Topic: relevant knowledge and atdm

SuperDave

  • Malware Removal Specialist


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: relevant knowledge and atdm
« Reply #15 on: September 14, 2011, 05:51:12 PM »
Download OTL to your desktop.

* Open OTL
* Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

Code:
:OTL

uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Trusted Zone: facebook.com\www

:folders
c:\program files\Free Offers from Freeze.com

:COMMANDS
[resethosts]
[purity]
[start explorer]

* Click Run Fix
* OTL may ask to reboot the machine. Please do so if asked.
* Click OK
* A report will open. Copy and Paste that report in your next reply.
****************************************************************

Registry cleaners are extremely powerful applications and their potential for harming your OS far outweighs any small potential for improving your computer's performance.
Glary Registry Repair 3.0
There are a number of them available and some are more safe than others. Keep in mind that no two registry cleaners work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad" entry. One cleaner may find entries on your system that will not cause a problem when removed, another may not find the same entries, and still another may want to remove entries required for a program to work. Without research into what the registry entry selected for deletion is, a registry cleaner can end up being an automated method to cause problems with the registry.

For routine use by those not familiar with the registry, the benefits to your computer are negligible while the potential risks are great.

Further reading: XP Fixes Myth #1: Registry Cleaners
***************************************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
*******************************************************
Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

and save it to your Desktop.
It would be easiest to download using Internet Explorer.
If you insist on using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
Double click ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

If you have problems with ComboFix usage, see How to use ComboFix
Windows 8 and Windows 10 dual boot with two SSD's

darcomputer

    Topic Starter


    Hopeful

    Thanked: 1
    Re: relevant knowledge and atdm
    « Reply #16 on: September 14, 2011, 08:20:39 PM »
    ========== COMMANDS ==========
    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully
     
    OTL by OldTimer - Version 3.2.28.0 log created on 09142011_221218

     Results of screen317's Security Check version 0.99.18 
     Windows XP Service Pack 3 
     Internet Explorer 8 
    ``````````````````````````````
    Antivirus/Firewall Check:

     Windows Firewall Disabled! 
     Antivirus up to date! 
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

     Malwarebytes' Anti-Malware   
     CCleaner     
     Java(TM) 6 Update 27 
     Java(TM) 6 Update 7 
     Out of date Java installed!
    Flash Player Out of Date!
     Adobe Flash Player    10.1.102.64 
     Adobe Reader X (10.1.0)
    ````````````````````````````````
    Process Check: 
    objlist.exe by Laurent

     Windows Defender MSMpEng.exe
     Malwarebytes' Anti-Malware mbamservice.exe 
     Malwarebytes' Anti-Malware mbamgui.exe 
     COGECO Security Services Anti-Virus fsgk32st.exe 
     COGECO Security Services Anti-Virus FSGK32.EXE 
     Common Files Authentium AntiVirus5 vsedsps.exe
     Common Files Authentium AntiVirus5 vseamps.exe
     Common Files Authentium AntiVirus5 vseqrts.exe
     COGECO Security Services Anti-Virus fssm32.exe 
     COGECO Security Services Anti-Virus fsav32.exe 
     Windows Defender MsMpEng.exe   
    ``````````End of Log````````````

