:\windows\system32\deployJava1.dll
              2011-07-01 12:18 . 2011-07-01 12:18   --------   d-----w-   c:\program files\Java
              .
              .
              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2011-07-18 20:06 . 2011-05-16 00:33   404640   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
              2011-07-07 00:52 . 2011-05-29 01:45   41272   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
              2011-07-07 00:52 . 2011-05-29 01:45   22712   ----a-w-   c:\windows\system32\drivers\mbam.sys
              2011-06-02 14:02 . 2004-08-12 14:09   1858944   ----a-w-   c:\windows\system32\win32k.sys
              2011-05-29 01:48 . 2011-05-29 01:48   709456   ----a-w-   c:\windows\is-T45LP.exe
              2011-05-21 22:53 . 2011-03-06 22:34   92112   ----a-w-   c:\windows\system32\drivers\tmtdi.sys
              2011-05-21 22:53 . 2011-02-06 20:49   80464   ----a-w-   c:\windows\system32\drivers\tmactmon.sys
              2011-05-21 22:53 . 2011-02-06 20:49   64080   ----a-w-   c:\windows\system32\drivers\tmevtmgr.sys
              2011-05-21 22:53 . 2011-02-06 20:49   189520   ----a-w-   c:\windows\system32\drivers\tmcomm.sys
              2011-05-02 15:31 . 2010-11-19 04:02   692736   ----a-w-   c:\windows\system32\inetcomm.dll
              2011-04-29 17:25 . 2004-08-12 14:04   151552   ----a-w-   c:\windows\system32\schannel.dll
              2011-04-29 16:19 . 2004-08-12 14:00   456320   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
              2011-04-26 11:07 . 2004-08-12 14:09   293376   ----a-w-   c:\windows\system32\winsrv.dll
              2011-04-26 11:07 . 2004-08-12 13:56   33280   ----a-w-   c:\windows\system32\csrsrv.dll
              2011-04-25 16:11 . 2004-08-12 14:09   916480   ----a-w-   c:\windows\system32\wininet.dll
              2011-04-25 16:11 . 2004-08-12 13:59   43520   ------w-   c:\windows\system32\licmgr10.dll
              2011-04-25 16:11 . 2004-08-12 13:58   1469440   ------w-   c:\windows\system32\inetcpl.cpl
              2011-04-25 12:01 . 2004-08-12 13:57   385024   ----a-w-   c:\windows\system32\html.iec
              .
              .
              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4
              .
              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-02-17 1111568]
              "Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 116752]
              .
              [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
              "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
              2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
              .
              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
              @="Service"
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
              2003-09-17 16:43   57344   ----a-w-   c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
              2007-03-15 23:16   454784   ----a-w-   c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
              2005-09-20 15:32   77824   ----a-w-   c:\windows\system32\hkcmd.exe
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
              2005-09-20 15:36   114688   ----a-w-   c:\windows\system32\igfxpers.exe
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
              2005-09-20 15:35   94208   ----a-w-   c:\windows\system32\igfxtray.exe
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
              2011-04-08 17:59   254696   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
              2000-05-11 07:00   90112   ------w-   c:\windows\Updreg.EXE
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
              "DisableMonitoring"=dword:00000001
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
              "DisableMonitoring"=dword:00000001
              .
              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "%windir%\\system32\\sessmgr.exe"=
              "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
              "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
              "c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\{7E0E61CC-1C99-429D-BEA7-C4DD5B898D2A}\\setup\\hpznui01.exe"=
              "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
              .
              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
              "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
              .
              R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/12/2011 4:55 PM 12880]
              R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
              R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [5/22/2011 6:27 PM 353168]
              R2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [5/21/2011 6:04 PM 188272]
              R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [6/3/2011 6:35 PM 821080]
              R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2/6/2011 3:49 PM 64080]
              S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
              S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/7/2010 1:41 PM 136176]
              S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/7/2010 1:41 PM 136176]
              S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/12/2004 9:06 AM 14336]
              S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/12/2004 9:06 AM 14336]
              S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
              S4 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [6/25/2011 1:32 PM 239472]
              .
              --- Other Services/Drivers In Memory ---
              .
              *Deregistered* - IPVNMon
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
              HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
              HPService   REG_MULTI_SZ      HPSLPSVC
              hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
              WINRM   REG_MULTI_SZ      WINRM
              nosGetPlusHelper   REG_MULTI_SZ      nosGetPlusHelper
              .
              Contents of the 'Scheduled Tasks' folder
              .
              2011-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
              - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-07 18:41]
              .
              2011-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
              - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-07 18:41]
              .
              2011-07-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-789336058-113007714-682003330-1003.job
              - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]
              .
              2011-07-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-789336058-113007714-682003330-1004.job
              - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]
              .
              2011-07-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-789336058-113007714-682003330-1005.job
              - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]
              .
              2011-07-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-789336058-113007714-682003330-1003.job
              - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]
              .
              2011-07-20 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-789336058-113007714-682003330-1004.job
              - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]
              .
              2011-07-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-789336058-113007714-682003330-1005.job
              - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]
              .
              2011-07-20 c:\windows\Tasks\User_Feed_Synchronization-{BFAAFD48-D974-4DEC-A133-C4B2198E1E76}.job
              - c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
              .
              .
              ------- Supplementary Scan -------
              .
              uStart Page = hxxp://www.google.com/
              uInternet Connection Wizard,ShellNext = iexplore
              TCP: DhcpNameServer = 192.168.0.1
              DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
              .
              - - - - ORPHANS REMOVED - - - -
              .
              MSConfigStartUp-RecoverFromReboot - c:\windows\Temp\RecoverFromReboot.exe
              .
              .
              .
              **************************************************************************
              .
              catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2011-07-20 18:01
              Windows 5.1.2600 Service Pack 3 NTFS
              .
              scanning hidden processes ... 
              .
              scanning hidden autostart entries ...
              .
              scanning hidden files ... 
              .
              scan completed successfully
              hidden files: 0
              .
              **************************************************************************
              .
              --------------------- DLLs Loaded Under Running Processes ---------------------
              .
              - - - - - - - > 'winlogon.exe'(808)
              c:\program files\SUPERAntiSpyware\SASWINLO.DLL
              c:\windows\system32\WININET.dll
              .
              Completion time: 2011-07-20  18:06:35
              ComboFix-quarantined-files.txt  2011-07-20 23:06
              .
              Pre-Run: 36,295,467,008 bytes free
              Post-Run: 36,477,050,880 bytes free
              .
Here is the logfile. I am going to leave the computer 'on' tonight to see if it sends out emails again.
              thanks for your help.


              WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
              [boot loader]
              timeout=2
              default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
              [operating systems]
              c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
              UnsupportedDebug="do not select this" /debug
              multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
              .
              - - End Of File - - 0AB50A2FA6036E9EB0B4CC29B2F6F291

              SuperDave

              • Malware Removal Specialist
              • Moderator


              • Genius
              • Thanked: 1020
              • Experience: Expert
              • OS: Windows 10
              Re: sending emails at 2 am
              « Reply #9 on: July 20, 2011, 06:50:00 PM »
Please go to Jotti's malware scan.
(If more than one file needs to be scanned, they must be done separately and a link posted for each one.)

* Copy the file path below:

  c:\windows\is-T45LP.exe


              * At the upload site, click once inside the window next to Browse.
              * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
              * Next click Submit file
              * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
              * This will perform a scan across multiple different virus scanning engines.
              * Important: Wait for all of the scanning engines to complete.
              * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
              *******************************************************
              SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

              http://sites.google.com/site/sysprotantirootkit/

              Unzip it into a folder on your desktop.
              • Double click Sysprot.exe to start the program.
              • Click on the Log tab.
              • In the Write to log box select the following items.
                • Process << Selected
                • Kernel Modules << Selected
                • SSDT << Selected
                • Kernel Hooks << Selected
                • IRP Hooks << NOT Selected
                • Ports << NOT Selected
                • Hidden Files << Selected
              • At the bottom of the page
                • Hidden Objects Only << Selected
              • Click on the Create Log button on the bottom right.
              • After a few seconds a new window should appear.
              • Select Scan Root Drive. Click on the Start button.
              • When it is complete a new window will appear to indicate that the scan is finished.
              • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
              Windows 8 and Windows 10 dual boot with two SSD's
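
An added example that is not part of the thread and not code from SuperDave, Jotti or Microsoft: a small Python script that lists files matching a name pattern in a directory even when they carry the Hidden or System attribute (Explorer does not show those by default, which is one reason a file named in a log may be "not there" in the folder view), and computes MD5, SHA-1 and SHA-256 for each so a multi-engine scan result can be matched to the exact file that was uploaded. The directory C:\Windows and pattern is-*.exe are taken from the post above; the file that demo() creates is constructed test data, not the user's file.

```python
"""Find a suspect file even if it is hidden, and hash it before uploading it to a scanner.

Added example for this thread (not SuperDave's, Jotti's or Microsoft's code).
"""
import fnmatch
import hashlib
import os
import shutil
import tempfile

# Windows file-attribute bits. Explorer hides files with either attribute unless
# "Show hidden files" is on and "Hide protected operating system files" is off.
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04


def is_hidden(entry):
    """True if a DirEntry carries Hidden/System attributes (Windows) or a dot-name (POSIX)."""
    attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
    return bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)) or entry.name.startswith(".")


def find_files(directory, pattern):
    """[(path, hidden)] for regular files in directory whose name matches pattern (case-insensitive).

    os.scandir lists hidden and system files as well, so nothing is skipped because of attributes.
    """
    matches = []
    with os.scandir(directory) as it:
        for entry in it:
            if entry.is_file(follow_symlinks=False) and fnmatch.fnmatch(entry.name.lower(), pattern.lower()):
                matches.append((entry.path, is_hidden(entry)))
    return sorted(matches)


def hash_file(path, chunk_size=1 << 20):
    """Size plus MD5, SHA-1 and SHA-256 hex digests, streamed so large binaries are not read whole."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(block)
    result = {name: d.hexdigest() for name, d in digests.items()}
    result["size"] = os.path.getsize(path)
    return result


def demo():
    """Self-check on a constructed file: a temp dir holding a file named like the one in the
    post, containing the well-known 'abc' hash test vector rather than any real binary."""
    tmp = tempfile.mkdtemp()
    try:
        path = os.path.join(tmp, "is-T45LP.exe")
        with open(path, "wb") as fh:
            fh.write(b"abc")
        found = find_files(tmp, "is-*.exe")
        return {"matches": [os.path.basename(p) for p, _ in found], "hashes": hash_file(path)}
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    import sys
    directory = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows"
    pattern = sys.argv[2] if len(sys.argv) > 2 else "is-*.exe"
    for path, hidden in find_files(directory, pattern):
        print(path, "[hidden/system]" if hidden else "", hash_file(path))
```

Run it as `python find_and_hash.py C:\Windows is-*.exe` from a command prompt; record the hashes before uploading, since the scan page's report should be compared against the same digests, and a file that only shows up here and not in Explorer is one with the Hidden or System attribute set.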

              mudsud

                Topic Starter


                Rookie

                • Experience: Familiar
                • OS: Windows 8
                Re: sending emails at 2 am
                « Reply #10 on: July 21, 2011, 04:04:31 AM »
I cannot seem to get the file into the submit space on Jotti's. I cannot find an "exe" file in Windows either. There are 3 files in Windows but none are "exe". (Emails did not go out last night although the computer was left on.)

                SuperDave

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Thanked: 1020
                • Experience: Expert
                • OS: Windows 10
                Re: sending emails at 2 am
                « Reply #11 on: July 21, 2011, 12:47:30 PM »
                Ok. Please run the other scan.

                mudsud

                  Topic Starter


                  Rookie

                  • Experience: Familiar
                  • OS: Windows 8
                  Re: sending emails at 2 am
                  « Reply #12 on: July 21, 2011, 10:25:07 PM »
                  Here ya' go Dave.
                  SysProt AntiRootkit v1.0.1.0
                  by swatkat

                  ******************************************************************************************
                  ******************************************************************************************

                  No Hidden Processes found

                  ******************************************************************************************
                  ******************************************************************************************
                  Kernel Modules:
                  Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
                  Service Name: ---
                  Module Base: EEA6E000
                  Module End: EEA86000
                  Hidden: Yes

                  Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
                  Service Name: ---
                  Module Base: F8A9C000
                  Module End: F8A9E000
                  Hidden: Yes

                  ******************************************************************************************
                  ******************************************************************************************
                  SSDT:
                  Function Name: ZwCreateKey
                  Address: 8205B780
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwCreateMutant
                  Address: 822CE500
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwCreateProcess
                  Address: 8205A580
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwCreateProcessEx
                  Address: 8205A880
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwCreateSymbolicLinkObject
                  Address: 822CE8C0
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwCreateThread
                  Address: 822CE020
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwDeleteKey
                  Address: 8205BD80
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwDeleteValueKey
                  Address: 8205C680
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwDeviceIoControlFile
                  Address: F835FCEF
                  Driver Base: F8356000
                  Driver End: F836F000
                  Driver Name: IPVNMon.sys

                  Function Name: ZwDuplicateObject
                  Address: 822CEAA0
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwLoadDriver
                  Address: 822CE200
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwOpenProcess
                  Address: 8205AB80
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwOpenSection
                  Address: 8205CC60
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwOpenThread
                  Address: 8205AE80
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwRenameKey
                  Address: 8205C080
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwRestoreKey
                  Address: 8205C380
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwSetSystemInformation
                  Address: 822CE6E0
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwSetValueKey
                  Address: 8205BA80
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwTerminateProcess
                  Address: 8205B180
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwTerminateThread
                  Address: 8205B480
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwWriteVirtualMemory
                  Address: 8205CE40
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  ******************************************************************************************
                  ******************************************************************************************
                  No Kernel Hooks found

                  ******************************************************************************************
                  ******************************************************************************************
                  Hidden files/folders:
                  Object: C:\Qoobox\BackEnv\AppData.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Cache.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Cookies.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Desktop.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Favorites.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\History.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Music.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\NetHood.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Personal.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Pictures.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Programs.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Recent.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\SendTo.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\SetPath.bat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\StartUp.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\SysPath.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Templates.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\VikPev00
                  Status: Access denied

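An added example, not part of the thread and not SysProt's own code, showing how to triage a log in the format posted above programmatically rather than by eye. It parses the tool's "Key: value" records section by section, lists the kernel modules flagged Hidden, groups the SSDT entries by the driver SysProt attributed each hook address to (so the entries it could not resolve, reported as _unknown_, stand apart from the one it pinned to IPVNMon.sys) and cross-checks that a named driver's range really contains the address, and separates hidden files under C:\Qoobox from any elsewhere. Two assumptions are built in and labelled in the code: C:\Qoobox is ComboFix's quarantine/backup folder, and the dump_*.sys modules are the crash-dump copies of the storage drivers, which have no service entry and are routinely listed as hidden by anti-rootkit tools. The embedded log is abridged from the post above and is the sample input.

```python
"""Triage a SysProt Antirootkit log: hidden kernel modules, SSDT hooks, hidden files.

Added example for this thread; it is not part of SysProt or of any post above.
"""
from collections import defaultdict

# Abridged from the SysProt log posted in the thread (sample input for this example).
SAMPLE_LOG = r"""SysProt AntiRootkit v1.0.1.0

No Hidden Processes found

******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: EEA6E000
Module End: EEA86000
Hidden: Yes

******************************************************************************************
SSDT:
Function Name: ZwCreateKey
Address: 8205B780
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDeviceIoControlFile
Address: F835FCEF
Driver Base: F8356000
Driver End: F836F000
Driver Name: IPVNMon.sys

******************************************************************************************
No Kernel Hooks found

******************************************************************************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied
"""

SECTION_HEADERS = ("Kernel Modules:", "SSDT:", "Hidden files/folders:")

# Assumptions of this example, not findings from the thread: C:\Qoobox is ComboFix's
# quarantine/backup folder, and dump_*.sys are the crash-dump copies of the storage
# drivers, which have no service entry and are routinely listed as "hidden" by ARK tools.
EXPECTED_HIDDEN_FILE_PREFIXES = ("c:\\qoobox\\",)
EXPECTED_HIDDEN_MODULE_PREFIXES = ("\\systemroot\\system32\\drivers\\dump_",)


def parse_sysprot(text):
    """Return {section: [record, ...]}; a record is one blank-line-delimited 'Key: value' group."""
    sections, current, record = defaultdict(list), None, {}

    def flush():
        nonlocal record
        if current and record:
            sections[current].append(record)
        record = {}

    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            flush()
            current = line.rstrip(":")
        elif not line or line.startswith("*"):   # record separator or banner row
            flush()
        elif current and ": " in line:
            key, _, value = line.partition(": ")
            record[key] = value.strip()
        # anything else ("No Kernel Hooks found", the version line) is informational only
    flush()
    return dict(sections)


def hidden_modules(parsed):
    """Modules SysProt flagged Hidden, split into the expected crash-dump copies and the rest."""
    names = [m["Module Name"] for m in parsed.get("Kernel Modules", []) if m.get("Hidden") == "Yes"]
    expected = [n for n in names if n.lower().startswith(EXPECTED_HIDDEN_MODULE_PREFIXES)]
    return {"expected": expected, "unexpected": [n for n in names if n not in expected]}


def ssdt_hooks_by_driver(parsed):
    """Group hooked SSDT functions by the driver SysProt resolved the hook address to."""
    by_driver = defaultdict(list)
    for e in parsed.get("SSDT", []):
        addr, base, end = (int(e[k], 16) for k in ("Address", "Driver Base", "Driver End"))
        name = e["Driver Name"]
        # Cross-check the tool's attribution: a named driver must actually contain the address.
        if name != "_unknown_" and not (base <= addr < end):
            name += " (address outside reported range)"
        by_driver[name].append(e["Function Name"])
    return dict(by_driver)


def triage(text):
    """One dict a responder can read top to bottom: what is hidden, and who owns each hook."""
    parsed = parse_sysprot(text)
    hooks = ssdt_hooks_by_driver(parsed)
    hidden_files = [f["Object"] for f in parsed.get("Hidden files/folders", [])]
    in_quarantine = [p for p in hidden_files if p.lower().startswith(EXPECTED_HIDDEN_FILE_PREFIXES)]
    return {
        "hidden_modules": hidden_modules(parsed),
        "unresolved_hooks": hooks.get("_unknown_", []),
        "resolved_hooks": {d: f for d, f in hooks.items() if d != "_unknown_"},
        "hidden_files_in_quarantine": in_quarantine,
        "hidden_files_elsewhere": [p for p in hidden_files if p not in in_quarantine],
    }


if __name__ == "__main__":
    import json, sys
    log = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(triage(log), indent=2))
```

Point it at the saved log (`python sysprot_triage.py sysprot.txt`). The lists worth a second look are `hidden_modules["unexpected"]`, `hidden_files_elsewhere`, and `unresolved_hooks`: an SSDT entry whose address falls in no loaded module is exactly what a kernel-mode rootkit produces, but security products that hook the same functions are reported the same way, so the address ranges still have to be matched against the driver list by hand before drawing a conclusion.
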
                  mudsud

                    Topic Starter


                    Rookie

                    • Experience: Familiar
                    • OS: Windows 8
                    Re: sending emails at 2 am
                    « Reply #13 on: July 21, 2011, 10:53:09 PM »
                    Dave - I got the Jotti thing here I think.
                    Sam

http://virusscan.jotti.org/en/scanresult/a7205d5b72308fe0ae22111f97151bdb0cb1ff19/be87232be2dc5fa4e87ecdd49f7267eecc1a31a4
                    « Last Edit: July 22, 2011, 01:22:58 PM by SuperDave »

                    SuperDave

                    • Malware Removal Specialist
                    • Moderator


                    • Genius
                    • Thanked: 1020
                    • Experience: Expert
                    • OS: Windows 10
                    Re: sending emails at 2 am
                    « Reply #14 on: July 22, 2011, 01:24:20 PM »
                    That link is no good. Please try again.

                    AVENGER

                    • Download The Avenger by Swandog46 from here.
                    • Unzip/extract it to a folder on your desktop.
                    • Double click on avenger.exe to run The Avenger.
                    • Click OK.
                    • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
                    • Click the Execute button.
• You will be asked: "No script has been entered. Do you want to execute a rootkit scan only?"
                    • Click Yes.
• You will now be asked: "First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?"
                    • Click Yes.
                    • Your PC will now be rebooted.
                    • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
                    • Please post this log in your next reply.
                    *********************************************************
                    ESET Online Scan

                    Scan your computer with the ESET FREE Online Virus Scan

                    * Click the ESET Online Scanner button.

                    * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                    * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
                    * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
                    * Place a check mark next to YES, I accept the Terms of Use.

                    * Click the Start button.
                    * Accept any security warnings from your browser.
                    * Leave the check mark next to Remove found threats and place a check next to Scan archives.
                    * Click the Start button.
                    * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
                    * When the scan completes, click List of found threats.
                    * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
                    * Click the Back button then click Finish.

                    In your next reply please include the ESET Online Scan Log