problem after running first spybot S & D

[okbreeze]

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel Celeron processor
Percentage of Memory in Use: 60%
Physical Memory (total/avail): 318.55 MiB / 124.5 MiB
Pagefile Memory (total/avail): 771.58 MiB / 427.82 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1948.85 MiB

C: is Fixed (FAT32) - 11.24 GiB total, 4.82 GiB free.
D: is Fixed (FAT32) - 2.73 GiB total, 1.24 GiB free.

\\.\PHYSICALDRIVE0 - WDC WD150AA-60BAA0 - 13.99 GiB - 2 partitions
  \PARTITION0 (bootable) - Unknown - 11.25 GiB - C:
  \PARTITION1 - Extended w/Extended Int 13 - 2.73 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.

FW: Bitdefender Firewall v8.0 (BitDefender)
AV: Bitdefender Antivirus v8.0 (BitDefender)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Disabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Messenger\\MSMSGS.EXE"="C:\\Program Files\\Messenger\\MSMSGS.EXE:*:Disabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Disabled:Windows Live Messenger"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\txboots\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=COMPUTER
ComSpec=C:\WINDOWS\system32\cmd.exe
ESAUDIO=A220 D1 I5  T4
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\txboots
LOGONSERVER=\\COMPUTER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0803
ProgramFiles=C:\Program Files
PROMPT=$p$g
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\txboots\LOCALS~1\Temp
TMP=C:\DOCUME~1\txboots\LOCALS~1\Temp
USERDOMAIN=COMPUTER
USERNAME=txboots
USERPROFILE=C:\Documents and Settings\txboots
winbootdir=C:\WINDOWS
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

txboots (admin)


-- Add/Remove Programs ---------------------------------------------------------

 --> "C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /UNINSTALL /PROMPT
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
BitDefender Total Security 2008 --> MsiExec.exe /I{92098E58-00AD-4F78-AD6E-807BDB323478}
Compaq Digital Dashboard LED --> C:\Program Files\Compaq\Digital Dashboard\uninstall.exe
Compaq Hardware Discovery --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Compaq\Compaq Hardware Discovery\Uninst.isu"
Compaq IE5 Custom US v2.6 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Compaq\Compaq IE5 Custom US\Uninst.isu" -c"C:\Compaq\IE5\IE5_Uninstall.DLL"
Compaq IJ300 Electronic Registration --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\Compaq\Ereg\Uninst.isu
Compaq OOBE Online --> C:\WINDOWS\uninst.exe -fC:\compaq\oobe\DeIsL1.isu
Compaq WebISP --> C:\WINDOWS\uninst.exe -fC:\Compaq\webisp\DeIsL1.isu
Compaq WebReg v2.6 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Compaq\Compaq WebReg v2.6\Uninst.isu"
Compaq Wizard Host Online v2.6 --> C:\WINDOWS\uninst.exe -fc:\compaq\lutil\DeIsL1.isu -c"c:\compaq\lutil\ISUninst.dll
Corel Applications --> C:\WINDOWS\Corel\Uninst32.exe
Easy Access Button Support --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{93539D60-1817-11D1-9504-00805F26A89C}\setup.exe" -uninst
Foxit Reader --> C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
GSIM --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\gsim.inf, Uninstall
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HSP56 MicroModem Drivers --> ptuninst.exe
iLumina Bible --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BF0F5955-FC76-4F85-A13D-C9A8A9A5E067}\Setup.exe" -l0x9
Java 2 Runtime Environment, SE v1.4.1_01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1666FA7C-CB5F-11D6-A78C-00B0D079AF64}\setup.exe" Anytext
Java Web Start --> "C:\Program Files\Java Web Start\uninst-javaws.exe"
Lake Scenes Screen Saver --> C:\PROGRA~1\SCREEN~1.COM\LAKESC~1\UNINSTAL.EXE /U C:\PROGRA~1\SCREEN~1.COM\LAKESC~1\INSTALL.LOG
Logitech IM Video Companion --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{984F10FD-11FD-4BED-8163-92DB81E6A825}\SETUP.EXE" -l0x9 UNINSTALL
Logitech QuickCam --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Logitech\QuickCam\Uninst.isu"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Money 2000 Standard Edition --> C:\Program Files\Microsoft Money\setup\setup.exe
Microsoft NetShow Tools 2.0 --> C:\Program Files\Microsoft NetShow\Tools\_INSTTOO.EXE /U
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Microsoft Works 2000 --> MsiExec.exe /I{56364334-9530-11D2-BFFC-00C04FA329AA}
Mouse Suite --> PMUninst.exe MouseSuite98
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Messenger 5.0 --> MsiExec.exe /I{ABEB838C-A1A7-4C5D-B7E1-8B4314B00544}
Search Assistant - My Web Search --> mshta res://C:\PROGRA~1\MYWEBS~1\SrchAstt\1.bin\mwssrcas.dll/101
Service Connection --> c:\cpqs\bwtools\scuninst.exe
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
The Ultimate Troubleshooter --> C:\PROGRA~1\ANSWER~1\TROUBL~1\UNWISE.EXE C:\PROGRA~1\ANSWER~1\TROUBL~1\INSTALL.LOG
W Photo Studio --> MsiExec.exe /X{CBF3C503-946E-45EA-B347-EACC41781989}
Windows Blaster Worm Removal Tool (KB833330) --> C:\WINDOWS\$NtUninstallKB833330$\spuninst\spuninst.exe
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Photo Gallery --> MsiExec.exe /X{2D4F6BE3-6FEF-4FE9-9D01-1406B220D08C}
Windows Live Sign-in Assistant --> MsiExec.exe /I{0ED47137-C071-46CC-A243-E5E33271E10E}
Windows Live Writer --> MsiExec.exe /X{9176251A-4CC1-4DDB-B343-B487195EB397}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager --> C:\WINDOWS\System32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\System32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger --> C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG
Yahoo! Search Suggest Add-on for IE7 --> C:\PROGRA~1\Yahoo!\SEARCH~1\UNINST~1.EXE