    ComboFix 11-09-14.02 - Darlene 09/14/2011  21:54:34.1.2 - x86
    Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1919.1231 [GMT -4:00]
    Running from: c:\documents and settings\Darlene\Desktop\ComboFix.exe
    AV: COGECO Security Services 9.01 *Disabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
    FW: COGECO Security Services 9.01 *Enabled* {D4747503-0346-49EB-9262-997542F79BF4}
    .
    .
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Darlene\Local Settings\Application Data\ApplicationHistory
    c:\documents and settings\Darlene\Local Settings\Application Data\ApplicationHistory\ConfigWizards.exe.7492e342.ini
    c:\documents and settings\Darlene\Local Settings\Application Data\ApplicationHistory\dndlauncher.exe.49f1997f.ini
    c:\documents and settings\Darlene\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
    c:\documents and settings\Darlene\Local Settings\Application Data\ApplicationHistory\TurbineInvoker.exe.e40d002e.ini
    c:\documents and settings\Darlene\Local Settings\Application Data\ApplicationHistory\TurbineLauncher.exe.d8bd62d4.ini
    c:\program files\AskSearch\bin\DefaultSearch.dll
    c:\program files\SGPSA
    c:\windows\Downloaded Program Files\popcaploader.dll
    Pass LEGAL for license information. Built Sat Jun 25 23:20 2011c:\documents and settings\Administrator\NTUSER.DAT.LOG
    .
    .
    (((((((((((((((((((((((((   Files Created from 2011-08-15 to 2011-09-15  )))))))))))))))))))))))))))))))
    .
    .
    2011-09-15 01:35 . 2011-09-15 01:35   --------   d-----w-   C:\_OTL
    2011-09-13 19:00 . 2011-08-16 12:48   7152464   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{D49DA1D4-9035-47C2-A70B-6D9CC4863102}\mpengine.dll
    2011-09-12 20:26 . 2011-09-12 20:26   --------   d-----w-   c:\program files\ACW
    2011-09-12 19:45 . 2011-09-12 19:45   --------   d-----w-   c:\documents and settings\Darlene\Application Data\CBS Interactive
    2011-09-12 19:41 . 2011-08-31 21:00   22216   ----a-w-   c:\windows\system32\drivers\mbam.sys
    2011-09-09 20:00 . 2011-09-09 20:00   --------   d-----w-   c:\program files\File Type Assistant
    2011-09-09 19:59 . 2011-09-09 20:04   --------   d-----w-   c:\documents and settings\All Users\Application Data\Yahoo!
    2011-09-09 19:59 . 2011-09-09 19:59   --------   d-----w-   c:\program files\Free Offers from Freeze.com
    2011-09-06 19:01 . 2011-09-06 19:01   --------   d-----w-   c:\program files\CCleaner
    2011-09-06 18:00 . 2011-08-16 12:48   7152464   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
    2011-09-06 18:00 . 2011-05-24 23:14   222080   ------w-   c:\windows\system32\MpSigStub.exe
    2011-09-06 17:59 . 2011-09-06 17:59   --------   d-----w-   c:\program files\Windows Defender
    2011-09-03 15:44 . 2011-09-03 15:44   --------   d-----w-   c:\documents and settings\Darlene\Application Data\VirtualStore
    2011-08-29 04:31 . 2001-08-18 02:36   5632   ----a-w-   c:\windows\system32\ptpusb.dll
    2011-08-29 04:31 . 2008-04-14 09:42   159232   ----a-w-   c:\windows\system32\ptpusd.dll
    2011-08-29 04:31 . 2011-08-29 04:31   --------   d-----w-   c:\documents and settings\LocalService\Application Data\Apple Computer
    2011-08-24 02:36 . 2011-08-24 02:36   --------   d-----w-   c:\program files\iPod
    2011-08-24 02:36 . 2011-08-24 02:37   --------   d-----w-   c:\program files\iTunes
    2011-08-24 02:33 . 2011-05-10 12:06   4517664   ----a-w-   c:\windows\system32\usbaaplrc.dll
    2011-08-24 02:33 . 2011-05-10 12:06   42496   ----a-w-   c:\windows\system32\drivers\usbaapl.sys
    2011-08-24 02:33 . 2011-08-24 02:33   --------   d-----w-   c:\program files\Bonjour
    2011-08-24 02:29 . 2011-08-24 02:29   159744   ----a-w-   c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
    2011-08-24 02:29 . 2011-08-24 02:29   159744   ----a-w-   c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
    2011-08-24 02:29 . 2011-08-24 02:29   159744   ----a-w-   c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
    2011-08-24 02:29 . 2011-08-24 02:29   159744   ----a-w-   c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
    2011-08-24 02:29 . 2011-08-24 02:29   159744   ----a-w-   c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
