
Author Topic: malware removal guide  (Read 10183 times)


notevenclose

    Topic Starter


    Rookie

    malware removal guide
    « on: May 11, 2009, 12:11:50 PM »
     I'm following the "read this before requesting malware removal help" guide and have a question: I have Ad-Aware installed on my laptop. Will it conflict with any of the recommended downloads? Should I uninstall it?

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: malware removal guide
    « Reply #1 on: May 11, 2009, 12:36:37 PM »
    No it won't.

    notevenclose


      Re: malware removal guide
      « Reply #2 on: May 11, 2009, 04:15:05 PM »
      Because I can't open my browser I'm downloading programs to a jump drive and installing them on my infected laptop. So far I have CCleaner installed. However, I could not update it (my wireless connection is strong and I was able to update AVG, but I can't open any web pages).

      Is there any way around this? Below is my original post of the problem:


      After being sick for three days I started my daughter's laptop and found all kinds of spyware, malware and trojans... (AVG is scheduled to run every day but I think when it started acting hinky she just shut it down). Any road, I ran AVG, Ad-Aware, and Spybot S&D, and they cleared it up. However, my browser (Internet Explorer) was still not right. I tried to do a system restore but it would not let me, not even in safe mode... so I ran Spybot again and it found registry changes (Data Source Object exploit) and healed them, but it was still not right. When I ran S&D again it found the DOS exploit but said "registry change, nothing done". With each shutdown it got worse. Now I can't connect to the internet even in safe mode, and I can only access regedit.exe if I'm in safe mode. I found them but I don't know what to do to them or what the !=w=3 means, since it's not at the end of the registry entries I brought up. Can anyone help me?

      The laptop is a Dell Inspiron 8100 running XP Home Edition, version 2000, Service Pack 2 (I got it used about a month ago for my daughter, in excellent condition and running great). AVG, Ad-Aware and Spybot S&D, all free versions, are installed.
      These are the registry entries that have been changed:

      HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

      HKEY_USERS\S-1-5-21-1547161642-199396763-854245398\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

      HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

      HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

      HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

      Thank You

      evilfantasy

      Re: malware removal guide
      « Reply #3 on: May 11, 2009, 04:22:03 PM »
      As long as you can get SUPERAntispyware and Malwarebytes installed and run them then that should be good enough. We will update them later when you have internet access.

      notevenclose


        Re: malware removal guide
        « Reply #4 on: May 12, 2009, 01:53:57 PM »
        Hi,
        I finally got all the logs onto a jump drive (I take care of my 80 year old mother... little free time).

        First let me tell you the laptop does not have Java installed. Also, when I start up I get a "your computer has recovered from a serious error" message. This happened before I installed the spyware programs.

        The errors are below:

        C:\docume~1\default\locals~1\temp\wer2f4e.dir00\Mini051209-01.dmp

        C:\docume~1\default\locals~1\temp\wer2f4e.dir00\sysdata.xml


        Here are the spyware logs.

        Thank you
        SUPERAntiSpyware Scan Log
        http://www.superantispyware.com

        Generated 05/11/2009 at 10:48 PM

        Application Version : 4.26.1002

        Core Rules Database Version : 3868
        Trace Rules Database Version: 1816

        Scan type       : Complete Scan
        Total Scan Time : 00:58:47

        Memory items scanned      : 389
        Memory threats detected   : 0
        Registry items scanned    : 5066
        Registry threats detected : 24
        File items scanned        : 51297
        File threats detected     : 18

        Adware.Vundo Variant
           HKLM\Software\Classes\CLSID\{ABD45510-9B22-41cd-9ACD-8182A2DA7C63}
           HKCR\CLSID\{ABD45510-9B22-41CD-9ACD-8182A2DA7C63}
           HKCR\CLSID\{ABD45510-9B22-41CD-9ACD-8182A2DA7C63}
           HKCR\CLSID\{ABD45510-9B22-41CD-9ACD-8182A2DA7C63}\InProcServer32
           HKCR\CLSID\{ABD45510-9B22-41CD-9ACD-8182A2DA7C63}\InProcServer32#ThreadingModel
           C:\WINDOWS\SYSTEM32\IEHELPER.DLL
           HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{ABD45510-9B22-41CD-9ACD-8182A2DA7C63}
           HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{ABD45510-9B22-41CD-9ACD-8182A2DA7C63}

        Adware.E404 Helper/Hij
           HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}
           HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0
           HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\0
           HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\0\win32
           HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\FLAGS
           HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\HELPDIR
           HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}
           HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid
           HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid32
           HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib
           HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib#Version

        Trojan.Unclassified/C00-WL
           HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C007D810
           HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C007D810#Asynchronous
           HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C007D810#DllName
           HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C007D810#Impersonate
           HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C007D810#Startup
           HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C007D810#Logon

        Adware.Tracking Cookie
           C:\Documents and Settings\Quay\Cookies\[email protected][1].txt
           C:\Documents and Settings\Quay\Cookies\[email protected][2].txt
           C:\Documents and Settings\Quay\Cookies\[email protected][2].txt
           C:\Documents and Settings\Quay\Cookies\quay@bravenet[1].txt
           C:\Documents and Settings\Quay\Cookies\[email protected][1].txt
           C:\Documents and Settings\Quay\Cookies\quay@media6degrees[2].txt
           C:\Documents and Settings\Quay\Cookies\quay@specificclick[1].txt
           C:\Documents and Settings\Quay\Cookies\[email protected][1].txt
           C:\Documents and Settings\Quay\Cookies\quay@atwola[1].txt
           C:\Documents and Settings\Quay\Cookies\[email protected][1].txt
           C:\Documents and Settings\Quay\Cookies\quay@clicksense[1].txt
           C:\Documents and Settings\Quay\Cookies\quay@interclick[2].txt
           C:\Documents and Settings\Quay\Cookies\quay@collective-media[1].txt
           C:\Documents and Settings\Quay\Cookies\quay@invitemedia[1].txt
           C:\Documents and Settings\Quay\Cookies\[email protected][2].txt
           C:\Documents and Settings\Quay\Cookies\[email protected][1].txt
           C:\Documents and Settings\Quay\Cookies\quay@specificmedia[1].txt



        Malwarebytes' Anti-Malware 1.36
        Database version: 1945
        Windows 5.1.2600 Service Pack 2

        5/11/2009 11:35:21 PM
        mbam-log-2009-05-11 (23-35-21).txt

        Scan type: Quick Scan
        Objects scanned: 91393
        Time elapsed: 7 minute(s), 28 second(s)

        Memory Processes Infected: 0
        Memory Modules Infected: 0
        Registry Keys Infected: 5
        Registry Values Infected: 1
        Registry Data Items Infected: 6
        Folders Infected: 0
        Files Infected: 6

        Memory Processes Infected:
        (No malicious items detected)

        Memory Modules Infected:
        (No malicious items detected)

        Registry Keys Infected:
        HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
        HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
        HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
        HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
        HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

        Registry Values Infected:
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Downloader) -> Quarantined and deleted successfully.

        Registry Data Items Infected:
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

        Folders Infected:
        (No malicious items detected)

        Files Infected:
        C:\WINDOWS\t55ft2692f44.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.
        C:\WINDOWS\st_1241740591.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
        C:\WINDOWS\st_1241734629.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
        C:\WINDOWS\SYSTEM32\p2hhr.bat (Malware.Trace) -> Quarantined and deleted successfully.
        C:\Documents and Settings\default\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
        C:\Documents and Settings\Guest\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.



        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 12:40:53 AM, on 5/12/2009
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\Nhksrv.exe
        C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\nvsvc32.exe
        C:\WINDOWS\System32\svchost.exe
        C:\PROGRA~1\AVG\AVG8\avgemc.exe
        C:\PROGRA~1\AVG\AVG8\avgrsx.exe
        C:\PROGRA~1\AVG\AVG8\avgnsx.exe
        C:\Program Files\AVG\AVG8\avgcsrvx.exe
        C:\WINDOWS\Explorer.EXE
        C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
        C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        C:\WINDOWS\DELLMMKB.EXE
        C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
        C:\Program Files\Netropa\OSD.exe
        C:\Program Files\iTunes\iTunesHelper.exe
        C:\PROGRA~1\AVG\AVG8\avgtray.exe
        C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
        C:\Program Files\iPod\bin\iPodService.exe
        C:\Program Files\Trend Micro\HijackThis\sniper.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
        R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
        R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://cf.icq.com/cf/2000/lost_password.html
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
        R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
        O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
        O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
        O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
        O2 - BHO: C:\WINDOWS\system32\afnoinkdsfe.dll - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll (file missing)
        O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
        O2 - BHO: 796525 helper - {E7F15AC4-E0A9-43F0-921B-70DFEA621220} - C:\WINDOWS\system32\796525\796525.dll (file missing)
        O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
        O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
        O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
        O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
        O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
        O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
        O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
        O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
        O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
        O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe"  /autorun
        O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
        O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
        O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
        O4 - HKUS\S-1-5-20\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'NETWORK SERVICE')
        O4 - HKUS\S-1-5-18\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'SYSTEM')
        O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
        O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
        O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
        O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
        O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
        O16 - DPF: Win32 Classes -
        O16 - DPF: {17163BB4-107E-11D4-9B76-006097DF2317} (EABootStrap Class) - http://aol.ea.com/downloads/games/common/boot_strap/iegils.cab
        O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
        O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164998083052
        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164998017898
        O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
        O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
        O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
        O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
        O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
        O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
        O22 - SharedTaskScheduler: jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\yhs783ijfo3fe.dll (file missing)
        O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll (file missing)
        O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
        O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
        O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
        O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
        O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
        O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
        O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

        --
        End of file - 9067 bytes


        [attachment deleted by admin]
        « Last Edit: May 12, 2009, 02:12:38 PM by notevenclose »
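The HijackThis log in the post above carries the indicators worth noticing: an R1 ProxyServer entry pointing Internet Explorer at http=localhost:7171, two O2 BHOs and two O22 SharedTaskScheduler entries whose DLLs are already gone ("file missing"), and the O20 Winlogon Notify hooks. If that proxy is enabled and nothing is listening on port 7171 any more, page loads in the browser fail while programs that do not use the WinINet proxy settings still reach the network. The Python script below is an added example, not part of the thread and not HijackThis code: it parses the R/O item lines of a HijackThis log and flags those three patterns. The sample log is constructed from lines on this page plus one made-up O20 line (the path example_notify.dll is hypothetical), and the list of expected Winlogon Notify vendors is an assumption for this particular machine.

```python
"""Flag hijack indicators in a HijackThis log (added example; not HijackThis code)."""
import re
from collections import Counter

# Constructed sample: the relevant R1/O2/O20/O22 lines from the thread's log,
# plus one made-up O20 line (hypothetical path) so the Winlogon Notify rule fires.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: C:\WINDOWS\system32\afnoinkdsfe.dll - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll (file missing)
O2 - BHO: 796525 helper - {E7F15AC4-E0A9-43F0-921B-70DFEA621220} - C:\WINDOWS\system32\796525\796525.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: __C007D810 - C:\WINDOWS\system32\example_notify.dll
O22 - SharedTaskScheduler: jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\yhs783ijfo3fe.dll (file missing)
O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll (file missing)
"""

# HijackThis item lines start with a section tag (R0, R1, O2, O20, ...) and " - ".
ITEM_RE = re.compile(r"^([RO]\d+) - (.*)$")

# Winlogon Notify DLLs expected on this machine. Assumption: the two security
# products visible in the log; anything else is flagged for manual review.
KNOWN_NOTIFY = ("\\superantispyware\\", "avgrsstx.dll")


def parse_items(log):
    """Return (section, body) pairs for item lines; headers and the process list are skipped."""
    items = []
    for raw in log.splitlines():
        m = ITEM_RE.match(raw.strip())
        if m:
            items.append((m.group(1), m.group(2)))
    return items


def analyse(log):
    """Apply three rules and return a list of (rule, section, detail) findings."""
    findings = []
    for sec, body in parse_items(log):
        if sec in ("R0", "R1") and ",ProxyServer = " in body:
            # Value looks like "http=localhost:7171". A proxy on the loopback
            # interface means something local is (or was) sitting between the
            # browser and the network.
            value = body.split(" = ", 1)[1].strip()
            if re.search(r"(localhost|127\.0\.0\.1)", value, re.IGNORECASE):
                findings.append(("proxy_localhost", sec, value))
        elif sec in ("O2", "O22") and body.endswith("(file missing)"):
            # The COM registration survived while its DLL is gone: leftovers of
            # a partial cleanup. The registry entries still need removing.
            findings.append(("orphaned_com_entry", sec, body))
        elif sec == "O20":
            # Winlogon Notify DLLs load into winlogon.exe at logon; only the
            # vendors we expect on this machine get a pass.
            path = body.rsplit(" - ", 1)[-1].lower()
            if not any(k in path for k in KNOWN_NOTIFY):
                findings.append(("unknown_winlogon_notify", sec, body))
    return findings


def rule_counts(log):
    """Summarise findings as {rule: count}."""
    return Counter(rule for rule, _, _ in analyse(log))


if __name__ == "__main__":
    for rule, sec, detail in analyse(SAMPLE_LOG):
        print(f"{rule:24} {sec:4} {detail}")
```

On the constructed sample this reports one loopback proxy, four orphaned COM entries (the two BHOs and both SharedTaskScheduler items) and the one Winlogon Notify DLL outside the expected vendors; the O9 "Dell Home" entry with a missing file is deliberately not in scope, since O9 buttons are not loaded into the browser process.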

        evilfantasy

        Re: malware removal guide
        « Reply #5 on: May 12, 2009, 07:08:07 PM »
        Can you connect to the internet now, if not what happens when you try?

        Have you tried resetting the router?

        notevenclose


          Re: malware removal guide
          « Reply #6 on: May 13, 2009, 09:45:31 AM »
           I booted up in safe mode and opened the Netgear wizard. It said my card was not connected (this is new; before, it said I had a great connection). However, the lights on my card were blinking as they should be.

           I removed the card and reinserted it... same thing, card not connected but lights blinking...
          I went to Device Manager, checked the card and ports, and it said all were working properly....

          I connected an ethernet cable and was able to connect to the internet :) although my home page was changed to Microsoft and when I did a search all it displayed were MS sites, even when I put an address in the address bar.

          I restarted in normal mode and got the error message "your PC has recovered from a serious error".

          I reported it to MS and it started to take me to the error page but I got "This page could not be displayed".

          Restarted in safe mode, was able to connect.... changed my home page to Yahoo
          and was able to search.
           That's where I left it.... I thought about trying to do a system restore but decided to wait for an expert.
          Thank you

          evilfantasy

          Re: malware removal guide
          « Reply #7 on: May 13, 2009, 10:14:50 AM »
          Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

          Link #1
          Link #2

          **Note:  It is important that it is saved directly to your Desktop

          Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

          Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
           
          Double click combofix.exe & follow the prompts.
          Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
          When finished ComboFix will produce a log for you.
          Post the ComboFix log in your next reply.

          Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

          Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

          If you have problems with ComboFix usage, see How to use ComboFix

          notevenclose


            Re: malware removal guide
            « Reply #8 on: May 13, 2009, 12:05:34 PM »
            Can I do this in safe mode, or should I do the whole zip drive thing?

            Thank you for being patient

            evilfantasy

            Re: malware removal guide
            « Reply #9 on: May 13, 2009, 12:10:39 PM »
            Do it in Normal Mode if possible. If not then it will run in Safe Mode also.

            notevenclose


              Re: malware removal guide
              « Reply #10 on: May 15, 2009, 10:24:29 AM »
              Hi, I'm posting this from the infected laptop using wireless :) but it took a while. First, when I went to turn off my firewall to install ComboFix I discovered it was already off. Could a virus do that? I don't remember turning it off... but some days I'm so busy I don't know if I'm coming or going. Any road, I went through the whole removal guide again... and lo and behold.... spyware, malware, trojans... (I'll attach logs to this post). When I went to install ComboFix from the zip drive it told me to uninstall and try again. I downloaded in safe mode and saved to desktop... I restarted in normal and the icon was not on my desktop, so back to safe and ran it there. When it said to restart I got nervous, but it restarted in normal and continued its fix. Below is the log.

              OK, I can't find the SUPERAntiSpyware log... I know I ran it. It must be in safe mode... I must have been tired cuz I don't remember running it in safe mode. There's an Administrator user in safe mode that doesn't load in normal (I opened that instead of mine so I wouldn't have to enter my password; I have ADD and do stupid things like that sometimes... impatient and impulsive). That's where the ComboFix icon is.... If you need to see it I'll get it for you. Right now I have to get back to Mom...

              Thank you so much


              ComboFix 09-05-14.03 - default 05/15/2009  1:37.1 - FAT32x86
              Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.511.278 [GMT -4:00]
              Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
              AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
              .

              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              c:\documents and settings\Administrator\Local Settings\Temp\Perflib_Perfdata__755.dat
              c:\windows\start.exe
              c:\windows\system32\drivers\ovfsthxlklrxuje.sys
              c:\windows\system32\ovfsthxboxttdrg.dll
              c:\windows\system32\ovfsthxdfjwsnsr.dat
              c:\windows\system32\ovfsthxnkirtbwu.dat
              c:\windows\system32\ovfsthxsviletqf.dll
              c:\windows\system32\ovfsthxyxuwkrwr.dll
              c:\windows\system32\uniq.tll
              c:\windows\system32\windows.scr
              c:\windows\Web\default.htt
              C:\xcrashdump.dat

              .
              (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              -------\Service_ovfsthxibwafpby


              (((((((((((((((((((((((((   Files Created from 2009-04-15 to 2009-05-15  )))))))))))))))))))))))))))))))
              .

              2009-05-15 05:34 . 2009-05-15 05:34   --------   d-sh--w   C:\FOUND.001
              2009-05-14 21:10 . 2009-05-14 21:10   --------   d-----w   c:\documents and settings\Administrator\Application Data\Malwarebytes
              2009-05-14 21:08 . 2009-05-14 21:08   --------   d-----w   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
              2009-05-14 02:18 . 2009-05-14 02:18   74352   ----a-w   c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
              2009-05-12 03:59 . 2009-05-12 03:59   --------   d-----w   c:\program files\Trend Micro
              2009-05-12 03:19 . 2009-05-12 03:19   --------   d-----w   c:\documents and settings\default\Application Data\Malwarebytes
              2009-05-12 03:19 . 2009-05-12 03:19   --------   d-----w   c:\documents and settings\default\Application Data\Malwarebytes
              2009-05-12 03:19 . 2009-04-06 19:32   15504   ----a-w   c:\windows\system32\drivers\mbam.sys
              2009-05-12 03:19 . 2009-04-06 19:32   38496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
              2009-05-12 03:19 . 2009-05-12 03:19   --------   d-----w   c:\documents and settings\All Users\Application Data\Malwarebytes
              2009-05-12 03:19 . 2009-05-12 03:19   --------   d-----w   c:\program files\Malwarebytes' Anti-Malware
              2009-05-12 01:22 . 2009-05-12 01:22   --------   d-----w   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
              2009-05-12 01:22 . 2009-05-12 01:22   --------   d-----w   c:\program files\SUPERAntiSpyware
              2009-05-12 01:22 . 2009-05-12 01:22   --------   d-----w   c:\documents and settings\default\Application Data\SUPERAntiSpyware.com
              2009-05-12 01:22 . 2009-05-12 01:22   --------   d-----w   c:\documents and settings\default\Application Data\SUPERAntiSpyware.com
              2009-05-11 18:24 . 2009-05-11 18:24   --------   d-----w   c:\program files\CCleaner
              2009-05-09 20:46 . 2009-05-09 20:46   --------   d-----w   c:\documents and settings\default\Apps
              2009-05-09 19:35 . 2009-05-09 19:35   --------   d-----w   c:\documents and settings\All Users\Application Data\WEBREG
              2009-05-09 18:51 . 2009-05-09 18:51   --------   d-----w   c:\documents and settings\default\Application Data\HP
              2009-05-09 18:51 . 2009-05-09 18:51   --------   d-----w   c:\documents and settings\default\Application Data\HP
              2009-05-09 18:49 . 2008-01-24 21:29   16496   ----a-r   c:\windows\system32\drivers\HPZipr12.sys
              2009-05-09 18:49 . 2008-01-24 21:29   49920   ----a-r   c:\windows\system32\drivers\HPZid412.sys
              2009-05-09 18:49 . 2009-05-09 18:49   --------   d-----w   c:\documents and settings\All Users\Application Data\Hewlett-Packard
              2009-05-09 18:49 . 2008-01-24 21:31   271704   ----a-r   c:\windows\system32\hpzids01.dll
              2009-05-09 18:49 . 2007-10-20 22:25   118272   ----a-w   c:\windows\system32\hpz3l5mu.dll
              2009-05-09 18:48 . 2008-01-24 21:30   309760   ----a-r   c:\windows\system32\difxapi.dll
              2009-05-09 18:48 . 2008-01-24 21:30   372736   ----a-r   c:\windows\system32\hppldcoi.dll
              2009-05-09 18:48 . 2008-01-24 21:30   21568   ----a-r   c:\windows\system32\drivers\HPZius12.sys
              2009-05-09 18:41 . 2009-05-09 18:41   --------   d-----w   c:\documents and settings\All Users\Application Data\HP
              2009-05-09 18:39 . 2009-05-09 18:39   --------   d-----w   c:\windows\system32\DRVSTORE
              2009-05-09 18:38 . 2009-05-09 18:38   --------   d-----w   c:\program files\HP
              2009-05-09 18:38 . 2004-08-04 05:01   25856   ----a-w   c:\windows\system32\dllcache\usbprint.sys
              2009-05-09 18:38 . 2004-08-04 05:01   25856   ----a-w   c:\windows\system32\drivers\usbprint.sys
              2009-05-09 18:38 . 2004-08-04 05:08   31616   ----a-w   c:\windows\system32\dllcache\usbccgp.sys
              2009-05-09 18:38 . 2004-08-04 05:08   31616   ----a-w   c:\windows\system32\drivers\usbccgp.sys
              2009-05-09 01:29 . 2009-05-09 01:29   --------   d-----w   c:\program files\Common Files\AOLSHARE
              2009-05-07 15:07 . 2009-03-06 14:44   283648   ------w   c:\windows\system32\dllcache\pdh.dll
              2009-05-07 15:07 . 2005-07-26 04:39   60416   ------w   c:\windows\system32\dllcache\colbact.dll
              2009-05-07 15:07 . 2009-02-09 10:20   399360   ------w   c:\windows\system32\dllcache\rpcss.dll
              2009-05-07 15:07 . 2009-02-06 17:14   110592   ------w   c:\windows\system32\dllcache\services.exe
              2009-05-07 15:07 . 2009-02-09 10:20   473088   ------w   c:\windows\system32\dllcache\fastprox.dll
              2009-05-07 15:07 . 2009-02-06 16:39   227840   ------w   c:\windows\system32\dllcache\wmiprvse.exe
              2009-05-07 15:07 . 2009-02-09 10:20   453120   ------w   c:\windows\system32\dllcache\wmiprvsd.dll
              2009-05-07 15:07 . 2009-02-09 10:20   616960   ------w   c:\windows\system32\dllcache\advapi32.dll
              2009-05-07 15:07 . 2009-02-09 10:20   714752   ------w   c:\windows\system32\dllcache\ntdll.dll
              2009-05-07 15:05 . 2008-04-21 10:02   215552   ------w   c:\windows\system32\dllcache\wordpad.exe
              2009-05-07 00:44 . 2009-05-07 00:44   --------   d-----w   c:\program files\RegistryRepair
              2009-05-04 14:28 . 2009-05-04 14:28   --------   d-----w   c:\program files\TeaTimer (Spybot - Search & Destroy)
              2009-05-04 14:28 . 2009-05-04 14:28   --------   d-----w   c:\program files\Misc. Support Library (Spybot - Search & Destroy)
              2009-05-04 14:28 . 2009-05-04 14:28   --------   d-----w   c:\program files\SDHelper (Spybot - Search & Destroy)
              2009-05-04 14:28 . 2009-05-04 14:28   --------   d-----w   c:\program files\File Scanner Library (Spybot - Search & Destroy)
              2009-05-04 14:21 . 2009-05-04 14:21   --------   d-----w   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
              2009-05-04 14:21 . 2009-05-04 14:21   --------   d-----w   c:\program files\Spybot - Search & Destroy
              2009-04-16 10:45 . 2001-10-11 15:26   65536   ----a-w   c:\windows\system32\YCRWin32.dll
              2009-04-16 10:45 . 2002-01-05 11:37   344064   ----a-w   c:\windows\system32\msvcr70.dll
              2009-04-16 10:45 . 2002-01-05 10:18   84992   ----a-w   c:\windows\system32\ATL70.DLL

              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2009-05-15 04:29 . 2006-12-01 14:49   90112   ----a-w   c:\windows\DUMP88cc.tmp
              2009-04-22 04:12 . 2006-12-02 17:58   17015   ----a-w   c:\windows\system32\nvModes.dat
              2009-04-14 13:16 . 2006-12-03 15:33   74352   ----a-w   c:\documents and settings\default\Application Data\GDIPFONTCACHEV1.DAT
              2009-04-14 13:16 . 2006-12-03 15:33   74352   ----a-w   c:\documents and settings\default\Application Data\GDIPFONTCACHEV1.DAT
              2009-03-23 21:48 . 2009-03-23 21:48   --------   d-----w   c:\program files\Common Files\Wise Installation Wizard
              2009-03-06 14:44 . 2006-12-02 19:01   283648   ----a-w   c:\windows\system32\pdh.dll
              2009-02-20 08:14 . 2006-06-23 15:33   668160   ----a-w   c:\windows\system32\wininet.dll
              2009-02-20 08:14 . 2004-08-04 06:56   81920   ------w   c:\windows\system32\ieencode.dll
              2000-10-13 20:56 . 2000-10-13 20:56   271   --sh--w   c:\program files\desktop.ini
              2000-10-13 20:56 . 2000-10-13 20:56   23357   ---h--w   c:\program files\folder.htt
              .

              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4

              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2000-07-19 176183]

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2001-10-08 110592]
              "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2001-10-08 401408]
              "DellTouch"="c:\windows\DELLMMKB.EXE" [2001-09-23 163840]
              "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-06-24 4800512]
              "AS00_Gear511"="c:\program files\NETGEAR\WG511SCU\Utility\Gear511.exe" [2006-01-20 1122412]
              "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
              "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
              "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-03 1601304]
              "Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-05-07 68592]
              "nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2003-06-24 323584]

              [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
              "MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2000-07-19 176183]

              c:\documents and settings\All Users\Start Menu\Programs\Startup\
              Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
              Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

              [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
              "NoSetActiveDesktop"= 1 (0x1)
              "NoActiveDesktopChanges"= 1 (0x1)

              [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
              "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
              2008-12-22 16:05   356352   ----a-w   c:\program files\SUPERAntiSpyware\SASWINLO.dll

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
              2009-02-03 01:32   10520   ----a-w   c:\windows\SYSTEM32\avgrsstx.dll

              HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
              "wave1"= serwvdrv.dll

              [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
              "MSMSGS"="c:\program files\MESSENGER\MSMSGS.EXE" /background
              "Mirabilis ICQ"=c:\program files\ICQ\NDetect.exe
              "Weather"=c:\program files\AWS\WEATHERBUG\WEATHER.EXE 1
              "Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe
              "Yahoo! Pager"=c:\program files\Yahoo!\Messenger\ypager.exe -quiet

              [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
              "MMTray"=c:\program files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
              "LapLink Scheduler"="c:\program files\Common Files\LapLink\Scheduler\LLSCHED.EXE"
              "SynTPLpr"=c:\program files\Synaptics\SynTP\SynTPLpr.exe
              "SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
              "WorksFUD"=c:\program files\Microsoft Works\wkfud.exe
              "Microsoft Works Portfolio"=c:\program files\Microsoft Works\WksSb.exe /AllUsers
              "Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe
              "seticlient"=c:\program files\SETI@home\[email protected] -min
              "TkBellExe"=c:\program files\Common Files\Real\Update_OB\realsched.exe -osboot
              "QuickTime Task"="c:\windows\SYSTEM32\qttask.exe" -atboottime
              "AOLDialer"=c:\program files\Common Files\AOL\ACS\AOLDial.exe
              "DadApp"=c:\program files\DELL\AccessDirect\dadapp.exe
              "BayMgr"=DockApp.exe
              "AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
              "HostManager"=c:\program files\Common Files\AOL\1106251464\EE\AOLHostManager.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
              "LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
              "Promon.exe"=Promon.exe
              "CPortPatch"=c:\windows\Quick Install\CPPatch.exe
              "PRPCMonitor"=PRPCUI.exe
              "LoadQM"=loadqm.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
              "SchedulingAgent"=mstask.exe
              "AolAcsDaemon1"="c:\program files\COMMON FILES\AOL\ACS\AOLACSD.EXE"
              "AOL TopSpeedMonitor"=c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
              "NVSvc"=c:\windows\SYSTEM32\NVSVC.EXE -runservice
              "KB891711"=c:\windows\SYSTEM\KB891711\KB891711.EXE
              "MSNIA"=c:\progra~1\MSN\MSNIA\MSNIASVC.EXE

              [HKEY_LOCAL_MACHINE\software\microsoft\security center]
              "FirewallOverride"=dword:00000001

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
              "EnableFirewall"= 0 (0x0)

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "%windir%\\system32\\sessmgr.exe"=
              "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
              "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
              "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
              "c:\\Program Files\\iTunes\\iTunes.exe"=

              R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/15/2008 11:17 AM 325128]
              R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/15/2008 11:17 AM 107272]
              R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
              R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
              R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/19/2009 1:43 PM 903960]
              R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/19/2009 1:43 PM 298264]
              R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [12/1/2006 12:30 PM 28672]
              R3 maestro;ESS Maestro Audio Driver (WDM);c:\windows\SYSTEM32\DRIVERS\es198xdl.sys [6/20/2002 5:53 PM 414400]
              R3 Msikbd2k;DellTouch;c:\windows\SYSTEM32\DRIVERS\Msikbd2k.sys [12/1/2006 12:30 PM 6942]
              S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\SYSTEM32\AWINDIS5.SYS [12/3/2006 1:40 PM 16194]
              S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;c:\windows\SYSTEM32\DRIVERS\wg511nd5.sys [12/3/2006 1:39 PM 449888]
              S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
              HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12

              [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\^RNA]
              rundll rnasetup.dll,installoptionalcomponent rna

              [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
              "c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

              [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
              "c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
              "c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

              [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
              "c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

              [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
              "c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
              "c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

              [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
              c:\windows\SYSTEM32\updcrl.exe -e -u c:\windows\SYSTEM\verisignpub1.crl
              .
              Contents of the 'Scheduled Tasks' folder
              .
              - - - - ORPHANS REMOVED - - - -

              BHO-{5DC51E2A-2041-4745-97BA-1CA8C794A07F} - c:\program files\Internet Explorer\LiveInfoPro\toolbar_v0.9.5_w-jsinside-affid-1002.dll
              Toolbar-{3E9D340B-D614-4854-AE06-4218201F6AAE} - c:\program files\Internet Explorer\LiveInfoPro\toolbar_v0.9.5_w-jsinside-affid-1002.dll
              HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
              HKLM-Run-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
              HKU-Default-Run-InetChk - c:\windows\TEMP\ms1242158271.exe


              .
              ------- Supplementary Scan -------
              .
              uStart Page = hxxp://yahoo.com/
              mLocal Page = c:\windows\SYSTEM\blank.htm
              mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
              uInternet Connection Wizard,ShellNext = hxxp://cf.icq.com/cf/2000/lost_password.html
              uInternet Settings,ProxyServer = http=localhost:7171
              uInternet Settings,ProxyOverride = *.local;<local>
              uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
              Trusted Zone: aol.com\free
              Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
              DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
              DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
              DPF: Win32 Classes
              DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - hxxp://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
              .

              **************************************************************************

              catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2009-05-15 01:41
              Windows 5.1.2600 Service Pack 2 FAT NTAPI

              scanning hidden processes ... 

              scanning hidden autostart entries ...

              scanning hidden files ... 

              scan completed successfully
              hidden files: 0

              **************************************************************************
              .
              --------------------- DLLs Loaded Under Running Processes ---------------------

              - - - - - - - > 'winlogon.exe'(684)
              c:\program files\SUPERAntiSpyware\SASWINLO.dll
              .
              Completion time: 2009-05-15  1:43
              ComboFix-quarantined-files.txt  2009-05-15 05:43

              Pre-Run: 8,631,222,272 bytes free
              Post-Run: 9,237,594,112 bytes free

              WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
              [boot loader]
              timeout = 30
              default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
              [operating systems]
              c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
              multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

              254   --- E O F ---   2009-05-08 16:44


              [attachment deleted by admin]
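The supplementary scan in the ComboFix log above (and the same lines in the DDS "Pseudo HJT Report" later in the thread) records the kind of setting that a removal helper checks first when the reporter's symptom is "AVG can update but no web page loads": a per-user Internet Explorer proxy pointing at localhost:7171, the XP firewall disabled for the standard profile, an orphaned autostart entry under c:\windows\TEMP, and BHO/toolbar registrations whose DLL is gone. The script below is an added example for this thread; it is not part of ComboFix, DDS, HijackThis or the forum's procedure. The sample log lines are constructed in the shapes those tools print, the severity labels and finding texts are my own, and the `reg`/`netsh` remediation strings are returned as text for review rather than executed.

```python
"""Triage helper for ComboFix / DDS / HijackThis style log lines.

Added example; not part of any of those tools.  It flags the settings a
malware-removal helper looks at first in a log like the one above and
returns plain command strings that would undo them (never run here).
"""
import re

# Constructed sample in the formats ComboFix, DDS and HijackThis print.
# The values mirror the thread's log, but the set of lines is hand-picked.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
HKU-Default-Run-InetChk - c:\windows\TEMP\ms1242158271.exe
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
O2 - BHO: TBSB00583 - {5DC51E2A-2041-4745-97BA-1CA8C794A07F} - C:\Program Files\Internet Explorer\LiveInfoPro\toolbar_v0.9.5_w-jsinside-affid-1002.dll (file missing)
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
"""

PROXY_RE = re.compile(r"Internet Settings,ProxyServer\s*=\s*(.+)$")
FIREWALL_OFF_RE = re.compile(r'"EnableFirewall"\s*=\s*0\b')
FW_OVERRIDE_RE = re.compile(r'"FirewallOverride"\s*=\s*dword:0*1$')
TEMP_PATH_RE = re.compile(r"\\temp\\", re.IGNORECASE)
MISSING_RE = re.compile(r"\(file missing\)|- No File$", re.IGNORECASE)
LOOPBACK_PREFIXES = ("localhost", "127.", "[::1]")


def proxy_hosts(value):
    """Split an IE ProxyServer value into (scheme, host, port) tuples.

    IE stores either a bare 'host:port' (applies to every protocol) or a
    ';'-separated list such as 'http=localhost:7171;https=proxy:8080'.
    """
    hosts = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, _, hostport = entry.rpartition("=")   # scheme is '' if absent
        host, _, port = hostport.partition(":")
        hosts.append((scheme or "*", host, port))
    return hosts


def triage(log_text):
    """Return findings as (severity, line, reason) tuples, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        proxy = PROXY_RE.search(line)
        if proxy:
            for scheme, host, port in proxy_hosts(proxy.group(1)):
                if host.lower().startswith(LOOPBACK_PREFIXES):
                    findings.append(("high", line,
                        f"IE {scheme} proxy points at local port {port}; once the "
                        "process that listened there is gone, IE fails on every "
                        "page while software that ignores IE's proxy setting "
                        "still reaches the network"))
        elif FIREWALL_OFF_RE.search(line):
            findings.append(("medium", line, "Windows Firewall disabled for the standard profile"))
        elif FW_OVERRIDE_RE.search(line):
            findings.append(("low", line, "Security Center told not to warn about the firewall"))
        elif TEMP_PATH_RE.search(line):
            findings.append(("high", line, "autostart entry runs a binary from a Temp folder"))
        elif MISSING_RE.search(line):
            findings.append(("low", line, "BHO/toolbar registration whose DLL is gone (orphan)"))
    return findings


def remediation_commands(findings):
    """XP-era 'reg' and 'netsh' commands that undo the flagged settings.

    Returned as strings for the helper to review; nothing here executes them.
    HKCU\\...\\Internet Settings is the per-user key that the 'uInternet
    Settings' lines in ComboFix/DDS output describe.
    """
    key = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    cmds = []
    for _severity, _line, reason in findings:
        if "proxy points at local port" in reason:
            cmds.append(f'reg delete "{key}" /v ProxyServer /f')
            cmds.append(f'reg add "{key}" /v ProxyEnable /t REG_DWORD /d 0 /f')
        elif "Firewall disabled" in reason:
            cmds.append("netsh firewall set opmode mode=ENABLE profile=STANDARD")
    return list(dict.fromkeys(cmds))   # de-duplicate, keep order


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for severity, line, reason in found:
        print(f"[{severity:6}] {reason}\n         {line}")
    print("\n".join(remediation_commands(found)))
```

The proxy check is the one worth keeping around: a loopback proxy in the per-user key is a common leftover of browser-hijacking malware, and it survives the removal of the process that used it, which is exactly the situation where the AV updater works and the browser does not.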

evilfantasy (Malware Removal Specialist, Moderator)
Re: malware removal guide
« Reply #11 on: May 15, 2009, 11:30:20 AM »


              Open HijackThis and select Do a system scan only

              Vista users right click on HijackThis and select Run as Administrator. (you will receive a UAC prompt, please allow it)

              Place a check mark next to the following entries: (if there)

              • O2 - BHO: TBSB00583 - {5DC51E2A-2041-4745-97BA-1CA8C794A07F} - C:\Program Files\Internet Explorer\LiveInfoPro\toolbar_v0.9.5_w-jsinside-affid-1002.dll (file missing)
              • O3 - Toolbar: LiveInfoPro - {3E9D340B-D614-4854-AE06-4218201F6AAE} - C:\Program Files\Internet Explorer\LiveInfoPro\toolbar_v0.9.5_w-jsinside-affid-1002.dll (file missing)
              • O16 - DPF: Win32 Classes -
              .
              Important: Close all open windows except for HijackThis and then click Fix checked.

              Once completed, exit HijackThis.

              ----------

              Download the OTMoveIt3 by OldTimer

              Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

              * Save it to your Desktop.
              * Double-click OTMoveIt3.exe to run it.
              * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code:
              :Processes
              explorer.exe

              :services

              :reg

              :files
              C:\FOUND.001

              :Commands
              [purity]
              [emptytemp]
              [start explorer]

              * Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
              * Click the red Moveit! button.
              * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
              Close OTMoveIt3

              Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.

              ----------

              • Click START then RUN
              • Now type Combofix /u in the runbox
              • Make sure there's a space between Combofix and /u
              • Then hit Enter.
              .
              .
              The above procedure will:
              • Delete: ComboFix and its associated files and folders.
              • Reset the clock settings.
              • Hide file extensions, if required.
              • Hide System/Hidden files, if required.
              • Set a new, clean Restore Point.
              .
              ----------

              1. Double click OTMoveIt3.exe to launch it.
              Vista users right click and choose Run As Administrator
              2. Click on the CleanUp! button.
3. OTMoveIt3 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
              4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
              5. Once complete exit out of OTMoveIt3

              ----------

              Use the ESET Online Antivirus Scanner

              This scanner requires Internet Explorer

              1. Check the box next to YES, I accept the Terms of Use.
              2. Click Start
              3. When asked, allow the activex control to install
              4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications are check marked.
              6. Click Scan
              7. Wait for the scan to finish
              8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
              9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

notevenclose (Topic Starter)
Re: malware removal guide
« Reply #12 on: May 16, 2009, 04:39:41 PM »


Here are my latest logs.
                ========== PROCESSES ==========
                Process explorer.exe killed successfully.
                ========== SERVICES/DRIVERS ==========
                ========== REGISTRY ==========
                ========== FILES ==========
                C:\FOUND.001 moved successfully.
                ========== COMMANDS ==========
                User's Temp folder emptied.
                User's Internet Explorer cache folder emptied.
                File delete failed. C:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
                User's Temporary Internet Files folder emptied.
                Local Service Temp folder emptied.
                File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
                Local Service Temporary Internet Files folder emptied.
                Network Service Temp folder emptied.
                Network Service Temporary Internet Files folder emptied.
                File delete failed. C:\WINDOWS\temp\dfbd20b3-b0c5-4470-b454-1feee20ee01a.tmp scheduled to be deleted on reboot.
                Windows Temp folder emptied.
                Temp folders emptied.
                Explorer started successfully
                 
                OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05162009_133548

                Files moved on Reboot...
                File C:\WINDOWS\temp\dfbd20b3-b0c5-4470-b454-1feee20ee01a.tmp not found!




                # version=4
                # OnlineScanner.ocx=1.0.0.635
                # OnlineScannerDLLA.dll=1, 0, 0, 79
                # OnlineScannerDLLW.dll=1, 0, 0, 78
                # OnlineScannerUninstaller.exe=1, 0, 0, 49
                # vers_standard_module=4080 (20090515)
                # vers_arch_module=1.064 (20080214)
                # vers_adv_heur_module=1.066 (20070917)
                # EOSSerial=83bff9a9d9d396428ed4da6cef4c835f
                # end=finished
                # remove_checked=true
                # unwanted_checked=true
                # utc_time=2009-05-16 07:05:20
                # local_time=2009-05-16 03:05:20 (-0500, Eastern Daylight Time)
                # country="United States"
                # osver=5.1.2600 NT Service Pack 2
                # scanned=176763
                # found=0
                # scan_time=3664



evilfantasy (Malware Removal Specialist, Moderator)
Re: malware removal guide
« Reply #13 on: May 16, 2009, 04:43:20 PM »
                Looks good.

                How is the computer running now?

notevenclose (Topic Starter)
Re: malware removal guide
« Reply #14 on: May 16, 2009, 08:32:58 PM »
Seems good, fast... I can't thank you enough!

evilfantasy (Malware Removal Specialist, Moderator)
Re: malware removal guide
« Reply #15 on: May 16, 2009, 08:36:56 PM »
                  Cool >:D

                  Final suggestions...

                  Use the Secunia Software Inspector to check for out of date software.
                  • Click Start Now
                  • Check the box next to Enable thorough system inspection.
                  • Click Start
                  • Allow the scan to finish and scroll down to see if any updates are needed.
                  • Update anything listed.
                  .
                  ----------

                  Go to Microsoft Windows Update and get all critical updates.

                  ----------

                  I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                  SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                  * Using SpywareBlaster to protect your computer from Spyware and Malware
                  * If you don't know what ActiveX controls are, see here

                  Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                  Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

notevenclose (Topic Starter)
Re: malware removal guide
« Reply #16 on: May 17, 2009, 08:43:23 PM »
Hi, I found a problem... after I told you it was running fine, my daughter tried to play a video on YouTube and got a message to load Adobe ActiveX or Java. I downloaded ActiveX 10... but no videos will play from any site, even her school... they all say I need ActiveX or Java... any suggestions?


evilfantasy (Malware Removal Specialist, Moderator)
Re: malware removal guide
« Reply #17 on: May 17, 2009, 09:12:42 PM »
                    Download DDS by sUBs and save it to your desktop. Alternate DDS download link

                    Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users: double-click on dds to run it.
* If your antivirus or firewall tries to block DDS, please allow it to run.
                    * When finished DDS will open two (2) logs.

                    1) DDS.txt
                    2) Attach.txt

                    * Save both logs to your desktop.
                    * Please copy and paste the entire contents of both logs in your next reply.

                    Note: DDS will instruct you to post the Attach.txt log as an attachment.
                    Please just post it as you would any other log by copy and pasting it into the reply.

notevenclose (Topic Starter)
Re: malware removal guide
« Reply #18 on: May 18, 2009, 07:23:42 AM »
Here are the logs, thank you.
                      DDS (Ver_09-05-14.01) - FAT32x86 
                      Run by default at  8:37:39.28 on Mon 05/18/2009
                      Internet Explorer: 6.0.2900.2180
                      Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.511.239 [GMT -4:00]

                      AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)   {17DDD097-36FF-435F-9E1B-52D74245D6BF}

                      ============== Running Processes ===============

                      C:\WINDOWS\system32\svchost -k DcomLaunch
                      SVCHOST.EXE
                      C:\WINDOWS\System32\svchost.exe -k netsvcs
                      SVCHOST.EXE
                      SVCHOST.EXE
                      C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
                      C:\WINDOWS\system32\spoolsv.exe
                      SVCHOST.EXE
                      C:\WINDOWS\Nhksrv.exe
                      C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
                      C:\WINDOWS\System32\svchost.exe -k HPZ12
                      C:\WINDOWS\System32\nvsvc32.exe
                      C:\WINDOWS\System32\svchost.exe -k HPZ12
                      C:\PROGRA~1\AVG\AVG8\avgemc.exe
                      C:\PROGRA~1\AVG\AVG8\avgrsx.exe
                      C:\WINDOWS\Explorer.EXE
                      C:\Program Files\AVG\AVG8\avgcsrvx.exe
                      C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
                      C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
                      C:\WINDOWS\DELLMMKB.EXE
                      C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
                      C:\Program Files\Netropa\OSD.exe
                      C:\Program Files\iTunes\iTunesHelper.exe
                      C:\PROGRA~1\AVG\AVG8\avgtray.exe
                      C:\Program Files\iPod\bin\iPodService.exe
                      C:\WINDOWS\system32\wuauclt.exe
                      C:\WINDOWS\system32\wuauclt.exe
                      C:\PROGRA~1\AVG\AVG8\avgnsx.exe
                      C:\Documents and Settings\default\Desktop\dds.pif

                      ============== Pseudo HJT Report ===============

                      uStart Page = hxxp://yahoo.com/
                      mLocal Page = c:\windows\system\blank.htm
                      mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
                      uInternet Connection Wizard,ShellNext = hxxp://cf.icq.com/cf/2000/lost_password.html
                      uInternet Settings,ProxyServer = http=localhost:7171
                      uInternet Settings,ProxyOverride = *.local;<local>
                      uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
                      uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
                      mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
                      BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
                      BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
                      BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
                      BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
                      BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
                      BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
                      TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
                      TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
                      TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
                      TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
                      EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\YHEXBMES0411.DLL
                      EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\SHDOCVW.DLL
                      EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
                      uRun: [MoneyAgent] "c:\program files\microsoft money\system\Money Express.exe"
                      mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
                      mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
                      mRun: [DellTouch] c:\windows\DELLMMKB.EXE
                      mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
                      mRun: [nwiz] nwiz.exe /installquiet
                      mRun: [AS00_Gear511] c:\program files\netgear\wg511scu\utility\Gear511.exe -hide
                      mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
                      mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
                      mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
                      mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe"  /autorun
                      dRun: [MoneyAgent] "c:\program files\microsoft money\system\Money Express.exe"
                      StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
                      StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
                      dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
                      dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
                      IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
                      IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\YHEXBMES0411.DLL
                      IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\SHDOCVW.DLL
                      Trusted Zone: aol.com\free
                      DPF: DirectAnimation Java Classes - file://c:\windows\system\dajava.cab
                      DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
                      DPF: {17163BB4-107E-11D4-9B76-006097DF2317} - hxxp://aol.ea.com/downloads/games/common/boot_strap/iegils.cab
                      DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\Yinsthelper.dll
                      DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
                      DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aol.com/computercheckup/qdiagcc.cab
                      DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
                      DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} - hxxp://office.microsoft.com/productupdates/content/opuc.cab
                      DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164998083052
                      DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164998017898
                      DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
                      DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - hxxp://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
                      DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?1038151877710
                      DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
                      DPF: {CEBC955E-58AF-11D2-A30A-00A0C903492B} - hxxp://windowsupdate.microsoft.com/R1044/V31Controls/x86/mil/en/actsetup.cab
                      DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
                      Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
                      Handler: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5020} -
                      Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
                      Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
                      Notify: avgrsstarter - avgrsstx.dll
                      SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

                      ============= SERVICES / DRIVERS ===============

                      R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-15 325896]
                      R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-4-3 27784]
                      R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-15 108552]
                      R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
                      R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]
                      R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
                      R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-19 908568]
                      R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-19 298776]
                      R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2006-12-1 28672]
                      R3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2006-12-3 16194]
                      R3 maestro;ESS Maestro Audio Driver (WDM);c:\windows\system32\drivers\es198xdl.sys [2002-6-20 414400]
                      R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2006-12-1 6942]
                      R3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;c:\windows\system32\drivers\wg511nd5.sys [2006-12-3 449888]
                      S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]

                      =============== Created Last 30 ================

                      2009-05-16 22:55   410,984   a-------   c:\windows\system32\deploytk.dll
                      2009-05-16 14:00   <DIR>   --d-----   c:\program files\EsetOnlineScanner
                      2009-05-15 01:19   <DIR>   a-dshr--   C:\cmdcons
                      2009-05-11 23:59   <DIR>   --d-----   c:\program files\Trend Micro
                      2009-05-11 23:19   <DIR>   --d-----   c:\docume~1\default\applic~1\Malwarebytes
                      2009-05-11 23:19   15,504   a-------   c:\windows\system32\drivers\mbam.sys
                      2009-05-11 23:19   38,496   a-------   c:\windows\system32\drivers\mbamswissarmy.sys
                      2009-05-11 23:19   <DIR>   --d-----   c:\program files\Malwarebytes' Anti-Malware
                      2009-05-11 23:19   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\Malwarebytes
                      2009-05-11 21:22   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
                      2009-05-11 21:22   <DIR>   --d-----   c:\program files\SUPERAntiSpyware
                      2009-05-11 21:22   <DIR>   --d-----   c:\docume~1\default\applic~1\SUPERAntiSpyware.com
                      2009-05-11 14:24   <DIR>   --d-----   c:\program files\CCleaner
                      2009-05-09 16:46   <DIR>   --d-----   c:\documents and settings\default\Apps
                      2009-05-09 15:35   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\WEBREG
                      2009-05-09 14:49   16,496   a----r--   c:\windows\system32\drivers\HPZipr12.sys
                      2009-05-09 14:49   49,920   a----r--   c:\windows\system32\drivers\HPZid412.sys
                      2009-05-09 14:49   271,704   a----r--   c:\windows\system32\hpzids01.dll
                      2009-05-09 14:49   118,272   a-------   c:\windows\system32\hpz3l5mu.dll
                      2009-05-09 14:48   372,736   a----r--   c:\windows\system32\hppldcoi.dll
                      2009-05-09 14:48   309,760   a----r--   c:\windows\system32\difxapi.dll
                      2009-05-09 14:48   21,568   a----r--   c:\windows\system32\drivers\HPZius12.sys
                      2009-05-09 14:38   <DIR>   --d-----   c:\program files\HP
                      2009-05-09 14:38   25,856   a-------   c:\windows\system32\drivers\usbprint.sys
                      2009-05-09 14:38   25,856   a-------   c:\windows\system32\dllcache\usbprint.sys
                      2009-05-09 14:38   31,616   a-------   c:\windows\system32\drivers\usbccgp.sys
                      2009-05-09 14:38   31,616   a-------   c:\windows\system32\dllcache\usbccgp.sys
                      2009-05-08 21:29   <DIR>   --d-----   c:\program files\common files\AOLSHARE
                      2009-05-07 21:47   118   a-------   c:\windows\system32\MRT.INI
                      2009-05-07 19:35   <DIR>   --d-----   c:\windows\pss
                      2009-05-07 11:07   283,648   --------   c:\windows\system32\dllcache\pdh.dll
                      2009-05-07 11:07   60,416   --------   c:\windows\system32\dllcache\colbact.dll
                      2009-05-07 11:07   473,088   --------   c:\windows\system32\dllcache\fastprox.dll
                      2009-05-07 11:07   453,120   --------   c:\windows\system32\dllcache\wmiprvsd.dll
                      2009-05-07 11:07   399,360   --------   c:\windows\system32\dllcache\rpcss.dll
                      2009-05-07 11:07   227,840   --------   c:\windows\system32\dllcache\wmiprvse.exe
                      2009-05-07 11:07   110,592   --------   c:\windows\system32\dllcache\services.exe
                      2009-05-07 11:07   616,960   --------   c:\windows\system32\dllcache\advapi32.dll
                      2009-05-07 11:07   714,752   --------   c:\windows\system32\dllcache\ntdll.dll
                      2009-05-07 11:05   1,193,414   --------   c:\windows\system32\dllcache\sysmain.sdb
                      2009-05-07 11:05   215,552   --------   c:\windows\system32\dllcache\wordpad.exe
                      2009-05-06 20:44   <DIR>   --d-----   c:\program files\RegistryRepair
                      2009-05-04 10:28   <DIR>   --d-----   c:\program files\TeaTimer (Spybot - Search & Destroy)
                      2009-05-04 10:28   <DIR>   --d-----   c:\program files\SDHelper (Spybot - Search & Destroy)
                      2009-05-04 10:28   <DIR>   --d-----   c:\program files\Misc. Support Library (Spybot - Search & Destroy)
                      2009-05-04 10:28   <DIR>   --d-----   c:\program files\File Scanner Library (Spybot - Search & Destroy)
                      2009-05-04 10:21   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
                      2009-05-04 10:21   <DIR>   --d-----   c:\program files\Spybot - Search & Destroy
                      2009-04-26 21:15   28,776   a-------   C:\vffbvrg.jpg

                      ==================== Find3M  ====================

                      2009-05-17 10:25   325,896   a-------   c:\windows\system32\drivers\avgldx86.sys
                      2009-05-17 10:25   11,952   a-------   c:\windows\system32\avgrsstx.dll
                      2009-05-17 10:25   108,552   a-------   c:\windows\system32\drivers\avgtdix.sys
                      2009-05-16 23:32   17,015   a-------   c:\windows\system32\nvModes.dat
                      2009-05-15 00:29   90,112   a-------   c:\windows\DUMP88cc.tmp
                      2009-04-14 09:16   74,352   a-------   c:\docume~1\default\applic~1\GDIPFONTCACHEV1.DAT
                      2009-03-28 18:55   61,224   a-------   c:\windows\java\GoToAssistDownloadHelper.exe
                      2009-03-21 10:18   986,112   --------   c:\windows\system32\dllcache\kernel32.dll
                      2009-03-06 10:44   283,648   a-------   c:\windows\system32\pdh.dll
                      2009-03-02 19:27   1,499,136   --------   c:\windows\system32\dllcache\shdocvw.dll
                      2009-02-20 17:44   3,067,904   --------   c:\windows\system32\dllcache\mshtml.dll
                      2009-02-19 05:50   18,432   --------   c:\windows\system32\dllcache\iedw.exe
                      2004-07-04 21:02   75   a-------   c:\docume~1\default\applic~1\fusioncache.dat
                      2000-10-13 16:56   271   ---sh---   c:\program files\desktop.ini
                      2000-10-13 16:56   23,357   ----h---   c:\program files\folder.htt

                      ============= FINISH:  8:38:41.74 ===============


                      UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
                      IF REQUESTED, ZIP IT UP & ATTACH IT

                      DDS (Ver_09-05-14.01)

                      Microsoft Windows XP Home Edition
                      Boot Device: \Device\HarddiskVolume1
                      Install Date: 12/1/2006 11:33:09 AM
                      System Uptime: 5/18/2009 8:26:23 AM (0 hours ago)

                      Motherboard: Dell Computer Corporation |  | Inspiron 8100           
                      Processor: Intel(R) Pentium(R) III Mobile CPU      1000MHz | Microprocessor | 996/133mhz

                      ==== Disk Partitions =========================

                      A: is Removable
                      C: is FIXED (FAT32) - 19 GiB total, 10.36 GiB free.
                      D: is CDROM ()
                      E: is Removable

                      ==== Disabled Device Manager Items =============

                      ==== System Restore Points ===================

                      RP299: 5/16/2009 1:48:47 PM - System Checkpoint
                      RP300: 5/16/2009 10:54:14 PM - Installed Java(TM) 6 Update 13
                      RP301: 5/17/2009 10:12:29 AM - Avg8 Update
                      RP302: 5/17/2009 10:26:06 AM - Avg8 Update
                      RP303: 5/17/2009 11:44:39 AM - Removed Java(TM) 6 Update 13

                      ==== Installed Programs ======================

                      32 Bit HP CIO Components Installer
                      Ad-Aware
                      Adobe Flash Player 10 ActiveX
                      Adobe Photoshop 6.0
                      Adobe Reader 7.0.8
                      Adobe SVG Viewer 3.0
                      AOL Coach Version 2.0(Build:20041026.5 en)
                      AOL Deskbar
                      AOL You've Got Pictures Screensaver
                      AVG Free 8.5
                      BarSim 1.5.2
                      CCleaner (remove only)
                      Dell AccessDirect
                      Dell Dock Quick Install for Windows
                      Dell Internal Modem Diagnostics Tool
                      Dell Solution Center
                      DellTouch
                      DivX Codec
                      DivX Player
                      EACOM Game Installer
                      ESET Online Scanner
                      FoneSync
                      Google Toolbar for Internet Explorer
                      HijackThis 2.0.2
                      Hotfix for Windows Media Format SDK (KB902344)
                      Hotfix for Windows XP (KB896344)
                      Hotfix for Windows XP (KB928388)
                      Hotfix for Windows XP (KB952287)
                      Image Expert 2000 v3.2
                      Intel SpeedStep technology Applet
                      Intel(R) PRO Ethernet Adapter and Software
                      Internet Explorer Q903235
                      iTunes
                      Learn2 Player (Uninstall Only)
                      LiveInfoPro
                      Malwarebytes' Anti-Malware
                      MathPlayer
                      Microsoft .NET Framework (English)
                      Microsoft .NET Framework (English) v1.0.3705
                      Microsoft .NET Framework 1.1
                      Microsoft .NET Framework 1.1 Hotfix (KB928366)
                      Microsoft .NET Framework 2.0 Service Pack 1
                      Microsoft Base Smart Card Cryptographic Service Provider Package
                      Microsoft Data Access Components KB870669
                      Microsoft Money 2001
                      Microsoft Office 2000 Premium
                      Microsoft Picture It! Publishing 2001
                      Microsoft Visual C++ 2005 Redistributable
                      Microsoft Works 2001 Setup Launcher
                      Microsoft XML Parser and SDK
                      MSXML 4.0 SP2 (KB927978)
                      MSXML 4.0 SP2 (KB936181)
                      MSXML 4.0 SP2 (KB954430)
                      MSXML4 Parser
                      NETGEAR 108 Mbps Wireless PC Card WG511T
                      NVIDIA Windows 2000/XP Display Drivers
                      OS Updates for WinME and Win2K
                      QuickTime
                      RealPlayer
                      Security Update for Step By Step Interactive Training (KB898458)
                      Security Update for Step By Step Interactive Training (KB923723)
                      Security Update for Windows Media Player (KB911564)
                      Security Update for Windows Media Player (KB952069)
                      Security Update for Windows Media Player 10 (KB917734)
                      Security Update for Windows Media Player 10 (KB936782)
                      Security Update for Windows Media Player 6.4 (KB925398)
                      Security Update for Windows XP (KB890046)
                      Security Update for Windows XP (KB893756)
                      Security Update for Windows XP (KB896358)
                      Security Update for Windows XP (KB896423)
                      Security Update for Windows XP (KB896424)
                      Security Update for Windows XP (KB896428)
                      Security Update for Windows XP (KB899587)
                      Security Update for Windows XP (KB899591)
                      Security Update for Windows XP (KB900725)
                      Security Update for Windows XP (KB901017)
                      Security Update for Windows XP (KB901214)
                      Security Update for Windows XP (KB902400)
                      Security Update for Windows XP (KB904706)
                      Security Update for Windows XP (KB905414)
                      Security Update for Windows XP (KB905749)
                      Security Update for Windows XP (KB908519)
                      Security Update for Windows XP (KB911562)
                      Security Update for Windows XP (KB911567)
                      Security Update for Windows XP (KB911927)
                      Security Update for Windows XP (KB912919)
                      Security Update for Windows XP (KB913580)
                      Security Update for Windows XP (KB914388)
                      Security Update for Windows XP (KB914389)
                      Security Update for Windows XP (KB917344)
                      Security Update for Windows XP (KB917422)
                      Security Update for Windows XP (KB917953)
                      Security Update for Windows XP (KB918118)
                      Security Update for Windows XP (KB919007)
                      Security Update for Windows XP (KB920213)
                      Security Update for Windows XP (KB920214)
                      Security Update for Windows XP (KB920670)
                      Security Update for Windows XP (KB920683)
                      Security Update for Windows XP (KB920685)
                      Security Update for Windows XP (KB921398)
                      Security Update for Windows XP (KB921503)
                      Security Update for Windows XP (KB921883)
                      Security Update for Windows XP (KB922616)
                      Security Update for Windows XP (KB922760)
                      Security Update for Windows XP (KB922819)
                      Security Update for Windows XP (KB923191)
                      Security Update for Windows XP (KB923414)
                      Security Update for Windows XP (KB923561)
                      Security Update for Windows XP (KB923689)
                      Security Update for Windows XP (KB923694)
                      Security Update for Windows XP (KB923980)
                      Security Update for Windows XP (KB924191)
                      Security Update for Windows XP (KB924270)
                      Security Update for Windows XP (KB924496)
                      Security Update for Windows XP (KB924667)
                      Security Update for Windows XP (KB925454)
                      Security Update for Windows XP (KB925486)
                      Security Update for Windows XP (KB925902)
                      Security Update for Windows XP (KB926255)
                      Security Update for Windows XP (KB926436)
                      Security Update for Windows XP (KB927779)
                      Security Update for Windows XP (KB927802)
                      Security Update for Windows XP (KB928090)
                      Security Update for Windows XP (KB928255)
                      Security Update for Windows XP (KB928843)
                      Security Update for Windows XP (KB929123)
                      Security Update for Windows XP (KB929969)
                      Security Update for Windows XP (KB930178)
                      Security Update for Windows XP (KB931261)
                      Security Update for Windows XP (KB931768)
                      Security Update for Windows XP (KB931784)
                      Security Update for Windows XP (KB932168)
                      Security Update for Windows XP (KB933566)
                      Security Update for Windows XP (KB933729)
                      Security Update for Windows XP (KB935839)
                      Security Update for Windows XP (KB935840)
                      Security Update for Windows XP (KB936021)
                      Security Update for Windows XP (KB937143)
                      Security Update for Windows XP (KB938127)
                      Security Update for Windows XP (KB938464)
                      Security Update for Windows XP (KB938829)
                      Security Update for Windows XP (KB939653)
                      Security Update for Windows XP (KB941202)
                      Security Update for Windows XP (KB941568)
                      Security Update for Windows XP (KB941569)
                      Security Update for Windows XP (KB941644)
                      Security Update for Windows XP (KB941693)
                      Security Update for Windows XP (KB942615)
                      Security Update for Windows XP (KB943055)
                      Security Update for Windows XP (KB943460)
                      Security Update for Windows XP (KB943485)
                      Security Update for Windows XP (KB944338)
                      Security Update for Windows XP (KB944533)
                      Security Update for Windows XP (KB944653)
                      Security Update for Windows XP (KB945553)
                      Security Update for Windows XP (KB946026)
                      Security Update for Windows XP (KB946648)
                      Security Update for Windows XP (KB947864)
                      Security Update for Windows XP (KB948590)
                      Security Update for Windows XP (KB948881)
                      Security Update for Windows XP (KB950749)
                      Security Update for Windows XP (KB950762)
                      Security Update for Windows XP (KB950974)
                      Security Update for Windows XP (KB951066)
                      Security Update for Windows XP (KB951376-v2)
                      Security Update for Windows XP (KB951698)
                      Security Update for Windows XP (KB951748)
                      Security Update for Windows XP (KB952004)
                      Security Update for Windows XP (KB952954)
                      Security Update for Windows XP (KB954211)
                      Security Update for Windows XP (KB954600)
                      Security Update for Windows XP (KB955069)
                      Security Update for Windows XP (KB956391)
                      Security Update for Windows XP (KB956572)
                      Security Update for Windows XP (KB956802)
                      Security Update for Windows XP (KB956803)
                      Security Update for Windows XP (KB956841)
                      Security Update for Windows XP (KB957097)
                      Security Update for Windows XP (KB958215)
                      Security Update for Windows XP (KB958644)
                      Security Update for Windows XP (KB958687)
                      Security Update for Windows XP (KB958690)
                      Security Update for Windows XP (KB959426)
                      Security Update for Windows XP (KB960225)
                      Security Update for Windows XP (KB960714)
                      Security Update for Windows XP (KB960715)
                      Security Update for Windows XP (KB960803)
                      Security Update for Windows XP (KB961373)
                      Security Update for Windows XP (KB963027)
                      Shockwave
                      Snood for Windows version 3.0-W
                      Softex BayManager
                      Spybot - Search & Destroy 1.3
                      SUPERAntiSpyware Free Edition
                      Synaptics TouchPad
                      Update for Windows XP (KB898461)
                      Update for Windows XP (KB900485)
                      Update for Windows XP (KB900930)
                      Update for Windows XP (KB908531)
                      Update for Windows XP (KB910437)
                      Update for Windows XP (KB911280)
                      Update for Windows XP (KB916595)
                      Update for Windows XP (KB920872)
                      Update for Windows XP (KB922582)
                      Update for Windows XP (KB927891)
                      Update for Windows XP (KB929338)
                      Update for Windows XP (KB930916)
                      Update for Windows XP (KB931836)
                      Update for Windows XP (KB933360)
                      Update for Windows XP (KB936357)
                      Update for Windows XP (KB938828)
                      Update for Windows XP (KB942763)
                      Update for Windows XP (KB942840)
                      Update for Windows XP (KB946627)
                      Update for Windows XP (KB955839)
                      Update for Windows XP (KB967715)
                      User's Guides
                      Verizon Yahoo! Applications
                      Viewpoint Media Player
                      WebFldrs XP
                      Windows Genuine Advantage Notifications (KB905474)
                      Windows Genuine Advantage Validation Tool (KB892130)
                      Windows Installer 3.1 (KB893803)
                      Windows Media Format Runtime
                      Windows Media Format SDK Hotfix - KB891122
                      Windows Media Player 10
                      Windows XP Hotfix - KB873339
                      Windows XP Hotfix - KB885835
                      Windows XP Hotfix - KB885836
                      Windows XP Hotfix - KB886185
                      Windows XP Hotfix - KB887472
                      Windows XP Hotfix - KB888302
                      Windows XP Hotfix - KB890859
                      Windows XP Hotfix - KB891781
                      Windows XP Service Pack 2
                      WinRAR archiver
                      Works Suite OS Pack
                      Works Synchronization
                      Yahoo! Toolbar

                      ==== Event Viewer Messages From Past Week ========

                      5/17/2009 11:45:12 AM, error: Service Control Manager [7023]  - The Application Management service terminated with the following error:  The specified module could not be found.
                      5/15/2009 1:41:31 AM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the 7F3300AEC5DB29D6F7AE8C96105DD640 service to connect.
                      5/15/2009 1:41:06 AM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the 0624B29CDD53C5C2B4D49AC9BAC6B32F service to connect.
                      5/15/2009 1:37:12 AM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the 7D9761E0E5600B6001EDFB377419661E service to connect.
                      5/14/2009 9:55:45 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
                      5/14/2009 9:51:01 AM, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
                      5/14/2009 8:50:59 AM, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
                      5/14/2009 8:20:58 AM, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
                      5/14/2009 8:05:58 AM, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
                      5/14/2009 6:34:33 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD AvgLdx86 AvgMfx86 AvgTdiX Fips IPSec MRxSmb NetBIOS NetBT P3 RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
                      5/14/2009 6:34:33 PM, error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error:  A device attached to the system is not functioning.
                      5/14/2009 6:34:33 PM, error: Service Control Manager [7001]  - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:  A device attached to the system is not functioning.
                      5/14/2009 6:34:33 PM, error: Service Control Manager [7001]  - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
                      5/14/2009 6:34:33 PM, error: Service Control Manager [7001]  - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:  A device attached to the system is not functioning.
                      5/14/2009 6:33:36 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
                      5/14/2009 3:25:02 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AvgLdx86 AvgMfx86 Fips P3 SASDIFSV SASKUTIL
                      5/13/2009 10:53:07 AM, error: E100B [4]  - Adapter Intel 8255x-based PCI Ethernet Adapter (10/100): Adapter Link Down
                      5/13/2009 10:49:01 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
                      5/13/2009 10:36:38 AM, error: System Error [1003]  - Error code 1000000a, parameter1 000000b1, parameter2 00000002, parameter3 00000000, parameter4 8050af1a.
                      5/12/2009 7:45:12 AM, error: System Error [1003]  - Error code 1000000a, parameter1 00000018, parameter2 00000002, parameter3 00000000, parameter4 8050af20.
                      5/11/2009 4:53:27 PM, error: System Error [1003]  - Error code 1000000a, parameter1 bad0b0c8, parameter2 00000002, parameter3 00000000, parameter4 8050af20.

                      ==== End Of File ===========================


                      evilfantasy
                      Re: malware removal guide
                      « Reply #19 on: May 18, 2009, 11:09:41 AM »
                      Go to Add or Remove Programs and uninstall Spybot - Search & Destroy 1.3 <- This is about 3 years out of date.

                      ----------

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

                      Link #1
                      Link #2

                      **Note:  It is important that it is saved directly to your Desktop

                      DO NOT run it yet!

                      Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

                      Delete these files/folders, as follows:

                      1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                      It must be Notepad, not Wordpad.
                      2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
                      KillAll::

                      DDS::
                      TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
                      TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
                      EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
                      IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
                      Handler: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5020} -

                      3. Go to the Notepad window and click Edit > Paste
                      4. Then click File > Save
                      5. Name the file CFScript.txt - Save the file to your Desktop
                      6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!
                      ComboFix will begin to execute, just follow the prompts.
                      After reboot (in case it asks to reboot), it will produce a log for you.
                      Post that log (Combofix.txt) in your next reply.

                      Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

                      notevenclose
                        Re: malware removal guide
                        « Reply #20 on: May 18, 2009, 07:43:33 PM »
                        Combofix log

                        ComboFix 09-05-18.02 - default 05/18/2009 21:25.2 - FAT32x86
                        Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.511.243 [GMT -4:00]
                        Running from: c:\documents and settings\default\Desktop\ComboFix.exe
                        Command switches used :: c:\documents and settings\default\Desktop\CFScript.txt
                        AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                        .

                        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                        .

                        c:\program files\messenger\msmsgs.exe

                        .
                        (((((((((((((((((((((((((   Files Created from 2009-04-19 to 2009-05-19  )))))))))))))))))))))))))))))))
                        .

                        2009-05-17 15:37 . 2009-05-17 15:37   --------   d-----w   c:\windows\Sun
                        2009-05-17 03:28 . 2009-05-17 03:28   --------   d-----w   c:\documents and settings\Guest\Local Settings\Application Data\Google
                        2009-05-17 02:55 . 2009-05-17 02:54   410984   ----a-w   c:\windows\system32\deploytk.dll
                        2009-05-16 18:00 . 2009-05-16 18:00   --------   d-----w   c:\program files\EsetOnlineScanner
                        2009-05-14 21:10 . 2009-05-14 21:10   --------   d-----w   c:\documents and settings\Administrator\Application Data\Malwarebytes
                        2009-05-14 21:08 . 2009-05-14 21:08   --------   d-----w   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
                        2009-05-14 02:18 . 2009-05-14 02:18   74352   ----a-w   c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
                        2009-05-12 03:59 . 2009-05-12 03:59   --------   d-----w   c:\program files\Trend Micro
                        2009-05-12 03:19 . 2009-05-12 03:19   --------   d-----w   c:\documents and settings\default\Application Data\Malwarebytes
                        2009-05-12 03:19 . 2009-05-12 03:19   --------   d-----w   c:\documents and settings\default\Application Data\Malwarebytes
                        2009-05-12 03:19 . 2009-04-06 19:32   15504   ----a-w   c:\windows\system32\drivers\mbam.sys
                        2009-05-12 03:19 . 2009-04-06 19:32   38496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
                        2009-05-12 03:19 . 2009-05-12 03:19   --------   d-----w   c:\documents and settings\All Users\Application Data\Malwarebytes
                        2009-05-12 03:19 . 2009-05-12 03:19   --------   d-----w   c:\program files\Malwarebytes' Anti-Malware
                        2009-05-12 01:22 . 2009-05-12 01:22   --------   d-----w   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                        2009-05-12 01:22 . 2009-05-12 01:22   --------   d-----w   c:\program files\SUPERAntiSpyware
                        2009-05-12 01:22 . 2009-05-12 01:22   --------   d-----w   c:\documents and settings\default\Application Data\SUPERAntiSpyware.com
                        2009-05-12 01:22 . 2009-05-12 01:22   --------   d-----w   c:\documents and settings\default\Application Data\SUPERAntiSpyware.com
                        2009-05-11 18:24 . 2009-05-11 18:24   --------   d-----w   c:\program files\CCleaner
                        2009-05-09 20:46 . 2009-05-09 20:46   --------   d-----w   c:\documents and settings\default\Apps
                        2009-05-09 19:35 . 2009-05-09 19:35   --------   d-----w   c:\documents and settings\All Users\Application Data\WEBREG
                        2009-05-09 18:51 . 2009-05-09 18:51   --------   d-----w   c:\documents and settings\default\Application Data\HP
                        2009-05-09 18:51 . 2009-05-09 18:51   --------   d-----w   c:\documents and settings\default\Application Data\HP
                        2009-05-09 18:49 . 2008-01-24 21:29   16496   ----a-r   c:\windows\system32\drivers\HPZipr12.sys
                        2009-05-09 18:49 . 2008-01-24 21:29   49920   ----a-r   c:\windows\system32\drivers\HPZid412.sys
                        2009-05-09 18:49 . 2009-05-09 18:49   --------   d-----w   c:\documents and settings\All Users\Application Data\Hewlett-Packard
                        2009-05-09 18:49 . 2008-01-24 21:31   271704   ----a-r   c:\windows\system32\hpzids01.dll
                        2009-05-09 18:49 . 2007-10-20 22:25   118272   ----a-w   c:\windows\system32\hpz3l5mu.dll
                        2009-05-09 18:48 . 2008-01-24 21:30   309760   ----a-r   c:\windows\system32\difxapi.dll
                        2009-05-09 18:48 . 2008-01-24 21:30   372736   ----a-r   c:\windows\system32\hppldcoi.dll
                        2009-05-09 18:48 . 2008-01-24 21:30   21568   ----a-r   c:\windows\system32\drivers\HPZius12.sys
                        2009-05-09 18:41 . 2009-05-09 18:41   --------   d-----w   c:\documents and settings\All Users\Application Data\HP
                        2009-05-09 18:39 . 2009-05-09 18:39   --------   d-----w   c:\windows\system32\DRVSTORE
                        2009-05-09 18:38 . 2009-05-09 18:38   --------   d-----w   c:\program files\HP
                        2009-05-09 18:38 . 2004-08-04 05:01   25856   ----a-w   c:\windows\system32\dllcache\usbprint.sys
                        2009-05-09 18:38 . 2004-08-04 05:01   25856   ----a-w   c:\windows\system32\drivers\usbprint.sys
                        2009-05-09 18:38 . 2004-08-04 05:08   31616   ----a-w   c:\windows\system32\dllcache\usbccgp.sys
                        2009-05-09 18:38 . 2004-08-04 05:08   31616   ----a-w   c:\windows\system32\drivers\usbccgp.sys
                        2009-05-09 01:29 . 2009-05-09 01:29   --------   d-----w   c:\program files\Common Files\AOLSHARE
                        2009-05-07 15:07 . 2009-03-06 14:44   283648   ------w   c:\windows\system32\dllcache\pdh.dll
                        2009-05-07 15:07 . 2005-07-26 04:39   60416   ------w   c:\windows\system32\dllcache\colbact.dll
                        2009-05-07 15:07 . 2009-02-09 10:20   399360   ------w   c:\windows\system32\dllcache\rpcss.dll
                        2009-05-07 15:07 . 2009-02-06 17:14   110592   ------w   c:\windows\system32\dllcache\services.exe
                        2009-05-07 15:07 . 2009-02-09 10:20   473088   ------w   c:\windows\system32\dllcache\fastprox.dll
                        2009-05-07 15:07 . 2009-02-06 16:39   227840   ------w   c:\windows\system32\dllcache\wmiprvse.exe
                        2009-05-07 15:07 . 2009-02-09 10:20   453120   ------w   c:\windows\system32\dllcache\wmiprvsd.dll
                        2009-05-07 15:07 . 2009-02-09 10:20   616960   ------w   c:\windows\system32\dllcache\advapi32.dll
                        2009-05-07 15:07 . 2009-02-09 10:20   714752   ------w   c:\windows\system32\dllcache\ntdll.dll
                        2009-05-07 15:05 . 2008-04-21 10:02   215552   ------w   c:\windows\system32\dllcache\wordpad.exe
                        2009-05-07 00:44 . 2009-05-07 00:44   --------   d-----w   c:\program files\RegistryRepair
                        2009-05-04 14:28 . 2009-05-04 14:28   --------   d-----w   c:\program files\TeaTimer (Spybot - Search & Destroy)
                        2009-05-04 14:28 . 2009-05-04 14:28   --------   d-----w   c:\program files\Misc. Support Library (Spybot - Search & Destroy)
                        2009-05-04 14:28 . 2009-05-04 14:28   --------   d-----w   c:\program files\SDHelper (Spybot - Search & Destroy)
                        2009-05-04 14:28 . 2009-05-04 14:28   --------   d-----w   c:\program files\File Scanner Library (Spybot - Search & Destroy)
                        2009-05-04 14:21 . 2009-05-04 14:21   --------   d-----w   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
                        2009-05-04 14:21 . 2009-05-04 14:21   --------   d-----w   c:\program files\Spybot - Search & Destroy

                        .
                        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                        .
                        2009-05-19 01:23 . 2006-12-03 15:33   74352   ----a-w   c:\documents and settings\default\Application Data\GDIPFONTCACHEV1.DAT
                        2009-05-19 01:23 . 2006-12-03 15:33   74352   ----a-w   c:\documents and settings\default\Application Data\GDIPFONTCACHEV1.DAT
                        2009-05-17 14:25 . 2008-05-15 15:17   11952   ----a-w   c:\windows\system32\avgrsstx.dll
                        2009-05-17 14:25 . 2008-05-15 15:17   325896   ----a-w   c:\windows\system32\drivers\avgldx86.sys
                        2009-05-17 14:25 . 2008-05-15 15:17   108552   ----a-w   c:\windows\system32\drivers\avgtdix.sys
                        2009-05-17 03:32 . 2006-12-02 17:58   17015   ----a-w   c:\windows\system32\nvModes.dat
                        2009-05-15 04:29 . 2006-12-01 14:49   90112   ----a-w   c:\windows\DUMP88cc.tmp
                        2009-03-23 21:48 . 2009-03-23 21:48   --------   d-----w   c:\program files\Common Files\Wise Installation Wizard
                        2009-03-06 14:44 . 2006-12-02 19:01   283648   ----a-w   c:\windows\system32\pdh.dll
                        2009-02-20 08:14 . 2006-06-23 15:33   668160   ----a-w   c:\windows\system32\wininet.dll
                        2009-02-20 08:14 . 2004-08-04 06:56   81920   ------w   c:\windows\system32\ieencode.dll
                        2000-10-13 20:56 . 2000-10-13 20:56   271   --sh--w   c:\program files\desktop.ini
                        2000-10-13 20:56 . 2000-10-13 20:56   23357   ---h--w   c:\program files\folder.htt
                        .

                        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                        .
                        .
                        *Note* empty entries & legit default entries are not shown
                        REGEDIT4

                        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                        "MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2000-07-19 176183]

                        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                        "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2001-10-08 110592]
                        "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2001-10-08 401408]
                        "DellTouch"="c:\windows\DELLMMKB.EXE" [2001-09-23 163840]
                        "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-06-24 4800512]
                        "AS00_Gear511"="c:\program files\NETGEAR\WG511SCU\Utility\Gear511.exe" [2006-01-20 1122412]
                        "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
                        "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
                        "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-17 1947928]
                        "Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-05-07 68592]
                        "nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2003-06-24 323584]

                        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                        "MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2000-07-19 176183]

                        c:\documents and settings\All Users\Start Menu\Programs\Startup\
                        Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
                        Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

                        [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
                        "NoSetActiveDesktop"= 1 (0x1)
                        "NoActiveDesktopChanges"= 1 (0x1)

                        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                        2008-12-22 16:05   356352   ----a-w   c:\program files\SUPERAntiSpyware\SASWINLO.dll

                        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
                        2009-05-17 14:25   11952   ----a-w   c:\windows\SYSTEM32\avgrsstx.dll

                        HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
                        "wave1"= serwvdrv.dll

                        [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
                        "MSMSGS"="c:\program files\MESSENGER\MSMSGS.EXE" /background
                        "Mirabilis ICQ"=c:\program files\ICQ\NDetect.exe
                        "Weather"=c:\program files\AWS\WEATHERBUG\WEATHER.EXE 1
                        "Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe
                        "Yahoo! Pager"=c:\program files\Yahoo!\Messenger\ypager.exe -quiet

                        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
                        "MMTray"=c:\program files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
                        "LapLink Scheduler"="c:\program files\Common Files\LapLink\Scheduler\LLSCHED.EXE"
                        "SynTPLpr"=c:\program files\Synaptics\SynTP\SynTPLpr.exe
                        "SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
                        "WorksFUD"=c:\program files\Microsoft Works\wkfud.exe
                        "Microsoft Works Portfolio"=c:\program files\Microsoft Works\WksSb.exe /AllUsers
                        "Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe
                        "seticlient"=c:\program files\SETI@home\[email protected] -min
                        "TkBellExe"=c:\program files\Common Files\Real\Update_OB\realsched.exe -osboot
                        "QuickTime Task"="c:\windows\SYSTEM32\qttask.exe" -atboottime
                        "AOLDialer"=c:\program files\Common Files\AOL\ACS\AOLDial.exe
                        "DadApp"=c:\program files\DELL\AccessDirect\dadapp.exe
                        "BayMgr"=DockApp.exe
                        "AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
                        "HostManager"=c:\program files\Common Files\AOL\1106251464\EE\AOLHostManager.exe

                        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
                        "LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
                        "Promon.exe"=Promon.exe
                        "CPortPatch"=c:\windows\Quick Install\CPPatch.exe
                        "PRPCMonitor"=PRPCUI.exe
                        "LoadQM"=loadqm.exe

                        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
                        "SchedulingAgent"=mstask.exe
                        "AolAcsDaemon1"="c:\program files\COMMON FILES\AOL\ACS\AOLACSD.EXE"
                        "AOL TopSpeedMonitor"=c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
                        "NVSvc"=c:\windows\SYSTEM32\NVSVC.EXE -runservice
                        "KB891711"=c:\windows\SYSTEM\KB891711\KB891711.EXE
                        "MSNIA"=c:\progra~1\MSN\MSNIA\MSNIASVC.EXE

                        [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                        "FirewallOverride"=dword:00000001

                        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                        "EnableFirewall"= 0 (0x0)

                        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                        "%windir%\\system32\\sessmgr.exe"=
                        "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
                        "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
                        "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
                        "c:\\Program Files\\iTunes\\iTunes.exe"=

                        R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/15/2008 11:17 AM 325896]
                        R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/15/2008 11:17 AM 108552]
                        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
                        R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
                        R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/19/2009 1:43 PM 908568]
                        R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/19/2009 1:43 PM 298776]
                        R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [12/1/2006 12:30 PM 28672]
                        R3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\SYSTEM32\AWINDIS5.SYS [12/3/2006 1:40 PM 16194]
                        R3 maestro;ESS Maestro Audio Driver (WDM);c:\windows\SYSTEM32\DRIVERS\es198xdl.sys [6/20/2002 5:53 PM 414400]
                        R3 Msikbd2k;DellTouch;c:\windows\SYSTEM32\DRIVERS\Msikbd2k.sys [12/1/2006 12:30 PM 6942]
                        R3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;c:\windows\SYSTEM32\DRIVERS\wg511nd5.sys [12/3/2006 1:39 PM 449888]
                        S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]

                        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                        HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12

                        [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\^RNA]
                        rundll rnasetup.dll,installoptionalcomponent rna

                        [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
                        "c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

                        [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
                        "c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
                        "c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

                        [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
                        "c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

                        [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
                        "c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
                        "c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

                        [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
                        c:\windows\SYSTEM32\updcrl.exe -e -u c:\windows\SYSTEM\verisignpub1.crl
                        .
                        Contents of the 'Scheduled Tasks' folder
                        .
                        .
                        ------- Supplementary Scan -------
                        .
                        uStart Page = hxxp://yahoo.com/
                        mLocal Page = c:\windows\SYSTEM\blank.htm
                        mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
                        uInternet Connection Wizard,ShellNext = hxxp://cf.icq.com/cf/2000/lost_password.html
                        uInternet Settings,ProxyServer = http=localhost:7171
                        uInternet Settings,ProxyOverride = *.local;<local>
                        uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
                        Trusted Zone: aol.com\free
                        Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
                        DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
                        DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
                        .

                        **************************************************************************

                        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                        Rootkit scan 2009-05-18 21:32
                        Windows 5.1.2600 Service Pack 2 FAT NTAPI

                        scanning hidden processes ... 

                        scanning hidden autostart entries ...

                        scanning hidden files ... 

                        scan completed successfully
                        hidden files: 0

                        **************************************************************************
                        .
                        --------------------- DLLs Loaded Under Running Processes ---------------------

                        - - - - - - - > 'winlogon.exe'(456)
                        c:\program files\SUPERAntiSpyware\SASWINLO.dll
                        .
                        ------------------------ Other Running Processes ------------------------
                        .
                        c:\program files\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
                        c:\program files\AVG\AVG8\AVGWDSVC.EXE
                        c:\windows\SYSTEM32\NVSVC32.EXE
                        c:\windows\SYSTEM32\WDFMGR.EXE
                        c:\program files\AVG\AVG8\AVGRSX.EXE
                        c:\progra~1\AVG\AVG8\avgnsx.exe
                        c:\program files\AVG\AVG8\avgcsrvx.exe
                        c:\windows\system32\wscntfy.exe
                        c:\program files\Netropa\OSD.exe
                        c:\program files\iPod\bin\iPodService.exe
                        .
                        **************************************************************************
                        .
                        Completion time: 2009-05-19 21:36 - machine was rebooted
                        ComboFix-quarantined-files.txt  2009-05-19 01:36

                        Pre-Run: 10,996,350,976 bytes free
                        Post-Run: 11,031,134,208 bytes free

                        244   --- E O F ---   2009-05-15 06:00
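A small parser for two sections of the ComboFix log above (Files Created and Reg Loading Points), added here as a triage aid; it is not part of this thread or of ComboFix itself. It assumes the line layouts shown in that log, and treats registry keys whose name ends in "-" as inactive, which is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: lines copied from the ComboFix log posted in this
# thread, trimmed to the two sections this parser understands.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((   Files Created from 2009-04-19 to 2009-05-19  )))))))))))))))))))))))))))))))
.

2009-05-17 02:55 . 2009-05-17 02:54   410984   ----a-w   c:\windows\system32\deploytk.dll
2009-05-14 21:10 . 2009-05-14 21:10   --------   d-----w   c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-12 03:19 . 2009-04-06 19:32   15504   ----a-w   c:\windows\system32\drivers\mbam.sys
2009-05-09 18:49 . 2008-01-24 21:29   16496   ----a-r   c:\windows\system32\drivers\HPZipr12.sys

.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2000-07-19 176183]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-17 1947928]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2003-06-24 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MMTray"=c:\program files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
"""

# A section banner looks like "((((((   Title   ))))))".
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$", re.M)
# "<created> . <modified>   <size or -------->   <attrs>   <path>"
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(\d+|-+)\s+([-a-z]{7})\s+(.+?)\s*$", re.M)
KEY_RE = re.compile(r"^\[(.+)\]\s*$")
# '"name"=<target>' with an optional trailing "[yyyy-mm-dd size]" file stamp.
VALUE_RE = re.compile(r'^"([^"]+)"=(.*?)(?:\s+\[(\d{4}-\d\d-\d\d) (\d+)\])?\s*$')


@dataclass
class FileRecord:
    created: str
    modified: str
    size: Optional[int]   # None for directories (size printed as --------)
    attrs: str            # e.g. 'd-----w' directory, '----a-w' archive+writable
    path: str


@dataclass
class RegEntry:
    key: str
    name: str
    target: str                 # command line or path as ComboFix printed it
    file_date: Optional[str]    # from the trailing [date size] stamp, if any
    file_size: Optional[int]


def split_sections(text: str) -> Dict[str, str]:
    """Map each '(((( Title ))))' banner to the text that follows it."""
    sections: Dict[str, str] = {}
    banners = list(SECTION_RE.finditer(text))
    for i, m in enumerate(banners):
        end = banners[i + 1].start() if i + 1 < len(banners) else len(text)
        sections[m.group(1)] = text[m.end():end]
    return sections


def parse_files_created(text: str) -> List[FileRecord]:
    """Records from the 'Files Created from ... to ...' section."""
    for title, body in split_sections(text).items():
        if title.startswith("Files Created"):
            return [FileRecord(c, m, int(s) if s.isdigit() else None, a, p)
                    for c, m, s, a, p in FILE_RE.findall(body)]
    return []


def _unquote(s: str) -> str:
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def parse_reg_loading_points(text: str) -> List[RegEntry]:
    """Autostart values from the 'Reg Loading Points' section, keyed by hive path."""
    entries: List[RegEntry] = []
    key = None
    for line in split_sections(text).get("Reg Loading Points", "").splitlines():
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            name, target, date, size = vm.groups()
            entries.append(RegEntry(key, name, _unquote(target), date,
                                    int(size) if size else None))
    return entries


def drivers_created(records: List[FileRecord]) -> List[str]:
    """Kernel drivers (*.sys) that appeared in the window: the first thing to
    reconcile against the event-log list of boot-start drivers."""
    return [r.path for r in records
            if r.size is not None and r.path.lower().endswith(".sys")]


def active_autoruns(entries: List[RegEntry]) -> List[RegEntry]:
    """Entries under live Run keys. Assumption: keys ComboFix prints with a
    trailing '-' (e.g. 'run-') hold entries that are not currently started."""
    return [e for e in entries if not e.key.endswith("-")]


if __name__ == "__main__":
    files = parse_files_created(SAMPLE_LOG)
    regs = parse_reg_loading_points(SAMPLE_LOG)
    print("drivers created:", drivers_created(files))
    for e in active_autoruns(regs):
        print(f"{e.name:12} {e.target} ({e.file_date}, {e.file_size} bytes)")
```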

                        evilfantasy
                        Re: malware removal guide
                        « Reply #21 on: May 18, 2009, 08:06:37 PM »
                        I'm not seeing anything malware related. How is the computer running now?

                        notevenclose
                          Re: malware removal guide
                          « Reply #22 on: May 21, 2009, 10:18:42 AM »
hi, sorry for the late reply... mom in hospital... thought u were done with me, huh? no such luck... ;D

any road... still not playing any videos, still saying need ActiveX... i checked video adapters, said working properly... went to Dell and did a hardware scan, everything passed... with my other computers... 2 Dells and an HP... when i go to boot menu there is a diagnostic scan u can run... i can't seem to find it on this one... any suggestions, or can u direct me anywhere? do u think i should update the drivers? do a system restore? i'm nowhere near this in my repair course and my pc guy is expensive

                          thank you


                          evilfantasy
                          Re: malware removal guide
                          « Reply #23 on: May 21, 2009, 01:50:36 PM »
                          Try posting in the Windows forum.

                          notevenclose
                            Re: malware removal guide
                            « Reply #24 on: May 26, 2009, 09:42:28 AM »
                            HI
thanks, i will... I went to Adobe support and I found it could be registry permissions... since it downloaded with no prob, but it's not being recognized... makes sense with all the cleaning... if you'd like I'll let you know what i find and how it was fixed... might take a while cuz mom's still in hosp.

hope soon I can do the malware removal and HijackThis self-help with my other pcs

Thank you again for all your help, you're a godsend