sound goes out, yadaying running, Downloader.Tiny.BB, Help!!!

[Mr.Hopeless]

While I was on a business trip, somebody got my computer infected it seems. I first knew something was wrong when the the sound kept going out and I had to reset the sound settings to get the sound back on on. Since, other things were happening, including a pop-up, messages about wanting to make IE my default browser, etc. My computer has AVG Anti-Virus (Free Version 8, I'll be upgrading ASAP), and on three separate scans it found infections, including Trojan house Clicker.AJUP, Tracking cooking.Trafficmp, Tracking cooking.Overture, Virus FakeAlert, and the latest on separate scans Trojan horse Downloader.Tiny.BB.

Whatever is going on, iexplore.exe keeps opening up, even after I End Process from the Windows Task Manager. It's rather disturbing. (Firefox is my default browser.)

And one more thing I've found. hxxp://www.yadaying.com/index.php?aff_id=979 (on Windows Internet Explorer) is running in the background, and I don't know how to stop it from running.

It seems there must be something lodged in the computer that's bringing about these infections, but I don't know where to start looking for it. At this point, I'm a bit afraid to turn that computer on (I'm using a different laptop). If anyone can get me started on this, I'd really appreciate it.

For the record, that computer is running Windows XP.

[Dr Jay]

Hello, and welcome to Computer Hope.

Please note the following information about the malware forum:

• Only the Malware Specialist Team is allowed to give advice on removing malware from your computer.
  
• From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
  
• Please do not attach logs or post them in Quote/Code boxes unless requested.
  
• Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
• If you have already asked for help somewhere, please post the link to the topic you were helped.
• We try our best to reply quickly, but for any reason we do not reply in two days, reply to this topic with the word BUMP
  
• Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this, will cause the infection to still be active on the computer.
• Please save the log to a location you will remember.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  
• Copy and paste the entire report in your next reply.

[Mr.Hopeless]

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/7/2010 8:56:08 PM
mbam-log-2010-07-07 (20-56-08).txt

Scan type: Quick scan
Objects scanned: 144970
Time elapsed: 16 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[Dr Jay]

Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.

[Mr.Hopeless]

ComboFix 10-07-06.05 - Brett 07/07/2010  22:53:31.1.1 - x86 MINIMAL
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1022.794 [GMT -4:00]
Running from: c:\documents and settings\Brett\My Documents\Temp\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Brett\g2mdlhlpx.exe
c:\documents and settings\Deborah\Favorites\DBLY1.exe
c:\documents and settings\Deborah\Favorites\Launcher.exe
c:\documents and settings\Deborah\g2mdlhlpx.exe
c:\windows\settings.reg
c:\windows\system32\bszip.dll
c:\windows\system32\Data

.
(((((((((((((((((((((((((   Files Created from 2010-06-08 to 2010-07-08  )))))))))))))))))))))))))))))))
.