    2011-08-24 02:29 . 2011-08-24 02:29   159744   ----a-w-   c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
    2011-08-24 02:29 . 2011-08-24 02:29   159744   ----a-w-   c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
    2011-08-24 02:29 . 2011-08-24 02:29   --------   d-----w-   c:\program files\QuickTime
    2011-08-23 00:50 . 2011-08-23 00:54   --------   d-----w-   c:\program files\SecondLifeViewer2
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-09 09:12 . 2004-08-04 12:00   599040   ----a-w-   c:\windows\system32\crypt32.dll
    2011-09-02 02:55 . 2011-05-18 01:10   404640   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-08-17 21:17 . 2011-03-27 01:06   42672   ----a-w-   c:\windows\system32\drivers\fsbts.sys
    2011-07-19 09:05 . 2010-04-24 17:55   472808   ----a-w-   c:\windows\system32\deployJava1.dll
    2011-07-19 06:40 . 2009-06-29 13:26   73728   ----a-w-   c:\windows\system32\javacpl.cpl
    2011-07-15 13:29 . 2004-08-04 12:00   456320   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
    2011-07-12 15:20 . 2011-07-12 15:20   83816   ----a-w-   c:\windows\system32\dns-sd.exe
    2011-07-12 15:20 . 2011-07-12 15:20   73064   ----a-w-   c:\windows\system32\dnssd.dll
    2011-07-12 15:20 . 2011-07-12 15:20   50536   ----a-w-   c:\windows\system32\jdns_sd.dll
    2011-07-12 15:20 . 2011-07-12 15:20   178536   ----a-w-   c:\windows\system32\dnssdX.dll
    2011-07-08 14:02 . 2004-08-04 12:00   10496   ----a-w-   c:\windows\system32\drivers\ndistapi.sys
    2011-07-05 22:37 . 2011-07-05 22:37   94208   ----a-w-   c:\windows\system32\QuickTimeVR.qtx
    2011-07-05 22:37 . 2011-07-05 22:37   69632   ----a-w-   c:\windows\system32\QuickTime.qts
    2011-06-24 14:10 . 2009-03-20 06:27   139656   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
    2011-06-23 18:36 . 2004-08-04 12:00   916480   ----a-w-   c:\windows\system32\wininet.dll
    2011-06-23 18:36 . 2004-08-04 12:00   43520   ----a-w-   c:\windows\system32\licmgr10.dll
    2011-06-23 18:36 . 2004-08-04 12:00   1469440   ------w-   c:\windows\system32\inetcpl.cpl
    2011-06-23 12:05 . 2004-08-04 12:00   385024   ----a-w-   c:\windows\system32\html.iec
    2011-06-20 17:44 . 2004-08-04 12:00   293376   ----a-w-   c:\windows\system32\winsrv.dll
    2011-06-08 04:20 . 2011-06-08 04:20   11363664   ----a-w-   c:\program files\SUPERAntiSpywarePro.exe
    2011-06-08 03:48 . 2011-06-08 03:48   7109120   ----a-w-   c:\program files\registrybooster.exe
    2011-06-01 03:24 . 2011-06-01 03:23   9352392   ----a-w-   c:\program files\Install_MSN_Messenger
    2011-05-07 06:07 . 2011-05-07 06:07   440   ----a-w-   c:\program files\050720112070929.bat
    2011-04-28 02:33 . 2011-04-28 02:32   9013888   ----a-w-   c:\program files\MSNOIE8_ENCA_XPL.EXE
    2011-02-22 02:06 . 2011-02-22 02:06   442   -c--a-w-   c:\program files\0221201121065109.bat
    2011-01-31 02:03 . 2011-01-31 02:03   5095264   ----a-w-   c:\program files\FLVPlayerSetup.exe
    2011-01-21 20:06 . 2011-01-21 20:06   208072   ----a-w-   c:\program files\bigfishgamesRainbowWEb2.exe
    2011-01-21 18:37 . 2011-01-21 18:37   208072   ----a-w-   c:\program files\bigfishgamesSUperGRanny.exe
    2010-10-19 21:18 . 2010-10-19 21:18   554280   ----a-w-   c:\program files\Mats_Run.AudioPlayback.exe
    2010-10-18 15:18 . 2010-10-18 15:17   554264   ----a-w-   c:\program files\Mats_Run.IEAddon.exe
    2010-09-11 02:04 . 2010-09-11 02:04   441   ----a-w-   c:\program files\0910201022044203.bat
    2010-06-13 04:02 . 2010-06-13 04:02   6153352   ----a-w-   c:\program files\mbam-setup-1.46.exe
    2010-05-10 18:56 . 2010-04-29 00:17   299864   ----a-w-   c:\program files\dxwebsetup.exe
    2010-05-01 04:02 . 2010-05-01 04:02   24099296   ----a-w-   c:\program files\Second_Life_2-0-1-203797_Setup.exe
    2010-04-29 20:59 . 2010-04-29 20:59   252564   ----a-w-   c:\program files\FHSetup.exe
    2010-04-29 02:40 . 2010-04-29 02:40   22080360   ----a-w-   c:\program files\NDP30SP2-KB976570-x64.exe
    2010-04-26 19:40 . 2010-04-26 19:40   3774872   ----a-w-   c:\program files\rcsetup137.exe
    2010-04-26 19:39 . 2010-04-26 19:39   4165768   ----a-w-   c:\program files\dfsetup118.exe
