Author Topic: Serious spyware or virus problem (Help please!)  (Read 11866 times)

harry 48
Re: Serious spyware or virus problem (Help please!)
« Reply #15 on: January 05, 2010, 02:54:37 PM »
Keep SAS, MBAM and CCleaner on the PC and run them weekly.

SuperDave (Malware Removal Specialist, Moderator)
Re: Serious spyware or virus problem (Help please!)
« Reply #16 on: January 06, 2010, 07:29:10 AM »
Hello 007will and welcome to Computer Hope Forum. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Will\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

Your logs look quite clean but just to be on the safe side, we'll run another scan with this:

Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

link # 1
link #2

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Vista users Right-click combofix.exe and select Run as Administrator and follow the prompts.
Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.

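As an added example, not part of SuperDave's reply and not HijackThis or Trend Micro code, the script below automates the reasoning behind a fix list like the one above. It parses HijackThis O-lines and flags the generic indicators a helper checks before ticking entries for Fix checked: a target marked "(file missing)" is an orphan, an O20 AppInit_DLLs or Winlogon Notify entry injects a DLL into every process or into winlogon and needs its publisher verified, anything running from a Temp directory is suspect, and an O23 service with "Unknown owner" has nobody vouching for it. The sample log is constructed from the entries quoted in the reply, one O2 entry and the ownerless O23 entry from the HijackThis log posted later in the thread; the indicator rules are the script's own heuristics, so a hit on the two O20 lines (whose paths show Google software and SUPERAntiSpyware) means "verify", not "malicious".

```python
"""Triage the O-lines of a HijackThis log.

Added example: not HijackThis code and not from the forum post. The rules
are this script's own heuristics for the indicators a malware-removal
helper checks before ticking entries for "Fix checked":
  * a target marked "(file missing)" is an orphaned entry;
  * O20 (AppInit_DLLs / Winlogon Notify) injects a DLL into every process
    or into winlogon, so the DLL's publisher must be verified;
  * anything run from a Temp directory is suspect;
  * an O23 service with "Unknown owner" has no publisher to vouch for it.
Nothing here touches the registry; it only reports.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the entries quoted in the reply, one O2 line and the
# ownerless O23 service from the HijackThis log posted later in the thread.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Will\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NMSAccessU - Unknown owner - C:\Documents and Settings\Will\Local Settings\Temp\{A069857B-A614-4598-9495-B0029E79B748}\NMSAccessU.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")   # "O20 - ..."
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)                   # "...\Temp\..."


@dataclass
class Entry:
    section: str                  # "R0", "O4", "O20", ...
    body: str                     # everything after "O4 - "
    reasons: list = field(default_factory=list)

    @property
    def line(self):
        return f"{self.section} - {self.body}"


def parse_hjt(text):
    """One Entry per R*/F*/N*/O* line; headers, process list and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def indicators(e):
    """Reasons an entry deserves a second look (empty list == nothing found)."""
    found = []
    if "(file missing)" in e.body:
        found.append("target file missing (orphaned entry)")
    if e.section == "O20":
        found.append("O20 load point (AppInit_DLLs / Winlogon Notify): verify the DLL's publisher")
    if TEMP_RE.search(e.body):
        found.append("runs from a Temp directory")
    if e.section == "O23" and "Unknown owner" in e.body:
        found.append("service has no publisher")
    return found


def triage(entries):
    """Annotate every entry with its indicators and return the flagged ones."""
    for e in entries:
        e.reasons = indicators(e)
    return [e for e in entries if e.reasons]


def checklist(entries):
    """Lines to tick under 'Do a system scan only' before pressing 'Fix checked'."""
    return [e.line for e in triage(entries)]


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_HJT)):
        print(e.line)
        for r in e.reasons:
            print("    ->", r)
```

Run it as-is to see the flagged lines, or pass the contents of a saved hijackthis.log to parse_hjt to triage a real one. The script never modifies anything; the Fix checked step stays with HijackThis, and the O4 Messenger entry in SuperDave's list is not flagged because removing Windows Messenger is a judgement call, not an indicator.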

007will (Topic Starter)

    Re: Serious spyware or virus problem (Help please!)
    « Reply #17 on: January 06, 2010, 05:36:22 PM »
    ComboFix 10-01-04.01 - Will 07/01/2010   0:23.3.2 - x86
    Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1014.459 [GMT 0:00]
    Running from: c:\documents and settings\Will\Desktop\ComboFix.exe
    AV:  *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
    FW:  *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
    .

    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Will\Cookies\oduny._dl
    c:\documents and settings\Will\Cookies\xepodazoca.ban
    c:\program files\Common Files\hukegomiho.vbs
    c:\program files\Common Files\padamum.bat
    c:\program files\Common Files\yzenijace.bat
    C:\Thumbs.db
    c:\windows\alygiwo.vbs

    c:\windows\system32\proquota.exe was missing
    Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

    .
    (((((((((((((((((((((((((   Files Created from 2009-12-07 to 2010-01-07  )))))))))))))))))))))))))))))))
    .

    2010-01-07 00:31 . 2008-04-14 00:12   50176   ----a-w-   c:\windows\system32\proquota.exe
    2010-01-07 00:31 . 2008-04-14 00:12   50176   ----a-w-   c:\windows\system32\dllcache\proquota.exe
    2010-01-05 20:32 . 2010-01-05 20:33   --------   d-----w-   C:\Malwarebytes' Anti-Malware
    2010-01-05 17:35 . 2010-01-05 17:35   52224   ----a-w-   c:\documents and settings\Will\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2009-12-31 10:18 . 2010-01-05 20:21   --------   d-----w-   c:\documents and settings\Will\Local Settings\Application Data\lptdvl
    2009-12-16 22:29 . 2009-12-16 22:42   --------   d-----w-   c:\documents and settings\Will\.hydrogen
    2009-12-16 22:27 . 2009-12-16 22:28   --------   d-----w-   c:\program files\Hydrogen
    2009-12-16 22:27 . 2009-12-16 22:27   --------   d-----w-   c:\program files\SwiffRec
    2009-12-16 22:24 . 2009-12-16 22:26   --------   d-----w-   c:\program files\BestPractice
    2009-12-16 22:22 . 2009-12-16 22:22   --------   d-----w-   c:\program files\AudioBookCutter_0_5_0
    2009-12-16 22:21 . 2009-12-16 22:21   --------   d-----w-   c:\program files\7-Zip
    2009-12-16 22:19 . 2009-12-16 22:19   --------   d-----w-   c:\program files\ggseq-0.3.1
    2009-12-16 22:17 . 2009-12-16 22:17   --------   d-----w-   c:\program files\WinLame_pre4
    2009-12-16 22:15 . 2009-12-16 22:15   --------   d-----w-   c:\program files\lame_3.96.1
    2009-12-13 16:23 . 2009-12-13 16:23   --------   d-----w-   c:\documents and settings\All Users\Application Data\TomTom
    2009-12-13 16:22 . 2009-12-13 16:22   --------   d-----w-   c:\documents and settings\Will\Local Settings\Application Data\TomTom
    2009-12-13 16:22 . 2009-12-13 16:22   --------   d-----w-   c:\documents and settings\Will\Application Data\TomTom
    2009-12-13 16:22 . 2009-12-13 16:22   --------   d-----w-   c:\program files\TomTom International B.V
    2009-12-13 16:22 . 2009-12-13 16:22   --------   d-----w-   c:\program files\TomTom HOME 2

    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-07 00:32 . 2008-09-21 20:50   --------   d-----w-   c:\documents and settings\All Users\Application Data\Kontiki
    2010-01-06 22:07 . 2007-03-01 14:05   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
    2010-01-05 18:18 . 2008-12-22 21:43   --------   d-----w-   c:\program files\Microsoft Windows OneCare Live
    2010-01-05 17:36 . 2008-12-31 15:48   --------   d-----w-   c:\program files\SUPERAntiSpyware
    2010-01-05 17:35 . 2009-10-01 21:24   117760   ----a-w-   c:\documents and settings\Will\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-12-30 14:55 . 2009-01-01 15:53   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-30 14:54 . 2009-01-01 15:53   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
    2009-12-16 08:18 . 2009-11-10 20:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\SSScanAppDataDir
    2009-12-05 15:06 . 2006-09-20 09:20   --------   d-----w-   c:\program files\Java
    2009-12-05 15:03 . 2009-12-05 15:03   152576   ----a-w-   c:\documents and settings\Will\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2009-12-05 15:02 . 2009-12-05 15:02   79488   ----a-w-   c:\documents and settings\Will\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2009-11-10 22:20 . 2006-09-25 21:35   49000   ----a-w-   c:\documents and settings\Will\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-11-10 22:19 . 2008-03-06 08:19   --------   d-----w-   c:\program files\Windows Live
    2009-11-10 22:19 . 2006-09-26 09:34   --------   d-----w-   c:\program files\Windows Live Toolbar
    2009-11-10 22:18 . 2009-11-10 22:18   --------   d-----w-   c:\program files\Microsoft Sync Framework
    2009-11-10 22:11 . 2009-11-10 22:11   --------   d-----w-   c:\program files\Microsoft
    2009-11-10 22:11 . 2009-11-10 22:11   --------   d-----w-   c:\program files\Windows Live SkyDrive
    2009-11-10 20:42 . 2009-11-10 20:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\MSScanAppDataDir
    2009-10-29 07:45 . 2004-08-10 11:51   916480   ----a-w-   c:\windows\system32\wininet.dll
    2009-10-21 05:38 . 2004-08-10 11:51   75776   ----a-w-   c:\windows\system32\strmfilt.dll
    2009-10-21 05:38 . 2004-08-10 11:51   25088   ----a-w-   c:\windows\system32\httpapi.dll
    2009-10-20 16:20 . 2004-08-03 22:00   265728   ----a-w-   c:\windows\system32\drivers\http.sys
    2009-10-13 10:30 . 2004-08-10 11:51   270336   ----a-w-   c:\windows\system32\oakley.dll
    2009-10-12 19:37 . 2009-10-12 19:25   110415   ----a-w-   c:\windows\hpoins11.dat
    2009-10-12 13:38 . 2004-08-10 11:51   149504   ----a-w-   c:\windows\system32\rastls.dll
    2009-10-12 13:38 . 2004-08-10 11:51   79872   ----a-w-   c:\windows\system32\raschap.dll
    2009-10-11 04:17 . 2009-01-01 16:26   411368   ----a-w-   c:\windows\system32\deploytk.dll
    2008-10-07 07:00 . 2008-10-07 07:00   235296   ----a-w-   c:\program files\MC
    2008-11-16 23:42 . 2006-10-05 21:32   88   --sh--r-   c:\windows\system32\64D3CEE666.sys
    2008-05-19 20:22 . 2006-10-17 19:25   56   --sh--r-   c:\windows\system32\66E6CED364.sys
    2008-11-16 23:43 . 2006-10-05 21:32   5852   --sha-w-   c:\windows\system32\KGyGaAvL.sys
    .

    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 68856]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
    "AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]
    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 282624]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-11-09 497240]
    "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-09-20 26112]
    "AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-03-19 78960]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-09-20 169984]
    "Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 106496]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 29696]
    "DSLSTATEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe" [2003-06-28 1658965]
    "DSLAGENTEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe" [2003-08-19 16384]
    "EPSON Stylus C64 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2003-05-27 99840]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
    "OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-07-09 65240]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2009-09-04 158448]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
    AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0\aoltray.exe [2006-9-20 156784]
    BT Broadband Basic Help.lnk - c:\program files\BT Broadband Basic Help\bin\matcli.exe [2006-10-31 200704]
    Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-9-20 7168]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2006-9-25 581632]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "c:\\Program Files\\AOL 9.0\\waol.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\StubInstaller.exe"=
    "c:\\Sierra\\SWAT3\\Swat.icd"=
    "c:\\Program Files\\Raven\\Star Trek Voyager Elite Force\\stvoyHM.exe"=
    "c:\\Program Files\\EasyChat\\EasyChat.exe"=
    "c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
    "c:\\Program Files\\Kontiki\\KService.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
    "10426:UDP"= 10426:UDP:SingleClick ICC

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [15/09/2009 10:42 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [15/09/2009 10:42 74480]
    R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [09/07/2009 11:15 26104]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [13/11/2009 11:31 92008]
    S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27/11/2008 12:11 682232]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [05/10/2006 22:11 13592]
    S3 pfsvgae;pfsvgae;\??\c:\docume~1\Will\LOCALS~1\Temp\pfsvgae.sys --> c:\docume~1\Will\LOCALS~1\Temp\pfsvgae.sys [?]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [15/09/2009 10:42 7408]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-10-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.btbroadbandstart.com/
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .
    - - - - ORPHANS REMOVED - - - -

    SafeBoot-WudfPf
    SafeBoot-WudfRd
    AddRemove-CCleaner - f:\ccleaner\uninst.exe
    AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-07 00:32
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ... 

    scanning hidden autostart entries ...

    scanning hidden files ... 

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    @DACL=(02 0000)
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    @DACL=(02 0000)
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    @DACL=(02 0000)
    "Installed"="1"
    .
    Completion time: 2010-01-07  00:34:50
    ComboFix-quarantined-files.txt  2010-01-07 00:34

    Pre-Run: 37,931,307,008 bytes free
    Post-Run: 38,102,618,112 bytes free

    - - End Of File - - 7044B05AD25336358301E416D411741C
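The service lines in a ComboFix log carry the start type, the image path and, where ComboFix could not find the file, a trailing [?]. The S3 pfsvgae entry above points at a .sys in the user's Temp folder that no longer exists, which is exactly the kind of entry the Driver:: stanza of a CFScript (as used later in this thread) exists for; the same log also shows the standard-profile firewall switched off and Security Center monitoring disabled for the McAfee entries. The script below is an added example, not part of 007will's post and not ComboFix's (sUBs') own code: it parses lines of that shape from a constructed sample, flags services that run from Temp or whose image is missing, emits the matching CFScript text, and reads the firewall and Security Center keys. The line format and the meaning of R/S are assumptions taken from the log above.

```python
"""Read service/driver load points and security-posture keys from a ComboFix log
and build the CFScript stanza for drivers that look like leftovers.

Added example: not ComboFix (sUBs) code and not part of the post. Assumed line
shape, taken from the log above:
  <R|S><start type> <name>;<display name>;<image path> [<date> <time> <size>]
with "[?]" in place of the bracketed file details when ComboFix could not find
the image (assumed here: R = running, S = stopped; the digit is the start type).
The Driver:: stanza format is the one used in the thread. Nothing here runs
ComboFix or writes to disk; it only prints what it would propose.
"""
import re

# Constructed sample in the same shape as the posted log.
SAMPLE_COMBOFIX = r"""
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [13/11/2009 11:31 92008]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27/11/2008 12:11 682232]
S3 pfsvgae;pfsvgae;\??\c:\docume~1\Will\LOCALS~1\Temp\pfsvgae.sys --> c:\docume~1\Will\LOCALS~1\Temp\pfsvgae.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [15/09/2009 10:42 7408]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
"""

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s+\[(?P<info>[^\]]*)\]$"
)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")          # [HKLM\...]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_services(text):
    """One dict per R*/S* line, with in_temp / file_missing already decided."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        svc = m.groupdict()
        svc["file_missing"] = svc["info"].strip() == "?"      # ComboFix printed [?]
        svc["in_temp"] = bool(TEMP_RE.search(svc["path"]))     # image under a Temp dir
        services.append(svc)
    return services


def suspicious_drivers(services):
    """Entries whose image lives in Temp or no longer exists on disk."""
    return [s for s in services if s["in_temp"] or s["file_missing"]]


def build_cfscript(services):
    """CFScript text: KillAll:: then a Driver:: stanza naming each suspect service."""
    names = [s["name"] for s in suspicious_drivers(services)]
    if not names:
        return ""
    return "KillAll::\n\nDriver::\n" + "\n".join(names) + "\n"


def posture_findings(text):
    """Firewall-off and Security Center monitoring-off keys from the registry dump."""
    findings = []
    key = ""
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km["key"]
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, value = vm["name"], vm["value"].strip()
        leaf = key.rsplit("\\", 1)[-1]
        if "firewallpolicy" in key.lower() and name == "EnableFirewall" and value.startswith("0"):
            findings.append(f"Windows Firewall disabled ({leaf})")
        if "security center\\monitoring" in key.lower() and name == "DisableMonitoring" and value.endswith("1"):
            findings.append(f"Security Center monitoring disabled for {leaf}")
    return findings


if __name__ == "__main__":
    svcs = parse_services(SAMPLE_COMBOFIX)
    print(build_cfscript(svcs), end="")
    for f in posture_findings(SAMPLE_COMBOFIX):
        print("posture:", f)
```

The Temp-path and missing-image rules are deliberately narrow: sptd.sys (a Daemon Tools/Alcohol driver) and the SUPERAntiSpyware drivers in the sample are left alone, and the script only proposes text for a helper to review, as in the thread, rather than feeding anything to ComboFix itself.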

    007will (Topic Starter)

      Re: Serious spyware or virus problem (Help please!)
      « Reply #18 on: January 06, 2010, 05:36:46 PM »
      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 00:35:55, on 07/01/2010
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v8.00 (8.00.6001.18702)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
      C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      C:\Program Files\Bonjour\mDNSResponder.exe
      C:\Program Files\Dell Network Assistant\hnm_svc.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\Program Files\Kontiki\KService.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
      C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
      C:\WINDOWS\system32\HPZipm12.exe
      C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
      C:\WINDOWS\system32\SearchIndexer.exe
      C:\WINDOWS\system32\ZuneBusEnum.exe
      C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
      C:\Program Files\Microsoft Windows OneCare Live\winss.exe
      C:\WINDOWS\system32\wscntfy.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
      C:\WINDOWS\system32\notepad.exe
      C:\WINDOWS\explorer.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\Program Files\Internet Explorer\IEXPLORE.EXE
      C:\Program Files\Internet Explorer\IEXPLORE.EXE
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Windows Live\Toolbar\wltuser.exe
      C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe
      C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
      O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
      O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
      O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
      O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
      O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
      O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
      O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
      O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
      O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
      O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
      O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
      O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
      O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
      O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
      O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
      O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
      O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
      O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
      O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB002" /M "Stylus C64"
      O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
      O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
      O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
      O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
      O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
      O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
      O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
      O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
      O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
      O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
      O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
      O4 - Global Startup: Dell Network Assistant.lnk = ?
      O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
      O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
      O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
      O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
      O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
      O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
      O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
      O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159216988941
      O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
      O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
      O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.ooxtv.com/stream.ocx
      O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
      O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
      O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
      O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
      O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
      O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
      O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
      O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
      O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
      O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
      O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
      O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
      O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
      O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
      O23 - Service: NMSAccessU - Unknown owner - C:\Documents and Settings\Will\Local Settings\Temp\{A069857B-A614-4598-9495-B0029E79B748}\NMSAccessU.exe (file missing)
      O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
      O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
      O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
      O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

      --
      End of file - 11924 bytes

      SuperDave

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Thanked: 991
      • Certifications: List
      • Experience: Expert
      • OS: Windows 8
      Re: Serious spyware or virus problem (Help please!)
      « Reply #19 on: January 06, 2010, 05:57:17 PM »
Hello 007will. Your logs show that you are running two Anti-virus programs: McAfee (outdated) and LiveOneCare. Only one AV program should be run on a computer. More than that will cause lots of problems. Please let me know which you want to remove and I'll send you a tool to remove it. It also shows that you're running two firewalls (McAfee and LiveOneCare), which is also a no-no. One should be removed.

      1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
      It must be Notepad, not Wordpad.
      2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
      KillAll::

      Driver::
      pfsvgae

      3. Go to the Notepad window and click Edit > Paste
      4. Then click File > Save
      5. Name the file CFScript.txt - Save the file to your Desktop
      6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



      ComboFix will begin to execute, just follow the prompts.
      After reboot (in case it asks to reboot), it will produce a log for you.
      Post that log (Combofix.txt) in your next reply.

      Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

      Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender
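The two points SD makes from the logs above (two AV/firewall products registered at once, and the O23 service with no vendor string that runs from a Temp folder and whose binary is missing) are the kind of thing a helper checks by eye. The following Python is an added example, not a tool from this thread or from any of the programs it mentions; it parses HijackThis O23 lines and the AV:/FW: header lines of a ComboFix log and raises the same flags. The sample lines are copied from the logs posted in this thread, except the McAfee line and its GUID, which are constructed to reproduce the two-AV situation SD describes; the flagging rules themselves are my assumptions about what a reviewer looks for.

```python
"""Triage helper for HijackThis O23 lines and ComboFix AV/FW header lines.

Added example, not a tool from the thread. The flagging rules are the
author's assumptions about what a log reviewer looks for, not rules
from HijackThis or ComboFix themselves.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# O23 - Service: <name> - <vendor> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# AV: <product> *<state>* ... / FW: <product> *<state>* ...
AVFW_RE = re.compile(r"^(?P<kind>AV|FW): (?P<product>.+?) \*(?P<state>[^*]+)\*")

# Sample O23 lines copied from the HijackThis log in this thread.
SAMPLE_HJT = r"""
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Documents and Settings\Will\Local Settings\Temp\{A069857B-A614-4598-9495-B0029E79B748}\NMSAccessU.exe (file missing)
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
""".strip()

# OneCare lines copied from the ComboFix log in this thread; the McAfee
# line and its GUID are constructed to show the two-AV condition.
SAMPLE_CF = """
AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {CONSTRUCTED-GUID}
AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
""".strip()


@dataclass
class Service:
    name: str
    vendor: str
    path: str
    file_missing: bool
    flags: List[str] = field(default_factory=list)


def parse_o23(line: str) -> Optional[Service]:
    """Parse one O23 line and attach review flags; None if not an O23 line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    svc = Service(m["name"], m["vendor"], m["path"], m["missing"] is not None)
    low = svc.path.lower()
    if svc.vendor == "Unknown owner":
        svc.flags.append("no vendor string")
    if svc.file_missing:
        svc.flags.append("binary missing on disk")
    if "\\temp\\" in low or "\\local settings\\" in low:
        svc.flags.append("runs from user temp/profile directory")
    return svc


def triage_hjt(log: str) -> List[Service]:
    """Return only the O23 services that raised at least one flag."""
    return [s for s in map(parse_o23, log.splitlines()) if s and s.flags]


def triage_combofix_header(log: str) -> List[str]:
    """Flag disabled protection and more than one AV or FW product."""
    findings: List[str] = []
    products = {"AV": set(), "FW": set()}
    for line in log.splitlines():
        m = AVFW_RE.match(line.strip())
        if not m:
            continue
        kind, product, state = m["kind"], m["product"], m["state"]
        products[kind].add(product)
        if "disabled" in state.lower():
            findings.append(f"{kind} '{product}' reports: {state}")
    for kind, names in products.items():
        if len(names) > 1:
            findings.append(f"more than one {kind} product registered: {sorted(names)}")
    return findings


if __name__ == "__main__":
    for svc in triage_hjt(SAMPLE_HJT):
        print(f"{svc.name}: {', '.join(svc.flags)}")
    for finding in triage_combofix_header(SAMPLE_CF):
        print(finding)
```

Run as-is it prints the NMSAccessU service with all three flags and three header findings: OneCare's on-access scanning disabled, the OneCare firewall disabled, and two AV products registered. Lines that do not match either pattern are ignored, so the whole log can be fed in.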

      007will

        Topic Starter


        Beginner

        Re: Serious spyware or virus problem (Help please!)
        « Reply #20 on: January 07, 2010, 05:58:49 AM »
I will do as you have said when I get home from work. I would like to remove McAfee, as I am paying for LiveOneCare.

        Thanks!

        SuperDave

        Re: Serious spyware or virus problem (Help please!)
        « Reply #21 on: January 07, 2010, 12:32:34 PM »
        Download the McAfee Consumer Product Removal Tool to your Desktop.

        Using McAfee Consumer Product Removal tool:

        * Double click the MCPR.exe
        * A Command Line window will be displayed, and then close automatically.
        * Wait for a second Command Line window to be displayed.

        Note: Do not double-click MCPR.exe again, you may have to wait up to 1 minute for the next window to appear.

        * After the second window appears, the program will begin the cleanup.
        * Observe the installation, which could take several minutes. The following message will be displayed in the Command Line window: The machine must reboot to complete the un-installation. Reboot now? [y.n]
        * Press Y on the keyboard.
        * Wait for the computer to restart.
        * All McAfee products are now removed from your computer.

This is supposed to remove all traces of McAfee from your computer, but you should check in Add/Remove Programs to see if the McAfee firewall is gone also.

        007will


          Re: Serious spyware or virus problem (Help please!)
          « Reply #22 on: January 07, 2010, 02:22:05 PM »
Okay, I've done what you said. Log below.

          007will


            Re: Serious spyware or virus problem (Help please!)
            « Reply #23 on: January 07, 2010, 02:22:18 PM »
            ComboFix 10-01-04.01 - Will 07/01/2010  20:55:03.4.2 - x86
            Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1014.522 [GMT 0:00]
            Running from: c:\documents and settings\Will\Desktop\ComboFix.exe
            Command switches used :: c:\documents and settings\Will\Desktop\CFScript.txt
            AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
            FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
            .

            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .

            .
            (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
            .

            -------\Legacy_PFSVGAE
            -------\Service_pfsvgae


            (((((((((((((((((((((((((   Files Created from 2009-12-07 to 2010-01-07  )))))))))))))))))))))))))))))))
            .

            2010-01-07 00:31 . 2008-04-14 00:12   50176   ----a-w-   c:\windows\system32\proquota.exe
            2010-01-07 00:31 . 2008-04-14 00:12   50176   ----a-w-   c:\windows\system32\dllcache\proquota.exe
            2010-01-05 20:32 . 2010-01-05 20:33   --------   d-----w-   C:\Malwarebytes' Anti-Malware
            2009-12-31 10:18 . 2010-01-05 20:21   --------   d-----w-   c:\documents and settings\Will\Local Settings\Application Data\lptdvl
            2009-12-16 22:29 . 2009-12-16 22:42   --------   d-----w-   c:\documents and settings\Will\.hydrogen
            2009-12-16 22:27 . 2009-12-16 22:28   --------   d-----w-   c:\program files\Hydrogen
            2009-12-16 22:27 . 2009-12-16 22:27   --------   d-----w-   c:\program files\SwiffRec
            2009-12-16 22:24 . 2009-12-16 22:26   --------   d-----w-   c:\program files\BestPractice
            2009-12-16 22:22 . 2009-12-16 22:22   --------   d-----w-   c:\program files\AudioBookCutter_0_5_0
            2009-12-16 22:21 . 2009-12-16 22:21   --------   d-----w-   c:\program files\7-Zip
            2009-12-16 22:19 . 2009-12-16 22:19   --------   d-----w-   c:\program files\ggseq-0.3.1
            2009-12-16 22:17 . 2009-12-16 22:17   --------   d-----w-   c:\program files\WinLame_pre4
            2009-12-16 22:15 . 2009-12-16 22:15   --------   d-----w-   c:\program files\lame_3.96.1
            2009-12-13 16:23 . 2009-12-13 16:23   --------   d-----w-   c:\documents and settings\All Users\Application Data\TomTom
            2009-12-13 16:22 . 2009-12-13 16:22   --------   d-----w-   c:\documents and settings\Will\Local Settings\Application Data\TomTom
            2009-12-13 16:22 . 2009-12-13 16:22   --------   d-----w-   c:\documents and settings\Will\Application Data\TomTom
            2009-12-13 16:22 . 2009-12-13 16:22   --------   d-----w-   c:\program files\TomTom International B.V
            2009-12-13 16:22 . 2009-12-13 16:22   --------   d-----w-   c:\program files\TomTom HOME 2

            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2010-01-07 21:13 . 2008-09-21 20:50   --------   d-----w-   c:\documents and settings\All Users\Application Data\Kontiki
            2010-01-07 21:10 . 2007-03-01 14:05   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
            2010-01-07 20:57 . 2008-12-22 21:43   --------   d-----w-   c:\program files\Microsoft Windows OneCare Live
            2010-01-05 17:36 . 2008-12-31 15:48   --------   d-----w-   c:\program files\SUPERAntiSpyware
            2010-01-05 17:35 . 2010-01-05 17:35   52224   ----a-w-   c:\documents and settings\Will\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
            2010-01-05 17:35 . 2009-10-01 21:24   117760   ----a-w-   c:\documents and settings\Will\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
            2009-12-30 14:55 . 2009-01-01 15:53   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
            2009-12-30 14:54 . 2009-01-01 15:53   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
            2009-12-16 08:18 . 2009-11-10 20:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\SSScanAppDataDir
            2009-12-05 15:06 . 2006-09-20 09:20   --------   d-----w-   c:\program files\Java
            2009-12-05 15:03 . 2009-12-05 15:03   152576   ----a-w-   c:\documents and settings\Will\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
            2009-12-05 15:02 . 2009-12-05 15:02   79488   ----a-w-   c:\documents and settings\Will\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
            2009-11-10 22:20 . 2006-09-25 21:35   49000   ----a-w-   c:\documents and settings\Will\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
            2009-11-10 22:19 . 2008-03-06 08:19   --------   d-----w-   c:\program files\Windows Live
            2009-11-10 22:19 . 2006-09-26 09:34   --------   d-----w-   c:\program files\Windows Live Toolbar
            2009-11-10 22:18 . 2009-11-10 22:18   --------   d-----w-   c:\program files\Microsoft Sync Framework
            2009-11-10 22:11 . 2009-11-10 22:11   --------   d-----w-   c:\program files\Microsoft
            2009-11-10 22:11 . 2009-11-10 22:11   --------   d-----w-   c:\program files\Windows Live SkyDrive
            2009-11-10 20:42 . 2009-11-10 20:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\MSScanAppDataDir
            2009-10-29 07:45 . 2004-08-10 11:51   916480   ------w-   c:\windows\system32\wininet.dll
            2009-10-21 05:38 . 2004-08-10 11:51   75776   ----a-w-   c:\windows\system32\strmfilt.dll
            2009-10-21 05:38 . 2004-08-10 11:51   25088   ----a-w-   c:\windows\system32\httpapi.dll
            2009-10-20 16:20 . 2004-08-03 22:00   265728   ----a-w-   c:\windows\system32\drivers\http.sys
            2009-10-13 10:30 . 2004-08-10 11:51   270336   ----a-w-   c:\windows\system32\oakley.dll
            2009-10-12 19:37 . 2009-10-12 19:25   110415   ----a-w-   c:\windows\hpoins11.dat
            2009-10-12 13:38 . 2004-08-10 11:51   149504   ----a-w-   c:\windows\system32\rastls.dll
            2009-10-12 13:38 . 2004-08-10 11:51   79872   ----a-w-   c:\windows\system32\raschap.dll
            2009-10-11 04:17 . 2009-01-01 16:26   411368   ----a-w-   c:\windows\system32\deploytk.dll
            2008-10-07 07:00 . 2008-10-07 07:00   235296   ----a-w-   c:\program files\MC
            2008-11-16 23:42 . 2006-10-05 21:32   88   --sh--r-   c:\windows\system32\64D3CEE666.sys
            2008-05-19 20:22 . 2006-10-17 19:25   56   --sh--r-   c:\windows\system32\66E6CED364.sys
            2008-11-16 23:43 . 2006-10-05 21:32   5852   --sha-w-   c:\windows\system32\KGyGaAvL.sys
            .

            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4

            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
            "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 68856]
            "kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
            "AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]
            "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]
            "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
            "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
            "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
            "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
            "SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 282624]
            "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
            "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
            "AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-11-09 497240]
            "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-09-20 26112]
            "AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-03-19 78960]
            "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
            "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-09-20 169984]
            "Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 106496]
            "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 29696]
            "DSLSTATEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe" [2003-06-28 1658965]
            "DSLAGENTEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe" [2003-08-19 16384]
            "EPSON Stylus C64 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2003-05-27 99840]
            "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
            "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
            "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
            "OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-07-09 65240]
            "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2009-09-04 158448]

            [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
            "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
            "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

            c:\documents and settings\All Users\Start Menu\Programs\Startup\
            Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
            AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0\aoltray.exe [2006-9-20 156784]
            BT Broadband Basic Help.lnk - c:\program files\BT Broadband Basic Help\bin\matcli.exe [2006-10-31 200704]
            Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-9-20 7168]
            Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2006-9-25 581632]
            Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
            "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
            "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
            @="Service"

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
            @="Driver"

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
            @="Service"

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
            @="Service"

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
            "EnableFirewall"= 0 (0x0)

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
            "%windir%\\system32\\sessmgr.exe"=
            "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
            "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
            "c:\\Program Files\\AOL 9.0\\waol.exe"=
            "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
            "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
            "c:\\StubInstaller.exe"=
            "c:\\Sierra\\SWAT3\\Swat.icd"=
            "c:\\Program Files\\Raven\\Star Trek Voyager Elite Force\\stvoyHM.exe"=
            "c:\\Program Files\\EasyChat\\EasyChat.exe"=
            "c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
            "c:\\Program Files\\Kontiki\\KService.exe"=
            "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
            "c:\\Program Files\\iTunes\\iTunes.exe"=
            "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
            "c:\\Program Files\\LimeWire\\LimeWire.exe"=
            "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
            "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
            "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
            "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
            "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
            "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
            "10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
            "10426:UDP"= 10426:UDP:SingleClick ICC

            R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27/11/2008 12:11 682232]
            R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [15/09/2009 10:42 9968]
            R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [15/09/2009 10:42 74480]
            R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [09/07/2009 11:15 26104]
            R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [13/11/2009 11:31 92008]
            S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [05/10/2006 22:11 13592]
            S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [15/09/2009 10:42 7408]
            .
            Contents of the 'Scheduled Tasks' folder

            2009-10-20 c:\windows\Tasks\AppleSoftwareUpdate.job
            - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]
            .
            .
            ------- Supplementary Scan -------
            .
            uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
            uInternet Connection Wizard,ShellNext = hxxp://www.btbroadbandstart.com/
            uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
            DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
            .

            **************************************************************************

            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2010-01-07 21:10
            Windows 5.1.2600 Service Pack 3 NTFS

            scanning hidden processes ... 

            scanning hidden autostart entries ...

            scanning hidden files ... 

            scan completed successfully
            hidden files: 0

            **************************************************************************

            Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

            device: opened successfully
            user: MBR read successfully
            called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys sfsync02.sys hal.dll atapi.sys sptd.sys >>UNKNOWN [0x86D808A8]<<
            kernel: MBR read successfully
            detected MBR rootkit hooks:
            \Driver\Disk -> CLASSPNP.SYS @ 0xf7660f28
            \Driver\ACPI -> ACPI.sys @ 0xf73e3cb8
            \Driver\atapi -> sfsync02.sys @ 0xf762d8b4
            IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
            \Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
            NDIS:  -> SendCompleteHandler -> 0x0
             PacketIndicateHandler -> 0x0
             SendHandler -> 0x0
            user & kernel MBR OK

            **************************************************************************
            .
            --------------------- LOCKED REGISTRY KEYS ---------------------

            [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
            @DACL=(02 0000)
            "Installed"="1"

            [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
            @DACL=(02 0000)
            "Installed"="1"
            "NoChange"="1"

            [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
            @DACL=(02 0000)
            "Installed"="1"
            .
            --------------------- DLLs Loaded Under Running Processes ---------------------

            - - - - - - - > 'explorer.exe'(2908)
            c:\windows\system32\WININET.dll
            c:\program files\Logitech\SetPoint\lgscroll.dll
            c:\progra~1\WINDOW~2\wmpband.dll
            c:\windows\system32\ieframe.dll
            c:\windows\system32\webcheck.dll
            c:\windows\system32\WPDShServiceObj.dll
            c:\windows\system32\PortableDeviceTypes.dll
            c:\windows\system32\PortableDeviceApi.dll
            .
            ------------------------ Other Running Processes ------------------------
            .
            c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
            c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
            c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
            c:\program files\Bonjour\mDNSResponder.exe
            c:\program files\Dell Network Assistant\hnm_svc.exe
            c:\program files\Java\jre6\bin\jqs.exe
            c:\program files\Kontiki\KService.exe
            c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
            c:\program files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
            c:\windows\stsystra.exe
            c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
            c:\windows\system32\HPZipm12.exe
            c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
            c:\windows\system32\ZuneBusEnum.exe
            c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
            c:\program files\Microsoft Windows OneCare Live\winss.exe
            c:\windows\system32\SearchIndexer.exe
            c:\windows\system32\wscntfy.exe
            c:\program files\Logitech\SetPoint\KHALMNPR.EXE
            c:\program files\iPod\bin\iPodService.exe
            c:\program files\BT Broadband Basic Help\bin\mpbtn.exe
            .
            **************************************************************************
            .
            Completion time: 2010-01-07  21:19:36 - machine was rebooted
            ComboFix-quarantined-files.txt  2010-01-07 21:19
            ComboFix2.txt  2010-01-07 00:34

            Pre-Run: 38,101,262,336 bytes free
            Post-Run: 37,971,996,672 bytes free

            - - End Of File - - 8370B871BA0EBF97A30FBF75B9D4DEDC

            SuperDave

            Re: Serious spyware or virus problem (Help please!)
            « Reply #24 on: January 07, 2010, 04:54:42 PM »
Download GMER Rootkit Detector and save it to your desktop.
             
            * Extract it to your desktop and double-click GMER.exe
            * Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".
            * Click the Rootkit tab and then Scan.
            * Don't check the Show All box while scanning in progress!
            * When scanning is finished click Copy.
            * This copies the log to clipboard
            * Post the log in your reply.