2010-07-07 01:16 . 2010-07-07 01:16   495616   ----a-w-   c:\windows\system32\igfxcfg.exe
2010-07-05 00:31 . 2010-07-05 00:31   --------   d-sh--w-   c:\documents and settings\Deborah\IECompatCache
2010-07-04 18:25 . 2010-07-04 18:25   --------   d-----w-   C:\$AVG
2010-07-04 18:21 . 2010-07-04 18:21   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
2010-07-04 03:41 . 2010-07-04 03:41   552   ----a-w-   c:\windows\system32\d3d8caps.dat
2010-07-04 03:13 . 2010-07-04 03:13   --------   d-sh--w-   c:\documents and settings\Administrator\IETldCache
2010-07-02 04:45 . 2010-07-02 04:45   --------   d-----w-   c:\program files\Trend Micro
2010-07-01 17:20 . 2010-07-01 17:20   --------   d-sh--w-   c:\documents and settings\NetworkService\PrivacIE
2010-07-01 17:20 . 2010-07-01 17:20   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache
2010-07-01 17:20 . 2010-07-01 17:20   --------   d-sh--w-   c:\windows\system32\config\systemprofile\PrivacIE
2010-07-01 17:19 . 2010-07-01 17:19   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
2010-06-13 04:47 . 2010-06-13 04:47   --------   d-----w-   c:\documents and settings\Brett\Application Data\ZipGenius
2010-06-13 04:46 . 2010-06-13 04:46   --------   d-----w-   c:\program files\ZipGenius 6
2010-06-08 18:33 . 2010-05-06 10:41   743424   ------w-   c:\windows\system32\dllcache\iedvtool.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-07 01:45 . 2009-02-16 01:55   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-07-04 18:25 . 2009-02-16 03:30   243024   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2010-07-04 18:25 . 2009-02-16 03:30   216400   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
2010-07-04 18:25 . 2009-02-16 03:30   29584   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
2010-07-04 18:25 . 2009-02-16 03:30   12536   ----a-w-   c:\windows\system32\avgrsstx.dll
2010-07-04 18:21 . 2009-02-16 03:30   --------   d-----w-   c:\program files\AVG
2010-07-04 16:52 . 2009-02-16 03:45   --------   d-----w-   c:\program files\CCleaner
2010-07-04 16:50 . 2008-09-11 12:18   --------   d-----w-   c:\documents and settings\Brett\Application Data\Amazon
2010-07-04 16:50 . 2008-09-11 12:18   --------   d-----w-   c:\program files\Amazon
2010-07-04 16:49 . 2005-04-20 21:35   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-02 04:45 . 2010-07-02 04:45   388096   ----a-r-   c:\documents and settings\Brett\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-08 00:30 . 2010-06-08 00:30   57344   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-08 00:30 . 2010-06-08 00:30   56997   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-06-08 00:30 . 2010-06-08 00:30   56765   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-06-08 00:30 . 2010-06-08 00:19   --------   d-----w-   c:\documents and settings\All Users\Application Data\DivX
2010-06-08 00:30 . 2010-06-08 00:30   53600   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-06-08 00:30 . 2010-06-08 00:30   57715   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29   --------   d-----w-   c:\documents and settings\Brett\Application Data\DivX
2010-06-08 00:29 . 2010-06-08 00:29   84062   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29   57054   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29   54166   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29   57532   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29   56458   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29   54174   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29   54153   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29   54128   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29   54644   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29   57409   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-04-27 18:40 . 2005-04-20 17:18   123888   ------w-   c:\windows\system32\pxcpyi64.exe
2010-04-27 18:40 . 2005-04-20 17:18   126448   ------w-   c:\windows\system32\pxinsi64.exe
2010-04-27 18:40 . 2004-08-02 07:03   45648   ------w-   c:\windows\system32\drivers\pxhelp20.sys
2010-04-20 05:30 . 2004-08-10 17:50   285696   ----a-w-   c:\windows\system32\atmfd.dll
2010-04-11 16:00 . 2010-04-11 16:00   3303568   ----a-w-   c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockNY.exe
2010-04-11 15:39 . 2010-04-11 15:39   21195208   ----a-w-   c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US65016901xupd.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mozilla Quick Launch"="c:\program files\mozilla.org\Mozilla\Mozilla.exe" [2005-05-11 98192]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-21 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-22 149280]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"P17Helper"="P17.dll" [2004-06-10 60928]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"SmcService"="c:\progra~1\COMPUT~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-11-29 583048]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-04 2065760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-04 18:25   12536   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22   3739648   ----a-w-   c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2006-01-19 15:06   11776   ----a-w-   c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12   1695232   ----a-w-   c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-12-08 23:54   155648   ----a-w-   c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 06:01   110592   ----a-w-   c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/15/2009 11:30 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/15/2009 11:30 PM 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/4/2010 2:23 PM 308136]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/21/2009 8:51 PM 133104]
S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\drivers\IcRecUsb.sys [11/20/2005 11:11 PM 17432]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [2/10/2006 5:27 PM 45840]
.
Contents of the 'Scheduled Tasks' folder

2010-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-22 00:50]

2010-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-22 00:50]

2010-06-25 c:\windows\Tasks\Install.job
- c:\windows\system32\Macromed\Shockwave 10\nssstub.exe [2010-06-24 18:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Brett\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Brett\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Deborah\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_ everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_a s_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Brett\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-07 23:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5 977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,da,1a,17,b4,52,54,7c,42,b2,a6,fd,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839 E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,da,1a,17,b4,52,54,7c,42,b2,a6,fd,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3624)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\SSSensor.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\Computer Defense\Sygate\SPF\smc.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\Rundll32.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Completion time: 2010-07-07  23:11:04 - machine was rebooted
ComboFix-quarantined-files.txt  2010-07-08 03:11

Pre-Run: 20,980,580,352 bytes free
Post-Run: 20,480,839,680 bytes free

- - End Of File - - 07495C7CAAE74387232C3FE48885798E

[Dr Jay]

Please run a free online scan with the ESET Online Scanner

• Tick the box next to YES, I accept the Terms of Use
  
• Click Start
  
• When asked, allow the ActiveX control to install
• Click Start
  
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  
• Click Scan (This scan can take several hours, so please be patient)
  
• Once the scan is completed, you may close the window
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  
• Copy and paste that log as a reply to this topic

[Mr.Hopeless]

ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=1
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=109a82bd2f2d8043b7bac6a70eb93324
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-08 11:03:48
# local_time=2010-07-08 07:03:48 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777175 100 0 0 0 0 0
# compatibility_mode=5892 16776574 100 100 110339766 138927839 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=124280
# found=1
# cleaned=1
# scan_time=13844
C:\Documents and Settings\Deborah\Desktop\i386\GTDownDE_87.ocx   probably a variant of Win32/Adware.Agent application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C

[Dr Jay]

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

• Select Start > All Programs > Accessories > System tools > System Restore.
  
• On the dialogue box that appears select Create a Restore Point
  
• Click NEXT
  
• Enter a name e.g. Clean
• Click CREATE

You now have a clean restore point, to get rid of the bad ones:

• Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  
• In the Drop down box that appears select your main drive e.g. C
• Click OK
  
• The System will do some calculation and the display a dialogue box with TABS
  
• Select the More Options Tab.
  