-- Application Event Log -------------------------------------------------------

Event Record #/Type6706 / Error
Event Submitted/Written: 06/09/2008 11:38:56 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type6705 / Error
Event Submitted/Written: 06/09/2008 11:38:55 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type6704 / Error
Event Submitted/Written: 06/09/2008 11:38:40 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type6658 / Error
Event Submitted/Written: 05/31/2008 07:40:19 PM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 663217111.

Event Record #/Type6657 / Error
Event Submitted/Written: 05/31/2008 07:39:58 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application seccenter.exe, version 11.0.0.62, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type32612 / Warning
Event Submitted/Written: 06/09/2008 09:35:26 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0019A62A8F6B.  The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type32606 / Warning
Event Submitted/Written: 06/09/2008 06:33:53 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type32605 / Warning
Event Submitted/Written: 06/09/2008 05:02:23 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0019A62A8F6B.  The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type32603 / Error
Event Submitted/Written: 06/09/2008 00:17:30 PM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The Print Spooler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Event Record #/Type32590 / Error
Event Submitted/Written: 06/09/2008 04:54:36 AM
Event ID/Source: 1000 / Dhcp
Event Description:
Your computer has lost the lease to its IP address 192.168.100.11 on the
Network Card with network address 0019A62A8F6B.



-- End of Deckard's System Scanner: finished at 2008-06-09 23:44:39 ------------

  you are so cool

[evilfantasy]

OK, we have some work to do.

Disable Spybot's TeaTimer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent our tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.

First:

• Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
• Choose Exit Spybot S&D Resident

Second:

• Open Spybot S&D
• Click Mode, check Advanced Mode
  
• Go To Left Panel, Click Tools, then also in left panel, click Resident
  
• If your firewall raises a question, say OK
  
• Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  
• Use File, Exit to terminate Spybot
  
• Reboot your machine for the changes to take effect.

.
----------

Your file associations need fixing.

Click Start > Run> type in (or copy & paste):

"%userprofile%\desktop\dss.exe" /daft

Click OK
 
DSS will start again, click OK in the disclaimer window
Click the Scan button.
Select everything displayed in the results window
Click the Fix button
Rescan with DAFT again (Start > Run > "%userprofile%\desktop\dss.exe" /daft) it should say All associations are OK
Close DSS.