    2010-04-26 19:39 . 2010-04-26 19:39   3382520   ----a-w-   c:\program files\ccsetup231.exe
    2010-04-24 18:04 . 2010-04-24 18:04   82045688   ----a-w-   c:\program files\197.45_desktop_winxp_32bit_english_whql.exe
    2010-04-24 17:53 . 2010-04-24 17:53   921376   ----a-w-   c:\program files\JavaSetup6u20.exe
    .
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{96b985b7-3cf9-456a-9db6-791710e60f5f}"= "c:\program files\MyPoints Point Finder\Helper.dll" [2011-06-21 357376]
    .
    [HKEY_CLASSES_ROOT\clsid\{96b985b7-3cf9-456a-9db6-791710e60f5f}]
    [HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
    [HKEY_CLASSES_ROOT\TypeLib\{9FEBEA6D-4801-4D23-97E7-A771B698E442}]
    [HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{614BDA1F-9BEF-4CD1-BDE4-FA4804929B4A}]
    2011-06-21 21:23   1544192   ----a-w-   c:\program files\MyPoints Point Finder\Toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Point Finder\Toolbar.dll" [2011-06-21 1544192]
    .
    [HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
    [HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
    [HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Point Finder\Toolbar.dll" [2011-06-21 1544192]
    .
    [HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
    [HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
    [HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "lxcemon.exe"="c:\program files\Lexmark 4300 Series\lxcemon.exe" [2005-03-22 192512]
    "EzPrint"="c:\program files\Lexmark 4300 Series\ezprint.exe" [2005-02-15 61440]
    "LXCECATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005-03-22 69632]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]
    "F-Secure Manager"="c:\program files\COGECO Security Services\Common\FSM32.EXE" [2009-08-05 199264]
    "F-Secure TNB"="c:\program files\COGECO Security Services\FSGUI\TNBUtil.exe" [2009-08-05 2349664]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-02-03 430080]
    .
    c:\documents and settings\Darlene\Start Menu\Programs\Startup\
    CNET TechTracker.lnk - c:\documents and settings\Darlene\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe [2011-8-30 2620416]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-05 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" /s
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "LXCECATS"=rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\MyPoints Point Finder\\TroubleShooter.exe"=
    "c:\\Program Files\\MyPoints Point Finder\\ToolbarUpdate.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "58436:TCP"= 58436:TCP:Pando Media Booster
    "58436:UDP"= 58436:UDP:Pando Media Booster
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    .
    R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [3/26/2011 9:06 PM 42672]
    R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [3/26/2011 9:06 PM 82120]
    R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\COGECO Security Services\HIPS\drivers\fshs.sys [3/26/2011 9:06 PM 68064]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 2:25 PM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [5/4/2011 1:54 PM 116608]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/12/2011 3:41 PM 366152]
    R2 vseamps;vseamps;c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [4/8/2010 4:46 PM 117288]
    R2 vsedsps;vsedsps;c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [4/8/2010 4:46 PM 117288]
    R2 vseqrts;vseqrts;c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe [4/8/2010 4:46 PM 154152]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\COGECO Security Services\Anti-Virus\minifilter\fsgk.sys [3/26/2011 9:06 PM 148632]
    R3 FSORSPClient;F-Secure ORSP Client;c:\program files\COGECO Security Services\ORSP Client\fsorsp.exe [3/26/2011 9:06 PM 61088]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/12/2011 3:41 PM 22216]
    S1 SABKUTIL;SABKUTIL;\??\c:\documents and settings\Darlene\Local Settings\Temporary Internet Files\Content.IE5\SOOA4NAJ\SASKUTIL.SYS --> c:\documents and settings\Darlene\Local Settings\Temporary Internet Files\Content.IE5\SOOA4NAJ\SASKUTIL.SYS [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/19/2010 6:28 PM 135664]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/22/2010 2:38 PM 1684736]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/19/2010 6:28 PM 135664]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 8:00 AM 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    S4 F-Secure Filter;F-Secure File System Filter;c:\program files\COGECO Security Services\Anti-Virus\win2k\fsfilter.sys [3/26/2011 9:06 PM 39776]
