please help, lost control
Hi there struggling.

If you haven't already, please get these programs, update and run a complete scan removing all items found.

Spybot Search & Destroy: Be sure to use the immunize feature, but do not enable TeaTimer at this time. Use the tutorial feature in the Help tab to see how to go about this.

AVG AntiSpyware: Be sure to "take action".

Then go here and run a scan: Panda ActiveScan. There is a full tutorial on how to do this at the top of this forum.

Post the logs from the Panda and AVG scans please, along with a log from this program: HiJack This!

You will post three logs. 1. AVG scan. 2. Panda ActiveScan. 3. HiJack This scan. You will finish the AVG first, so go ahead and post that log, then move on to Panda and so forth.

I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures.


I'm not sure how to get the log from AVG. Since I have lost administrator rights on my computer I can't run the Panda scan, but here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:21:36 PM, on 11/28/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\System32\E_S00RP1.EXE

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Documents and Settings\SharShar\Desktop\utorrent.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Grisoft\AVG7\avgcc.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O2 - BHO: (no name) - {B5CDEF79-C6DD-4013-90AF-16FE0B84E00D} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [Auto EPSON Stylus CX4800 Series on SOUNDLAB] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P43 "Auto EPSON Stylus CX4800 Series on SOUNDLAB" /O18 "\\SOUNDLAB\Printer" /M "Stylus CX4800"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: tuvtqpo - tuvtqpo.dll (file missing)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\System32\E_S00RP1.EXE

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--

End of file - 4713 bytes

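As an added example (this is not code from any post in this thread, nor a HijackThis feature), here is a small Python script that applies, mechanically, the kind of checks a reader does by hand on a HijackThis log like the one above: entries whose target file is gone, BHOs with no display name, Winlogon Notify packages that are not on a known-good list or are given as a bare DLL name, autoruns that start from a user-writable folder, and services with no publisher. The allow list, the heuristics and the one invented O4 line in the sample are my assumptions; the other sample lines are copied from the log above. A flagged line is a reason to look closer, not a verdict.

```python
"""Heuristic triage of HijackThis v2.0.x log entries.

Added example, not a tool from the thread. The rules are assumptions about
which entries deserve a second look; a flagged line still has to be checked
against the file on disk and a reputable scanner before anything is removed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Every HijackThis finding starts with a section tag such as "O2 - " or "O20 - ".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# Winlogon Notify keys that ship with Windows XP, plus SUPERAntiSpyware's hook
# seen in the thread. Assumption: an allow list a practitioner maintains.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "!saswinlogon"}

# Autorun locations any user can write to. Not proof of anything, but it is
# where droppers usually land, so an O4 entry from here gets a closer look.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing looks odd."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None                      # header, process list, blank lines
    section, body = m.groups()
    reasons: List[str] = []

    if "(no file)" in body or "(file missing)" in body:
        reasons.append("registry entry points at a file that is not on disk")

    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("BHO registered without a display name")

    if section == "O20" and body.startswith("Winlogon Notify:"):
        # Format: "Winlogon Notify: <key> - <dll>[ (file missing)]"
        key, _, target = body[len("Winlogon Notify:"):].partition(" - ")
        if key.strip().lower() not in KNOWN_NOTIFY:
            reasons.append(f"Winlogon Notify key '{key.strip()}' is not on the allow list")
        if "\\" not in target:
            reasons.append("Notify DLL given without a path, so it loads from the search path")

    if section == "O4" and any(p in body.lower() for p in USER_WRITABLE):
        reasons.append("autorun target lives in a user-writable location")

    if section == "O23" and "Unknown owner" in body:
        reasons.append("service has no publisher in its version info")

    return Finding(section, line.strip(), reasons) if reasons else None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged entries."""
    findings = [triage_line(l) for l in text.splitlines()]
    return [f for f in findings if f is not None]


# Constructed sample: entries copied from the thread's first HijackThis log,
# plus one invented O4 line (the "[example]" entry) to exercise the O4 rule.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B5CDEF79-C6DD-4013-90AF-16FE0B84E00D} - (no file)
O4 - HKCU\..\Run: [example] C:\Documents and Settings\user\Local Settings\Temp\x.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tuvtqpo - tuvtqpo.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.section, f.line)
        for r in f.reasons:
            print("   -", r)
```

Run against the sample, the script flags the two nameless BHOs, the constructed O4 entry and the tuvtqpo Winlogon Notify entry (three reasons for that one: missing file, unknown key, bare DLL name), and stays silent on the Adobe BHO, the SUPERAntiSpyware hook and the Ad-Aware service. Feed it a real log with `triage_log(open("hijackthis.log").read())`; the O20 rule is the one worth keeping strict, since a Winlogon Notify DLL runs inside winlogon.exe at every logon.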

Turn off TeaTimer in Spybot Search & Destroy until we are done cleaning.

Then get Windows Update SP1. Don't get SP2 yet, but you must get SP1 before we go on.

Then get this please:

1. Download this file :

http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply.

Note:

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


ComboFix 07-11-19.4C - SharShar 2007-11-30 16:39:15.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.792 [GMT -7:00]

Running from: C:\Documents and Settings\SharShar\Desktop\Internet downloads\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\shdocvs.dll

.

((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))

.

2007-11-30 16:26 <DIR> d-------- C:\WINDOWS\LastGood.Tmp

2007-11-30 16:26 844,048 --a------ C:\WINDOWS\system32\msdxm.ocx

2007-11-30 16:26 498,960 --a------ C:\WINDOWS\system32\dxmasf.dll

2007-11-28 12:34 1,406 --a------ C:\WINDOWS\system32\Help.ico

2007-11-28 12:31 30,590 --a------ C:\WINDOWS\system32\pavas.ico

2007-11-28 12:21 <DIR> d-------- C:\Program Files\Trend Micro

2007-11-28 09:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-11-12 17:18 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll

2007-11-06 17:02 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2007-11-06 17:02 <DIR> d-------- C:\Documents and Settings\SharShar\Application Data\SUPERAntiSpyware.com

2007-11-06 17:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2007-11-06 17:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-11-06 17:00 <DIR> d-------- C:\Program Files\RogueRemover FREE

2007-11-05 16:54 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$

2007-11-01 20:55 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files

2007-11-01 20:55 <DIR> d--h----- C:\WINDOWS\msdownld.tmp

2007-11-01 20:37 77,824 --a------ C:\MicroSofts.pif

2007-11-01 20:28 0 --a------ C:\WINDOWS\system32\mscorews.dll

2007-11-01 19:10 <DIR> d-------- C:\Documents and Settings\SharShar\Application Data\AVG7

2007-11-01 19:10 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7

2007-11-01 19:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

2007-11-01 19:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7

2007-11-01 18:54 <DIR> d-------- C:\Program Files\Lavasoft

2007-11-01 18:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2007-11-01 16:31 14,747 --ahs---- C:\WINDOWS\system32\fhhkj.ini

2007-11-01 16:31 6,470 --ahs---- C:\WINDOWS\system32\fhhkj.bak1

2007-11-01 16:26 <DIR> d--hs---- C:\WINDOWS\b2sgYWsncw

2007-11-01 16:26 <DIR> d-------- C:\Temp\mZOr

2007-11-01 16:26 <DIR> d-------- C:\Temp

2007-10-31 07:42 <DIR> d-------- C:\Program Files\support.com

2007-10-31 07:42 <DIR> d-------- C:\Program Files\Common Files\SupportSoft

2007-10-26 16:52 331,776 --a------ C:\WINDOWS\system32\winhttp.dll

2007-10-26 16:52 7,680 --a------ C:\WINDOWS\system32\bitsprx2.dll

2007-10-26 16:52 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll

2007-10-21 15:12 65,536 --a------ C:\WINDOWS\system32\E_S00RP1.EXE

2007-10-04 19:30 36,624 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys

2007-10-04 19:30 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys

2007-10-04 19:30 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-11-30 21:31 --------- d-----w C:\Documents and Settings\SharShar\Application Data\uTorrent

2007-11-29 04:09 --------- d-----w C:\Program Files\MSN Messenger

2007-11-29 04:08 --------- d-----w C:\Program Files\Google

2007-11-29 04:07 --------- d-----w C:\Program Files\Common Files\LightScribe

2007-11-02 02:30 --------- d-----w C:\Documents and Settings\SharShar\Application Data\CC_CCBN_Editor

.

((((((((((((((((((((((((((((( snapshot@2007-11-02_ 8.07.43.06 )))))))))))))))))))))))))))))))))))))))))

.

- 2007-10-30 01:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe

+ 2007-11-08 23:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe

+ 2006-08-24 15:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll

+ 2007-11-07 00:02:08 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe

+ 2007-11-07 00:02:08 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe

+ 2007-11-07 00:02:08 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe

+ 2001-03-23 23:17:12 7,168 ----a-w C:\WINDOWS\LastGood.Tmp\System32\updcrl.exe

+ 2007-03-29 16:20:50 110,592 ----a-w C:\WINDOWS\system32\ActiveScan\as.dll

+ 2006-10-05 23:15:26 233,472 ----a-w C:\WINDOWS\system32\ActiveScan\ascontrol.dll

+ 2005-06-03 21:03:18 96,256 ----a-w C:\WINDOWS\system32\ActiveScan\asmdat.dll

+ 2003-08-01 18:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll

+ 2005-05-20 20:42:44 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\instlsp.dll

+ 2006-02-17 01:20:20 4,608 ----a-w C:\WINDOWS\system32\ActiveScan\memvfile.dll

+ 2005-10-26 01:08:32 348,160 ----a-w C:\WINDOWS\system32\ActiveScan\msvcr71.dll

+ 2004-05-04 22:01:02 139,264 ----a-w C:\WINDOWS\system32\ActiveScan\pavaleas.dll

+ 2006-07-14 20:04:10 45,056 ----a-w C:\WINDOWS\system32\ActiveScan\pavdr.exe

+ 2006-04-10 17:50:02 159,832 ----a-w C:\WINDOWS\system32\ActiveScan\pavexcom.dll

+ 2006-02-14 20:05:38 94,208 ----a-w C:\WINDOWS\system32\ActiveScan\pavinas.dll

+ 2006-02-17 01:35:38 180,224 ----a-w C:\WINDOWS\system32\ActiveScan\pavoe.dll

+ 2006-10-05 23:15:38 122,880 ----a-w C:\WINDOWS\system32\ActiveScan\pavpz.dll

+ 2006-06-30 21:13:38 8,704 ----a-w C:\WINDOWS\system32\ActiveScan\pfdnnt.exe

+ 2004-02-04 21:08:42 49,152 ----a-w C:\WINDOWS\system32\ActiveScan\port32.dll

+ 2006-08-01 20:23:10 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pscpu.dll

+ 2006-08-23 20:06:08 1,388,544 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll

+ 2006-08-17 18:38:14 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\pskalloc.dll

+ 2006-09-04 18:49:54 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\pskas.dll

+ 2006-08-18 15:46:18 779,264 ----a-w C:\WINDOWS\system32\ActiveScan\pskavs.dll

+ 2007-03-26 21:25:34 417,792 ----a-w C:\WINDOWS\system32\ActiveScan\pskcmp.dll

+ 2006-08-09 17:42:24 90,112 ----a-w C:\WINDOWS\system32\ActiveScan\pskfss.dll

+ 2006-07-19 17:55:58 208,896 ----a-w C:\WINDOWS\system32\ActiveScan\pskhtml.dll

+ 2006-01-20 23:57:00 9,728 ----a-w C:\WINDOWS\system32\ActiveScan\pskmas.dll

+ 2006-05-17 16:50:12 14,336 ----a-w C:\WINDOWS\system32\ActiveScan\pskmdfs.dll

+ 2006-08-16 17:58:12 33,280 ----a-w C:\WINDOWS\system32\ActiveScan\pskpack.dll

+ 2006-06-30 21:42:36 266,240 ----a-w C:\WINDOWS\system32\ActiveScan\pskscs.dll

+ 2006-08-17 21:33:14 62,976 ----a-w C:\WINDOWS\system32\ActiveScan\pskutil.dll

+ 2006-08-08 20:13:10 13,312 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfile.dll

+ 2006-08-18 15:53:08 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfs.dll

+ 2006-08-18 15:49:50 167,936 ----a-w C:\WINDOWS\system32\ActiveScan\pskvm.dll

+ 2007-04-19 00:16:04 353,840 ----a-w C:\WINDOWS\system32\ActiveScan\psscan.dll

+ 2007-01-22 21:42:48 35,328 ----a-w C:\WINDOWS\system32\ActiveScan\rawvfile.dll

+ 1997-09-18 13:12:32 9,488 ----a-w C:\WINDOWS\system32\ActiveScan\sporder.dll

+ 2006-03-01 00:23:40 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\tcpvfile.dll

+ 2006-08-02 19:39:06 73,728 ----a-w C:\WINDOWS\system32\asuninst.exe

- 2007-11-02 01:40:11 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

+ 2007-11-30 23:25:57 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

- 2007-11-02 01:40:11 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2007-11-30 23:25:57 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2007-11-30 23:26:23 8,192 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache1\MM2048.DAT

+ 2007-11-30 23:26:23 8,192 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache1\MM256.DAT

+ 2007-11-30 23:26:23 8,192 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache2\MM2048.DAT

+ 2007-11-30 23:26:23 8,192 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache2\MM256.DAT

+ 2007-11-30 23:26:23 8,192 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache3\MM2048.DAT

+ 2007-11-30 23:26:23 8,192 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache3\MM256.DAT

+ 2007-11-30 23:26:23 8,192 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache4\MM2048.DAT

+ 2007-11-30 23:26:23 8,192 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache4\MM256.DAT

- 2007-11-02 01:40:11 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2007-11-30 23:25:57 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2001-08-17 13:28:08 509,353 ----a-w C:\WINDOWS\system32\drivers\ltmdmnt.sys

+ 2003-03-31 21:29:00 625,537 ----a-w C:\WINDOWS\system32\drivers\ltmdmnt.sys

- 2001-08-26 16:00:00 72,704 ----a-w C:\WINDOWS\system32\iexpress.dll

+ 2001-08-27 15:00:00 83,968 ----a-w C:\WINDOWS\system32\iexpress.dll

+ 2001-08-27 16:00:00 6,554 ----a-w C:\WINDOWS\system32\magnify.dll

+ 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe

- 2001-08-24 14:00:00 33,858 ----a-w C:\WINDOWS\system32\msratnit.dll

+ 2001-08-24 15:00:00 36,131 ----a-w C:\WINDOWS\system32\msratnit.dll

- 2007-11-01 23:22:05 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat

+ 2007-11-13 03:00:26 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat

- 2007-11-01 23:22:05 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat

+ 2007-11-13 03:00:26 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat

+ 2001-08-17 13:28:08 509,353 ----a-w C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\ltmdmnt.sys

- 2001-08-23 12:00:00 246,302 ----a-w C:\WINDOWS\system32\strmdll.dll

+ 2001-04-20 19:14:22 251,904 ----a-w C:\WINDOWS\system32\strmdll.dll

- 2007-04-02 21:21:27 139,776 ----a-w C:\WINDOWS\system32\swreg.exe

+ 2007-07-23 01:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe

+ 2001-03-23 23:17:12 7,168 ----a-w C:\WINDOWS\system32\updcrl.exe

+ 2004-01-10 05:11:10 26,112 ----a-w C:\WINDOWS\system32\xpsp1hfm.exe

+ 2003-03-26 01:53:50 11,776 ----a-w C:\WINDOWS\system32\ZPORT4AS.dll

+ 2007-11-30 23:15:33 491,768 ------w C:\WINDOWS\Windows Update Setup Files\ie6setup.exe

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5CDEF79-C6DD-4013-90AF-16FE0B84E00D}]

2001-08-27 08:00 83968 --a------ C:\WINDOWS\System32\iexpress.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-13 15:50]

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]

"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 09:37]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Auto EPSON Stylus CX4800 Series on SOUNDLAB"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 12:00]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-11 19:03]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"wextract_cleanup0"="C:\WINDOWS\System32\advpack.dll" [2001-08-23 05:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-13 15:50]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-01 19:09]

C:\Documents and Settings\SharShar\Start Menu\Programs\Startup\

Resume Windows Update Installation.lnk - C:\WINDOWS\Windows Update Setup Files\ie6setup.exe [2007-11-30 16:17:30]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtqpo]

tuvtqpo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autos.exe]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autos.exe

backup=C:\WINDOWS\pss\autos.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^SharShar^Start Menu^Programs^Startup^infos.exe]

path=C:\Documents and Settings\SharShar\Start Menu\Programs\Startup\infos.exe

backup=C:\WINDOWS\pss\infos.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2007-05-11 02:06 40048 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]

2007-03-01 09:37 2321600 -ra------ C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]

ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDTray]

2004-09-03 01:58 65536 --------- C:\Program Files\nero\ODD Toolkit\DVDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4800 Series]

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 EPSON Stylus CX4800 Series /O6 USB001 /M Stylus CX4800

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 10:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2007-09-13 15:50 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler]

2005-02-13 23:54 81920 --a------ C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Undefined]

C:\WINDOWS\System32\winter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"gusvc"=3 (0x3)

"CryptSvc"=2 (0x2)

.

**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-30 16:41:49

Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2007-11-30 16:42:54 - machine was rebooted

C:\ComboFix.txt ... 2007-11-02 08:09

.

--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:43:57 PM, on 11/30/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\System32\E_S00RP1.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O2 - BHO: iexpress - {B5CDEF79-C6DD-4013-90AF-16FE0B84E00D} - C:\WINDOWS\System32\iexpress.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Auto EPSON Stylus CX4800 Series on SOUNDLAB] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P43 "Auto EPSON Stylus CX4800 Series on SOUNDLAB" /O18 "\\SOUNDLAB\Printer" /M "Stylus CX4800"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: tuvtqpo - tuvtqpo.dll (file missing)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\System32\E_S00RP1.EXE

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--

End of file - 4757 bytes

Now when I double-click on these text files I get messages that they are not valid Win32 applications. I have to use "Open with".

I had trouble with the SP1 and ComboFix; not sure if they're done right.

Seems like technology just isn't my friend.


Incident Status Location

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\SharShar\Cookies\sharshar@doubleclick[1].txt

Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\SharShar\Cookies\sharshar@statse.webtrendslive[2].txt

Spyware:Cookie/Target Not disinfected C:\Documents and Settings\SharShar\Cookies\sharshar@target[2].txt

Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\SharShar\Cookies\sharshar@tucows[1].txt

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\RECYCLER\S-1-5-21-1935655697-926492609-839522115-1003\Dc1.exe[nircmd.exe]

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\RECYCLER\S-1-5-21-1935655697-926492609-839522115-1003\Dc1.exe[nircmd.cfexe]

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe

Still haven't figured out where to get the AVG log.

A little help? 8)


You can usually find how to run specific software by looking in the Help tab.

AVG Anti-Spyware Settings

Select the "Scanner" icon at the top of the screen, then select the "Settings" tab.

In the Settings screen click "Recommended actions" and then select "Quarantine".

Under "Reports"

Select "Automatically generate report after every scan"

DE-Select "Only if threats were found"

IMPORTANT: Do not open any other windows or programs while AVG is scanning; it may interfere with the scanning process.

Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan"

AVG Anti-Spyware will now begin the scanning process. Be patient as this may take a little time.

While scanning, AVG will list any infections found on the left side.

When the scan is completed, the recommended action should be set to Quarantine. If not, click Recommended Action and set it there. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right side.

Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).

Close AVG Anti-Spyware.