----------

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

• R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=s earchbar&LC=0409
• O1 - Hosts: 216.177.73.139 auto.search.msn.com
• O1 - Hosts: 216.177.73.139 search.netscape.com
• O2 - BHO: biObj Class - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
• O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
• O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
• O2 - BHO: GSIM - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - (no file)
• O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
• O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinkse arch&c=2c00&LC=0409 (file missing)
• O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinkse arch&c=2c00&LC=0409 (file missing)
• O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostse arch&c=2c00&LC=0409 (file missing)
• O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostse arch&c=2c00&LC=0409 (file missing)
• O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
• O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
• O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelf ish&c=2c00&LC=0409 (file missing)
• O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelf ish&c=2c00&LC=0409 (file missing)
• O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

.
Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

Your Java is out of date.

Older versions have vulnerabilities that malicious sites can use to infect your system.

Install the new version Sun Java Runtime Environment

Remove the old version(s)

• Download JavaRa and unzip the file to your Desktop.
  
• Open JavaRA.exe and choose Remove Older Versions
  
• Once complete exit JavaRA and delete the program.
• Run CCleaner.

.
----------

Go to add/remove programs and uninstall:

Search Assistant - My Web Search

----------

Download SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Now then reboot your computer in Safe Mode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
  
• Choose your usual account.
• Open the extracted SDFix folder and double click RunThis.bat to start the script.
  
• Type Y to begin the cleanup process.
  
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard).
  
• Finally save the contents of the results file Report.txt to add in your next reply.

If SDFix won't run or you get errors, follow the link for instructions on running SDFix. How to use SDFix

----------

Download Combofix by sUBs from one of the below links.

• Link #1
  
• Link #2
  

Important! Combofix.exe MUST be saved to and ran from the Desktop.

• Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
• Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
  • Click this link to see a list of security programs that should be disabled and how to disable them.
    
  • If yours is not listed and you don't know how to disable it, please ask.
• Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  
• Double click combofix.exe & follow the prompts.
• Choose Yes to accept the Disclaimers.

• When finished, it will produce a log for you.
• Post that log in your next reply.

Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall

• If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
  
• Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If needed, see this Combofix tutorial with screenshots that will detail more thoroughly the downloading and running of combofix.

----------

Next post add
SDFix Log
Combofix log

[okbreeze]

advanced mode gave me notice: "Warning. The advance mode of Spybot-S&D offers more options than the default mode; but those also include some that co harm to your system if you are not sure what you are doing. Do you really want to switch to advanced mode?"
As we're depending upon YOUR brains and not mine, select "yes"?

[evilfantasy]

Yes, we need to turn off Tea Timer.

There are more options in advanced mode. Here is an overview of it. http://antivirus.about.com/od/securitytips/ss/hosts_2.htm

It's a little out dated but the basics of it are still relevant.

[okbreeze]

I tried to run

"%userprofile%\desktop\dss.exe" /daft
results was notice "Windows cannot find "C:\Documents and Settings\txboots\desktop\dss.exe"/daft
Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.
Did search for file again and still got the above notice.
I have to go to bed. Will all this be ok til later?
At least desktop reappeared.

[evilfantasy]

Download Deckard's Association File Tool (DAFT) and save it to your desktop.

• Rename daft.exe to daft.com and double click on it to run.
  
• Read the disclaimer and click OK.
• Click on the Scan button.
  
• If it finds faulty file associations, they will appear in red beside a checkbox. If this occurs, just place a checkmark (tick) in the boxes in question.
• Click the Fix button.
  

.
----------

Did you run any of the other scans?

[okbreeze]

  Hi. I'm still having messes. I have gotten thru everything up to trying to go into safe mode. I get the 304 error message, and just stays there. I tried shutting down for a few minutes before trying again, but twice my hard drive started sounding like a small airplane   engine! I'd stop quick tapping F8 and desktop icons loaded and the sound went away. I cannot get into safe mode, so I could go to firefox and open SDFix. I'm afraid to try again, without wise input, because that sound cannot be good. 
Thanks, again, for all your help!!! Don't know how you guys do all this!

[evilfantasy]

Skip to combofix.