    S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\COGECO Security Services\Anti-Virus\win2k\fsrec.sys [3/26/2011 9:06 PM 25184]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM   REG_MULTI_SZ      WINRM
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-09-14 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2011-09-15 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2009-06-29 21:02]
    .
    2011-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-19 22:28]
    .
    2010-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-19 22:28]
    .
    2011-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cb70c1aab709f4.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-19 22:28]
    .
    2011-09-15 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
    .
    2011-09-03 c:\windows\Tasks\MyDefrag v4.3.1 Daily.job
    - c:\program files\MyDefrag v4.3.1\Scripts\AutomaticDaily.MyD [2010-10-23 16:03]
    .
    2010-10-23 c:\windows\Tasks\MyDefrag v4.3.1 Monthly.job
    - c:\program files\MyDefrag v4.3.1\Scripts\AutomaticMonthly.MyD [2010-10-23 16:03]
    .
    2011-09-14 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 880562e9-38fd-4374-ade6-704245a712df.job
    - c:\program files\SUPERAntiSpyware\SASTask.exe [2011-08-05 17:51]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.computerhope.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    Trusted Zone: facebook.com\www
    TCP: DhcpNameServer = 24.226.1.93 24.226.10.193 24.226.10.194
    DPF: {5D2CF9D0-113A-476B-986F-288B54571614} - hxxp://www.devalvr.com/instalacion/plugin/devalvrplugin.php
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
    Toolbar-Locked - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-09-14 22:02
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ... 
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
      LXCECATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    .
    scanning hidden files ... 
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1844237615-854245398-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(688)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\documents and settings\Darlene\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    c:\documents and settings\Darlene\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    c:\documents and settings\Darlene\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    c:\documents and settings\Darlene\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10007.dll
    c:\program files\cogeco security services\hips\fshook32.dll
    .
    - - - - - - - > 'lsass.exe'(744)
    c:\program files\cogeco security services\hips\fshook32.dll
    .
    - - - - - - - > 'explorer.exe'(3636)
    c:\windows\system32\WININET.dll
    c:\program files\cogeco security services\hips\fshook32.dll
    c:\program files\COGECO Security Services\Spam Control\fsscoepl.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\COGECO Security Services\Anti-Virus\fsgk32st.exe
    c:\program files\COGECO Security Services\Common\FSMA32.EXE
    c:\program files\COGECO Security Services\Anti-Virus\FSGK32.EXE
    c:\program files\COGECO Security Services\Common\FSHDLL32.EXE
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\windows\system32\SearchIndexer.exe
    c:\program files\COGECO Security Services\FWES\Program\fsdfwd.exe
    c:\program files\COGECO Security Services\Anti-Virus\fssm32.exe
    c:\program files\COGECO Security Services\Anti-Virus\fsav32.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\lxcecoms.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-09-14  22:09:06 - machine was rebooted
    ComboFix-quarantined-files.txt  2011-09-15 02:09
    .
    Pre-Run: 218,044,141,568 bytes free
    Post-Run: 218,032,193,536 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 0971C76DCB125B6DF85C43911BF8674A