• At the bottom will be a system restore box with a CLEANUP button click this
  
• Accept the Warning and select OK again, the program will close and you are done
  

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

• Save it to your Desktop.
  
• Double click OTC.exe.
  
• Click the CleanUp! button.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download TFC by OldTimer to your desktop

• Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• It will close all programs when run, so make sure you have saved all your work before you begin.
  
• Click the Start
  button to begin the process. Depending on how often you clean temp
  files, execution time should be anywhere from a few seconds to a minute
  or two. Let it run uninterrupted to completion.
  
• Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

[Mr.Hopeless]

Results of screen317's Security Check version 0.99.4 
 Windows XP Service Pack 3 
 Internet Explorer 8 
``````````````````````````````
Antivirus/Firewall Check:
 Windows Firewall Disabled! 
 AVG Free 9.0   
 ESET Online Scanner v3   
 Sygate Personal Firewall   
```````````````````````````````
Anti-malware/Other Utilities Check:
 Out of date Spybot installed!
 Ad-Aware
 WinPatrol 2008 (Outdated! Latest version is WinPatrol 2009)[/b]
 Malwarebytes' Anti-Malware   
 CCleaner (remove only)   
 Lavasoft VX2 Cleaner   
 Java(TM) 6 Update 16 
 Java(TM) SE Runtime Environment 6 Update 1
 Java(TM) 6 Update 2 
 Java 2 Runtime Environment Standard Edition v1.3.1_17
 Java 2 Runtime Environment, SE v1.4.2_03
 Out of date Java installed!
 Adobe Flash Player 10.1.53.64 
Adobe Reader 7.1.0
Out of date Adobe Reader installed!
 Mozilla Firefox (3.6.6)
````````````````````````````````
Process Check: 
objlist.exe by Laurent
 Ad-Aware AAWService.exe is disabled!
 Ad-Aware AAWTray.exe is disabled!
 WinPatrol winpatrol.exe
 AVG avgwdsvc.exe
 AVG avgtray.exe
 AVG avgrsx.exe
 AVG avgnsx.exe
 AVG avgemc.exe
 BillP Studios WinPatrol winpatrol.exe 
````````````````````````````````
DNS Vulnerability Check:
 GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

[Dr Jay]

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

==

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

=======================================

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Firewall

• Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  
• Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  
• PC Tools Firewall Plus: free and excellent firewall.

AntiSpyware

• SpywareBlaster
  SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  
• Spybot - Search & Destroy.
  Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).
  

NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Securing your computer

• Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft.  To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  
• hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
  

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

• Firefox may be downloaded from here: http://www.getfirefox.com
  
• Opera is available here: http://www.opera.com/download/
  

See this page for more info about malware and prevention.

[Mr.Hopeless]

Thanks for all of your help so far.

I've updated Adobe Acrobat Reader and Java.

Before I follow up with the Firewall and AntiSpyware software, two things:

1.) I still have problems with my computer (as I'm typing this, there is an Internet Explorer pop-up window saying "Internet Explorer is not currently your default browser. Would you like to make it your default browser?" (I never opened IE, and I rarely ever use it.)  If I close IExplere.exe from the Task Manger, it just opens right back up again.  I get this pop-up window when I first turn on the modem after starting up the computer.  I also get warnings from WinPatrol that says:

Scotty the Windows Watchdog is on patrol and has detected a change to one of your file type associations [.URL].
The program currently associated with this file type is:
Run a DLL as an APP
Microsoft Corporation
C:\WINDOWS\system32\rundll32.exe C:\WIDOWS\system32\ieframe.dll,OpenURL %l
A change was made to use the following program for this file type.
Run a DLL as an App
Microsoft Corporation
rundll32.exe ieframe.dll,OpenURL %l
Is this change ok?
(I always say no.)

2.) I'm concerned about having too many firewalls, especially since this computer is on the older side, because I'm afraid the computer will get intolerably slow.  I"m already running Sygate Personal Firewall and Windows Watchdog on top of AVG.  Is my concern valid about  the speed of my computer running so many firewalls?

Thanks.

[Dr Jay]

Only have one firewall.

Internet Explorer has an auto-recovery mode. It will automatically re-launch if it gets crashed (shut down immediately). That is normal behavior for Internet Explorer.

Also, Internet Explorer will probably need to finish its install. Just follow any prompts with it, and see if you have any more issues.

[Mr.Hopeless]

I think where I'm concerned about IE is that I'm getting this prompt without launching IE.  Doesn't that suggest that something is launching IE?  I mean, IE shouldn't be asking me to make it the default browser if I didn't initiate opening it myself, I would think...

[marzinp]

Hi M Hopeless,

I had exactly the same problem and could'nt fix it. I just solved today using bootkit_remover and the instructions found here: http://forums.majorgeeks.com/showthread.php?p=1507974

Hope it'll work for you!

[lovelyr88]

I am having the exact samething Down to the T going on with my laptop,and Im doing everything in this post but nothings helping.Im really wondering is this like a recent/new malware/virus/trojan what have you going around this year.