[okbreeze]

ComboFix 08-06-10.1 - txboots 2008-06-10 23:05:11.1 - FAT32x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.112 [GMT -5:00]
Running from: C:\Documents and Settings\txboots\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\History\search
C:\Program Files\MyWebSearch\bar\Settings\prevcfg.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat.bak
C:\Program Files\MyWebSearch\bar\Settings\settings.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.htm.bak
C:\Program Files\MyWebSearch\SrchAstt\1.bin\UNINSTAL.INF
C:\Program Files\MyWebSearch\SrchAstt\Cache\00344F71
C:\Program Files\MyWebSearch\SrchAstt\Cache\files.ini
C:\WINDOWS\hosts
C:\WINDOWS\start.exe
C:\WINDOWS\Web\default.htt

.
(((((((((((((((((((((((((   Files Created from 2008-05-11 to 2008-06-11  )))))))))))))))))))))))))))))))
.

2008-06-10 19:59 . 2008-06-09 14:25   <DIR>   d--------   C:\SDFix
2008-06-09 23:30 . 2008-06-09 23:30   <DIR>   d--------   C:\Deckard
2008-06-09 04:06 . 2008-06-09 04:06   <DIR>   d--------   C:\Program Files\Trend Micro
2008-06-08 20:58 . 2008-06-08 20:58   <DIR>   d--------   C:\WINDOWS\Profiles\All Users\Application Data\Spybot - Search & Destroy
2008-06-08 20:58 . 2008-06-08 20:58   <DIR>   d--------   C:\Program Files\Spybot - Search & Destroy
2008-06-07 19:22 . 2008-06-07 19:22   126   --a------   C:\WINDOWS\SYSTEM32\mmc.exe.config
2008-05-31 20:39 . 2008-05-31 20:39   <DIR>   d--------   C:\WINDOWS\Profiles\All Users\Application Data\TEMP
2008-05-31 20:34 . 2007-06-08 13:53   1,753,088   --a------   C:\WINDOWS\SYSTEM32\ExGrid.dll
2008-05-31 20:34 . 2007-04-03 16:51   614,400   --a------   C:\WINDOWS\SYSTEM32\ExButton.dll
2008-05-31 20:34 . 2007-06-05 10:20   602,112   --a------   C:\WINDOWS\SYSTEM32\ExMenu.dll
2008-05-31 20:34 . 2007-06-05 10:19   516,096   --a------   C:\WINDOWS\SYSTEM32\ExTab.dll
2008-05-31 20:34 . 2007-04-03 16:51   307,200   --a------   C:\WINDOWS\SYSTEM32\ExPMenu.dll
2008-05-31 20:33 . 2008-05-31 20:33   <DIR>   d--------   C:\Program Files\Common Files\eSellerate
2008-05-31 20:33 . 2008-05-31 20:33   <DIR>   d--------   C:\Program Files\AnswersThatWork
2008-05-31 20:33 . 1998-04-24 00:00   368,912   --a------   C:\WINDOWS\SYSTEM32\vbar332.dll
2008-05-31 20:33 . 2005-10-11 14:40   356,352   --a------   C:\WINDOWS\SYSTEM32\eSellerateEngine.dll
2008-05-31 20:33 . 2005-10-04 08:11   118,784   --a------   C:\WINDOWS\SYSTEM32\eWebControl.dll
2008-05-31 15:18 . 2008-05-31 15:18   335   --a------   C:\WINDOWS\mozregistry.dat
2008-05-29 18:06 . 2008-05-29 18:06   <DIR>   d--------   C:\Program Files\Foxit Software
2008-05-28 18:17 . 2008-05-28 18:17   <DIR>   d--------   C:\Program Files\WhatsRunning
2008-05-26 17:23 . 2008-05-26 17:23   754   --a------   C:\WINDOWS\WORDPAD.INI
2008-05-23 11:11 . 2008-05-23 11:11   <DIR>   d--------   C:\Documents and Settings\txboots\dwhelper