    SuperDave

    Re: relevant knowledge and atdm
    « Reply #17 on: September 15, 2011, 01:02:46 PM »
    You can uninstall Java(TM) 6 Update 7. The newest version is installed.

    Update your Adobe Reader. get.adobe.com/reader.

    Be sure to uncheck the Free McAfee Security Scan so it isn't installed.

    SysProt Antirootkit

    Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

    http://sites.google.com/site/sysprotantirootkit/

    Unzip it into a folder on your desktop.
    • Double click Sysprot.exe to start the program.
    • Click on the Log tab.
    • In the Write to log box select the following items.
      • Process << Selected
      • Kernel Modules << Selected
      • SSDT << Selected
      • Kernel Hooks << Selected
      • IRP Hooks << NOT Selected
      • Ports << NOT Selected
      • Hidden Files << Selected
    • At the bottom of the page
      • Hidden Objects Only << Selected
    • Click on the Create Log button on the bottom right.
    • After a few seconds a new window should appear.
    • Select Scan Root Drive. Click on the Start button.
    • When it is complete a new window will appear to indicate that the scan is finished.
    • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
    Windows 8 and Windows 10 dual boot with two SSD's

    darcomputer

      Topic Starter


      Hopeful

      Thanked: 1
      Re: relevant knowledge and atdm
      « Reply #18 on: September 15, 2011, 05:02:53 PM »
      SysProt Antirootkit will not produce the log file. It freezes and Task Manager needs to be used in order to shut it down and I get 'send error report'. Also before my computer froze a few times, and my service provider's (my email freezes as well 'outlook express. I still can't get into my email. tyvm

      SuperDave

      Re: relevant knowledge and atdm
      « Reply #19 on: September 16, 2011, 04:41:50 PM »
      Quote
      I still can't get into my email
      What happens when you try? Any error messages?

      Please try this one.
      * Download the following tool: RootRepeal - Rootkit Detector
      * Direct download link is here: RootRepeal.zip

      * Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
      * Click this link to see a list of such programs and how to disable them.

      * Extract the program file to a new folder such as C:\RootRepeal
      * Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
      * Select ALL of the checkboxes and then click OK and it will start scanning your system.
      * If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
      * When done, click on Save Report
      * Save it to the same location where you ran it from, such as C:\RootRepeal
      * Save it as rootrepeal.txt
      * Then open that log and select all and copy/paste it back on your next reply please.
      * Close RootRepeal.

      darcomputer

        Re: relevant knowledge and atdm
        « Reply #20 on: September 17, 2011, 12:05:20 PM »
        ty my email is working again, searching for programs that may be installed, i.e. bit defender, teatime etc. I'm checking the list and perhaps I did not turn off all firewalls, malware etc programs

        darcomputer

          Re: relevant knowledge and atdm
          « Reply #21 on: September 17, 2011, 12:21:00 PM »
          did not find any unknown antivirus, antimalware or firewalls tyvm

          darcomputer

            Re: relevant knowledge and atdm
            « Reply #22 on: September 17, 2011, 01:03:04 PM »
            ROOTREPEAL (c) AD, 2007-2009
            ==================================================
            Scan Start Time:      2011/09/17 14:48
            Program Version:      Version 1.3.5.0
            Windows Version:      Windows XP SP3
            ==================================================

            Drivers
            -------------------
            Name: dump_atapi.sys
            Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
            Address: 0xB3627000   Size: 98304   File Visible: No   Signed: -
            Status: -

            Name: dump_WMILIB.SYS
            Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
            Address: 0xB8650000   Size: 8192   File Visible: No   Signed: -
            Status: -

            Name: rootrepeal.sys
            Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
            Address: 0xB1C3B000   Size: 49152   File Visible: No   Signed: -
            Status: -

            Hidden/Locked Files
            -------------------
            Path: C:\Program Files\Yahoo! Games\Super Granny 5\SuperGranny5.exe:{DAE9D4A3-B119-0DB6-3513-C4E9E1D8A7B0}
            Status: Visible to the Windows API, but not on disk.

            Path: C:\Documents and Settings\Darlene\Local Settings\Apps\2.0\HL145TQP.LHO\226XO7ON.QGW\manifests\InquisitNet.exe.cdf-ms
            Status: Locked to the Windows API!

            Path: C:\Documents and Settings\Darlene\Local Settings\Apps\2.0\HL145TQP.LHO\226XO7ON.QGW\manifests\InquisitNet.exe.manifest
            Status: Locked to the Windows API!

