
Author Topic: All Anti-spyware software fails  (Read 11123 times)

FJN

    Topic Starter


    Rookie

    All Anti-spyware software fails
    « on: November 29, 2009, 07:48:08 PM »
    I have a Dell Inspiron 2200/1.24gb RAM/Intel Celeron M 1.5 GHz processor/XP sp3.

    Two days ago I tried running Advanced System Care. When it got to the last stage of scanning, the program suddenly crashed. ASC.exe was then corrupted. Reinstalling into a new folder yielded identical results. The same was true for Spy-bot, SuperAntiSpyware, and Malwarebytes, all updated to the latest version as of two days ago. I attempted running Spy-bot and ASC in safe-mode after reinstalling them into new directories with the same results. As none of these programs can perform a scan, I can't post any of the logs.  >:( ???

    I ran CCleaner and found msa.exe. AVG took care of it and found no infections on scan after removal of msa.exe. I hoped that fixed the problem but it didn't. In addition to the corruption of anti-spyware .exes, I've started to notice that upon exiting any program, the program ceases to respond. Trying to open any other program results in a system freeze. I can move the mouse, but that's it. It seems to be getting worse.

    My question is whether I should try to fix the machine or back up my files to my external hard drive and reinstall the OS. Also, if I do back up the files, is there a risk of reinfecting the machine when I put them back on?

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: All Anti-spyware software fails
    « Reply #1 on: November 30, 2009, 07:18:04 PM »
    Hello FJN and welcome to Computer Hope Forum. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans whilst I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    You can back up your files to another HDD or to DVDs. If you will need them after we're finished cleaning, you can scan them before using them again.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    Save Rkill to your desktop.

    There are 4 different versions. If one of them won't run then download and try to run the other one.
     
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
     

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shut down your antivirus.

    * Rkill.exe
    * Rkill.com
    * Rkill.scr
    * Rkill.pif

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and Run exeHelper

    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com).

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file)

    Windows 8 and Windows 10 dual boot with two SSD's

    FJN

      Re: All Anti-spyware software fails
      « Reply #2 on: December 01, 2009, 02:43:50 PM »
      Hi SD,

      Thanks for being patient with me. Below is the "exehelperlog" generated by exehelper. I had no issues running RKill.exe (first one I tried) and exehelper did not say "error deleting file."

      exeHelper by Raktor
      Build 20091122
      Run at 16:38:46 on 12/01/09
      Now searching...
      Checking for numerical processes...
      Checking for sysguard processes...
      Checking for bad processes...
      Checking for bad files...
      Checking for bad registry entries...
      Resetting filetype association for .exe
      Resetting filetype association for .com
      Resetting userinit and shell values...
      Resetting policies...
      --Finished--

      SuperDave

      Re: All Anti-spyware software fails
      « Reply #3 on: December 02, 2009, 04:41:35 PM »
      Please go to this link and see if you can run the SAS, MBAM and HJT scans. Copy and paste the logs here afterward.

      FJN

        Re: All Anti-spyware software fails
        « Reply #4 on: December 02, 2009, 05:26:48 PM »
        SAS first attempt to run: error, insufficient privileges or missing. Exe appears corrupted.
        Reran rkill, exehelper and tried again. Same result. Re-downloaded setup and attempted install. While installing, it said I had insufficient privileges to install a certain file. Retry option failed. Chose "ignore." SAS will not run. Tried alternate start, too. Nothing.

        MBAM would not even set up, stalled with just a tab on the taskbar (as if minimized).

        HJT installed. I chose "scan and create log." It began scanning, then crashed like all the other software. Trying to reopen gets the same "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

        FJN

          Re: All Anti-spyware software fails
          « Reply #5 on: December 02, 2009, 05:43:30 PM »
          Newer symptoms I've noticed. Windows Task Manager has a blank listing for user for almost all the running processes. Usually, this is filled with either User, Owner, or System. When I try to look at the computer's parts in the admin tools in control panel, none of the information is available. Windows is attempting to update itself, but I have a strong feeling there isn't an update. Last, Windows will not shut down the computer. I have to hold the power button until the machine powers off.

          SuperDave

          Re: All Anti-spyware software fails
          « Reply #6 on: December 02, 2009, 07:17:25 PM »
          FJN, let's try this:

          Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

          link # 1
          Link # 2

          Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

          Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

          Vista users: Right-click combofix.exe and select Run as Administrator and follow the prompts.
          Double-click combofix.exe and follow the prompts.
          When finished, ComboFix will produce a log for you.
          Post the ComboFix log and a new HijackThis log in your next reply.

          NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

          Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.

          FJN

            Re: All Anti-spyware software fails
            « Reply #7 on: December 03, 2009, 12:53:11 PM »
            ComboFix ran after a window appeared stating "catchme.cfxxe" could not open because the window was shutting down. It said the machine did not have Windows Recovery Console and asked to download it. I said no because I know the machine has that feature. After running and rebooting the machine, it generated the following log:

            ComboFix 09-12-02.08 - Mary Neill 12/03/2009 14:23.1.1 - x86
            Running from: c:\documents and settings\Mary Neill\Desktop\ComboFix.exe
            AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
            FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
             * Created a new restore point

            WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
            .

            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .

            c:\program files\Common Files\System\Uninstall
            c:\program files\Common Files\System\Uninstall\Uninstall A360.lnk
            c:\windows\bemark2.dat
            c:\windows\f49f4daa.dat

            Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
            Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

            .
            (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
            .

            -------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


            (((((((((((((((((((((((((   Files Created from 2009-11-03 to 2009-12-03  )))))))))))))))))))))))))))))))
            .

            2009-11-30 01:42 . 2009-11-30 01:49   117760   ----a-w-   c:\documents and settings\Mary Neill\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
            2009-11-30 01:41 . 2009-11-30 01:41   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
            2009-11-30 01:41 . 2009-12-03 19:28   --------   d-----w-   c:\program files\SUPERAntiSpyware
            2009-11-30 01:41 . 2009-11-30 01:41   --------   d-----w-   c:\documents and settings\Mary Neill\Application Data\SUPERAntiSpyware.com
            2009-11-30 01:41 . 2009-11-30 01:41   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
            2009-11-29 19:10 . 2009-11-28 21:01   497944   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
            2009-11-29 19:10 . 2009-11-28 21:01   3963648   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
            2009-11-29 19:08 . 2009-11-28 21:00   877848   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
            2009-11-29 19:08 . 2009-11-28 21:00   1657112   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
            2009-11-28 22:08 . 2009-11-28 22:08   --------   d-sh--w-   c:\documents and settings\Administrator.MARYNEILL\IETldCache
            2009-11-28 21:48 . 2009-11-29 02:57   --------   d-----w-   c:\program files\Spybot - Search & Destroy FRESH
            2009-11-28 21:16 . 2009-11-28 21:16   --------   d-----w-   c:\documents and settings\All Users\Application Data\Electronic Arts
            2009-11-28 21:02 . 2009-11-28 21:05   --------   d-----w-   C:\$AVG
            2009-11-28 21:00 . 2009-11-28 21:00   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
            2009-11-28 20:59 . 2009-12-03 19:29   --------   d-----w-   c:\windows\SxsCaPendDel
            2009-11-25 23:09 . 2009-12-03 19:29   --------   d--h--w-   c:\windows\PIF
            2009-11-25 21:11 . 2009-11-25 21:11   --------   d-----w-   c:\program files\CCleaner
            2009-11-21 18:58 . 2009-11-21 19:01   --------   d-----w-   c:\documents and settings\Mary Neill\Application Data\SPORE
            2009-11-21 18:58 . 2009-11-21 18:58   --------   d--h--r-   c:\documents and settings\Mary Neill\Application Data\SecuROM
            2009-11-21 18:57 . 2009-11-21 18:57   --------   d-----w-   C:\ProgramData
            2009-11-21 18:57 . 2009-11-21 18:57   1216   ----a-w-   c:\windows\system32\ealregsnapshot1.reg
            2009-11-21 18:57 . 2009-11-21 18:57   --------   d-----w-   c:\documents and settings\Mary Neill\Local Settings\Application Data\Downloaded Installations
            2009-11-21 18:40 . 2009-11-21 18:58   --------   d-----w-   c:\program files\Electronic Arts
            2009-11-07 22:32 . 2009-11-12 21:32   --------   d-----w-   c:\documents and settings\Mary Neill\.gimp-2.6

            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2009-12-03 18:53 . 2009-09-30 02:47   0   ----a-r-   c:\windows\win32k.sys
            2009-11-29 02:24 . 2009-04-12 23:39   --------   d-----w-   c:\documents and settings\Mary Neill\Application Data\uTorrent
            2009-11-29 02:01 . 2008-04-19 18:35   --------   d-----w-   c:\program files\IObit
            2009-11-29 00:06 . 2006-09-26 23:12   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
            2009-11-28 21:15 . 2006-09-26 23:11   --------   d-----w-   c:\program files\Spybot - Search & Destroy
            2009-11-28 21:08 . 2009-09-07 23:42   --------   d-----w-   c:\program files\Cell Phone Manager
            2009-11-28 21:01 . 2009-03-14 22:27   360584   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
            2009-11-28 21:01 . 2009-03-14 22:27   333192   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
            2009-11-28 21:01 . 2009-03-14 22:27   28424   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
            2009-11-28 21:01 . 2009-03-14 22:27   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
            2009-11-28 21:00 . 2008-12-04 00:45   --------   d-----w-   c:\program files\AVG
            2009-11-25 20:33 . 2005-06-22 23:54   --------   d-----w-   c:\program files\Opera
            2009-11-21 18:58 . 2008-03-19 21:41   107888   ----a-w-   c:\windows\system32\CmdLineExt.dll
            2009-11-21 18:58 . 2005-11-07 04:05   --------   d--h--w-   c:\program files\InstallShield Installation Information
            2009-11-21 18:37 . 2005-12-25 02:09   43982   -c--a-w-   c:\documents and settings\Mary Neill\Application Data\wklnhst.dat
            2009-11-21 18:37 . 2007-09-14 19:41   --------   d-----w-   c:\program files\LEGO Media
            2009-11-21 18:36 . 2008-03-19 21:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\WildTangent
            2009-11-21 18:35 . 2008-05-01 20:10   --------   d-----w-   c:\program files\WildGames
            2009-11-15 16:57 . 2007-09-14 19:41   346   -c--a-w-   c:\windows\EReg213.dat
            2009-11-11 03:39 . 2009-08-19 21:01   --------   d-----w-   c:\program files\JetAudio
            2009-10-11 02:45 . 2009-10-11 02:45   --------   d-----w-   c:\program files\7-Zip
            2009-09-27 22:34 . 2009-09-27 22:34   127872   ----a-w-   c:\documents and settings\Mary Neill\Application Data\Move Networks\uninstall.exe
            2009-09-27 22:34 . 2009-06-16 06:35   4183416   ----a-w-   c:\documents and settings\Mary Neill\Application Data\Move Networks\plugins\npqmp071503000010.dll
            2009-09-11 14:18 . 2004-08-10 18:51   136192   ----a-w-   c:\windows\system32\msv1_0.dll
            2009-09-04 21:03 . 2004-08-10 18:51   58880   ----a-w-   c:\windows\system32\msasn1.dll
            2006-08-25 00:17 . 2005-12-01 01:18   56   -csh--r-   c:\windows\system32\7FA7908E3A.sys
            2006-08-25 00:17 . 2005-12-01 01:18   3766   -csha-w-   c:\windows\system32\KGyGaAvL.sys
            .

            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4

            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2009-04-17 95536]
            "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2009-04-17 54576]
            "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-28 2020120]

            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
            "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
            2009-09-03 19:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
            2009-11-28 21:01   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
            @="Service"

            [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
            path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
            backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

            [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
            path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
            backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
            "DisableMonitoring"=dword:00000001

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
            "EnableFirewall"= 0 (0x0)

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
            "%windir%\\system32\\sessmgr.exe"=
            "c:\\WINDOWS\\system32\\LEXPPS.EXE"=
            "c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
            "c:\\Program Files\\Kodak\\Kodak EasyShare Software\\bin\\EasyShare.exe"=
            "c:\\Program Files\\uTorrent\\uTorrent.exe"=
            "c:\\Program Files\\iTunes\\iTunes.exe"=
            "c:\\Documents and Settings\\Mary Neill\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
            "c:\\Program Files\\Opera\\opera.exe"=
            "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
            "c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
            "c:\\WINDOWS\\system32\\mmc.exe"=
            "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
            "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
            "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

            R2 AVG Free8 WatchDog (avg8wd) ;AVG Free8 WatchDog (avg8wd) ;c:\program files\tinyproxy\tinyproxy.exe

            R2 DHCP Client (Dhcp) ;DHCP Client (Dhcp) ;c:\program files\tinyproxy\tinyproxy.exe

            R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 133104]
            R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-11-23 7408]
            R4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [2006-04-03 14032]
            S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-11-28 333192]
            S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-11-28 360584]
            S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-11-23 9968]
            S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-11-23 74480]
            S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2009-11-28 906520]
            S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2009-11-28 285392]

            .
            Contents of the 'Scheduled Tasks' folder

            2009-12-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
            - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 18:54]

            2009-12-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
            - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 18:54]

            2009-11-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3063908644-3062810159-149590578-1006Core.job
            - c:\documents and settings\Mary Neill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-18 19:35]

            2009-12-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3063908644-3062810159-149590578-1006UA.job
            - c:\documents and settings\Mary Neill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-18 19:35]

            2009-11-28 c:\windows\Tasks\MP Scheduled Scan.job
            - c:\program files\Windows Defender\MpCmdRun.exe [2006-04-03 22:12]
            .
            .
            ------- Supplementary Scan -------
            .
            uStart Page = hxxp://search.bearshare.com/
            uInternet Connection Wizard,ShellNext = iexplore
            uInternet Settings,ProxyOverride = *.local;<local>
            uInternet Settings,ProxyServer = 127.0.0.1:9090
            uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
            IE: &Search - ?p=ZJ
            FF - ProfilePath - c:\documents and settings\Mary Neill\Application Data\Mozilla\Firefox\Profiles\owxdew7q.default\
            FF - prefs.js: browser.search.selectedEngine - Google
            FF - prefs.js: browser.startup.homepage - www.google.com | www.gmail.com | hxxp://mail.yahoo.com | http://puzzles.usatoday.com/
            FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
            FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
            FF - plugin: c:\documents and settings\Mary Neill\Application Data\Move Networks\plugins\npqmp071503000010.dll
            FF - plugin: c:\documents and settings\Mary Neill\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
            FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
            FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
            FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
            FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
            FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
            FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
            FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
            FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
            FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
            FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
            FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
            FF - plugin: c:\program files\Mozilla Firefox\plugins\npWTHost.dll
            FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
            .
            - - - - ORPHANS REMOVED - - - -

            BHO-{0974BA1E-64EC-11DE-B2A5-E43756D89593} - (no file)
            Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
            Toolbar-{0974BA1E-64EC-11DE-B2A5-E43756D89593} - (no file)
            WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
            AddRemove-Broadcom 802.11b Network Adapter - c:\windows\system32\BCMWLU00.exe verbose



            **************************************************************************

            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2009-12-03 14:33
            Windows 5.1.2600 Service Pack 3 NTFS

            scanning hidden processes ... 

            scanning hidden autostart entries ...

            scanning hidden files ... 

            scan completed successfully
            hidden files: 0

            **************************************************************************
            .
            --------------------- LOCKED REGISTRY KEYS ---------------------

            [HKEY_USERS\S-1-5-21-3063908644-3062810159-149590578-1006\Software\SecuROM\License information*]
            "datasecu"=hex:10,cc,08,bd,a2,bf,35,04,4a,79,bc,95,c4,f3,26,0c,e3,25,4a,5e,fb,
               64,12,f1,86,1a,5b,33,0f,cb,04,76,a5,f1,c9,5a,9f,37,54,0a,3b,e1,f6,cb,4d,0c,\
            "rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
            .
            --------------------- DLLs Loaded Under Running Processes ---------------------

            - - - - - - - > 'winlogon.exe'(520)
            c:\program files\SUPERAntiSpyware\SASWINLO.dll
            c:\windows\system32\WININET.dll

            - - - - - - - > 'explorer.exe'(324)
            c:\windows\system32\WININET.dll
            c:\windows\system32\ieframe.dll
            c:\windows\system32\webcheck.dll
            c:\windows\system32\WPDShServiceObj.dll
            c:\windows\system32\PortableDeviceTypes.dll
            c:\windows\system32\PortableDeviceApi.dll
            .
            ------------------------ Other Running Processes ------------------------
            .
            c:\program files\AVG\AVG9\avgchsvx.exe
            c:\program files\AVG\AVG9\avgrsx.exe
            c:\program files\AVG\AVG9\avgcsrvx.exe
            c:\windows\System32\bcmwltry.exe
            c:\windows\system32\LEXBCES.EXE
            c:\windows\system32\LEXPPS.EXE
            c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
            c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
            c:\program files\AVG\AVG9\avgnsx.exe
            c:\program files\AVG\AVG9\avgcsrvx.exe
            c:\windows\system32\wscntfy.exe
            .
            **************************************************************************
            .
            Completion time: 2009-12-03 14:38 - machine was rebooted
            ComboFix-quarantined-files.txt  2009-12-03 19:38

            Pre-Run: 8,497,528,832 bytes free
            Post-Run: 10,518,564,864 bytes free

            - - End Of File - - 58C7359A48AE0CF392CFB59B868D4010


            HJT completed a scan following ComboFix. Here is the log:

            Logfile of Trend Micro HijackThis v2.0.2
            Scan saved at 2:43:17 PM, on 12/3/2009
            Platform: Windows XP SP3 (WinNT 5.01.2600)
            MSIE: Internet Explorer v8.00 (8.00.6001.18702)
            Boot mode: Normal

            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\Program Files\AVG\AVG9\avgchsvx.exe
            C:\Program Files\AVG\AVG9\avgrsx.exe
            C:\Program Files\AVG\AVG9\avgcsrvx.exe
            C:\WINDOWS\System32\bcmwltry.exe
            C:\WINDOWS\system32\LEXBCES.EXE
            C:\WINDOWS\system32\spoolsv.exe
            C:\WINDOWS\system32\LEXPPS.EXE
            C:\Program Files\AVG\AVG9\avgwdsvc.exe
            C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
            C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
            C:\WINDOWS\system32\svchost.exe
            C:\Program Files\AVG\AVG9\avgnsx.exe
            C:\Program Files\AVG\AVG9\avgemc.exe
            C:\Program Files\AVG\AVG9\avgcsrvx.exe
            C:\PROGRA~1\AVG\AVG9\avgtray.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\system32\wuauclt.exe
            C:\WINDOWS\explorer.exe
            C:\WINDOWS\system32\notepad.exe
            C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

            R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
            R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
            R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
            R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:9090
            R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
            O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
            O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
            O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
            O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
            O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
            O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
            O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
            O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
            O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
            O4 - HKUS\S-1-5-21-3063908644-3062810159-149590578-1006\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart (User '?')
            O4 - HKUS\S-1-5-21-3063908644-3062810159-149590578-1006\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
            O8 - Extra context menu item: &Search - ?p=ZJ
            O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
            O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
            O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
            O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
            O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
            O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
            O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
            O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
            O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
            O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
            O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
            O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
            O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
            O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
            O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://bmm.imgag.com/imgag/cp/install/crusher-us.cab
            O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
            O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
            O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
            O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
            O23 - Service: AVG Free8 WatchDog (avg8wd)  - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe (file missing)
            O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
            O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
            O23 - Service: DHCP Client (Dhcp)  - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe (file missing)
            O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
            O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
            O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
            O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
            O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
            O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
            O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
            O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

            --
            End of file - 7405 bytes

            SuperDave

            Re: All Anti-spyware software fails
            « Reply #8 on: December 03, 2009, 01:05:20 PM »
            Hello FJN. Could you please do this for me?

            • Start HijackThis
            • Click on the Misc Tools button
            • Click on the Open Uninstall Manager button.
            • Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Save the file to your desktop. Copy and paste this file in your next reply.

            FJN


              Re: All Anti-spyware software fails
              « Reply #9 on: December 03, 2009, 01:26:02 PM »
              7-Zip 4.65
              Ad-Aware SE Personal
              Adobe Flash Player 10 Plugin
              Adobe Reader 8.1.7
              Adobe Shockwave Player 11.5
              Advanced SystemCare 3
              Age of Empires III
              AOL Uninstaller (Choose which Products to Remove)
              AOLIcon
              Apple Application Support
              Apple Software Update
              AVG Free 9.0
              CardRd81
              CCleaner
              CCScore
              Coupon Printer for Windows
              COWON Media Center - jetAudio Basic
              CR2
              Critical Update for Windows Media Player 11 (KB959772)
              Dell Driver Reset Tool
              Dell Photo Printer 720
              Dell Support 3.1
              Digital Content Portal
              Digital Line Detect
              DivX Content Uploader
              DivX Web Player
              EA Download Manager
              EducateU
              ESSBrwr
              ESSCDBK
              ESScore
              ESSgui
              ESShelp
              ESSini
              ESSPCD
              ESSPDock
              ESSSONIC
              ESSTOOLS
              essvatgt
              essvcpt
              Game Booster
              Google Earth
              Google Update Helper
              Graboid Video 1.6
              HijackThis 2.0.2
              HLPPDOCK
              Hotfix for Windows Media Format 11 SDK (KB929399)
              Hotfix for Windows Media Player 11 (KB939683)
              Hotfix for Windows XP (KB952287)
              Hotfix for Windows XP (KB970653-v3)
              Hotfix for Windows XP (KB976098-v2)
              Intel(R) Graphics Media Accelerator Driver for Mobile
              Intel(R) PRO Network Adapters and Drivers
              Intel(R) PROSet for Wired Connections
              Internal Network Card Power Management
              Internet Explorer Default Page
              iTunes
              J2SE Runtime Environment 5.0 Update 6
              kgcbase
              Kodak EasyShare software
              KSU
              LEGOLAND
              Macromedia Flash Player
              MagicDisc 2.7.101
              Microsoft .NET Framework 1.1
              Microsoft .NET Framework 1.1
              Microsoft .NET Framework 1.1 Security Update (KB953297)
              Microsoft Compression Client Pack 1.0 for Windows XP
              Microsoft Encarta Encyclopedia Standard 2005
              Microsoft Silverlight
              Microsoft User-Mode Driver Framework Feature Pack 1.0
              Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
              Microsoft Visual C++ 2005 Redistributable
              Microsoft Word 2002
              Microsoft Works
              Microsoft Works 2005 Setup Launcher
              Microsoft Works Suite Add-in for Microsoft Word
              Might and Magic® VII
              Might and Magic® VIII: Day of the Destroyer(TM)
              Mozilla Firefox (3.5.3)
              MSN
              MSXML 4.0 SP2 (KB936181)
              MSXML 4.0 SP2 (KB954430)
              MSXML 4.0 SP2 (KB973688)
              MSXML 4.0 SP2 Parser and SDK
              Netflix Movie Viewer
              Notifier
              OfotoXMI
              OLYMPUS Master 2
              Opera 10.10
              Oregon Trail(R) 5
              OTtBP
              OTtBPSDK
              QuickSet
              QuickTime
              Revo Uninstaller 1.83
              Security Update for Step By Step Interactive Training (KB898458)
              Security Update for Step By Step Interactive Training (KB923723)
              Security Update for Windows Internet Explorer 8 (KB969897)
              Security Update for Windows Internet Explorer 8 (KB971961)
              Security Update for Windows Internet Explorer 8 (KB972260)
              Security Update for Windows Internet Explorer 8 (KB974455)
              Security Update for Windows Media Player (KB952069)
              Security Update for Windows Media Player (KB954155)
              Security Update for Windows Media Player (KB968816)
              Security Update for Windows Media Player (KB973540)
              Security Update for Windows Media Player 10 (KB911565)
              Security Update for Windows Media Player 10 (KB917734)
              Security Update for Windows Media Player 10 (KB936782)
              Security Update for Windows Media Player 11 (KB936782)
              Security Update for Windows Media Player 11 (KB954154)
              Security Update for Windows XP (KB923561)
              Security Update for Windows XP (KB938464)
              Security Update for Windows XP (KB938464-v2)
              Security Update for Windows XP (KB941569)
              Security Update for Windows XP (KB946648)
              Security Update for Windows XP (KB950759)
              Security Update for Windows XP (KB950760)
              Security Update for Windows XP (KB950762)
              Security Update for Windows XP (KB950974)
              Security Update for Windows XP (KB951066)
              Security Update for Windows XP (KB951376)
              Security Update for Windows XP (KB951376-v2)
              Security Update for Windows XP (KB951698)
              Security Update for Windows XP (KB951748)
              Security Update for Windows XP (KB952004)
              Security Update for Windows XP (KB952954)
              Security Update for Windows XP (KB953838)
              Security Update for Windows XP (KB953839)
              Security Update for Windows XP (KB954211)
              Security Update for Windows XP (KB954459)
              Security Update for Windows XP (KB954600)
              Security Update for Windows XP (KB955069)
              Security Update for Windows XP (KB956390)
              Security Update for Windows XP (KB956391)
              Security Update for Windows XP (KB956572)
              Security Update for Windows XP (KB956744)
              Security Update for Windows XP (KB956802)
              Security Update for Windows XP (KB956803)
              Security Update for Windows XP (KB956841)
              Security Update for Windows XP (KB956844)
              Security Update for Windows XP (KB957095)
              Security Update for Windows XP (KB957097)
              Security Update for Windows XP (KB958215)
              Security Update for Windows XP (KB958644)
              Security Update for Windows XP (KB958687)
              Security Update for Windows XP (KB958690)
              Security Update for Windows XP (KB958869)
              Security Update for Windows XP (KB959426)
              Security Update for Windows XP (KB960225)
              Security Update for Windows XP (KB960714)
              Security Update for Windows XP (KB960715)
              Security Update for Windows XP (KB960803)
              Security Update for Windows XP (KB960859)
              Security Update for Windows XP (KB961371)
              Security Update for Windows XP (KB961373)
              Security Update for Windows XP (KB961501)
              Security Update for Windows XP (KB963027)
              Security Update for Windows XP (KB968537)
              Security Update for Windows XP (KB969059)
              Security Update for Windows XP (KB969898)
              Security Update for Windows XP (KB969947)
              Security Update for Windows XP (KB970238)
              Security Update for Windows XP (KB971486)
              Security Update for Windows XP (KB971557)
              Security Update for Windows XP (KB971633)
              Security Update for Windows XP (KB971657)
              Security Update for Windows XP (KB973346)
              Security Update for Windows XP (KB973354)
              Security Update for Windows XP (KB973507)
              Security Update for Windows XP (KB973525)
              Security Update for Windows XP (KB973869)
              Security Update for Windows XP (KB974112)
              Security Update for Windows XP (KB974571)
              Security Update for Windows XP (KB975025)
              Security Update for Windows XP (KB975467)
              SFR
              SFR2
              SHASTA
              Shockwave
              SKIN0001
              SKINXSDK
              SPORE™
              staticcr
              SUPERAntiSpyware Free Edition
              Synaptics Pointing Device Driver
              TBS WMP Plug-in
              Update for Windows Internet Explorer 8 (KB976749)
              Update for Windows XP (KB951072-v2)
              Update for Windows XP (KB951978)
              Update for Windows XP (KB955839)
              Update for Windows XP (KB967715)
              Update for Windows XP (KB968389)
              Update for Windows XP (KB973687)
              Update for Windows XP (KB973815)
              VC 9.0 Runtime
              VLC media player 0.9.9
              VPRINTOL
              Windows Defender
              Windows Defender Signatures
              Windows Genuine Advantage v1.3.0254.0
              Windows Internet Explorer 8
              Windows Live Messenger
              Windows Media Format 11 runtime
              Windows Media Format 11 runtime
              Windows Media Player 10
              Windows Media Player 11
              Windows Media Player 11
              Windows XP Service Pack 3
              WIRELESS
              ZoneAlarm Spy Blocker


              FJN


                Re: All Anti-spyware software fails
                « Reply #10 on: December 07, 2009, 12:08:04 PM »
                SuperDave? What do I do next?

                SuperDave

                Re: All Anti-spyware software fails
                « Reply #11 on: December 07, 2009, 04:42:09 PM »
                Hello FJN. Is your computer running any better? Please do this.

                Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

                Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

                Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

                Exit out of MessengerDisable then delete the two files that were put on the desktop.

                Open HijackThis and select Do a system scan only

                Place a check mark next to the following entries: (if there)

                R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/
                (Description: Listed at Spyware Warrior as spyware/adware)
                O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
                O8 - Extra context menu item: &Search - ?p=ZJ
                O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
                O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                O23 - Service: AVG Free8 WatchDog (avg8wd)  - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe (file missing)

                O23 - Service: DHCP Client (Dhcp)  - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe (file missing)



                Important: Close all open windows except for HijackThis and then click Fix checked.

                Once completed, exit HijackThis.

                Open HijackThis, but instead of scanning, click on the Open the MISC tools section button at the bottom of the choices.

                Copy this red text -> avg8wd

                • In HijackThis select Delete an NT Service
                • Paste the text into the box that opens and then click OK
                • If you receive any error messages just ignore them and continue.
                • Now repeat the above to delete the below Services (if you do not find them or get any errors, just continue):

                Dhcp

                Now exit HijackThis and reboot when it tells you it needs to.

                Also send me another HJT log.

                Please update and run SAS & MBAM. The link is in reply #3.

                FJN


                  Re: All Anti-spyware software fails
                  « Reply #12 on: December 07, 2009, 06:03:19 PM »
                  Yes, SD, my computer is running much better.

                  Windows Messenger removal done.

                  Fixed w/HJT the entries found.

                  When I got to the step where I copy "Dhcp" and enter in the delete NT Service I get this message, "The service 'Dhcp' is enabled and or running. Disable it first, using HijackThis itself (from the scan results) or the Services.msc window." I looked in the services.msc window and found that "DHCP Client" was started (and seems to be a necessary service) while "DHCP Client (Dhcp)" (which has no description) was disabled and not started. Not sure what to do with that. Below is the HJT log:

                  Logfile of Trend Micro HijackThis v2.0.2
                  Scan saved at 7:54:47 PM, on 12/7/2009
                  Platform: Windows XP SP3 (WinNT 5.01.2600)
                  MSIE: Internet Explorer v8.00 (8.00.6001.18702)
                  Boot mode: Normal

                  Running processes:
                  C:\WINDOWS\System32\smss.exe
                  C:\WINDOWS\system32\winlogon.exe
                  C:\WINDOWS\system32\services.exe
                  C:\WINDOWS\system32\lsass.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\Program Files\AVG\AVG9\avgchsvx.exe
                  C:\Program Files\AVG\AVG9\avgrsx.exe
                  C:\Program Files\AVG\AVG9\avgcsrvx.exe
                  C:\WINDOWS\System32\wltrysvc.exe
                  C:\WINDOWS\System32\bcmwltry.exe
                  C:\WINDOWS\system32\LEXBCES.EXE
                  C:\WINDOWS\system32\spoolsv.exe
                  C:\WINDOWS\system32\LEXPPS.EXE
                  C:\Program Files\AVG\AVG9\avgwdsvc.exe
                  C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
                  C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
                  C:\WINDOWS\Explorer.EXE
                  C:\WINDOWS\system32\svchost.exe
                  C:\Program Files\AVG\AVG9\avgnsx.exe
                  C:\Program Files\AVG\AVG9\avgemc.exe
                  C:\WINDOWS\system32\wuauclt.exe
                  C:\Program Files\AVG\AVG9\avgcsrvx.exe
                  C:\PROGRA~1\AVG\AVG9\avgtray.exe
                  C:\WINDOWS\system32\ctfmon.exe
                  C:\Program Files\Mozilla Firefox\firefox.exe
                  C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
                  C:\WINDOWS\system32\wuauclt.exe

                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                  R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
                  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:9090
                  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
                  O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
                  O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
                  O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
                  O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
                  O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
                  O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
                  O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
                  O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                  O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                  O4 - HKUS\S-1-5-21-3063908644-3062810159-149590578-1006\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart (User '?')
                  O4 - HKUS\S-1-5-21-3063908644-3062810159-149590578-1006\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
                  O4 - HKUS\S-1-5-21-3063908644-3062810159-149590578-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
                  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
                  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
                  O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
                  O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                  O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                  O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
                  O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
                  O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
                  O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
                  O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
                  O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
                  O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
                  O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
                  O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://bmm.imgag.com/imgag/cp/install/crusher-us.cab
                  O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
                  O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
                  O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
                  O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
                  O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
                  O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
                  O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
                  O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
                  O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
                  O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
                  O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
                  O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
                  O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
                  O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

                  --
                  End of file - 6899 bytes
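The entries SuperDave selects in reply #11 follow a few mechanical patterns (objects whose file is gone, and two differently named services backed by the same `tinyproxy.exe` path) that can be pre-sorted before a person reads the log. The Python below is an added example, not part of the thread or of HijackThis; `triage`, the reason labels and the loopback-proxy check (which the thread does not discuss) are assumptions of this example, and its output is a list of lines to review.

```python
import re
from collections import defaultdict, namedtuple

# Sample input: lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:9090
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: AVG Free8 WatchDog (avg8wd)  - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: DHCP Client (Dhcp)  - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""

# Hypothetical result type for this example: why a line was picked, its
# HijackThis section code (R1, O2, O23, ...) and the relevant text.
Finding = namedtuple("Finding", "reason code detail")

# "<code> - <body>", e.g. "O23 - Service: ...". Process-list and header lines do not match.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")

# O23 body: "Service: <display name> - <owner> - <image path>[ (file missing)]"
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+?)\s+- (?P<owner>.+) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)

# Proxy value that points back at the local machine.
PROXY_RE = re.compile(
    r",ProxyServer = (?P<host>127\.\d+\.\d+\.\d+|localhost):(?P<port>\d+)$", re.I
)


def short_name(display):
    """Return the service key name from 'Display Name (key)', or the display name itself."""
    m = re.search(r"\(([^()]+)\)$", display)
    return m.group(1) if m else display


def triage(log_text):
    """Return Findings for log lines that match one of three review patterns."""
    findings = []
    services_by_path = defaultdict(list)

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, running-process list, blank line
        code, body = m.group("code"), m.group("body")

        # Pattern 1: the registry entry survives but the file it names does not.
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append(Finding("orphaned", code, body))

        # Collect service image paths for pattern 2.
        if code == "O23":
            svc = SERVICE_RE.match(body)
            if svc:
                key = svc.group("path").lower()  # Windows paths are case-insensitive
                services_by_path[key].append(short_name(svc.group("display")))

        # Pattern 3 (not discussed in the thread): browser proxy set to loopback.
        proxy = PROXY_RE.search(body)
        if code.startswith("R") and proxy:
            findings.append(
                Finding("loopback-proxy", code, proxy.group("host") + ":" + proxy.group("port"))
            )

    # Pattern 2: one executable registered under several service names.
    for path, names in services_by_path.items():
        if len(names) > 1:
            findings.append(
                Finding("shared-service-image", "O23", f"{path} <- {', '.join(names)}")
            )
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:22} {f.code:4} {f.detail}")
```

The `vsmon` line is reported as orphaned even though it was not on SuperDave's fix list, which is the intended behaviour: the script narrows down what to look at, and the helper decides what to remove.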

                  SuperDave

                  Re: All Anti-spyware software fails
                  « Reply #13 on: December 07, 2009, 07:23:50 PM »
                  FJN, I still need the scans and logs for SAS and MBAM.

                  FJN


                    Re: All Anti-spyware software fails
                    « Reply #14 on: December 07, 2009, 07:41:54 PM »
                    Yes, I know, sorry for the delay. I got pulled away from the machine after I got to scanning with MBAM (MBAM log below). However, trying to install SAS, I receive the following midway through installation (before and after the MBAM scan, which found and removed three trojans): "Error 1321 Windows installer has insufficient privileges to modify this file: C:\SUPERAntispyware\SUPERAntispyware.exe". The "Retry" option fails; "Ignore" allows SAS to finish installing, but attempting to open the program still results in the original "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I searched for SUPERAntispyware.exe on my hard drive and attempted to delete it, but was denied again.

                    Malwarebytes' Anti-Malware 1.42
                    Database version: 3314
                    Windows 5.1.2600 Service Pack 3
                    Internet Explorer 8.0.6001.18702

                    12/7/2009 9:26:28 PM
                    mbam-log-2009-12-07 (21-26-28).txt

                    Scan type: Full Scan (C:\|)
                    Objects scanned: 189868
                    Time elapsed: 39 minute(s), 22 second(s)

                    Memory Processes Infected: 0
                    Memory Modules Infected: 0
                    Registry Keys Infected: 0
                    Registry Values Infected: 0
                    Registry Data Items Infected: 0
                    Folders Infected: 0
                    Files Infected: 3

                    Memory Processes Infected:
                    (No malicious items detected)

                    Memory Modules Infected:
                    (No malicious items detected)

                    Registry Keys Infected:
                    (No malicious items detected)

                    Registry Values Infected:
                    (No malicious items detected)

                    Registry Data Items Infected:
                    (No malicious items detected)

                    Folders Infected:
                    (No malicious items detected)

                    Files Infected:
                    C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully.
                    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1393\A0449074.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.
                    C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.