2008-05-23 10:27 . 2008-05-23 10:27   1,160   --a------   C:\WINDOWS\mozver.dat
2008-05-19 20:23 . 2006-11-29 13:06   3,426,072   --a------   C:\WINDOWS\SYSTEM32\d3dx9_32.dll
2008-05-19 02:14 . 2004-05-14 16:53   462,848   --a------   C:\WINDOWS\SYSTEM32\ltkrn13n.dll
2008-05-19 02:14 . 2004-05-14 16:53   450,560   --a------   C:\WINDOWS\SYSTEM32\ltimg13n.dll
2008-05-19 02:14 . 2004-05-14 16:53   401,408   --a------   C:\WINDOWS\SYSTEM32\lfcmp13n.dll
2008-05-19 02:14 . 2004-05-14 16:53   299,008   --a------   C:\WINDOWS\SYSTEM32\ltdis13n.dll
2008-05-19 02:14 . 2004-01-12 02:09   206,336   --a------   C:\WINDOWS\SYSTEM32\ltefx13n.dll
2008-05-19 02:14 . 2004-05-14 16:53   163,840   --a------   C:\WINDOWS\SYSTEM32\ltfil13n.dll
2008-05-19 02:14 . 2003-11-04 15:11   159,744   --a------   C:\WINDOWS\SYSTEM32\lfpng13n.dll
2008-05-19 02:14 . 2003-11-04 15:10   69,632   --a------   C:\WINDOWS\SYSTEM32\lfgif13n.dll
2008-05-19 02:14 . 2004-05-14 16:53   57,344   --a------   C:\WINDOWS\SYSTEM32\lfbmp13n.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 01:04   ---------   d-----w   C:\Documents and Settings\txboots\Application Data\W Photo Studio
2008-05-09 01:03   ---------   d-----w   C:\WINDOWS\Profiles\All Users\Application Data\Walgreens
2008-05-09 01:03   ---------   d-----w   C:\Program Files\Walgreens
2008-05-09 01:03   ---------   d-----w   C:\Program Files\Common Files\HP
2008-05-09 01:03   ---------   d-----w   C:\Documents and Settings\txboots\Application Data\Walgreens
2008-05-09 00:55   ---------   d-----w   C:\Documents and Settings\txboots\Application Data\W Photo Studio Viewer
2008-05-07 16:43   ---------   d-----w   C:\Documents and Settings\txboots\Application Data\Uniblue
2008-04-22 16:29   ---------   d-----w   C:\Documents and Settings\txboots\Application Data\BitDefender
2008-04-22 16:28   ---------   d-----w   C:\WINDOWS\Profiles\All Users\Application Data\BitDefender
2008-04-22 16:28   ---------   d-----w   C:\Program Files\BitDefender
2008-04-22 16:26   ---------   d-----w   C:\Program Files\Common Files\BitDefender
2008-04-22 01:26   ---------   d-----w   C:\Program Files\Screen-Savers.com
2008-04-22 01:26   ---------   d-----w   C:\Program Files\Java
2008-04-04 06:19   743,621   ----a-w   C:\WINDOWS\SYSTEM32\RPUpdates.zip
2008-03-27 08:12   151,583   ----a-w   C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12   151,583   ------w   C:\WINDOWS\SYSTEM32\dllcache\msjint40.dll
2008-03-25 01:51   2,400,784   ----a-w   C:\WLinstaller.exe
2008-03-19 09:47   1,845,248   ----a-w   C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47   1,845,248   ------w   C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
2003-09-22 20:06   266   --sh--w   C:\Program Files\desktop.ini
2003-09-22 20:06   11,079   ---h--w   C:\Program Files\folder.htt
2001-05-24 17:59   162,304   ----a-w   C:\Program Files\UNWISE.EXE
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}