            SSDT
            -------------------
            #: 047   Function Name: NtCreateProcess
            Status: Hooked by "C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys" at address 0xb829acd6

            #: 048   Function Name: NtCreateProcessEx
            Status: Hooked by "C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys" at address 0xb829acf0

            #: 053   Function Name: NtCreateThread
            Status: Hooked by "C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys" at address 0xb8299e8c

            #: 097   Function Name: NtLoadDriver
            Status: Hooked by "C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys" at address 0xb829a1bc

            #: 108   Function Name: NtMapViewOfSection
            Status: Hooked by "C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys" at address 0xb8299bcc

            #: 125   Function Name: NtOpenSection
            Status: Hooked by "C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys" at address 0xb829a5ee

            #: 192   Function Name: NtRenameKey
            Status: Hooked by "C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys" at address 0xb829b88c

            #: 240   Function Name: NtSetSystemInformation
            Status: Hooked by "C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys" at address 0xb829a43e

            #: 253   Function Name: NtSuspendProcess
            Status: Hooked by "C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys" at address 0xb8299a4c

            #: 254   Function Name: NtSuspendThread
            Status: Hooked by "C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys" at address 0xb8299ec0

            #: 255   Function Name: NtSystemDebugControl
            Status: Hooked by "C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys" at address 0xb829a042

            #: 257   Function Name: NtTerminateProcess
            Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xb384c640

            #: 258   Function Name: NtTerminateThread
            Status: Hooked by "C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys" at address 0xb8299b06

            #: 277   Function Name: NtWriteVirtualMemory
            Status: Hooked by "C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys" at address 0xb8299f86

            Shadow SSDT
            -------------------
            #: 549   Function Name: NtUserSetWindowsHookEx
            Status: Hooked by "C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys" at address 0xb829c646

            ==EOF==

            SuperDave

            Re: relevant knowledge and atdm
            « Reply #23 on: September 17, 2011, 04:27:02 PM »
            Quote
            i did not turn off all firewalls,
            You should only have one firewall.

            I'd like to scan your machine with ESET OnlineScan

            • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
              ESET OnlineScan
            • Click the button.
            • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
              • Click on to download the ESET Smart Installer. Save it to your desktop.
              • Double click on the icon on your desktop.
            • Check
            • Click the button.
            • Accept any security warnings from your browser.
            • Check
            • Push the Start button.
            • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
            • When the scan completes, push
            • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
            • Push the button.
            • Push
            A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

            darcomputer

              Re: relevant knowledge and atdm
              « Reply #24 on: September 17, 2011, 06:02:07 PM »
              only one firewall built into router and my service provider provides security package


              C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\GameVancePlaySushi26.zip   Win32/Bagle.gen.zip worm
              C:\Program Files\registrybooster.exe   Win32/RegistryBooster application

              SuperDave

              Re: relevant knowledge and atdm
              « Reply #25 on: September 17, 2011, 07:02:09 PM »
              How's your computer working now? Any other issues?

              darcomputer

                Re: relevant knowledge and atdm
                « Reply #26 on: September 17, 2011, 08:20:22 PM »
                ty i will be on it tomorrow and check it out ty

                darcomputer

                  Re: relevant knowledge and atdm
                  « Reply #27 on: September 18, 2011, 03:16:00 PM »
                  MBAMService terminated unexpectedly: see Event Log for details.  This happens at bootup. IE slow starting. Relevant Knowledge last in email (junk folder) Sept 2 :) :)

                  SuperDave

                  Re: relevant knowledge and atdm
                  « Reply #28 on: September 19, 2011, 04:26:12 PM »
                  Quote
                  MBAMService terminated unexpectedly: see Event Log for details.  This happens at bootup. IE slow starting. Relevant Knowledge last in email (junk folder) Sept 2
                  You can uninstall MBAM. I'm not sure what you mean by "Relevant Knowledge last in email (junk folder) Sept 2"

                  darcomputer

                    Re: relevant knowledge and atdm
                    « Reply #29 on: September 19, 2011, 06:44:57 PM »
                    I was getting relevant knowledge emails every day for months. It seems to have stopped thanks to you :) tyvm