
Persistent Trojan/Malware, Please Help!



Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:43:36 PM, on 5/25/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\CACHEM~1\CachemanXP.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\DAEMON Tools\daemon.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\GE\97769 Dual Scroll Optical Mouse\Amoumain.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\MSN Messenger\usnsvc.exe

\?\globalroot\C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe

O1 - Hosts: rch.info

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [iPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\GE\97769 Dual Scroll Optical Mouse\Amoumain.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\Main\protect.dll,_IWMPEvents@16

O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\m0t9i2fim.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\m0t9i2fim.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\2785438620.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [sYS32DLL] SYS32DLL (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\m0t9i2fim.exe (User 'Default user')

O4 - Startup: ChkDisk.dll

O4 - Startup: ChkDisk.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154225769015

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1243000470656

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: StumbleUponUpdateService - stumbleupon.com - C:\Program Files\StumbleUpon\StumbleUponUpdateService.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 8127 bytes

Hello, I've had this problem going on a month so far and it's making my life very miserable. I first noticed that my browser kept coming up with bogus search results in Google and Yahoo search, so I did a scan with Malwarebytes and got rid of it (assumably). A few days later I started to notice that at random times, whenever I would click a link to a site (email checking, MySpace, etc.), I would get redirected to some spam or bogus site, and it has not stopped at all. Now I'm beginning to notice that it seems to delete my Adobe Flash so I cannot view YouTube videos. I then tried to do a Spybot Search & Destroy scan, but about ten minutes into the scan it froze my computer. Then I tried Malwarebytes, and it restarted my computer. Then Trend Micro HouseCall, and the same thing happened. The anti-malware removal tool from Microsoft did that as well. I have to go into Safe Mode whenever I boot my computer up to use Malwarebytes just so I can function. Please help me, I'm in dire straits! I would appreciate any help given. Thank you for reading this.


  • Staff

Hi,

Please post the MalwareBytes log in your next reply.

Also, Is there any reason why you don't have an Antivirus installed?

Extra note.. I see you are running Teatimer.

I suggest you to disable it because it can interfere with the changes you'll make on your system.

When everything is done and your log is clean again, you can enable it again.

If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

After you disabled Teatimer, download ResetTeaTimer.exe to your desktop.

Then run ResetTeaTimer.exe.

This will only take a few seconds.

Then rerun malwarebytes and post the log.


Hello, thank you very much for helping me, I do appreciate it. To be honest, I've never needed a full antivirus; I've never had these problems before. But I've run Trend Micro's HouseCall scan at least once every two weeks for a little while now just to make sure... and ever since this started, every antivirus program out there has frozen up my computer or made it restart.

I followed your instructions, but when I went to do a Malwarebytes full system scan, about 5 minutes into the scan it restarted my computer. Should I try a quick scan instead?


  • Staff
"To be honest, I've never needed a full antivirus; I've never had these problems before."
Ehm, an Antivirus is mainly for PREVENTION. Please see here: http://miekiemoes.blogspot.com/2008/08/i-d...use-i-have.html
"I followed your instructions, but when I went to do a Malwarebytes full system scan, about 5 minutes into the scan it restarted my computer. Should I try a quick scan instead?"
Yes, because that's also what I instructed.

If it still reboots, try from Windows safe mode.


God, I feel like an idiot. No one needs surgery until they need a new organ. You're absolutely correct.

It looks like the quick scan worked, and yes, the results were rather scary.

Malwarebytes' Anti-Malware 1.37

Database version: 2185

Windows 5.1.2600 Service Pack 2

5/27/2009 10:22:07 AM

mbam-log-2009-05-27 (10-22-07).txt

Scan type: Quick Scan

Objects scanned: 89036

Time elapsed: 3 minute(s), 19 second(s)

Memory Processes Infected: 5

Memory Modules Infected: 1

Registry Keys Infected: 7

Registry Values Infected: 7

Registry Data Items Infected: 2

Folders Infected: 1

Files Infected: 23

Memory Processes Infected:

C:\WINDOWS\pp10.exe (Worm.Koobface) -> Unloaded process successfully.

C:\WINDOWS\system32\SYSDLL.exe (Trojan.Proxy) -> Unloaded process successfully.

C:\WINDOWS\system32\SYSDLL.exe (Trojan.Proxy) -> Unloaded process successfully.

c:\program Files\ThunMail\testabd.exe (Spyware.OnlineGamer) -> Unloaded process successfully.

C:\WINDOWS\ld08.exe (Worm.Koobface) -> Unloaded process successfully.

Memory Modules Infected:

C:\WINDOWS\system32\autochk.dll (Spyware.Agent) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\ty667.ty667mgr (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{437a43d5-e5c3-4959-bbd0-f2bfb1edc6fd} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{437a43d5-e5c3-4959-bbd0-f2bfb1edc6fd} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{437a43d5-e5c3-4959-bbd0-f2bfb1edc6fd} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\ty667.ty667mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp (Worm.Koobface) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svc (Spyware.OnlineGamer) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Worm.Koobface) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdll (Worm.Autorun) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux3 (Trojan.JSRedir.H) -> Bad: (C:\WINDOWS\system32\..\tvx.obn) Good: (wdmaud.drv) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Spyware.OnlineGamer) -> Data: c:\progra~1\thunmail\testabd.dll -> Quarantined and deleted successfully.

Folders Infected:

C:\Program Files\ThunMail (Spyware.OnlineGamer) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\autochk.dll (Spyware.Agent) -> Delete on reboot.

C:\WINDOWS\pp10.exe (Worm.Koobface) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SYSDLL.exe (Trojan.Proxy) -> Quarantined and deleted successfully.

C:\Documents and Settings\NetworkService\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\LocalService\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sysloc\sysloc.dll (Trojan.BHO) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\lmn_setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\config\systemprofile\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.

c:\WINDOWS\Temp\msb.dll (Spyware.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\Main\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\Main\local settings\temporary internet files\Content.IE5\2USVL5LO\nfr[1].exe (Trojan.Proxy) -> Quarantined and deleted successfully.

c:\documents and settings\Main\local settings\temporary internet files\Content.IE5\LNE8GJNP\6244[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.

c:\documents and settings\Main\local settings\temporary internet files\Content.IE5\P8X0GHQA\nfr[1].exe (Trojan.Proxy) -> Quarantined and deleted successfully.

c:\documents and settings\Main\start menu\Programs\Startup\ChkDisk.dll (Spyware.Agent) -> Quarantined and deleted successfully.

c:\program files\ThunMail\testabd.dll (Spyware.OnlineGamer) -> Quarantined and deleted successfully.

c:\program files\ThunMail\testabd.exe (Spyware.OnlineGamer) -> Quarantined and deleted successfully.

C:\WINDOWS\ld08.exe (Worm.Koobface) -> Quarantined and deleted successfully.

c:\documents and settings\Main\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.

c:\documents and settings\Main\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\vp_setup.exe.bat (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\sonce122730.dat (Worm.KoobFace) -> Quarantined and deleted successfully.


  • Staff

I have a bad feeling here though. It smells like you may also be dealing with Virut.

I really hope that's not the case here, because that would be a lost situation then.

It's easy to find out though... If an Antivirus immediately crashes or won't properly install, then you may be indeed dealing with Virut.

* Please install Avira Antivirus: http://www.free-av.com/

Perform a full scan with Avira and let it delete everything it is finding.

Then reboot.

After reboot, open your Avira and select "reports".

There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.


I was able to do a full system scan in Safe Mode, and this is the report:

Avira AntiVir Personal

Report file date: Wednesday, May 27, 2009 21:20

Scanning for 1284893 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 2) [5.1.2600]

Boot mode : Save mode

Username : Main

Computer name : TYR

Version information:

BUILD.DAT : 9.0.0.394 17962 Bytes 4/17/2009 11:20:00

AVSCAN.EXE : 9.0.3.5 466689 Bytes 4/17/2009 14:57:30

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 16:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 17:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 16:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36

ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 02:33:26

ANTIVIR2.VDF : 7.1.2.105 513536 Bytes 3/3/2009 13:41:14

ANTIVIR3.VDF : 7.1.2.127 110592 Bytes 3/5/2009 20:58:20

Engineversion : 8.2.0.100

AEVDF.DLL : 8.1.1.0 106868 Bytes 1/27/2009 23:36:42

AESCRIPT.DLL : 8.1.1.56 352634 Bytes 2/27/2009 02:01:56

AESCN.DLL : 8.1.1.7 127347 Bytes 2/12/2009 17:44:25

AERDL.DLL : 8.1.1.3 438645 Bytes 10/30/2008 00:24:41

AEPACK.DLL : 8.1.3.10 397686 Bytes 3/4/2009 19:06:10

AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 02:01:56

AEHEUR.DLL : 8.1.0.100 1618295 Bytes 2/25/2009 21:49:16

AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 02:01:56

AEGEN.DLL : 8.1.1.24 336244 Bytes 3/4/2009 19:06:10

AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 20:32:40

AECORE.DLL : 8.1.6.6 176501 Bytes 2/17/2009 20:22:44

AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 20:32:40

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 14:47:59

AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 16:32:15

AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 20:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 16:32:09

AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 21:05:41

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 16:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 21:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 14:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 16:32:10

RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 17:45:45

RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 16:19:48

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Wednesday, May 27, 2009 21:20

Starting search for hidden objects.

The driver could not be initialized.

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

11 processes with 11 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[iNFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[iNFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '72' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\Documents and Settings\Main\.housecall\Quarantine\Keygen for F.E.A.R.exe.bac_a02616

[DETECTION] Is the TR/Agent.aox Trojan

C:\Documents and Settings\Main\.housecall6.6\Quarantine\Keygen for F.E.A.R.exe.bac_a02376

[DETECTION] Is the TR/Agent.aox Trojan

C:\Documents and Settings\Main\.housecall6.6\Quarantine\Keygen for F.E.A.R.exe.bac_a02616

[DETECTION] Is the TR/Agent.aox Trojan

C:\Documents and Settings\Main\My Documents\FantaMorph_mahek.rar

[0] Archive type: RAR

--> FantaMorph_mahek\FantaMorph_HoCuS\keygen\keygen.exe

[DETECTION] Contains recognition pattern of the DIAL/27137.A dialer

C:\Starcraft Broodwar\Files\StarCraft_NOCD_Loader-DD.exe

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0Q1MGLQ4\cd[1].htm

[DETECTION] Contains HEUR/Malware suspicious code

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0Q1MGLQ4\lsp[1].exe

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7E2AZEI5\lsp[1].exe

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EGKTYHQF\cd[1].htm

[DETECTION] Contains HEUR/Malware suspicious code

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PKVCMK2F\6244[1].exe

[DETECTION] Is the TR/Dropper.Gen Trojan

C:\WINDOWS\system32\drivers\dtscsi.sys

[WARNING] The file could not be opened!

C:\WINDOWS\system32\drivers\sptd.sys

[WARNING] The file could not be opened!

C:\WINDOWS\system32\drivers\sptd3869.sys

[WARNING] The file could not be opened!

Beginning disinfection:

C:\Documents and Settings\Main\.housecall\Quarantine\Keygen for F.E.A.R.exe.bac_a02616

[DETECTION] Is the TR/Agent.aox Trojan

[NOTE] The file was moved to '4a970071.qua'!

C:\Documents and Settings\Main\.housecall6.6\Quarantine\Keygen for F.E.A.R.exe.bac_a02376

[DETECTION] Is the TR/Agent.aox Trojan

[NOTE] The file was moved to '49fd26aa.qua'!

C:\Documents and Settings\Main\.housecall6.6\Quarantine\Keygen for F.E.A.R.exe.bac_a02616

[DETECTION] Is the TR/Agent.aox Trojan

[NOTE] The file was moved to '4a970072.qua'!

C:\Documents and Settings\Main\My Documents\FantaMorph_mahek.rar

[NOTE] The file was moved to '4a8c006e.qua'!

C:\Starcraft Broodwar\Files\StarCraft_NOCD_Loader-DD.exe

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '4a7f0081.qua'!

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0Q1MGLQ4\cd[1].htm

[DETECTION] Contains HEUR/Malware suspicious code

[NOTE] The detection was classified as suspicious.

[NOTE] The file was moved to '4a790071.qua'!

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0Q1MGLQ4\lsp[1].exe

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '4a8e0080.qua'!

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7E2AZEI5\lsp[1].exe

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '4fbdaf21.qua'!

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EGKTYHQF\cd[1].htm

[DETECTION] Contains HEUR/Malware suspicious code

[NOTE] The detection was classified as suspicious.

[NOTE] The file was moved to '4f4db71a.qua'!

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PKVCMK2F\6244[1].exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '4a52003f.qua'!

End of the scan: Wednesday, May 27, 2009 22:07

Used time: 37:42 Minute(s)

The scan has been done completely.

9862 Scanned directories

216637 Files were scanned

8 Viruses and/or unwanted programs were found

2 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

10 Files were moved to quarantine

0 Files were renamed

4 Files cannot be scanned

216623 Files not concerned

1519 Archives were scanned

4 Warnings

11 Notes


  • Staff

Hi,

No wonder your computer is infected, with all those keygens and other illegal software. 80% of them are malware.

Anyway, we're not finished yet... * Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Wow, really? I got this computer from a friend of mine a while ago and he didn't tell me this.

Well, anyway, here is the report from ComboFix:

ComboFix 09-05-26.05 - Main 05/28/2009 11:39.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1703 [GMT -5:00]

Running from: c:\documents and settings\Main\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Main\Local Settings\Temporary Internet Files\bestwiner.stt

c:\documents and settings\Main\Local Settings\Temporary Internet Files\Cpvff.stt

c:\documents and settings\Main\Local Settings\Temporary Internet Files\fbk.sts

c:\windows\system32\AutoRun.inf

c:\windows\system32\drivers\ovfsthmepxuirfloypqwwqkxauufwxsbijxfmf.sys

c:\windows\system32\hetuyevo.exe

c:\windows\system32\ovfstheqorpwswulhraoqaklnnstiqoqxwpkrv.dll

c:\windows\system32\ovfsthkclwfsnkyaurqjodbhnsdltgmneeyhiu.dat

c:\windows\system32\ovfsthkioetlpmyvngvqxjxkuuqwgdwyfrmpqa.dat

c:\windows\system32\ovfsthoitlmvvmlpxckhonltdhstjuvvkxgptv.dll

c:\windows\system32\ovfsthwymtasitldtnrmvewlwulmybliyoxdny.dll

c:\windows\system32\uniq.tll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_ovfsthoodapbapqjxtevdlthesrqpstwjrujnv

-------\Legacy_OREANS32

((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))

.

2009-05-27 15:46 . 2009-05-27 15:46 -------- d-----w c:\program files\Avira

2009-05-27 15:46 . 2009-05-27 15:46 -------- d-----w c:\documents and settings\All Users\Application Data\Avira

2009-05-27 15:46 . 2009-03-30 15:33 96104 ----a-w c:\windows\system32\drivers\avipbb.sys

2009-05-27 15:46 . 2009-03-24 21:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys

2009-05-27 15:46 . 2009-02-13 17:29 22360 ----a-w c:\windows\system32\drivers\avgntmgr.sys

2009-05-27 15:46 . 2009-02-13 17:17 45416 ----a-w c:\windows\system32\drivers\avgntdd.sys

2009-05-27 15:12 . 2009-05-26 09:18 105 ----a-w C:\tj.vbs

2009-05-27 15:12 . 2009-05-27 15:12 107155 ----a-w c:\windows\system32\vic_setup.exe

2009-05-27 04:28 . 2009-05-27 04:28 180 ----a-w C:\487656.bat

2009-05-26 14:32 . 2009-05-27 15:22 -------- d-----w c:\windows\system32\sysloc

2009-05-15 14:22 . 2009-05-15 14:22 190 ----a-w C:\43214354.bat

2009-05-10 02:44 . 2009-05-10 02:44 -------- d-----w C:\8108b73ead8f9daa0819

2009-05-07 21:29 . 2009-05-07 21:29 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2009-05-06 07:41 . 2008-12-04 06:25 120832 ----a-w c:\documents and settings\Main\Application Data\Mozilla\Firefox\Profiles\ii6dqyeu.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll

2009-05-06 02:23 . 2009-05-06 02:23 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-05-05 15:42 . 2009-05-27 14:51 3371383 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-27 14:52 . 2009-02-13 02:09 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-05-27 04:51 . 2009-01-24 17:03 -------- d-----w c:\documents and settings\Main\Application Data\StumbleUpon

2009-05-26 18:20 . 2009-02-13 02:09 40160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-26 18:19 . 2009-02-13 02:09 19096 ----a-w c:\windows\system32\drivers\mbam.sys

2009-05-06 07:44 . 2008-07-29 22:01 -------- d-----w c:\program files\Windows Live Safety Center

2009-05-06 04:56 . 2007-01-17 05:27 -------- d-----w c:\program files\World of Warcraft

2009-05-01 05:02 . 2009-01-25 04:50 -------- d-----w c:\program files\StumbleUpon

2005-12-07 23:46 . 2006-12-20 06:09 11980772 ----a-w c:\program files\soldat131.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-14 67128]

"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-01-18 196608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]

"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]

"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-10-08 221184]

"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-01-18 458752]

"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-01-18 217088]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]

"WheelMouse"="c:\program files\GE\97769 Dual Scroll Optical Mouse\Amoumain.exe" [2007-02-27 184320]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

"WINDVDPatch"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2007-04-09 19456]

"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2007-04-09 19456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"SYSDLL"="SYSDLL" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-3-14 67128]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0smrgdf c:\program files\iolo\System Mechanic Professional 6\

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1155190149\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Common Files\\AOL\\1155190149\\ee\\aim6.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Soldat\\Soldat.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Steam\\steamapps\\victusdementis\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\victusdementis\\source sdk base\\hl2.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Duke3D\\eduke32.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"24868:TCP"= 24868:TCP:BitComet 24868 TCP

"24868:UDP"= 24868:UDP:BitComet 24868 UDP

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [7/29/2006 12:29 PM 9809]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/27/2009 10:46 AM 108289]

R2 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [8/3/2006 5:54 PM 208384]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/17/2008 12:16 PM 24652]

S3 cusbohcn;cusbohcn;\??\c:\docume~1\Main\LOCALS~1\Temp\cusbohcn.sys --> c:\docume~1\Main\LOCALS~1\Temp\cusbohcn.sys [?]

S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [4/12/2009 1:19 PM 120168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2009-04-22 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]

.

- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)

SafeBoot-procexp90.Sys

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://www.yahoo.com/

uInternet Settings,ProxyOverride = *.local;<local>

uInternet Settings,ProxyServer = http=localhost:7171

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Main\Application Data\Mozilla\Firefox\Profiles\ii6dqyeu.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com

FF - prefs.js: network.proxy.http - localhost

FF - prefs.js: network.proxy.http_port - 7171

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

VBEFile=NOTEPAD.EXE %1

VBSFile=NOTEPAD.EXE %1

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-28 11:43

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1844237615-2025429265-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{20640045-EE68-4941-8302-B93A55BA514C}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iajiilaoklgafgggdp"=hex:6a,61,66,64,66,69,68,6b,65,6c,6d,66,63,67,6d,6d,67,6e,

6b,6c,00,00

"halhckkflhflaaom"=hex:69,61,65,64,6e,66,6b,6a,6b,6a,6e,6a,65,70,6b,64,6b,63,

00,00

"iafnapcnapnalkeaef"=hex:63,61,69,64,65,6b,00,7c

[HKEY_USERS\S-1-5-21-1844237615-2025429265-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:d4,39,9a,e1,82,0c,a8,03,0e,12,3b,0a,e9,2a,c7,59,41,19,76,bb,49,f6,fa,

f3,40,ac,69,b3,13,e2,65,10,cf,cd,dc,f3,c0,aa,ec,42,a0,43,cb,0a,ac,52,e0,2b,\

"??"=hex:cb,72,68,35,76,aa,5a,d4,74,56,99,85,54,23,37,e4

[HKEY_USERS\S-1-5-21-1844237615-2025429265-682003330-1003\Software\SecuROM\License information*]

"datasecu"=hex:7e,8f,92,9c,7e,76,e5,86,f1,5a,60,65,a1,e6,b3,33,e4,ab,c7,b9,8c,

9c,b5,91,6f,2a,84,46,46,35,92,b2,f4,cd,03,1b,ef,f2,d4,84,82,8e,1a,11,c5,7b,\

"rkeysecu"=hex:cf,fd,36,ed,8f,83,8f,67,d5,d5,68,a4,04,da,e7,c7

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\wscntfy.exe

c:\program files\Logitech\Video\FxSvr2.exe

c:\windows\system32\msiexec.exe

.

**************************************************************************

.

Completion time: 2009-05-28 11:47 - machine was rebooted

ComboFix-quarantined-files.txt 2009-05-28 16:47

Pre-Run: 13,776,228,352 bytes free

Post-Run: 14,035,898,368 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4

220 --- E O F --- 2008-11-07 13:44

Also, it may or may not mean anything, but whenever I log on to my computer an automatic program starts trying to boot something up called "status". It's a little hard to explain; I could take a screenshot for you to see if you think it's malicious and worth dealing with.

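Two things in the log above stand out to a reader before any tool is run: a Run value under HKEY_USERS\.DEFAULT whose file is marked [X], and an S3 driver (cusbohcn) loaded from the user's Temp directory with a [?] image. Spotting those patterns across a long ComboFix log is easy to script. The following is an added example written for this thread, not ComboFix's own code and not anything from the staff replies; it runs regular expressions over a constructed excerpt of the lines above. Reading [X] as "no file on disk for this value" and [?] as "image could not be inspected" is my interpretation of the log's notation.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a handful of lines excerpted from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SYSDLL"="SYSDLL" [X]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/27/2009 10:46 AM 108289]
S3 cusbohcn;cusbohcn;\??\c:\docume~1\Main\LOCALS~1\Temp\cusbohcn.sys --> c:\docume~1\Main\LOCALS~1\Temp\cusbohcn.sys [?]
"""

# A registry key header such as [HKEY_LOCAL_MACHINE\...\Run]
KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
# A Run value: "name"="value" [- resolved path] [metadata]
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?:\s+-\s+(?P<resolved>.*?))?\s*\[(?P<meta>[^\]]*)\]$'
)
# A driver/service line: R0..R3 / S0..S4, then service;display;path [metadata]
SVC_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<service>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$"
)
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # "autostart" or "service"
    name: str    # value name or service name
    reason: str  # why it was flagged


def triage_log(text: str) -> List[Finding]:
    """Flag Run values with no file on disk and services whose image sits in a Temp directory."""
    findings: List[Finding] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")   # remember which hive/key the next values belong to
            continue
        m = RUN_RE.match(line)
        if m:
            if m.group("meta").strip() == "X":   # interpreted as: referenced file is absent
                findings.append(Finding("autostart", m.group("name"),
                                        f"no file found for value under {current_key}"))
            continue
        m = SVC_RE.match(line)
        if m:
            path = m.group("path")
            if "-->" in path:                    # "\??\x --> x": keep the resolved path
                path = path.split("-->", 1)[1].strip()
            reasons = []
            if TEMP_RE.search(path):
                reasons.append("driver/service image lives in a Temp directory")
            if m.group("meta").strip() == "?":   # interpreted as: image not inspectable
                reasons.append("image could not be inspected (metadata '?')")
            if reasons:
                findings.append(Finding("service", m.group("service"), "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.kind:10} {f.name:12} {f.reason}")
```

Run against the full log, the same two entries (SYSDLL and cusbohcn) are exactly the ones the staff member later removes with the Driver:: and Registry:: sections of the CFScript.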

  • Staff

Hi,

Also, it may or may not mean anything, but whenever I log on to my computer an automatic program starts trying to boot something up called "status". It's a little hard to explain; I could take a screenshot for you to see if you think it's malicious and worth dealing with.
No need for a screenshot. We'll look into that later. It's most probably related to one of those HP startup entries being set here.

Malware removal is still a priority here, so..

I see you have Viewpoint installed...

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Then,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

File::

C:\tj.vbs

C:\487656.bat

C:\43214354.bat

Folder::

c:\windows\system32\sysloc

Filelook::

c:\windows\system32\vic_setup.exe

c:\program files\soldat131.exe

Driver::

cusbohcn

DDS::

uInternet Settings,ProxyOverride = *.local;<local>

uInternet Settings,ProxyServer = http=localhost:7171

Firefox::

FF - ProfilePath - c:\documents and settings\Main\Application Data\Mozilla\Firefox\Profiles\ii6dqyeu.default\

FF - prefs.js: network.proxy.http - localhost

FF - prefs.js: network.proxy.http_port - 7171

FF - prefs.js: network.proxy.type - 4

REGNULL::

[HKEY_USERS\S-1-5-21-1844237615-2025429265-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{20640045-EE68-4941-8302-B93A55BA514C}*]

Registry::

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"SYSDLL"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"=-

"NoActiveDesktopChanges"=-

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

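The DDS:: and Firefox:: sections of the script above clear a proxy pointing at localhost:7171 in both Internet Explorer and Firefox, which is the classic shape of a local traffic-interception proxy. Checking for that from a copy of prefs.js and the ProxyServer value does not need ComboFix. The following is an added example, not the staff member's or ComboFix's code; the prefs.js excerpt is constructed to mirror the values in the log. It also applies the rule that Firefox only honours the manual host/port prefs when network.proxy.type is 1 (0 direct, 2 PAC, 4 auto-detect, 5 system), so with the logged value of 4 the localhost entry is dormant but still worth removing.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed prefs.js excerpt mirroring the Firefox values reported in the log above.
SAMPLE_PREFS = '''
user_pref("browser.startup.homepage", "http://www.yahoo.com");
user_pref("network.proxy.http", "localhost");
user_pref("network.proxy.http_port", 7171);
user_pref("network.proxy.type", 4);
'''
# The Internet Explorer ProxyServer string as shown in the DDS section of the log.
SAMPLE_IE_PROXYSERVER = "http=localhost:7171"

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
PREF_RE = re.compile(
    r'^\s*user_pref\("(?P<name>[^"]+)",\s*(?P<value>"[^"]*"|true|false|-?\d+)\);\s*$'
)


def parse_prefs(text: str) -> Dict[str, object]:
    """Parse user_pref(...) lines into a dict; strings, booleans and integers are typed."""
    prefs: Dict[str, object] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        value = m.group("value")
        if value.startswith('"'):
            prefs[m.group("name")] = value[1:-1]
        elif value in ("true", "false"):
            prefs[m.group("name")] = value == "true"
        else:
            prefs[m.group("name")] = int(value)
    return prefs


def firefox_proxy_findings(prefs: Dict[str, object]) -> List[dict]:
    """Report each configured manual proxy, whether it is loopback, and whether it is in effect."""
    # network.proxy.type: 0 direct, 1 manual, 2 PAC URL, 4 auto-detect (WPAD), 5 system.
    ptype = prefs.get("network.proxy.type")
    findings = []
    for scheme in ("http", "ssl", "ftp", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        if not host:
            continue
        findings.append({
            "scheme": scheme,
            "host": host,
            "port": prefs.get(f"network.proxy.{scheme}_port"),
            "loopback": str(host).strip("[]").lower() in LOOPBACK,
            "active": ptype == 1,   # manual entries are only used in manual mode
        })
    return findings


def parse_ie_proxyserver(value: str) -> Dict[str, Tuple[str, Optional[int]]]:
    """Split an IE ProxyServer value: 'host:port' (all protocols, key '*') or 'http=h:p;https=h:p'."""
    proxies: Dict[str, Tuple[str, Optional[int]]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        if not host:                      # no ':' present: the whole token is the host
            host, port = hostport, ""
        proxies[scheme.lower() or "*"] = (host.strip("[]"), int(port) if port.isdigit() else None)
    return proxies


def ie_loopback_proxies(value: str) -> Dict[str, Tuple[str, Optional[int]]]:
    """Only the entries that route traffic back into the local machine."""
    return {s: hp for s, hp in parse_ie_proxyserver(value).items() if hp[0].lower() in LOOPBACK}


if __name__ == "__main__":
    print(firefox_proxy_findings(parse_prefs(SAMPLE_PREFS)))
    print(ie_loopback_proxies(SAMPLE_IE_PROXYSERVER))
```

A loopback proxy is only meaningful if something is listening on that port, so the natural follow-up on the affected machine is to look at what process owns local port 7171, which is exactly the kind of thing the earlier rundll32 entry would have answered.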

ComboFix 09-05-26.05 - Main 05/28/2009 12:21.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1659 [GMT -5:00]

Running from: c:\documents and settings\Main\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Main\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::

"C:\43214354.bat"

"C:\487656.bat"

"C:\tj.vbs"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\43214354.bat

C:\487656.bat

C:\tj.vbs

c:\windows\system32\sysloc

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_CUSBOHCN

-------\Service_cusbohcn

((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))

.

2009-05-27 15:46 . 2009-05-27 15:46 -------- d-----w c:\program files\Avira

2009-05-27 15:46 . 2009-05-27 15:46 -------- d-----w c:\documents and settings\All Users\Application Data\Avira

2009-05-27 15:46 . 2009-03-30 15:33 96104 ----a-w c:\windows\system32\drivers\avipbb.sys

2009-05-27 15:46 . 2009-03-24 21:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys

2009-05-27 15:46 . 2009-02-13 17:29 22360 ----a-w c:\windows\system32\drivers\avgntmgr.sys

2009-05-27 15:46 . 2009-02-13 17:17 45416 ----a-w c:\windows\system32\drivers\avgntdd.sys

2009-05-27 15:12 . 2009-05-27 15:12 107155 ----a-w c:\windows\system32\vic_setup.exe

2009-05-10 02:44 . 2009-05-10 02:44 -------- d-----w C:\8108b73ead8f9daa0819

2009-05-07 21:29 . 2009-05-07 21:29 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2009-05-06 07:41 . 2008-12-04 06:25 120832 ----a-w c:\documents and settings\Main\Application Data\Mozilla\Firefox\Profiles\ii6dqyeu.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll

2009-05-06 02:23 . 2009-05-06 02:23 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-05-05 15:42 . 2009-05-27 14:51 3371383 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-28 17:17 . 2008-08-02 21:03 -------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems

2009-05-28 17:17 . 2006-08-03 22:56 -------- d--h--w c:\program files\InstallShield Installation Information

2009-05-28 17:17 . 2006-08-10 06:09 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint

2009-05-27 14:52 . 2009-02-13 02:09 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-05-27 04:51 . 2009-01-24 17:03 -------- d-----w c:\documents and settings\Main\Application Data\StumbleUpon

2009-05-26 18:20 . 2009-02-13 02:09 40160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-26 18:19 . 2009-02-13 02:09 19096 ----a-w c:\windows\system32\drivers\mbam.sys

2009-05-06 07:44 . 2008-07-29 22:01 -------- d-----w c:\program files\Windows Live Safety Center

2009-05-06 04:56 . 2007-01-17 05:27 -------- d-----w c:\program files\World of Warcraft

2009-05-01 05:02 . 2009-01-25 04:50 -------- d-----w c:\program files\StumbleUpon

2005-12-07 23:46 . 2006-12-20 06:09 11980772 ----a-w c:\program files\soldat131.exe

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

--- c:\program files\soldat131.exe ---

Company: !VERINFO: NOT PE FILE!

File Description: !VERINFO: NOT PE FILE!

File Version: !VERINFO: NOT PE FILE!

Product Name: !VERINFO: NOT PE FILE!

Copyright: !VERINFO: NOT PE FILE!

Original Filename: !VERINFO: NOT PE FILE!

File size: 11980772

Created time: 2006-12-20 06:09

Modified time: 2005-12-07 23:46

MD5: EC9566CD6FB5FDACF0C2BFB0C847DC42

SHA1: DB3248E5530B5428670D7BC4CF0070EC2C55F0C1

--- c:\windows\system32\vic_setup.exe ---

Company: !VERINFO: NOT PE FILE!

File Description: !VERINFO: NOT PE FILE!

File Version: !VERINFO: NOT PE FILE!

Product Name: !VERINFO: NOT PE FILE!

Copyright: !VERINFO: NOT PE FILE!

Original Filename: !VERINFO: NOT PE FILE!

File size: 107155

Created time: 2009-05-27 15:12

Modified time: 2009-05-27 15:12

MD5: 544B2209C95C4DD8DC0886EB1591655D

SHA1: 15D29AB225DC998C2256574C36D198409B0DF1FE

((((((((((((((((((((((((((((( SnapShot@2009-05-28_16.43.47 )))))))))))))))))))))))))))))))))))))))))

.

+ 2006-07-29 17:40 . 2009-05-28 17:24 139648 c:\windows\system32\FNTCACHE.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-14 67128]

"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-01-18 196608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]

"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]

"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-10-08 221184]

"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-01-18 458752]

"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-01-18 217088]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]

"WheelMouse"="c:\program files\GE\97769 Dual Scroll Optical Mouse\Amoumain.exe" [2007-02-27 184320]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

"WINDVDPatch"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2007-04-09 19456]

"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2007-04-09 19456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-3-14 67128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0smrgdf c:\program files\iolo\System Mechanic Professional 6\

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1155190149\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Common Files\\AOL\\1155190149\\ee\\aim6.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Soldat\\Soldat.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Steam\\steamapps\\victusdementis\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\victusdementis\\source sdk base\\hl2.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Duke3D\\eduke32.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"24868:TCP"= 24868:TCP:BitComet 24868 TCP

"24868:UDP"= 24868:UDP:BitComet 24868 UDP

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [7/29/2006 12:29 PM 9809]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/27/2009 10:46 AM 108289]

R2 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [8/3/2006 5:54 PM 208384]

S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [4/12/2009 1:19 PM 120168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2009-04-22 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://www.yahoo.com/

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Main\Application Data\Mozilla\Firefox\Profiles\ii6dqyeu.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-28 12:25

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1844237615-2025429265-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:d4,39,9a,e1,82,0c,a8,03,0e,12,3b,0a,e9,2a,c7,59,41,19,76,bb,49,f6,fa,

f3,40,ac,69,b3,13,e2,65,10,cf,cd,dc,f3,c0,aa,ec,42,a0,43,cb,0a,ac,52,e0,2b,\

"??"=hex:cb,72,68,35,76,aa,5a,d4,74,56,99,85,54,23,37,e4

[HKEY_USERS\S-1-5-21-1844237615-2025429265-682003330-1003\Software\SecuROM\License information*]

"datasecu"=hex:7e,8f,92,9c,7e,76,e5,86,f1,5a,60,65,a1,e6,b3,33,e4,ab,c7,b9,8c,

9c,b5,91,6f,2a,84,46,46,35,92,b2,f4,cd,03,1b,ef,f2,d4,84,82,8e,1a,11,c5,7b,\

"rkeysecu"=hex:cf,fd,36,ed,8f,83,8f,67,d5,d5,68,a4,04,da,e7,c7

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Logitech\Video\FxSvr2.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\msiexec.exe

.

**************************************************************************

.

Completion time: 2009-05-28 12:28 - machine was rebooted

ComboFix-quarantined-files.txt 2009-05-28 17:28

ComboFix2.txt 2009-05-28 16:47

Pre-Run: 14,112,165,888 bytes free

Post-Run: 14,085,828,608 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4

208 --- E O F --- 2008-11-07 13:44

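The Look section of the log above reports both soldat131.exe and vic_setup.exe as "NOT PE FILE", and a file carrying an .exe extension that is not a Portable Executable image is itself a reason for a second look, independent of any signature. As an added example (not ComboFix's code and not from the staff replies), here is the check behind that verdict, the MZ stub and the PE\0\0 signature that e_lfanew points at, together with the MD5/SHA1 fingerprint in the same upper-case form the log prints, so a copy of a file can be compared against the hashes recorded above. The sample bytes are constructed; build_fake_pe() only satisfies the header check and is not a loadable binary.

```python
import hashlib
import struct

EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".sys", ".scr", ".ocx")


def is_pe_image(data: bytes) -> bool:
    """True when data starts with an MZ header whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE header, little-endian
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def fingerprint(data: bytes) -> dict:
    """Size, PE verdict and upper-case MD5/SHA1, the same fields ComboFix prints in its Look section."""
    return {
        "size": len(data),
        "pe": is_pe_image(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
    }


def extension_mismatch(name: str, data: bytes) -> bool:
    """A file named like a Windows executable that is not a PE image deserves scrutiny."""
    return name.lower().endswith(EXECUTABLE_EXTENSIONS) and not is_pe_image(data)


def build_fake_pe() -> bytes:
    """Constructed: the smallest byte string that passes is_pe_image(); not a runnable binary."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)      # 0x40 bytes of DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)     # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\0\0" + b"\0" * 20  # PE signature followed by a zeroed COFF header


NOT_A_PE = b"abc"  # constructed non-PE content; its MD5/SHA1 are well-known test vectors


if __name__ == "__main__":
    for name, data in (("fake.exe", build_fake_pe()), ("vic_setup.exe", NOT_A_PE)):
        info = fingerprint(data)
        print(name, info, "MISMATCH" if extension_mismatch(name, data) else "ok")
```

On a real file, read it in binary mode and pass the bytes to fingerprint(); the hash strings can then be matched against the MD5/SHA1 values in the Look section to confirm you are looking at the same sample the log describes.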

  • Staff

Hi,

Please delete the following files:

c:\windows\system32\vic_setup.exe

c:\program files\soldat131.exe

Then, go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /.

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

To find out what program is causing the message at startup, it will be a matter of disabling startup entries.

To do this, go to start > run and type: msconfig

There, select the Startup tab.

In there, uncheck the following entries:

NvCplDaemon - NvCpl.dll

nwiz

DAEMON Tools - daemon.exe

WINDVDPatch

CTHelper

IPHSend

LVCOMSX

LogitechVideoRepair - ISStart.exe

LogitechVideoTray - LogiTray.exe

Adobe Photo Downloader - apdproxy.exe

NvMediaCenter - NvMcTray.dll

WheelMouse - Amoumain.exe

HP Software Update - HPWuSchd2.exe

LDM - LogitechDesktopMessenger.exe

LogitechSoftwareUpdate - ManifestEngine.exe

HP Digital Imaging Monitor.lnk - hpqtra08.exe

Logitech Desktop Messenger

Then reboot.

After the reboot, you'll see that something was modified in your system configuration. Just check the checkbox in the same window not to display this message again.

Let me know if you still get that message after reboot.

Basically, the above programs I asked you to disable are not required to start up with Windows anyway, so you can leave them disabled, unless you really want them starting up with Windows. In that case, check them again.


Hi!

ComboFix is uninstalled and I did indeed get that message after the reboot. And so far I have not gotten that startup "status" to come up.

So far there doesn't seem to be any of the problems mentioned above. Should I run Avira or Malwarebytes to make sure I'm clean?

I just want to tell you thank you very much for helping me and guiding me with these issues I've been having, not just my computer issues but my ignorance of what's on my computer and the appropriate way to try and take care of it. It's been a great blessing to me.


  • Staff

Hi,

Yes, run Avira and Malwarebytes to get rid of the leftovers if still present :P

Also,

Please read my Prevention page, with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


Both Avira and Malwarebytes ran through their respective courses with no restarts at all and with nothing found. Again I have to say thank you for your help and your patience with me and my issue. Believe it or not, you have improved my quality of life; lately I've been extremely hindered because of my dirty infected computer. Thank you.


  • 2 weeks later...
  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