[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2007-10-25 21:36   8454656   --a------   C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2001-08-23 12:00 3072 C:\WINDOWS\SYSTEM32\systray.exe]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 15:46 61440]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-06-09 10:13 360448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"@"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.uyvy"= lvcod32.dll
"vidc.yuy2"= lvcod32.dll
"vidc.yvu9"= lvcod32.dll
"VIDC.VDOM"= vdowave.drv
"vidc.mxmc"= MimicICM.DLL
"VIDC.TR20"= tr2032.dll
"msacm.voxacm119"= vdk32119.acm
"vidc.vivo"= ivvideo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 01:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EXSHOW95.EXE]
--a------ 2001-09-07 17:18 45056 C:\WINDOWS\SYSTEM32\exshow95.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSavingsfromEbates]
wjview /cp:p C:\Program Files\WebSavingsfromEbates\System\Code Main lp: C:\Program Files\WebSavingsfromEbates

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe"
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ScanRegistry"=c:\windows\scanregw.exe /autorun
"CPQEASYACC"=C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
"EACLEAN"=C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
"Service Connection"=c:\cpqs\bwtools\sccenter.exe
"CountrySelection"=pctptt.exe
"CPQInet"=c:\compaq\CPQInet\CpqInet.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Digital Dashboard"=C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
"LoadQM"=loadqm.exe
"QuickTime Task"=C:\WINDOWS\SYSTEM32\qttask.exe
"ausvc"=C:\WINDOWS\ausvc.exe
"SysScan"=C:\WINDOWS\bvt.exe
"ABsr"=C:\WINDOWS\absr.exe
"MovieNetworks"="C:\Program Files\MovieNetworks\MovieNetworks.exe" /H
"WebInstall2"=C:\WINDOWS\TEMP\INS93B4.TMP /R /A
"Hotbar"=C:\PROGRAM FILES\HOTBAR\BIN\4.2.8.0\HBINST.EXE /Upgrade
"DXM6Patch_981116"=C:\WINDOWS\p_981116.exe /Q:A
"LVComs"=C:\WINDOWS\SYSTEM32\LVComS.exe
"KAZAA"=C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
"Mouse Suite 98 Daemon"=PELMICED.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"PTSNOOP"=ptsnoop.exe
"LexStart"=Lexstart.exe
"LexmarkPrinTray"=PrinTray.exe
"CountrySelection"=pctptt.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"SchedulingAgent"=mstask.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Hidserv"=Hidserv.exe run

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-01-25 15:40]
S3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\system32\DRIVERS\KMW_SYS.sys [2001-09-07 18:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx   REG_MULTI_SZ      scan

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>IEPerUser]
RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}]
rundll32.exeadvpack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 23:10:48
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-10 23:12:45
ComboFix-quarantined-files.txt  2008-06-11 04:12:34

Pre-Run: 5,029,740,544 bytes free
Post-Run: 5,029,666,816 bytes free

206   --- E O F ---   2008-05-28 03:31:57

[evilfantasy]

Download DrWeb CureIt & save it to your desktop.

Scan with DrWeb-CureIt as follows:

• Double-click on drweb-cureit.exe and then click Start.
  
• An Express Scan of your PC notice will appear.
  
• Under Start the Express Scan Now Click OK to start.
  • This is a short scan that will scan the files currently running in memory.
  • If or when something is found, click the Yes button when it asks you if you want to cure it.
• Once the short scan has finished, Click Options > Change settings
  
• Choose the Scan tab and UNcheck Heuristic analysis and click OK
  
• Back at the main window, select the Complete scan button.
  
• Then click the Green Arrow Start Scanning button on the right and the scan will start.
  • Click Yes to all if it asks if you want to cure/move any file(s).
• When the scan is done.
• In the Dr.Web CureIt menu on top left, click File and choose Save report list.
  
• Save the DrWeb.csv report to your Desktop.
  
• Exit Dr.Web Cureit.

• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

[/COLOR]

• After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
  
• Copy and paste that log in the next reply

.
----------

Now run a new Hijackthis scan and post that log also.

[okbreeze]

Computer shut down during full scan of Dr.Web CureIt, and rebooted. I don't think it was finished, and I didn't get to save report list. Took me a bit to get back up. Rerun?
I did a little digging. I need the Windows recovery console, but I don't have the Windows disc. In reading up on Dr.Web-Cure it, I need that recovery console. Is there a way around this? I read a little about UNC (Universal Naming Convention), as a possible help for this, but it looks a little scary for me to attempt.

[evilfantasy]

Without a Windows CD Recovery Console won't do any good.

Run the F-Secure online scan for Viruses, Spyware and RootKits:

This scanner works with Internet Explorer only

• Go to the F-Secure Online Virus Scanner
  
• Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
• Allow the Active X control to be installed on your computer, then click the Accept button
• Click Full System Scan and allow the components to download and the scan to complete.
  
• If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  
• When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  
• Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan

• When the cleaning option is presented, Uncheck Submit samples to F-Secure
  
• Click Automatic cleaning
  
• When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  
• Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post along with a fresh HijackThis log.

Note:

• This scan will only work with Internet Explorer
• You must have administrator rights to run this scan
• This scan can take over an hour so please be patient

[okbreeze]

F-Secure found no malware

[evilfantasy]

Run a new scan with Hijackthis and post the log.

[okbreeze]

To post the Hijackthis log, just copy and paste?
And, what's the difference between "Rookie" and "Beginner"?