A problem with XP Smart Security 2010


Hi all! I've been running pretty 'clean' with Mbytes until the other day, when I got the XP Smart Security 2010 pop-ups. I immediately disconnected from the net & ran Mbytes - no results; ran SUPERAntiSpyware - no results; ran AVG Free AntiVirus - no results; ran Spybot Search & Destroy - just some Firefox cookies found. I kept getting the pop-ups; in Task Manager, ave.exe was the process that started each time with the pop-ups. I kept ending the process while searching for the file ave.exe & deleted the file. That stopped the XP Smart Security 2010 pop-ups, but now when using Firefox I get random spam/phishing site pop-ups & it seems like my Google search in Firefox is hacked. I also can NOT open Internet Explorer!

As requested in "I'm infected - What do I do now? Please follow these instructions to clean your system", here are the logs...

DDS-

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 1/26/2002 11:11:46 AM

System Uptime: 3/18/2010 2:28:01 PM (24 hours ago)

Motherboard: Dell Computer Corporation | | Dimension 4300

Processor: Intel® Pentium® 4 CPU 1.60GHz | Microprocessor | 1595/100mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 37 GiB total, 25.397 GiB free.

D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP66: 1/9/2010 2:02:31 PM - System Checkpoint

RP67: 1/12/2010 3:59:05 PM - System Checkpoint

RP68: 1/13/2010 12:03:18 PM - Software Distribution Service 3.0

RP69: 1/14/2010 11:34:09 AM - Software Distribution Service 3.0

RP70: 1/15/2010 12:37:46 PM - System Checkpoint

RP71: 1/16/2010 3:59:04 PM - System Checkpoint

RP72: 1/17/2010 5:31:05 PM - System Checkpoint

RP73: 1/18/2010 7:27:34 PM - System Checkpoint

RP74: 1/19/2010 2:52:21 AM - Software Distribution Service 3.0

RP75: 1/20/2010 4:16:45 AM - System Checkpoint

RP76: 1/21/2010 5:35:39 AM - System Checkpoint

RP77: 1/22/2010 7:38:02 AM - System Checkpoint

RP78: 1/23/2010 10:06:24 AM - System Checkpoint

RP79: 1/23/2010 12:30:26 PM - Software Distribution Service 3.0

RP80: 1/24/2010 6:10:25 PM - System Checkpoint

RP81: 1/26/2010 12:08:47 AM - System Checkpoint

RP82: 1/26/2010 10:56:29 PM - Software Distribution Service 3.0

RP83: 1/27/2010 9:58:07 AM - Software Distribution Service 3.0

RP84: 1/28/2010 2:35:29 PM - System Checkpoint

RP85: 1/28/2010 11:14:53 PM - Software Distribution Service 3.0

RP86: 1/30/2010 6:20:48 AM - System Checkpoint

RP87: 1/31/2010 6:46:19 AM - System Checkpoint

RP88: 2/1/2010 6:47:35 AM - System Checkpoint

RP89: 2/2/2010 12:44:34 PM - System Checkpoint

RP90: 2/2/2010 7:53:18 PM - Windows Defender Checkpoint

RP91: 2/2/2010 9:15:00 PM - Software Distribution Service 3.0

RP92: 2/4/2010 1:04:40 AM - System Checkpoint

RP93: 2/4/2010 11:31:49 AM - Avg8 Update

RP94: 2/4/2010 1:18:47 PM - Software Distribution Service 3.0

RP95: 2/5/2010 4:52:48 PM - System Checkpoint

RP96: 2/6/2010 8:11:32 PM - System Checkpoint

RP97: 2/7/2010 9:56:20 PM - System Checkpoint

RP98: 2/8/2010 11:48:08 PM - System Checkpoint

RP99: 2/9/2010 2:43:02 AM - Software Distribution Service 3.0

RP100: 2/9/2010 7:51:26 PM - Software Distribution Service 3.0

RP101: 2/10/2010 8:23:45 PM - System Checkpoint

RP102: 2/11/2010 10:23:51 PM - System Checkpoint

RP103: 2/12/2010 10:31:53 AM - Software Distribution Service 3.0

RP104: 2/13/2010 11:29:15 AM - System Checkpoint

RP105: 2/14/2010 12:40:13 PM - System Checkpoint

RP106: 2/15/2010 2:23:19 PM - System Checkpoint

RP107: 2/15/2010 5:40:47 PM - Software Distribution Service 3.0

RP108: 2/16/2010 7:56:48 PM - System Checkpoint

RP109: 2/17/2010 12:53:16 PM - Windows Defender Checkpoint

RP110: 2/18/2010 12:54:19 PM - System Checkpoint

RP111: 2/19/2010 1:00:55 AM - Software Distribution Service 3.0

RP112: 2/26/2010 1:51:57 PM - Software Distribution Service 3.0

RP113: 2/27/2010 7:50:33 PM - System Checkpoint

RP114: 2/28/2010 8:16:49 PM - System Checkpoint

RP115: 3/2/2010 12:28:35 PM - Software Distribution Service 3.0

RP116: 3/5/2010 1:38:10 PM - Software Distribution Service 3.0

RP117: 3/6/2010 2:08:40 PM - System Checkpoint

RP118: 3/7/2010 4:51:40 PM - System Checkpoint

RP119: 3/8/2010 10:27:23 AM - Software Distribution Service 3.0

RP120: 3/9/2010 4:09:47 PM - System Checkpoint

RP121: 3/10/2010 8:18:29 AM - Avg8 Update

RP122: 3/10/2010 1:40:27 PM - Software Distribution Service 3.0

RP123: 3/11/2010 1:37:03 PM - Software Distribution Service 3.0

RP124: 3/12/2010 3:01:29 PM - System Checkpoint

RP125: 3/13/2010 6:10:26 PM - System Checkpoint

RP126: 3/14/2010 7:14:47 PM - System Checkpoint

RP127: 3/15/2010 2:47:30 PM - Software Distribution Service 3.0

RP128: 3/16/2010 5:04:14 PM - System Checkpoint

RP129: 3/17/2010 5:23:07 PM - System Checkpoint

RP130: 3/18/2010 6:17:10 PM - System Checkpoint

RP131: 3/19/2010 8:50:23 AM - Avg8 Update

RP132: 3/19/2010 8:52:09 AM - Avg8 Update

==== Installed Programs ======================

Ad-Aware

Ad-Aware Email Scanner for Outlook

Adobe Flash Player 10 Plugin

Adobe Flash Player ActiveX

Adobe Reader 7.0.9

Adobe Shockwave Player

Agilysys Web File Viewer

AOL Uninstaller (Choose which Products to Remove)

ATI Display Driver

AusLogics Disk Defrag

AutoUpdate

AVG Free 8.5

CCleaner

Critical Update for Windows Media Player 11 (KB959772)

DelFin Media Viewer

Dell Driver Reset Tool

Dell Solution Center

Dell Support 5.0.0 (630)

DellTouch

DivX Codec

DivX Player

DivX Web Player

Easy CD Creator 5 Basic

EPSON Printer Software

ESSBrwr

ESSCDBK

ESScore

ESSCT

ESSEMAIL

ESSgui

ESShelp

ESSini

ESSPCD

ESSSONIC

ESSTOOLS

essvatgt

essvcpt

ESSvpaht

ESSvpot

Exterminate3

Generic - HCF PCI Modem

Glary Utilities 2.14.0.711

Help and Support Customization

HLPIndex

HLPSFO

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Intel® Processor ID Utility

J2SE Runtime Environment 5.0 Update 5

J2SE Runtime Environment 5.0 Update 6

Java 2 Runtime Environment, SE v1.4.2_08

Kodak EasyShare software

KSU

LeadTool

Logitech MouseWare 9.79.1

Malwarebytes' Anti-Malware

McAfee SiteAdvisor

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Data Access Components KB870669

Microsoft Encarta Encyclopedia Standard 2002

Microsoft Money 2002

Microsoft Money 2002 System Pack

Microsoft Picture It! Photo 2002

Microsoft Silverlight

Microsoft Streets and Trips 2002

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Word 2002

Microsoft Works 2002 Setup Launcher

Microsoft Works 6.0

Microsoft Works Suite Add-in for Microsoft Word

Modem Helper

Mozilla Firefox (3.0.14)

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MusicMatch Jukebox

MyDeluxeInvoices & Estimates

NETGEAR RangeMax Wireless USB 2.0 Adapter WPN111

Notifier

OfotoXMI

OTtBP

OTtBPSDK

PC Matic 1.0.0.0

PCDADDIN

PCDHELP

PCDrdsho

PhoneTools

PowerDVD

RealPlayer

Security Update for CAPICOM (KB931906)

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB911565)

Security Update for Windows Media Player 9 (KB917734)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950759)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953838)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969897)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972260)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974455)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB976325)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978706)

SFR

SFR2

SHASTA

Shockwave

Shockwave Player

SKIN0001

SKINXSDK

SoundMAX

Spybot - Search & Destroy

SUPERAntiSpyware Free Edition

System Requirements Lab

TBS WMP Plug-in

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Update for Windows XP (KB976749)

Update for Windows XP (KB978207)

Viewpoint Manager (Remove Only)

Viewpoint Media Player

Visual C++ 2008 x86 Runtime - (v9.0.30729)

Visual C++ 2008 x86 Runtime - v9.0.30729.01

VPRINTOL

WebCyberCoach 3.2 Dell

WebFldrs XP

WebIQ Client Software

Webshots!

Windows Defender

Windows Defender Signatures

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage v1.3.0254.0

Windows Genuine Advantage Validation Tool (KB892130)

Windows Media Format 11 runtime

Windows Media Player 11

Windows XP Service Pack 3

WIRELESS

Works Suite OS Pack

Works Synchronization

==== Event Viewer Messages From Past Week ========

3/19/2010 8:53:23 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avg8wd service.

3/17/2010 9:51:34 AM, error: System Error [1003] - Error code 100000d1, parameter1 00035de8, parameter2 00000002, parameter3 00000000, parameter4 edcc6d0f.

3/17/2010 9:49:41 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.

3/17/2010 9:49:41 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.

3/17/2010 5:07:36 PM, error: Service Control Manager [7034] - The McAfee SiteAdvisor Service service terminated unexpectedly. It has done this 1 time(s).

3/17/2010 2:00:43 AM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).

3/17/2010 10:22:34 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.0.2 with the system having network hardware address 00:24:8D:13:2B:D5. Network operations on this system may be disrupted as a result.

3/15/2010 11:16:21 AM, error: Service Control Manager [7034] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 1 time(s).

3/15/2010 11:16:15 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AOL Connectivity Service service to connect.

3/15/2010 11:16:15 AM, error: Service Control Manager [7000] - The AOL Connectivity Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

3/14/2010 8:31:43 PM, error: WPN111 [43] -

3/14/2010 12:23:18 PM, error: System Error [1003] - Error code 100000d1, parameter1 00035de8, parameter2 00000002, parameter3 00000000, parameter4 edb86d0f.

3/12/2010 9:04:48 PM, error: Dhcp [1002] - The IP address lease 192.168.0.2 for the Network Card with network address 00184D340B6A has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================

Attach-

DDS (Ver_10-03-17.01) - NTFSx86

Run by pats at 14:10:56.46 on Fri 03/19/2010

Internet Explorer: 6.0.2900.5512

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.71 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

svchost.exe

C:\WINDOWS\Nhksrv.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\NETGEAR\WPN111\WPN111.exe

C:\Program Files\Webshots\WebshotsTray.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\AVG\AVG8\avgtray.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Documents and Settings\pats\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://connecticut.cox.net/cci/home

uDefault_Page_URL = hxxp://education.dellnet.com/

uInternet Connection Wizard,ShellNext = hxxp://education.dellnet.com/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

mWinlogon: Userinit=c:\windows\system32\userinit.exe

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRunServices: [AolAcsDaemon1] c:\progra~1\common~1\aol\acs\acsd.exe

StartupFolder: c:\docume~1\pats\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\WebshotsTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn111\WPN111.exe

mPolicies-system: EnableLUA = 0 (0x0)

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll

Trusted Zone: aol.com\www

Trusted Zone: bestbuy.com\www

Trusted Zone: ebates.com\www

Trusted Zone: eprize.net\degree

Trusted Zone: monster.com

Trusted Zone: nascar.com\poll

Trusted Zone: nascar.com\www

Trusted Zone: oldnavy.com

Trusted Zone: olx.com\www

Trusted Zone: paypal.com

Trusted Zone: radiomat.com\www

Trusted Zone: staples.com\www

Trusted Zone: wfsb.com

Trusted Zone: www.ebay

Trusted Zone: www.shoplocal

Trusted Zone: yahoo.com\www

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/PCPitStop.CAB

DPF: {11818680-FCF6-11D0-9808-0800092A4865} - hxxp://www.jud2.state.ct.us/webforms/Codebase/FormCtl.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - hxxp://www.pctuneup.com/internet/pcpConnCheck.cab

DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxps://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab

DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} - hxxp://www.jud2.state.ct.us/webforms/codebase/plsspeller.cab

DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} - hxxp://pictures.aolcdn.com/ap/Resources/1.2.0.38/cab/aolpPlugins.10.1.0.0.cab

DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} - hxxp://www.pestscan.com/scanner/axscanner.cab

DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab

DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - hxxp://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxps://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab

DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} - hxxp://webiq001.webiqonline.com/WebIQ/bin/WebIQ.cab

DPF: {56393399-041A-4650-94C7-13DFCB1F4665} - hxxp://www.pcpitstop.com/pestscan/pestscan.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166856996890

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {8FD07749-EFFA-48C6-947C-45A8D7BF422F} - hxxp://www.cyberlink.com/multi/patch/prog/UpdateAdvisor.cab

DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/Nirvana/controls/DiskMD3Ctrl.dll

DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - hxxp://www.pcpitstop.com/mhLbl.cab

DPF: {A553720A-BFED-4EA4-A71F-7EFCA690A1F7} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcpitstopAntiVirus.dll

DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab

DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxps://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab

DPF: {CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/asa/SymAData.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - hxxp://www.symantec.com/techsupp/activedata/ActiveData.cab

DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab

DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} - hxxp://www.jud2.state.ct.us/webforms/codebase/fontinstaller.cab

DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} - hxxp://members.driverguide.com/director/dispatch_getfile.php?mode=toolkit_lite

DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcpitstop2.dll

TCP: NameServer = 208.67.220.220,208.67.222.222

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pats\applic~1\mozilla\firefox\profiles\ez8wrl8h.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-2 64288]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-26 335240]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-26 27784]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-26 108552]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-11-23 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 66632]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2001-12-7 908056]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2001-12-7 297752]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1263728]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-28 93320]

R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2001-8-6 28672]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-23 24652]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2008-8-25 17149]

R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2000-10-3 6942]

R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 12872]

R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2008-9-16 362944]

S2 ExtractorServiceNPF04;DeepSight Extractor Service for NPF04;c:\program files\symantec\deepsight extractor\extractorservicenpf04.exe --> c:\program files\symantec\deepsight extractor\ExtractorServiceNPF04.exe [?]

S3 AR5513;%ATHER.Service.DispName%;c:\windows\system32\drivers\ar5513.sys --> c:\windows\system32\drivers\ar5513.sys [?]

S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2005-4-4 16194]

S3 NETGEAR_WG311T_SERVICE;NETGEAR WG311T Wireless Adapter Service;c:\windows\system32\drivers\wg311tn5.sys --> c:\windows\system32\drivers\wg311tn5.sys [?]

S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\drivers\ss.sys --> c:\windows\system32\drivers\ss.sys [?]

S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2009-11-27 85504]

=============== Created Last 30 ================

2010-03-19 18:06:51 0 ----a-w- c:\documents and settings\pats\defogger_reenable

2010-03-18 04:07:08 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-03-10 18:39:39 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-03-02 18:16:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-03-02 18:11:28 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-02-28 05:15:59 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

==================== Find3M ====================

2010-03-18 16:10:14 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-03-18 16:10:14 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys

2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe

2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys

2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll

2009-12-22 05:21:05 667136 ------w- c:\windows\system32\dllcache\wininet.dll

2009-12-22 05:21:03 627712 ------w- c:\windows\system32\dllcache\urlmon.dll

2009-12-22 05:21:02 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll

2009-12-22 05:21:00 3071488 ------w- c:\windows\system32\dllcache\mshtml.dll

2009-12-22 05:20:58 81920 ------w- c:\windows\system32\ieencode.dll

2009-12-22 05:20:58 81920 ------w- c:\windows\system32\dllcache\ieencode.dll

2004-08-04 05:56:58 73728 -csha-w- c:\windows\registeredpackages\{dd90d410-1823-43eb-9a16-a2331bf08799}$backup$\system\wmplayer.exe

2009-11-10 19:51:36 56320 --sha-r- c:\windows\system32\QNAD.dll

============= FINISH: 14:13:33.01 ===============

GMER-

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-03-19 15:42:00

Windows 5.1.2600 Service Pack 3

Running: o4y5xrvy.exe; Driver: C:\DOCUME~1\pats\LOCALS~1\Temp\pxtdapog.sys

---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF884687E]

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF8846BFE]

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEBC9C320]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8371FCA1

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Thank you in advance - this forum is a great help!

Hello salp

Welcome to Malwarebytes.

=====================

Looking at your system now, one or more of the identified infections is a backdoor Trojan.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

=================

Download TDSSKiller and save it to your Desktop.

  • Right click on the file and choose Extract All, extract the file to your desktop, then run it.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log

====================

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Hi kahdah, thank you so much for helping me -- here are the ComboFix & TDSSKiller logs --

ComboFix 10-03-20.06 - pats 03/21/2010 15:29:05.1.1 - x86

Running from: c:\documents and settings\pats\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\recycler\NPROTECT

c:\recycler\S-1-5-21-477365121-4083767938-562202453-1007

c:\windows\system32\drivers\tsk5A.tmp . . . is infected!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_TDSSSERV

((((((((((((((((((((((((( Files Created from 2010-02-21 to 2010-03-21 )))))))))))))))))))))))))))))))

.

2010-03-21 18:54 . 2010-03-21 18:54 36488 ----a-w- c:\windows\system32\drivers\klmd.sys

2010-03-18 04:07 . 2010-03-02 18:16 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-03-17 18:15 . 2010-03-17 18:15 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2010-03-17 14:08 . 2010-03-17 14:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities

2010-03-10 18:39 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-03-02 18:15 . 2010-03-19 17:17 1597440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe

2010-03-02 18:15 . 2010-03-19 17:17 818256 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe

2010-03-02 18:15 . 2010-03-19 17:17 1263728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe

2010-03-02 18:11 . 2010-03-02 18:37 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-03-02 18:11 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe

2010-02-28 05:15 . 2010-02-28 05:15 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-21 19:23 . 2001-08-17 19:51 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-03-21 04:07 . 2009-12-02 17:50 117760 ----a-w- c:\documents and settings\pats\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-03-19 20:28 . 2006-02-06 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-19 20:25 . 2005-12-21 19:25 -------- d-----w- c:\program files\CCleaner

2010-03-19 17:18 . 2010-03-02 18:16 885736 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe

2010-03-19 17:18 . 2010-03-02 18:16 210552 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll

2010-03-19 17:18 . 2010-03-02 18:16 393896 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll

2010-03-19 17:18 . 2010-03-02 18:16 565392 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll

2010-03-19 17:18 . 2010-03-02 18:16 221920 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll

2010-03-19 17:18 . 2010-03-02 18:16 430496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll

2010-03-19 17:17 . 2010-03-02 18:16 167312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll

2010-03-19 17:17 . 2010-03-02 18:16 329560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll

2010-03-19 17:17 . 2010-03-02 18:16 94712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll

2010-03-19 17:17 . 2010-03-02 18:16 966104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll

2010-03-19 17:17 . 2010-03-02 18:16 848160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe

2010-03-19 17:17 . 2010-03-02 18:16 855352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe

2010-03-02 18:16 . 2010-03-02 18:16 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll

2010-03-02 18:16 . 2010-03-02 18:16 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe

2010-03-02 18:16 . 2010-03-02 18:16 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll

2010-03-02 18:16 . 2010-03-02 18:16 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll

2010-03-02 18:16 . 2010-03-02 18:16 6330848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll

2010-03-02 18:16 . 2010-03-02 18:16 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll

2010-03-02 18:10 . 2009-07-29 04:48 -------- d-----w- c:\program files\Lavasoft

2010-03-02 18:10 . 2007-12-29 00:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-02-26 19:00 . 2008-09-23 22:19 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-02-24 14:16 . 2009-10-06 23:55 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-13 13:46 . 2009-07-28 08:06 -------- d-----w- c:\program files\McAfee

2010-02-04 15:53 . 2010-03-02 18:16 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-01-29 01:01 . 2002-02-28 20:51 68416 -c--a-w- c:\documents and settings\pats\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-01-29 00:36 . 2008-04-03 01:28 -------- d-----w- c:\program files\Microsoft Silverlight

2010-01-13 18:45 . 2009-12-20 09:05 52224 ----a-w- c:\documents and settings\pats\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-01-12 20:40 . 2009-12-31 20:05 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-01-07 21:07 . 2009-09-14 03:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 21:07 . 2009-09-14 03:55 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-31 16:50 . 2001-08-18 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-22 05:21 . 2004-08-24 01:32 667136 ----a-w- c:\windows\system32\wininet.dll

2009-12-22 05:20 . 2004-12-07 23:57 81920 ------w- c:\windows\system32\ieencode.dll

2004-08-04 05:56 . 2006-12-23 07:21 73728 -csha-w- c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe

2009-11-10 19:51 . 2009-11-10 19:51 56320 --sha-r- c:\windows\SYSTEM32\QNAD.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]

c:\documents and settings\pats\Start Menu\Programs\Startup\

Webshots.lnk - c:\program files\Webshots\WebshotsTray.exe [2002-4-17 196608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\WPN111.exe [2008-8-25 884838]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2002-01-09 01:42 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2007-07-15 21:37 77824 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2009-10-27 12:37 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\acsd.exe"=

"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\SYSTEM32\\USMT\\migwiz.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=

"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=

"c:\\Program Files\\Spybot - Search & Destroy\\SDUpdate.exe"=

"c:\\Program Files\\NETGEAR\\WPN111\\WPN111.exe"=

"c:\\Program Files\\Microsoft Picture It! 2002\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1177770550\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [3/2/2010 2:16 PM 64288]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [9/26/2008 1:57 PM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [9/26/2008 1:57 PM 108552]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/23/2009 9:43 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 9:43 AM 66632]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/7/2001 1:23 AM 908056]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/7/2001 1:23 AM 297752]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1263728]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/28/2009 4:08 AM 93320]

R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [8/6/2001 3:41 PM 28672]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/23/2007 11:20 PM 24652]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\SYSTEM32\DNINDIS5.sys [8/25/2008 9:36 PM 17149]

R3 Msikbd2k;DellTouch;c:\windows\SYSTEM32\DRIVERS\Msikbd2k.sys [10/3/2000 5:18 PM 6942]

R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\SYSTEM32\DRIVERS\WPN111.sys [9/16/2008 2:39 PM 362944]

S2 ExtractorServiceNPF04;DeepSight Extractor Service for NPF04;c:\program files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe --> c:\program files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe [?]

S3 AR5513;%ATHER.Service.DispName%;c:\windows\system32\DRIVERS\ar5513.sys --> c:\windows\system32\DRIVERS\ar5513.sys [?]

S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\SYSTEM32\AWINDIS5.SYS [4/4/2005 5:55 PM 16194]

S3 NETGEAR_WG311T_SERVICE;NETGEAR WG311T Wireless Adapter Service;c:\windows\system32\DRIVERS\wg311tn5.sys --> c:\windows\system32\DRIVERS\wg311tn5.sys [?]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 9:43 AM 12872]

S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?]

S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [11/27/2009 2:20 PM 85504]

.

Contents of the 'Scheduled Tasks' folder

2010-03-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 17:17]

2010-03-21 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2008-04-05 20:55]

2010-03-21 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://connecticut.cox.net/cci/home

uInternet Connection Wizard,ShellNext = hxxp://education.dellnet.com/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

Trusted Zone: aol.com\www

Trusted Zone: bestbuy.com\www

Trusted Zone: ebates.com\www

Trusted Zone: eprize.net\degree

Trusted Zone: monster.com

Trusted Zone: nascar.com\poll

Trusted Zone: nascar.com\www

Trusted Zone: oldnavy.com

Trusted Zone: olx.com\www

Trusted Zone: paypal.com

Trusted Zone: radiomat.com\www

Trusted Zone: staples.com\www

Trusted Zone: wfsb.com

Trusted Zone: www.ebay

Trusted Zone: www.shoplocal

Trusted Zone: yahoo.com\www

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab

DPF: {8FD07749-EFFA-48C6-947C-45A8D7BF422F} - hxxp://www.cyberlink.com/multi/patch/prog/UpdateAdvisor.cab

DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/Nirvana/controls/DiskMD3Ctrl.dll

DPF: {A553720A-BFED-4EA4-A71F-7EFCA690A1F7} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcpitstopAntiVirus.dll

DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} - hxxp://members.driverguide.com/director/dispatch_getfile.php?mode=toolkit_lite

FF - ProfilePath - c:\documents and settings\pats\Application Data\Mozilla\Firefox\Profiles\ez8wrl8h.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-21 15:49

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\atapi]

"ImagePath"="system32\drivers\tsk5A.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2225589205-1163395192-3403473811-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"Installed"="1"

"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\msacm32.drv

- - - - - - - > 'explorer.exe'(3756)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\rundll32.exe

c:\program files\Common Files\AOL\ACS\AOLacsd.exe

c:\windows\System32\locator.exe

c:\windows\wanmpsvc.exe

c:\windows\System32\wbem\unsecapp.exe

c:\progra~1\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\windows\Webshots.scr

c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

.

**************************************************************************

.

Completion time: 2010-03-21 16:05:00 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-21 20:04

Pre-Run: 27,741,253,632 bytes free

Post-Run: 27,958,919,168 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - A8819A617532CEE6BB4908EAEAE1ACBF

TDSS rootkit removing tool, Kaspersky Lab, 2010

version 2.2.8 Mar 10 2010 155320

Scanning Services ...

Scanning Kernel memory ...

Driver atapi infected by TDSS rootkit!

File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... will be cured on next reboot

Completed

Results

                      infected   cured   cured on reboot
Memory objects               1       0                 0
Registry objects             0       0                 0
File objects                 1       0                 1

To finalize removal of infection and avoid loosing of data program will reboot your PC now.

Close all programs and choose Y to restart or N to continue

=================================================================

what would be my next step to get rid of the @%(#!/?^ infection?

and again thanx!

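The ComboFix and TDSSKiller output above shows the three things that gave this infection away: the atapi service's ImagePath redirected to a .tmp file under system32\drivers, an Internet Explorer proxy pointing at 127.0.0.1:5555 (traffic being routed through a local malware process, which is how the search results were being hijacked), and a hidden+system DLL (QNAD.dll) sitting in SYSTEM32. As an added example, not code from this thread or from ComboFix, TDSSKiller or any other tool named here, the scanner below reads a ComboFix-style log and flags those three patterns. The log excerpt is constructed from lines posted earlier in this thread, and the interpretation of the 8-character attribute column (index 2 = system, index 3 = hidden) is an assumption about ComboFix's layout.

```python
"""Flag the rootkit indicators visible in a ComboFix-style text log.

Added illustration; not part of the forum thread or of any removal tool.
Rules implemented:
  tmp-driver-imagepath  a service ImagePath pointing at a .tmp file
  loopback-proxy        an IE ProxyServer pointing at the local machine
  hidden-system-file    a file under system32 with hidden+system attributes
"""
import re
from dataclasses import dataclass

# Constructed excerpt, assembled from lines of the ComboFix log posted above.
SAMPLE_LOG = r"""
2010-03-21 19:23 . 2001-08-17 19:51 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-10 19:51 . 2009-11-10 19:51 56320 --sha-r- c:\windows\SYSTEM32\QNAD.dll
2010-03-02 18:10 . 2009-07-29 04:48 -------- d-----w- c:\program files\Lavasoft
2010-01-07 21:07 . 2009-09-14 03:55 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
uStart Page = hxxp://connecticut.cox.net/cci/home
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\atapi]
"ImagePath"="system32\drivers\tsk5A.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Lbd]
"ImagePath"="system32\DRIVERS\Lbd.sys"
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    detail: str


# A ComboFix file-listing line: created stamp, ".", modified stamp, size
# (dashes for a directory), an 8-character attribute column, then the path.
FILE_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d "
    r"(?P<size>\d+|-+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
SERVICE_KEY = re.compile(r"^\[.*\\Services\\(?P<svc>[^\\\]]+)\]$", re.IGNORECASE)
IMAGE_PATH = re.compile(r'^"ImagePath"="(?P<path>.+)"$', re.IGNORECASE)
PROXY = re.compile(r"ProxyServer\s*=\s*(?P<value>.+)$", re.IGNORECASE)
LOOPBACK = ("127.0.0.1", "localhost", "[::1]")


def scan_log(text: str) -> list[Finding]:
    """Return one Finding per suspicious line, in log order."""
    findings: list[Finding] = []
    current_service = None  # name of the service whose registry key we are inside
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        m = SERVICE_KEY.match(line)
        if m:
            current_service = m.group("svc")
            continue
        if line.startswith("["):
            current_service = None  # some other registry key
            continue
        m = IMAGE_PATH.match(line)
        if m and current_service:
            if m.group("path").lower().endswith(".tmp"):
                findings.append(Finding("tmp-driver-imagepath", line_no,
                                        f"service {current_service} loads {m.group('path')}"))
            continue
        m = PROXY.search(line)
        if m:
            value = m.group("value").strip().lower()
            if any(host in value for host in LOOPBACK):
                findings.append(Finding("loopback-proxy", line_no, value))
            continue
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            # Assumed column layout: index 0 = directory, 2 = system, 3 = hidden.
            if attrs[2] == "s" and attrs[3] == "h" and "\\system32\\" in path.lower():
                findings.append(Finding("hidden-system-file", line_no, path))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no:3d}  {f.rule:22s} {f.detail}")
```

The rules are deliberately narrow: a .tmp ImagePath on a boot-start driver, a loopback proxy and a hidden+system file in system32 are each individually worth a closer look, and seeing all three in one log is the signature of exactly the kind of infection handled in this thread. Run it against a real ComboFix.txt by reading the file into `scan_log` instead of the constructed excerpt.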

It is gone already.

Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

Hi, please post the last logs.

Thanks.

=========================================================================

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/4/2010 6:18:43 PM

mbam-log-2010-04-04 (18-18-43).txt

Scan type: Full scan (C:\|)

Objects scanned: 161448

Time elapsed: 1 hour(s), 9 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I also ran Spybot Search & Destroy -- only picked up a couple of FireFox cookies -- And ran Super AntiSpyware, nothing


=========================================================================

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=b8bac8f94096234c8dd71244be6210a7

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-04-05 04:13:21

# local_time=2010-04-05 12:13:21 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1024 16777175 100 0 0 0 0 0

# compatibility_mode=6143 16777215 0 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=55322

# found=1

# cleaned=1

# scan_time=8699

C:\Program Files\MusicMatch\MusicMatch Jukebox\HWUpdateMove.exe Win32/Adware.HiWire application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

esets_scanner_update returned -1 esets_gle=53251


Great how are things running?

All seems to be running o/k for a couple of days!

Is it possible that it's running clean enough to do some online payments?

Thank you so much for your help!! :)


Yes do the following and you are done. :)

=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.

======Next======

  • Double click on OTL to run it.
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
  • This will remove itself and other tools we may have used.

===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 19...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u19-windows-i586.exe to install the newest version.

======================Clear out infected System Restore points======================

Then we need to reset your System Restore points.

The link below shows how to do this.

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual

Delete\uninstall anything else that we have used that is leftover.

=====================================

After that you're all set.

The following are some articles and a Windows Update link that I like to suggest to people for preventing malware and for general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow - A tutorial on what you can do if your computer is slow.

File sharing program dangers - Reasons to stay away from file sharing programs, for example BitTorrent, Limewire, Kazaa, eMule, uTorrent, etc.


Hi, I ran the Combofix /uninstall -- it seemed to work o/k

But your 2nd step of "Double click on OTL to run it" has me a bit confused; I don't recall this procedure?

I then looked at the 3rd step of updating Java -- the link you gave does NOT have the choice mentioned, but has a choice of

JDK 6 Update 19 with JavaFX SDK

or

JDK 6 Update 19 with NetBeans 6.8

If I change pages, I found a Java SE Runtime Environment 6u20

should I use that one?

Thanx, salp


Don't worry about the OTL part; I use that in case you had used OTL. If you don't have it, then skip it.

Java has just been updated; that is why you cannot find the one I mentioned.

I found a Java SE Runtime Environment 6u20
That is the newest version that is the one you want.

Thank you so much Kahdah!!

everything seems to be back to normal for now :(

One last question, during this infection process I bought a used desktop, the previous owner said it was once riddled with 'adware' how can I check it if MalwareBytes picks up nothing?

Hi kahdah -- here is the DDS txt on my new used computer

DDS (Ver_10-03-17.01) - NTFSx86

Run by JC Surveillance Inc at 23:35:07.53 on Wed 04/28/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2038.1060 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\NETGEAR\WPN111\wpn111.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\JC Surveillance Inc\My Documents\Downloads\dds.com

C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup

mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [sigmatelSysTrayApp] stsystra.exe

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn111\wpn111.exe

dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/da2/PCPitStop2.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxdev.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jcsurv~1\applic~1\mozilla\firefox\profiles\0evo8ztb.default\

FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: XUL Cache: {3507B79D-BAEB-4E98-B24C-B9BD25991D82} - c:\documents and settings\jc surveillance inc\local settings\application data\{3507B79D-BAEB-4E98-B24C-B9BD25991D82}

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.cache.memory.capacity - 65536

FF - user.js: browser.chrome.favicons - false

FF - user.js: browser.display.show_image_placeholders - true

FF - user.js: browser.turbo.enabled - true

FF - user.js: browser.urlbar.autocomplete.enabled - true

FF - user.js: browser.urlbar.autofill - true

FF - user.js: content.interrupt.parsing - true

FF - user.js: content.max.tokenizing.time - 2250000

FF - user.js: content.notify.backoffcount - 5

FF - user.js: content.notify.interval - 750000

FF - user.js: content.notify.ontimer - true

FF - user.js: content.switch.threshold - 750000

FF - user.js: network.http.max-connections - 48

FF - user.js: network.http.max-connections-per-server - 16

FF - user.js: network.http.max-persistent-connections-per-proxy - 16

FF - user.js: network.http.max-persistent-connections-per-server - 8

FF - user.js: network.http.pipelining - true

FF - user.js: network.http.pipelining.firstrequest - true

FF - user.js: network.http.pipelining.maxrequests - 8

FF - user.js: network.http.proxy.pipelining - true

FF - user.js: network.http.request.max-start-delay - 0

FF - user.js: nglayout.initialpaint.delay - 0

FF - user.js: plugin.expose_full_path - true

FF - user.js: ui.submenuDelay - 0

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-2 64288]

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-9-29 51984]

R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-9-29 59664]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-29 216200]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-29 29512]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-29 242896]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 149040]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-11-23 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 66632]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-19 308064]

R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2008-8-14 17149]

R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2009-7-26 362944]

S2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-2-8 311568]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1284840]

S2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 12872]

S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-9-29 33552]

S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2010-4-17 85504]

=============== Created Last 30 ================

2010-04-26 00:02:53 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-16 18:42:09 1374 ----a-w- c:\windows\imsins.BAK

2010-04-07 08:16:11 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-04-04 10:06:58 0 d-----w- c:\program files\Roxio

==================== Find3M ====================

2010-04-21 13:32:14 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-19 19:03:16 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-19 19:02:01 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll

2010-02-25 15:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll

2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-24 12:31:30 454016 ----a-w- c:\windows\system32\dllcache\mrxsmb.sys

2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-02-17 15:57:54 2063744 ----a-w- c:\windows\system32\dllcache\ntkrnlpa.exe

2010-02-16 17:37:57 2186880 ----a-w- c:\windows\system32\dllcache\ntoskrnl.exe

2010-02-16 17:35:40 2143744 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 17:35:40 2143744 ----a-w- c:\windows\system32\dllcache\ntkrnlmp.exe

2010-02-16 16:57:54 2021888 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-16 16:57:54 2021888 ----a-w- c:\windows\system32\dllcache\ntkrpamp.exe

2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\dllcache\6to4svc.dll

2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:01:43 226880 ----a-w- c:\windows\system32\dllcache\tcpip6.sys

2009-09-04 12:59:25 19395 ----a-w- c:\program files\common files\inucaf.sys

2009-09-04 12:59:25 17544 ----a-w- c:\program files\common files\hiden.dat

2009-09-04 12:59:25 14896 ----a-w- c:\program files\common files\elexuk.exe

2009-09-04 12:59:25 13452 ----a-w- c:\program files\common files\erug.ban

2009-09-04 12:59:25 12945 ----a-w- c:\program files\common files\cypizamaq._sy

2009-08-14 03:43:54 8 --sha-r- c:\windows\system32\18006624F4.sys

2007-06-09 02:45:58 88 -csha-r- c:\windows\system32\F1D74CB742.sys

2009-07-10 21:27:10 8 --sha-r- c:\windows\system32\FCF4F4C102.sys

2009-10-03 16:37:17 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 23:35:52.50 ===============


Here is an ESET scan log:

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=13f2720ce8125541ad365ddd9cfda38d

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-01-13 09:50:06

# local_time=2010-01-13 04:50:06 (-0500, Eastern Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 1641563 1641563 0 0

# compatibility_mode=1024 16777175 100 0 2952833 2952833 0 0

# compatibility_mode=5892 16776574 100 100 9934050 103240758 0 0

# compatibility_mode=7937 16777214 0 50 5532614 5533303 0 0

# compatibility_mode=8192 67108863 100 0 15221191 15221191 0 0

# scanned=61220

# found=4

# cleaned=4

# scan_time=2996

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\critical_warning.html.vir Win32/TrojanDownloader.FakeAlert.ADG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt Win32/TrojanDownloader.FakeAlert.ADM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VTR4DODQ\oiCharEl[1].pdf PDF/Exploit.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=13f2720ce8125541ad365ddd9cfda38d

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-04-05 09:49:38

# local_time=2010-04-05 05:49:38 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 8723004 8723004 0 0

# compatibility_mode=1024 16777175 100 0 10034274 10034274 0 0

# compatibility_mode=6143 16777215 0 0 0 0 0 0

# compatibility_mode=7937 16777214 0 50 12614055 12614744 0 0

# compatibility_mode=8192 67108863 100 0 22302632 22302632 0 0

# scanned=65703

# found=0

# cleaned=0

# scan_time=6328

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=13f2720ce8125541ad365ddd9cfda38d

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-04-29 12:54:03

# local_time=2010-04-28 08:54:03 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 10721826 10721826 0 0

# compatibility_mode=1024 16777175 100 0 12033096 12033096 0 0

# compatibility_mode=6143 16777215 0 0 0 0 0 0

# compatibility_mode=7937 16777214 0 50 14612877 14613566 0 0

# compatibility_mode=8192 67108863 100 0 24301454 24301454 0 0

# scanned=65578

# found=0

# cleaned=0

# scan_time=5771


I hope things look good on this machine! :)


You have many protection programs present: 2 antivirus programs and multiple others.

Please uninstall the following:

  • Ad-Aware
  • AVG 9
  • IObit Security 360
  • ThreatFire (if present)
  • Windows Defender

================

Please go to Start > Run and type in Notepad.

Copy what is in the code box below into the open Notepad window.

Change the "Save As Type" to "All Files". Save it as fixthis.bat on your Desktop.

@Echo off
rem Staging folder the script moves the listed files into.
md %systemdrive%\quarantine
rem Stop and unregister the ThreatFire service so its files can be removed.
sc stop "ThreatFire"
sc delete "ThreatFire"
rem Move the five loose files that DDS listed in Common Files
rem (all written 2009-09-04 12:59:25) out of their original location.
move /y "c:\program files\common files\inucaf.sys" %systemdrive%\quarantine
move /y "c:\program files\common files\hiden.dat" %systemdrive%\quarantine
move /y "c:\program files\common files\elexuk.exe" %systemdrive%\quarantine
move /y "c:\program files\common files\erug.ban" %systemdrive%\quarantine
move /y "c:\program files\common files\cypizamaq._sy" %systemdrive%\quarantine
rem Remove the leftover ThreatFire program folder, if it is still there.
if exist "c:\program files\threatfire" rd /q /s "c:\program files\threatfire"
rem Delete the staging folder together with the files just moved into it;
rem nothing is kept, so this step is a deletion, not a quarantine.
if exist %systemdrive%\quarantine rd /q /s %systemdrive%\quarantine
rem The batch file deletes itself and closes the window.
del %0
exit

Then please double-click on fixthis.bat; a window will open and close quickly. This is normal.

==================

Please update/run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

=====

Download the following GMER Rootkit Scanner from Here

  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan:
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
      • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.

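The batch file in the reply above targets five loose files in c:\program files\common files, and the DDS Find3M listing earlier in the thread shows that all five were written at the same second (2009-09-04 12:59:25), which is how a helper spots a dropper's output among hundreds of legitimate entries. The following Python script is an added example, not part of this thread, of DDS, or of the helper's fix: it parses Find3M lines and surfaces exactly that pattern (several loose files landing in the same directory within one second) plus unusual file extensions. The sample lines are copied from the DDS log above; the watched-directory set, the known-extension set and the cluster threshold are assumed heuristics, not DDS features, and should be tuned before use on another log.

```python
"""Triage the Find3M section of a DDS log.

Added example for this thread; not part of DDS or of the helper's fix.
WATCH_DIRS, KNOWN_EXTENSIONS and min_files are assumed heuristics.
"""
import re
from collections import defaultdict

# A DDS Find3M line: "YYYY-MM-DD HH:MM:SS <size> <8 attribute flags> <path>"
FIND3M_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([-a-z]{8})\s+(\S.*)$"
)

# Directories where installers normally create subfolders rather than loose
# files. system32 is deliberately excluded: Windows servicing legitimately
# writes many files there within the same second. (Assumed heuristic.)
WATCH_DIRS = {r"c:\program files\common files", r"c:\program files"}

# Extensions routinely seen in a Find3M listing; anything else gets a flag.
# (Assumed list.)
KNOWN_EXTENSIONS = {".exe", ".dll", ".sys", ".dat", ".ini", ".log", ".txt",
                    ".cab", ".ocx", ".cpl", ".bak", ".msi", ".htt", ".xml"}

# Lines copied from the DDS log in this thread (constructed sample input).
SAMPLE_LOG = r"""
2010-04-21 13:32:14 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-09-04 12:59:25 19395 ----a-w- c:\program files\common files\inucaf.sys
2009-09-04 12:59:25 17544 ----a-w- c:\program files\common files\hiden.dat
2009-09-04 12:59:25 14896 ----a-w- c:\program files\common files\elexuk.exe
2009-09-04 12:59:25 13452 ----a-w- c:\program files\common files\erug.ban
2009-09-04 12:59:25 12945 ----a-w- c:\program files\common files\cypizamaq._sy
2009-08-14 03:43:54 8 --sha-r- c:\windows\system32\18006624F4.sys
2009-10-03 16:37:17 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
"""


def parse_find3m(text):
    """Return one dict per well-formed Find3M line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m:
            continue
        ts, size, attrs, path = m.groups()
        path = path.lower()
        entries.append({
            "ts": ts,
            "size": int(size),
            "attrs": attrs,
            "path": path,
            "dir": path.rsplit("\\", 1)[0],
        })
    return entries


def odd_extension(path):
    """True when the file's extension is not in KNOWN_EXTENSIONS."""
    name = path.lower().rsplit("\\", 1)[-1]
    ext = name[name.rfind("."):] if "." in name else ""
    return ext not in KNOWN_EXTENSIONS


def find_drop_clusters(entries, min_files=3):
    """Group loose files in WATCH_DIRS by (directory, timestamp).

    Several files sharing one write second in a directory that should only
    hold subfolders is the dropper pattern visible in this thread's log.
    Returns {(dir, ts): [paths]} for groups of at least min_files.
    """
    groups = defaultdict(list)
    for e in entries:
        if e["dir"] in WATCH_DIRS:
            groups[(e["dir"], e["ts"])].append(e["path"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_files}


def triage(text, min_files=3):
    """Return {path: [reasons]} for every file that trips at least one indicator."""
    entries = parse_find3m(text)
    findings = defaultdict(list)
    for (d, ts), paths in find_drop_clusters(entries, min_files).items():
        for p in paths:
            findings[p].append(f"one of {len(paths)} loose files written to {d} at {ts}")
    for e in entries:
        if odd_extension(e["path"]):
            findings[e["path"]].append("unusual extension")
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the sample it reports the same five Common Files entries the helper's batch file removes and nothing else: the hidden/system .sys markers in system32 and the AVG driver are left alone because they sit outside the watched directories and carry ordinary extensions. Paste the whole Find3M section of a real DDS log into SAMPLE_LOG (or read it from a file) to triage another machine; treat the output as a shortlist for manual review, not as a verdict.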

  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
