windows xp antispyware 2010 help.

[djequal1987]

Hi im in some real help here, i have been around the internet to find out how to remove this mailware but i cant get anywhere.

i tried using sdfix in safe mode because malwarebytes wont run

and i have used fixexe also tried renaming the exe file of mailwarebytes but im still stuck an it wont run.

any ideas on what i can do?

many thanks luke.

[djequal1987]

this is my hijackthis log

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 7:35:44:pm, on 08/03/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\SYSTEM32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\SYSTEM32\Ati2evxx.exe

D:\WINDOWS\system32\spoolsv.exe

D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

D:\Program Files\Bonjour\mDNSResponder.exe

D:\WINDOWS\System32\svchost.exe

D:\Program Files\Java\jre6\bin\jqs.exe

D:\Program Files\Eset\nod32krn.exe

D:\WINDOWS\system32\PnkBstrA.exe

D:\WINDOWS\system32\PnkBstrB.exe

D:\WINDOWS\system32\PSIService.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\Tablet.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\system32\wscntfy.exe

D:\WINDOWS\system32\WTablet\TabUserW.exe

D:\WINDOWS\system32\Tablet.exe

D:\WINDOWS\SYSTEM32\notepad.exe

D:\WINDOWS\Mixer.exe

D:\Program Files\LClock\LClock.exe

D:\Program Files\Java\jre6\bin\jusched.exe

D:\WINDOWS\system32\atwtusb.exe

D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

D:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe

D:\WINDOWS\system32\ctfmon.exe

D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

D:\Program Files\Messenger\msmsgs.exe

D:\Program Files\Java\jre6\bin\jucheck.exe

D:\WINDOWS\SYSTEM32\taskmgr.exe

D:\Documents and Settings\Luke\Local Settings\Application Data\av.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\WINDOWS\system32\msiexec.exe

D:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=13928&l=dis

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirec...p;gc=1&q=%s

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - D:\Program Files\AskSearch\bin\DefaultSearch.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [LClock] D:\Program Files\LClock\LClock.exe

O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [JWOSetup] JWOSetup.exe -en

O4 - HKLM\..\Run: [startCCC] "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [F5D7050v3] D:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe

O4 - HKLM\..\Run: [openfiless.exe] D:\WINDOWS\system32\openfiless.exe

O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "D:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

O4 - HKCU\..\Run: [spybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "D:\WINDOWS\eHome" (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_05] cmd.exe /c md "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_06] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_07] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_08] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "D:\WINDOWS\eHome" (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll

O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Autodesk Licensing Service - Unknown owner - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe

O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - D:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: ProtexisLicensing - Unknown owner - D:\WINDOWS\system32\PSIService.exe

O23 - Service: TabletService - Wacom Technology, Corp. - D:\WINDOWS\system32\Tablet.exe

--

End of file - 8821 bytes

[Maniac]

Hello Luke! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

• The process of cleaning your system may take some time, so please be patient.
  
• Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  
• Instructions that I give are for your system only!
  
• If you don't know or can't understand something please ask.
  
• Do not install any software or hardware, while work on.
  

Step 1:

• Open HijackThis, click Config, click Misc Tools
  
• Click Open Uninstall Manager
  
• Click Save List (generates uninstall_list.txt)
  
• Click Save, copy and paste the results in your next post.
  

Step 2:

Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.

In your next reply, please include these log(s):

* HijackThis Uninstall List

* HijackThis log (new)

* ComboFix log