
Can't remove Hijack.WindowsUpdates



Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:

  1. Please do not run any other tool until instructed to do so!
  2. Please reply to this thread, do not start another!
  3. Please tell me about any problems that have occurred during the fix.
  4. Please tell me of any other symptoms you may be having as these can help also.
  5. Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

I would like to get a better look at your system; please do the following so I can get some more detailed logs.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK

Do not re-enable these drivers until otherwise instructed.

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop: Link1, Link2, Link3
  • Please disable any anti-malware program that will block scripts from running before running DDS.
  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Gmer

Download GMER Rootkit Scanner from here.

  • Double click the .exe file. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your reply

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Note: Do not run any programs while Gmer is running.

Information and logs:

  • In your next post I need the following:
    1. logs from DDS
    2. log from GMER
    3. let me know of any problems you may have had

Gringo


Hi Gringo, thanks for the quick response!

I have a problem: when I run DeFogger it runs fine, no error messages, but when I then run GMER it freezes my PC so I have to manually cut the power to reboot it!

Here is DDS, all I can get sorted so far:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Michael at 19:25:50.34 on 30/04/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.447.160 [GMT 1:00]

FW: PC Tools Firewall Plus *enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Acer\Empowering Technology\ePerformance\MemCheck.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

c:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Michael\My Documents\Downloads\Defogger.exe

C:\Documents and Settings\Michael\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uInternet Settings,ProxyServer = http=localhost:7171

uInternet Settings,ProxyOverride = *.local;<local>

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe 1

mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe

dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

StartupFolder: c:\docume~1\michael\startm~1\programs\startup\zooskm~1.lnk - c:\program files\zooskmessenger\ZooskMessenger.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1272569823359

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michael\applic~1\mozilla\firefox\profiles\4sfciw3f.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - prefs.js: network.proxy.http - localhost

FF - prefs.js: network.proxy.http_port - 7171

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\program files\mozilla firefox\plugins\npbyond.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-5-26 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 66632]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 12872]

S1 211c6440;211c6440;c:\windows\system32\drivers\211c6440.sys --> c:\windows\system32\drivers\211c6440.sys [?]

S1 579f9ac2;579f9ac2;c:\windows\system32\drivers\579f9ac2.sys --> c:\windows\system32\drivers\579f9ac2.sys [?]

S1 761d6cee;761d6cee;c:\windows\system32\drivers\761d6cee.sys --> c:\windows\system32\drivers\761d6cee.sys [?]

S1 cc2c5d42;cc2c5d42;c:\windows\system32\drivers\cc2c5d42.sys --> c:\windows\system32\drivers\cc2c5d42.sys [?]

S3 AVEO;AVEO USB2.0 PC Camera;c:\windows\system32\drivers\aveodcnt.sys [2010-1-15 171520]

S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-11-23 13224]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-1-28 89256]

S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-1-28 15016]

S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-1-28 120744]

S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2009-1-28 114216]

S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2009-1-28 25512]

S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2009-1-28 110632]

S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2009-1-28 115752]

S3 SE1008mdm;Sony Ericsson SE1008 Mobile Device Full USB Driver;c:\windows\system32\drivers\SE1008mdm.sys [2009-11-30 58536]

=============== Created Last 30 ================

2010-04-30 18:25:19 0 ----a-w- c:\documents and settings\michael\defogger_reenable

2010-04-30 15:45:56 77312 ----a-w- c:\windows\MBR.exe

2010-04-30 15:45:56 256512 ----a-w- c:\windows\PEV.exe

2010-04-30 15:45:47 0 d-s---w- C:\ComboFix

2010-04-30 03:35:22 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-29 21:29:48 0 d-----w- c:\windows\ServicePackFiles

2010-04-29 21:28:29 19528 ----a-w- c:\windows\000001_.tmp

2010-04-24 03:07:18 0 d-----w- c:\docume~1\michael\applic~1\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1

2010-04-04 11:20:33 73728 ----a-w- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2010-04-29 12:45:00 2048 ----a-w- c:\windows\system32\Tr_sttool.dat

2010-04-29 11:19:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 11:19:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-14 20:13:16 81920 ----a-w- c:\windows\system32\bsrgvas.dll

2010-03-14 20:13:16 692224 ----a-w- c:\windows\system32\bsrmgcv.dll

2010-03-14 20:13:16 192512 ----a-w- c:\windows\system32\bsrmgps.dll

2010-03-14 20:12:53 585728 ----a-w- c:\windows\system32\bsratswf.dll

2010-03-14 20:12:53 147456 ----a-w- c:\windows\system32\bsratwmv.dll

2009-06-03 02:06:32 32768 --sha-w- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat

2009-05-18 09:13:42 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009051120090518\index.dat

2009-05-28 07:29:07 49152 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009051820090525\index.dat

2009-06-01 01:43:03 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009052520090601\index.dat

2009-06-01 01:43:03 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009060120090602\index.dat

2009-06-02 08:38:57 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009060220090603\index.dat

2009-06-03 02:06:32 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009060320090604\index.dat

============= FINISH: 19:26:19.59 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 27/01/2007 05:46:44

System Uptime: 30/04/2010 14:11:35 (5 hours ago)

Motherboard: Acer | | EM61SM/EM61PM

Processor: AMD Sempron Processor 3400+ | Socket M2 | 1808/201mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 34 GiB total, 17.112 GiB free.

D: is FIXED (FAT32) - 35 GiB total, 31.016 GiB free.

E: is CDROM ()

F: is Removable

G: is Removable

H: is Removable

I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 29/04/2010 21:50:17 - System Checkpoint

RP2: 29/04/2010 22:28:36 - Installed Windows XP Service Pack 2.

RP3: 30/04/2010 04:34:54 - Installed Java 6 Update 20

RP4: 30/04/2010 16:08:56 - Installed Windows XP Service Pack 2.

==== Installed Programs ======================

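Two things in the DDS log above are worth pulling out with a script rather than by eye: the Pseudo HJT Report shows both IE (uInternet Settings,ProxyServer) and Firefox (network.proxy.http / http_port) routed through a proxy on localhost:7171, and the SERVICES / DRIVERS section lists four S1 drivers with eight-hex-digit names whose image files DDS could not find ("[?]"). The Python below is an added example, not part of this thread and not DDS's own code; it parses lines in the DDS format and flags those two patterns for review. The sample lines are constructed from the log posted above, and the regexes and function names are my own. A loopback proxy can also be a legitimate local web filter installed by a security product, and a missing image file only shows the service entry is stale, so the result is a list of items to check, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines in the shape of the "Pseudo HJT Report", "FIREFOX"
# and "SERVICES / DRIVERS" sections of a DDS log. Values are copied from the
# log posted in this thread; the R1 and S3 lines are there as benign controls.
SAMPLE_DDS = r"""
uStart Page = about:blank
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-5-26 12872]
S1 211c6440;211c6440;c:\windows\system32\drivers\211c6440.sys --> c:\windows\system32\drivers\211c6440.sys [?]
S1 579f9ac2;579f9ac2;c:\windows\system32\drivers\579f9ac2.sys --> c:\windows\system32\drivers\579f9ac2.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
"""

# DDS service line: <start> <name>;<display>;<image path>[ --> <resolved path>] [<date size> | ?]
SERVICE_LINE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)(?: --> (?P<target>.*?))? \[(?P<tail>[^\]]*)\]$"
)
IE_PROXY = re.compile(r"^[udm]Internet Settings,ProxyServer = (?P<value>.+)$")
FF_PREF = re.compile(r"^FF - prefs\.js: (?P<key>network\.proxy\.\S+) - (?P<value>.+)$")
HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
EARLY_START = {"R0", "R1", "S0", "S1"}  # boot/system-start types in DDS notation


@dataclass
class Service:
    start: str
    name: str
    display: str
    path: str
    image_missing: bool  # DDS prints "[?]" when it cannot find the image file


def parse_services(text):
    """Parse every SERVICES / DRIVERS line of a DDS log into Service records."""
    services = []
    for line in text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if m:
            services.append(Service(m["start"], m["name"], m["display"],
                                    m["path"], m["tail"].strip() == "?"))
    return services


def find_loopback_proxies(text):
    """Return (browser, scheme, host, port) for each proxy pointing at the loopback host."""
    findings = []
    ff_prefs = {}
    for line in text.splitlines():
        line = line.strip()
        m = IE_PROXY.match(line)
        if m:
            # IE value is "host:port" or "scheme=host:port;scheme=host:port"
            for entry in m["value"].split(";"):
                scheme, _, hostport = entry.rpartition("=")
                host, sep, port = hostport.rpartition(":")
                if not sep:
                    host, port = hostport, ""
                if host.lower() in LOOPBACK:
                    findings.append(("IE", scheme or "all", host, port))
            continue
        m = FF_PREF.match(line)
        if m:
            ff_prefs[m["key"]] = m["value"]
    host = ff_prefs.get("network.proxy.http", "")
    if host.lower() in LOOPBACK:
        findings.append(("Firefox", "http", host, ff_prefs.get("network.proxy.http_port", "")))
    return findings


def find_suspicious_drivers(services):
    """Flag services named with eight hex digits whose image file DDS could not find."""
    flagged = []
    for s in services:
        if not (HEX_NAME.match(s.name) and s.image_missing):
            continue
        reasons = ["eight-hex-digit service name", "image file not found ([?])"]
        if s.display == s.name:
            reasons.append("no descriptive display name")
        if s.start in EARLY_START:
            reasons.append(f"early start type {s.start}")
        flagged.append((s.name, s.path, reasons))
    return flagged


def triage(text):
    """Run both checks over one DDS log and return the items to review."""
    return {
        "loopback_proxies": find_loopback_proxies(text),
        "suspicious_drivers": find_suspicious_drivers(parse_services(text)),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_DDS).items():
        print(key)
        for item in items:
            print("  ", item)
```

Run against the sample, the proxy check reports both browsers on localhost:7171 and the driver check reports 211c6440 and 579f9ac2 with all four reasons, while SASDIFSV and NPF pass. To use it on a full log, read DDS.txt into a string and pass it to triage(); the section headers and blank lines are simply ignored by the line regexes.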

My apologies, I installed it and opened it but never ran a scan as no such notepad entry exists.

Would you like me to run ComboFix for the first time and post the log?

Proxy settings have been disabled and uTorrent has been removed.

I will retry the previous instructions from DDS to GMER and see if it will finish.

Sorry, I mean from DeFogger to GMER.


Hello

I would like a new DDS scan done also - don't do ComboFix yet.

As for GMER, try it this way.

I would like you to delete the GMER you have now and download this version from here.

GMER:

I would like you to download this "special version of gmer." and save it to your desktop.

  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Devices (don't miss this one) <-- this one is different from the picture
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

If GMER runs then please give me the log and pass on the next step.

If GMER still does not run, and only if it does not run, please do the following.

I would like you to try and run GMER in Safe Mode; to enter Safe Mode do the following.

Boot into Safe Mode

Reboot your computer in Safe Mode.

  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

If GMER does run to the end, please send me the log in your next reply. If it still does not run, please let me know and we will try something else.

Information and logs:

  • In your next post I need the following
  1. new dds log
  2. log from Gmer
  3. let me know of any problems you may have had
  4. How is the computer doing now?

Gringo


Ok so it froze once again but worked fine in Safe Mode. Here are the new logs!

DDS

DDS (Ver_10-03-17.01) - NTFSx86

Run by Michael at 0:32:29.10 on 01/05/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.447.138 [GMT 1:00]

FW: PC Tools Firewall Plus *enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Acer\Empowering Technology\ePerformance\MemCheck.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

c:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

C:\Acer\Empowering Technology\eRecovery\eRAgent.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Michael\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uInternet Settings,ProxyServer = http=localhost:7171

uInternet Settings,ProxyOverride = *.local;<local>

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe 1

mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe

dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

StartupFolder: c:\docume~1\michael\startm~1\programs\startup\zooskm~1.lnk - c:\program files\zooskmessenger\ZooskMessenger.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1272569823359

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michael\applic~1\mozilla\firefox\profiles\4sfciw3f.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - plugin: c:\program files\mozilla firefox\plugins\npbyond.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-5-26 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 66632]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 12872]

S1 211c6440;211c6440;c:\windows\system32\drivers\211c6440.sys --> c:\windows\system32\drivers\211c6440.sys [?]

S1 579f9ac2;579f9ac2;c:\windows\system32\drivers\579f9ac2.sys --> c:\windows\system32\drivers\579f9ac2.sys [?]

S1 761d6cee;761d6cee;c:\windows\system32\drivers\761d6cee.sys --> c:\windows\system32\drivers\761d6cee.sys [?]

S1 cc2c5d42;cc2c5d42;c:\windows\system32\drivers\cc2c5d42.sys --> c:\windows\system32\drivers\cc2c5d42.sys [?]

S3 AVEO;AVEO USB2.0 PC Camera;c:\windows\system32\drivers\aveodcnt.sys [2010-1-15 171520]

S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-11-23 13224]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-1-28 89256]

S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-1-28 15016]

S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-1-28 120744]

S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2009-1-28 114216]

S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2009-1-28 25512]

S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2009-1-28 110632]

S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2009-1-28 115752]

S3 SE1008mdm;Sony Ericsson SE1008 Mobile Device Full USB Driver;c:\windows\system32\drivers\SE1008mdm.sys [2009-11-30 58536]

=============== Created Last 30 ================

2010-04-30 22:22:44 0 d-s---w- C:\ComboFix

2010-04-30 18:25:19 0 ----a-w- c:\documents and settings\michael\defogger_reenable

2010-04-30 15:45:56 77312 ----a-w- c:\windows\MBR.exe

2010-04-30 15:45:56 256512 ----a-w- c:\windows\PEV.exe

2010-04-30 03:35:22 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-29 21:29:48 0 d-----w- c:\windows\ServicePackFiles

2010-04-29 21:28:29 19528 ----a-w- c:\windows\000001_.tmp

2010-04-24 03:07:18 0 d-----w- c:\docume~1\michael\applic~1\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1

2010-04-04 11:20:33 73728 ----a-w- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2010-04-29 12:45:00 2048 ----a-w- c:\windows\system32\Tr_sttool.dat

2010-04-29 11:19:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 11:19:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-14 20:13:16 81920 ----a-w- c:\windows\system32\bsrgvas.dll

2010-03-14 20:13:16 692224 ----a-w- c:\windows\system32\bsrmgcv.dll

2010-03-14 20:13:16 192512 ----a-w- c:\windows\system32\bsrmgps.dll

2010-03-14 20:12:53 585728 ----a-w- c:\windows\system32\bsratswf.dll

2010-03-14 20:12:53 147456 ----a-w- c:\windows\system32\bsratwmv.dll

2009-06-03 02:06:32 32768 --sha-w- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat

2009-05-18 09:13:42 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009051120090518\index.dat

2009-05-28 07:29:07 49152 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009051820090525\index.dat

2009-06-01 01:43:03 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009052520090601\index.dat

2009-06-01 01:43:03 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009060120090602\index.dat

2009-06-02 08:38:57 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009060220090603\index.dat

2009-06-03 02:06:32 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009060320090604\index.dat

============= FINISH: 0:32:56.95 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 27/01/2007 05:46:44

System Uptime: 05/01/2010 00:27:17 (2784 hours ago)

Motherboard: Acer | | EM61SM/EM61PM

Processor: AMD Sempron Processor 3400+ | Socket M2 | 1808/201mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 34 GiB total, 17.112 GiB free.

D: is FIXED (FAT32) - 35 GiB total, 31.016 GiB free.

E: is CDROM ()

F: is Removable

G: is Removable

H: is Removable

I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 29/04/2010 21:50:17 - System Checkpoint

RP2: 29/04/2010 22:28:36 - Installed Windows XP Service Pack 2.

RP3: 30/04/2010 04:34:54 - Installed Java 6 Update 20

RP4: 30/04/2010 16:08:56 - Installed Windows XP Service Pack 2.

==== Installed Programs ======================

Acer eDataSecurity Management

Acer eDataSecurity Management 2.0.3077

Acer Empowering Technology

Acer ePerformance Management

Acer WLAN 11g USB Dongle

Acrobat.com

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 9.2

Adobe Shockwave Player 11.5

Apple Application Support

Apple Software Update

Avanquest update

AVEO USB2.0 PC Camera(C7EVTV1P10939)

Bonjour

BSR Screen Recorder 4

CCleaner

commercial

Critical Update for Windows Media Player 11 (KB959772)

GIMP 2.6.7

GTactix

HiDownloadPlatinum

High Definition Audio Driver Package - KB888111

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 10 (KB903157)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB888795)

Hotfix for Windows XP (KB891593)

Hotfix for Windows XP (KB893357)

Hotfix for Windows XP (KB895961)

Hotfix for Windows XP (KB896256)

Hotfix for Windows XP (KB898444)

Hotfix for Windows XP (KB899337)

Hotfix for Windows XP (KB899510)

Hotfix for Windows XP (KB902841)

Hotfix for Windows XP (KB906569)

Hotfix for Windows XP (KB914440)

Hotfix for Windows XP (KB915865)

Hotfix for Windows XP (KB926239)

Hotfix for Windows XP (KB935448)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Java Auto Updater

Java 6 Update 20

Junk Mail filter update

LightScribe 1.4.74.1

Malwarebytes' Anti-Malware

Microsoft .NET Framework 1.0 Hotfix (KB887998)

Microsoft .NET Framework 1.0 Hotfix (KB930494)

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.7

Microsoft National Language Support Downlevel APIs

Microsoft Office Excel Viewer 2003

Microsoft Silverlight

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 Redistributable

Mozilla Firefox (3.6.3)

MSVCRT

MSXML 4.0 SP2 (KB954430)

NVIDIA Drivers

OCA Client history tool install

QuickTime

RealPlayer

Realtek High Definition Audio Driver

Security Update for CAPICOM (KB931906)

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB883939)

Security Update for Windows XP (KB890046)

Security Update for Windows XP (KB893756)

Security Update for Windows XP (KB896358)

Security Update for Windows XP (KB896422)

Security Update for Windows XP (KB896423)

Security Update for Windows XP (KB896424)

Security Update for Windows XP (KB896428)

Security Update for Windows XP (KB899587)

Security Update for Windows XP (KB899588)

Security Update for Windows XP (KB899589)

Security Update for Windows XP (KB899591)

Security Update for Windows XP (KB900725)

Security Update for Windows XP (KB901017)

Security Update for Windows XP (KB901190)

Security Update for Windows XP (KB901214)

Security Update for Windows XP (KB902400)

Security Update for Windows XP (KB903235)

Security Update for Windows XP (KB904706)

Security Update for Windows XP (KB905414)

Security Update for Windows XP (KB905749)

Security Update for Windows XP (KB905915)

Security Update for Windows XP (KB908519)

Security Update for Windows XP (KB908531)

Security Update for Windows XP (KB911562)

Security Update for Windows XP (KB911567)

Security Update for Windows XP (KB911927)

Security Update for Windows XP (KB912812)

Security Update for Windows XP (KB912919)

Security Update for Windows XP (KB913433)

Security Update for Windows XP (KB913446)

Security Update for Windows XP (KB913580)

Security Update for Windows XP (KB914388)

Security Update for Windows XP (KB914389)

Security Update for Windows XP (KB917344)

Security Update for Windows XP (KB917422)

Security Update for Windows XP (KB917953)

Security Update for Windows XP (KB918118)

Security Update for Windows XP (KB918439)

Security Update for Windows XP (KB919007)

Security Update for Windows XP (KB920213)

Security Update for Windows XP (KB920670)

Security Update for Windows XP (KB920683)

Security Update for Windows XP (KB920685)

Security Update for Windows XP (KB922819)

Security Update for Windows XP (KB923191)

Security Update for Windows XP (KB923414)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB923694)

Security Update for Windows XP (KB923980)

Security Update for Windows XP (KB924191)

Security Update for Windows XP (KB924270)

Security Update for Windows XP (KB924496)

Security Update for Windows XP (KB924667)

Security Update for Windows XP (KB925902)

Security Update for Windows XP (KB926255)

Security Update for Windows XP (KB926436)

Security Update for Windows XP (KB927779)

Security Update for Windows XP (KB927802)

Security Update for Windows XP (KB928090)

Security Update for Windows XP (KB928255)

Security Update for Windows XP (KB928843)

Security Update for Windows XP (KB929123)

Security Update for Windows XP (KB929969)

Security Update for Windows XP (KB930178)

Security Update for Windows XP (KB931261)

Security Update for Windows XP (KB931768)

Security Update for Windows XP (KB931784)

Security Update for Windows XP (KB932168)

Security Update for Windows XP (KB933566)

Security Update for Windows XP (KB935839)

Security Update for Windows XP (KB935840)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB944338-v2)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956390)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958215)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960714)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB961373)

Segoe UI

Sonic Encoders

Sony Ericsson PC Suite 4.010.00

Sony Ericsson W395© driver v3.5.3.0

SUPERAntiSpyware Free Edition

Update for Windows Media Player 10 (KB910393)

Update for Windows Media Player 10 (KB913800)

Update for Windows Media Player 10 (KB926251)

Update for Windows XP (KB894391)

Update for Windows XP (KB896727)

Update for Windows XP (KB898461)

Update for Windows XP (KB900485)

Update for Windows XP (KB904942)

Update for Windows XP (KB910437)

Update for Windows XP (KB911280)

Update for Windows XP (KB912945)

Update for Windows XP (KB916595)

Update for Windows XP (KB920872)

Update for Windows XP (KB922582)

Update for Windows XP (KB927891)

Update for Windows XP (KB929338)

Update for Windows XP (KB930916)

Update for Windows XP (KB931836)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955839)

Update for Windows XP (KB961503)

Update for Windows XP (KB967715)

Update Rollup 2 for Windows XP Media Center Edition 2005

Update Service

Visual C++ 2008 x86 Runtime - (v9.0.30729)

Visual C++ 2008 x86 Runtime - v9.0.30729.01

VLC media player 1.0.1

WebFldrs XP

Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)

Windows Driver Package - AMD System (04/06/2006 1.0.1.0)

Windows Genuine Advantage Notifications (KB905474)

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Mail

Windows Live Messenger

Windows Live Sign-in Assistant

Windows Live Upload Tool

Windows Media Encoder 9 Series

Windows Media Format 11 runtime

Windows Media Player 11

Windows Media Player Firefox Plugin

Windows XP Hotfix - KB867282

Windows XP Hotfix - KB873333

Windows XP Hotfix - KB873339

Windows XP Hotfix - KB885250

Windows XP Hotfix - KB885835

Windows XP Hotfix - KB885836

Windows XP Hotfix - KB886185

Windows XP Hotfix - KB887472

Windows XP Hotfix - KB888113

Windows XP Hotfix - KB888239

Windows XP Hotfix - KB888302

Windows XP Hotfix - KB890047

Windows XP Hotfix - KB890175

Windows XP Hotfix - KB890859

Windows XP Hotfix - KB890923

Windows XP Hotfix - KB891781

Windows XP Hotfix - KB893086

Windows XP Media Center Edition 2005 KB908246

Windows XP Media Center Edition 2005 KB925766

WinPcap 4.1.1

WinRAR archiver

WinZip Self-Extractor

==== Event Viewer Messages From Past Week ========

30/04/2010 16:10:57, error: NtServicePack [4374] - Windows XP Service Pack 2 installation failed, leaving Windows XP partially updated.

Service Pack 2 installation did not complete.

30/04/2010 16:10:34, error: NtServicePack [4373] - Windows XP Service Pack 2 installation failed.

Access is denied.

29/04/2010 22:44:19, error: NtServicePack [4374] - Windows XP Service Pack 2 installation failed, leaving Windows XP partially updated.

Service Pack 2 installation did not complete.

29/04/2010 22:32:51, error: NtServicePack [4373] - Windows XP Service Pack 2 installation failed.

Access is denied.

29/04/2010 22:16:52, error: Service Control Manager [7000] - The Upload Manager service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.

29/04/2010 20:37:33, error: Service Control Manager [7028] - The wuauserv Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.

29/04/2010 20:25:52, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: nvatabus nvraid

29/04/2010 20:25:50, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

29/04/2010 11:34:40, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

28/04/2010 11:03:29, error: Service Control Manager [7000] - The Background Intelligent Transfer Service service failed to start due to the following error: The system cannot find the file specified.

28/04/2010 11:03:29, error: DCOM [10005] - DCOM got error "%2" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

28/04/2010 10:50:21, error: Service Control Manager [7000] - The Security Services Driver (x86) service failed to start due to the following error: The system cannot find the file specified.

27/04/2010 10:47:37, error: ipnathlp [30005] - The DHCP allocator has detected a DHCP server with IP address 192.168.0.1 on the same network as the interface with IP address 192.168.0.101. The allocator has disabled itself on the interface in order to avoid confusing DHCP clients.

25/04/2010 19:08:24, error: ipnathlp [30009] - The DHCP allocator encountered a network error while attempting to reply on IP address 240.49.70.102 to a request from a client. The data is the error code.

==== End Of File ===========================

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-05-01 01:34:44

Windows 5.1.2600 Service Pack 2

Running: 13ep6zz2.exe; Driver: C:\DOCUME~1\Michael\LOCALS~1\Temp\agloapoc.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Classes\VAXObject.Chl\CLSID@ {6BF52A52-394A-11D3-B153-00C04F79FAA6}

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{28A10A1B-43AB-FFED-583E-55D818F30A8B}

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{28A10A1B-43AB-FFED-583E-55D818F30A8B}@nabademhiabokdbgbcgmmkijpkpn 0x6B 0x61 0x63 0x66 ...

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{28A10A1B-43AB-FFED-583E-55D818F30A8B}@malofgdfbebhdolonfhnoeoogk 0x6B 0x61 0x6E 0x65 ...

---- EOF - GMER 1.0.15 ----

The report is half of what it was out of safe mode, but I'm sure you were expecting that.


  • Staff

Hello

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Update ComboFix

I would like you to download an updated version of ComboFix.

  • Delete the version of combofix you have now on your desktop and download a new one from here
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following
  1. report from combofix
  2. let me know of any problems you may have had
  3. How is the computer doing now?

Gringo


ComboFix 10-04-30.03 - Michael 01/05/2010 14:12:45.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.447.194 [GMT 1:00]

Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe

FW: PC Tools Firewall Plus *enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\WindowsUpdate

c:\recycler\S-1-5-21-7580067392-3461222767-887690573-1322

c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf

c:\windows\system32\tmp.reg

.

((((((((((((((((((((((((( Files Created from 2010-04-01 to 2010-05-01 )))))))))))))))))))))))))))))))

.

2010-05-01 13:23 . 2010-05-01 13:23 -------- d-----w- c:\windows\LastGood

2010-04-30 03:35 . 2010-04-12 16:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-29 21:29 . 2010-04-29 21:29 -------- d-----w- c:\windows\ServicePackFiles

2010-04-24 03:07 . 2010-04-24 03:07 -------- d-----w- c:\documents and settings\Michael\Application Data\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1

2010-04-04 11:21 . 2010-04-04 11:21 -------- d-----w- c:\program files\Common Files\Java

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-30 22:24 . 2008-12-22 07:53 -------- d-----w- c:\program files\uTorrent

2010-04-30 18:53 . 2008-12-19 20:17 36936 ----a-w- c:\documents and settings\Michael\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-30 03:35 . 2007-01-27 05:48 -------- d-----w- c:\program files\Java

2010-04-29 21:33 . 2006-08-11 21:00 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-04-29 18:56 . 2009-02-08 20:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-29 18:54 . 2009-03-26 01:24 6153648 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-04-29 12:45 . 2009-10-27 12:13 2048 ----a-w- c:\windows\system32\Tr_sttool.dat

2010-04-29 11:19 . 2009-02-08 20:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 11:19 . 2009-02-08 20:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-29 11:05 . 2009-08-19 08:24 -------- d-----w- c:\documents and settings\Michael\Application Data\vlc

2010-04-27 00:56 . 2009-05-16 17:16 -------- d-----w- c:\documents and settings\Michael\Application Data\Userplane

2010-04-27 00:56 . 2009-05-16 17:16 -------- d-----w- c:\program files\AdultWork Notifier

2010-04-27 00:55 . 2009-05-17 13:20 -------- d-----w- c:\program files\CCleaner

2010-04-24 11:55 . 2009-10-27 16:36 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-04-24 11:49 . 2009-10-27 16:36 38784 ----a-w- c:\documents and settings\Michael\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-04-22 01:37 . 2010-03-21 12:11 439816 ----a-w- c:\documents and settings\Michael\Application Data\Real\Update\setup3.10\setup.exe

2010-04-08 21:17 . 2009-06-16 21:07 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-04-02 10:10 . 2010-04-02 10:10 61440 ----a-w- c:\documents and settings\caroline\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1cdccfae-n\decora-sse.dll

2010-04-02 10:10 . 2010-04-02 10:10 503808 ----a-w- c:\documents and settings\caroline\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7103a01e-n\msvcp71.dll

2010-04-02 10:10 . 2010-04-02 10:10 499712 ----a-w- c:\documents and settings\caroline\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7103a01e-n\jmc.dll

2010-04-02 10:10 . 2010-04-02 10:10 348160 ----a-w- c:\documents and settings\caroline\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7103a01e-n\msvcr71.dll

2010-04-02 10:10 . 2010-04-02 10:10 12800 ----a-w- c:\documents and settings\caroline\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1cdccfae-n\decora-d3d.dll

2010-03-31 17:12 . 2009-03-15 11:13 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-03-30 10:27 . 2009-06-16 21:08 117760 ----a-w- c:\documents and settings\Michael\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-03-24 18:17 . 2010-03-24 08:04 952768 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\ARM Update\AdobeARM.exe

2010-03-24 18:17 . 2010-03-24 08:04 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\ARM Update\AdobeExtractFiles.dll

2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\ARM Update\ReaderUpdater.exe

2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\ARM Update\AcrobatUpdater.exe

2010-03-20 08:21 . 2010-03-20 08:21 -------- d-----w- c:\program files\WinPcap

2010-03-20 08:21 . 2010-03-20 08:21 -------- d-----w- c:\program files\StreamingStar

2010-03-14 20:13 . 2009-10-27 12:13 -------- d-----w- c:\program files\BSR Screen Recorder 4

2010-03-14 20:13 . 2010-03-14 20:13 81920 ----a-w- c:\windows\system32\bsrgvas.dll

2010-03-14 20:13 . 2010-03-14 20:13 692224 ----a-w- c:\windows\system32\bsrmgcv.dll

2010-03-14 20:13 . 2010-03-14 20:13 192512 ----a-w- c:\windows\system32\bsrmgps.dll

2010-03-14 20:12 . 2010-03-14 20:12 585728 ----a-w- c:\windows\system32\bsratswf.dll

2010-03-14 20:12 . 2010-03-14 20:12 147456 ----a-w- c:\windows\system32\bsratwmv.dll

2010-03-10 03:13 . 2009-10-02 22:24 -------- d-----w- c:\documents and settings\Michael\Application Data\gtk-2.0

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-08 2010864]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]

"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-11 7626752]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-25 185872]

"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 16208384]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-05-30 5419008]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-10-01 10:49 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

2005-09-29 22:01 67584 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]

2004-08-10 20:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2006-07-11 22:19 7626752 ----a-w- c:\windows\system32\nvcpl.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [26/05/2009 10:05 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [26/05/2009 10:05 66632]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [26/05/2009 10:05 12872]

S1 211c6440;211c6440;c:\windows\system32\drivers\211c6440.sys --> c:\windows\system32\drivers\211c6440.sys [?]

S1 579f9ac2;579f9ac2;c:\windows\system32\drivers\579f9ac2.sys --> c:\windows\system32\drivers\579f9ac2.sys [?]

S1 761d6cee;761d6cee;c:\windows\system32\drivers\761d6cee.sys --> c:\windows\system32\drivers\761d6cee.sys [?]

S1 cc2c5d42;cc2c5d42;c:\windows\system32\drivers\cc2c5d42.sys --> c:\windows\system32\drivers\cc2c5d42.sys [?]

S3 AVEO;AVEO USB2.0 PC Camera;c:\windows\system32\drivers\aveodcnt.sys [15/01/2010 12:05 171520]

S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [23/11/2009 15:35 13224]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [20/10/2009 19:19 50704]

S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [28/01/2009 22:35 89256]

S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [28/01/2009 22:35 15016]

S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [28/01/2009 22:35 120744]

S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [28/01/2009 22:35 114216]

S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [28/01/2009 22:35 25512]

S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [28/01/2009 22:35 110632]

S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [28/01/2009 22:35 115752]

S3 SE1008mdm;Sony Ericsson SE1008 Mobile Device Full USB Driver;c:\windows\system32\drivers\SE1008mdm.sys [30/11/2009 23:08 58536]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Settings,ProxyServer = http=localhost:7171

uInternet Settings,ProxyOverride = *.local;<local>

FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\4sfciw3f.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbyond.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORPHANS REMOVED - - - -

Notify-dimsntfy - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-01 14:24

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2174515030-3141958951-538735306-1008\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{28A10A1B-43AB-FFED-583E-55D818F30A8B}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"nabademhiabokdbgbcgmmkijpkpn"=hex:6b,61,63,66,68,64,6c,68,66,62,64,6b,65,66,68,66,69,6c,6a,70,68,65,00,00

"malofgdfbebhdolonfhnoeoogk"=hex:6b,61,6e,65,66,64,61,70,6e,63,64,70,65,6b,62,6a,6a,6c,6e,6f,63,70,00,00

[HKEY_LOCAL_MACHINE\software\Classes\VAXObject.Chl\CLSID]

@DACL=(02 0000)

@="{6BF52A52-394A-11D3-B153-00C04F79FAA6}"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(3084)

c:\windows\system32\MSNCHATHOOK.DLL

c:\windows\system32\sysenv.dll

c:\windows\system32\CryptoAPI.dll

c:\windows\system32\MFC71U.DLL

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\acer\Empowering Technology\ePerformance\MemCheck.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\nvsvc32.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

c:\windows\SoftwareDistribution\Download\eb9a3cecaccfdb2a115742a9b5d50b42\update\update.exe

.

**************************************************************************

.

Completion time: 2010-05-01 14:33:27 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-01 13:33

ComboFix2.txt 2009-06-12 20:00

Pre-Run: 18,861,785,088 bytes free

Post-Run: 18,816,053,248 bytes free

- - End Of File - - 8E13F900187AF0B91AFB4B3ABF8319E5

Finally those awful files have gone! Thank you so much! This PC was a gift but has been nothing but a curse! Now 150 important security updates to download as well as multiple software and hardware updates lol

Thanks again Gringo!!!


  • Staff

Hello

"now 150 important security updates to download as well as multiple software and hardware updates lol"
Please don't do any of it yet - we still have work to do.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

DDS::
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>

Driver::
211c6440
579f9ac2
761d6cee
cc2c5d42

RegNull::
[HKEY_USERS\S-1-5-21-2174515030-3141958951-538735306-1008\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{28A10A1B-43AB-FFED-583E-55D818F30A8B}*]

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\VAXObject.Chl\CLSID]

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

[image: CFScriptB-4.gif]

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

NOTE**

  • When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will upload files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

"information and logs"

  • In your next post I need the following
  1. log from combofix
  2. let me know of any problems you may have had
  3. How is the computer doing now?

Gringo

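The triage behind the CFScript above, as an added example (not part of this thread and not ComboFix's own code): a small Python parser for the service and Internet Settings lines of a ComboFix log that flags drivers whose file could not be found, treating the `--> ... [?]` suffix as that marker (an assumption drawn from the log lines here), flags a ProxyServer that points back at the local machine, and emits the matching DDS:: and Driver:: sections. The sample log lines are constructed from the entries quoted above.

```python
import re
from typing import Dict, List

# Constructed sample input in the shape of the ComboFix/DDS lines quoted in this
# thread (service entries plus the "Supplementary Scan" Internet Settings).
SAMPLE_LOG = """\
R1 SASDIFSV;SASDIFSV;c:\\program files\\SUPERAntiSpyware\\SASDIFSV.SYS [26/05/2009 10:05 12872]
S1 211c6440;211c6440;c:\\windows\\system32\\drivers\\211c6440.sys --> c:\\windows\\system32\\drivers\\211c6440.sys [?]
S1 579f9ac2;579f9ac2;c:\\windows\\system32\\drivers\\579f9ac2.sys --> c:\\windows\\system32\\drivers\\579f9ac2.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\\windows\\system32\\drivers\\npf.sys [20/10/2009 19:19 50704]
uStart Page = about:blank
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
"""

# "<start type> <service name>;<display name>;<path and status>"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)$")
# Assumption: "--> <path> [?]" marks a service whose driver file was not found.
MISSING_FILE_RE = re.compile(r"-->\s+\S.*\[\?\]\s*$")
# Eight lowercase hex digits: the naming pattern of the four drivers in this log.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")
PROXY_RE = re.compile(r"^uInternet Settings,Proxy(Server|Override)\s*=\s*(.*)$")
# A proxy on the local host means some local process sits in front of the browser.
LOCAL_PROXY_RE = re.compile(r"(^|[=;])(localhost|127\.0\.0\.1)(:\d+)?", re.IGNORECASE)


def parse_services(log: str) -> List[Dict[str, object]]:
    """Return one record per service/driver line in the log."""
    records = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        start, name, display, tail = m.groups()
        records.append({
            "start": start,
            "name": name,
            "display": display,
            "missing_file": bool(MISSING_FILE_RE.search(tail)),
            "hex_name": bool(HEX_NAME_RE.match(name)),
        })
    return records


def find_suspicious_services(log: str) -> List[str]:
    """Service names whose driver file is absent: the entries a CFScript
    Driver:: section would remove."""
    return [r["name"] for r in parse_services(log) if r["missing_file"]]


def find_proxy_settings(log: str) -> List[str]:
    """Return the Internet Settings proxy lines verbatim, but only when the
    ProxyServer points back at the local machine."""
    lines = [l.strip() for l in log.splitlines() if PROXY_RE.match(l.strip())]
    local = any(
        LOCAL_PROXY_RE.search(m.group(2))
        for m in map(PROXY_RE.match, lines)
        if m and m.group(1) == "Server"
    )
    return lines if local else []


def build_cfscript(log: str) -> str:
    """Assemble the DDS:: and Driver:: sections in the format used above."""
    sections = []
    proxy = find_proxy_settings(log)
    if proxy:
        sections.append("DDS::\n" + "\n".join(proxy))
    drivers = find_suspicious_services(log)
    if drivers:
        sections.append("Driver::\n" + "\n".join(drivers))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```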

ComboFix 10-05-01.04 - Michael 02/05/2010 0:29.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.447.127 [GMT 1:00]

Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Michael\Desktop\CFScript.txt

FW: PC Tools Firewall Plus *enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_211c6440

-------\Service_579f9ac2

-------\Service_761d6cee

-------\Service_cc2c5d42

((((((((((((((((((((((((( Files Created from 2010-04-01 to 2010-05-01 )))))))))))))))))))))))))))))))

.

2010-05-01 22:52 . 2010-05-01 22:52 -------- d-----w- c:\windows\LastGood

2010-05-01 22:48 . 2010-05-01 22:48 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-05-01 14:22 . 2010-05-01 14:22 -------- d-----w- c:\windows\ie8updates

2010-05-01 14:06 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

2010-05-01 14:03 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2010-05-01 14:02 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll

2010-05-01 14:02 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll

2010-05-01 14:02 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll

2010-05-01 14:02 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll

2010-05-01 14:02 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll

2010-05-01 14:02 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll

2010-05-01 14:02 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe

2010-05-01 14:02 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe

2010-05-01 14:02 . 2010-02-17 08:10 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2010-05-01 14:02 . 2010-02-16 14:08 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2010-05-01 14:02 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll

2010-05-01 14:02 . 2010-02-16 13:25 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2010-05-01 13:59 . 2008-04-14 00:11 61440 ------w- c:\windows\system32\kmsvc.dll

2010-05-01 13:38 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2010-05-01 13:38 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll

2010-05-01 13:38 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

2010-05-01 13:35 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

2010-04-30 03:35 . 2010-04-12 16:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-29 21:29 . 2010-05-01 14:11 -------- d-----w- c:\windows\ServicePackFiles

2010-04-24 03:07 . 2010-04-24 03:07 -------- d-----w- c:\documents and settings\Michael\Application Data\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1

2010-04-04 11:21 . 2010-04-04 11:21 -------- d-----w- c:\program files\Common Files\Java

2010-04-02 10:10 . 2010-04-02 10:10 61440 ----a-w- c:\documents and settings\caroline\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1cdccfae-n\decora-sse.dll

2010-04-02 10:10 . 2010-04-02 10:10 503808 ----a-w- c:\documents and settings\caroline\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7103a01e-n\msvcp71.dll

2010-04-02 10:10 . 2010-04-02 10:10 499712 ----a-w- c:\documents and settings\caroline\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7103a01e-n\jmc.dll

2010-04-02 10:10 . 2010-04-02 10:10 348160 ----a-w- c:\documents and settings\caroline\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7103a01e-n\msvcr71.dll

2010-04-02 10:10 . 2010-04-02 10:10 12800 ----a-w- c:\documents and settings\caroline\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1cdccfae-n\decora-d3d.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-01 22:30 . 2006-08-11 21:00 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-05-01 14:33 . 2009-08-06 11:13 -------- d-----w- c:\program files\Microsoft Silverlight

2010-04-30 22:24 . 2008-12-22 07:53 -------- d-----w- c:\program files\uTorrent

2010-04-30 18:53 . 2008-12-19 20:17 36936 ----a-w- c:\documents and settings\Michael\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-30 03:35 . 2007-01-27 05:48 -------- d-----w- c:\program files\Java

2010-04-29 18:56 . 2009-02-08 20:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-29 18:54 . 2009-03-26 01:24 6153648 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-04-29 12:45 . 2009-10-27 12:13 2048 ----a-w- c:\windows\system32\Tr_sttool.dat

2010-04-29 11:19 . 2009-02-08 20:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 11:19 . 2009-02-08 20:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-29 11:05 . 2009-08-19 08:24 -------- d-----w- c:\documents and settings\Michael\Application Data\vlc

2010-04-27 00:56 . 2009-05-16 17:16 -------- d-----w- c:\documents and settings\Michael\Application Data\Userplane

2010-04-27 00:56 . 2009-05-16 17:16 -------- d-----w- c:\program files\AdultWork Notifier

2010-04-27 00:55 . 2009-05-17 13:20 -------- d-----w- c:\program files\CCleaner

2010-04-24 11:55 . 2009-10-27 16:36 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-04-24 11:49 . 2009-10-27 16:36 38784 ----a-w- c:\documents and settings\Michael\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-04-22 01:37 . 2010-03-21 12:11 439816 ----a-w- c:\documents and settings\Michael\Application Data\Real\Update\setup3.10\setup.exe

2010-04-08 21:17 . 2009-06-16 21:07 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-03-31 17:12 . 2009-03-15 11:13 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-03-30 10:27 . 2009-06-16 21:08 117760 ----a-w- c:\documents and settings\Michael\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-03-24 18:17 . 2010-03-24 08:04 952768 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\ARM Update\AdobeARM.exe

2010-03-24 18:17 . 2010-03-24 08:04 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\ARM Update\AdobeExtractFiles.dll

2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\ARM Update\ReaderUpdater.exe

2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\ARM Update\AcrobatUpdater.exe

2010-03-20 08:21 . 2010-03-20 08:21 -------- d-----w- c:\program files\WinPcap

2010-03-20 08:21 . 2010-03-20 08:21 -------- d-----w- c:\program files\StreamingStar

2010-03-14 20:13 . 2009-10-27 12:13 -------- d-----w- c:\program files\BSR Screen Recorder 4

2010-03-14 20:13 . 2010-03-14 20:13 81920 ----a-w- c:\windows\system32\bsrgvas.dll

2010-03-14 20:13 . 2010-03-14 20:13 692224 ----a-w- c:\windows\system32\bsrmgcv.dll

2010-03-14 20:13 . 2010-03-14 20:13 192512 ----a-w- c:\windows\system32\bsrmgps.dll

2010-03-14 20:12 . 2010-03-14 20:12 585728 ----a-w- c:\windows\system32\bsratswf.dll

2010-03-14 20:12 . 2010-03-14 20:12 147456 ----a-w- c:\windows\system32\bsratwmv.dll

2010-03-10 06:15 . 2004-08-10 20:00 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-10 03:13 . 2009-10-02 22:24 -------- d-----w- c:\documents and settings\Michael\Application Data\gtk-2.0

2010-02-24 13:11 . 2008-12-25 18:15 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-16 14:08 . 2008-12-25 18:15 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2008-12-25 18:15 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33 . 2004-08-10 20:00 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2008-12-25 18:15 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-08 2010864]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]

"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-11 7626752]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-25 185872]

"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 16208384]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-05-30 5419008]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-10-01 10:49 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

2005-09-29 22:01 67584 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]

2004-08-10 20:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2006-07-11 22:19 7626752 ----a-w- c:\windows\system32\nvcpl.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/26/2009 10:05 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 66632]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 12872]

S3 AVEO;AVEO USB2.0 PC Camera;c:\windows\system32\drivers\aveodcnt.sys [1/15/2010 12:05 PM 171520]

S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [11/23/2009 3:35 PM 13224]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 7:19 PM 50704]

S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [1/28/2009 10:35 PM 89256]

S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [1/28/2009 10:35 PM 15016]

S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [1/28/2009 10:35 PM 120744]

S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [1/28/2009 10:35 PM 114216]

S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [1/28/2009 10:35 PM 25512]

S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [1/28/2009 10:35 PM 110632]

S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [1/28/2009 10:35 PM 115752]

S3 SE1008mdm;Sony Ericsson SE1008 Mobile Device Full USB Driver;c:\windows\system32\drivers\SE1008mdm.sys [11/30/2009 11:08 PM 58536]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\4sfciw3f.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbyond.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-02 00:37

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(2436)

c:\windows\system32\MSNCHATHOOK.DLL

c:\windows\system32\sysenv.dll

c:\windows\system32\CryptoAPI.dll

c:\windows\system32\MFC71U.DLL

c:\windows\system32\ieframe.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\acer\Empowering Technology\ePerformance\MemCheck.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\nvsvc32.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

.

**************************************************************************

.

Completion time: 2010-05-02 00:42:20 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-01 23:42

ComboFix2.txt 2010-05-01 13:33

ComboFix3.txt 2009-06-12 20:00

Pre-Run: 15,064,858,624 bytes free

Post-Run: 15,052,181,504 bytes free

- - End Of File - - E40CBCEB0930B6339DB8E2D12FB1E905

No problems, ran fine. PC is working well as far as I can tell. Windows SP3 and all updates ready to install once OK given =]


  • Staff

Hello

these logs are looking better!!

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Online Scan

Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.

"information and logs"

  • In your next post I need the following
  1. Log From MBAM
  2. Log From ESET
  3. let me know of any problems you may have had
  4. How is the computer doing now?

Gringo


Here's my MBAM log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4058

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

02/05/2010 01:47:58

mbam-log-2010-05-02 (01-47-58).txt

Scan type: Quick scan

Objects scanned: 136430

Time elapsed: 5 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Unfortunately the online scan keeps crashing my IE, so I cannot do that.


  • Staff

Greetings

OK, please try this one.

:Kaspersky scan:

  • Please go to the Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

gringo


--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Sunday, May 2, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Sunday, May 02, 2010 16:53:34

Records in database: 4031822

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

F:\

G:\

H:\

I:\

Scan statistics:

Objects scanned: 75081

Threats found: 5

Infected objects found: 14

Suspicious objects found: 0

Scan duration: 02:29:33

File name / Threat / Threats count

C:\WINDOWS\system32\lspccv.dll/C:\WINDOWS\system32\lspccv.dll Infected: Packed.Win32.TDSS.w 7

C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\1301700638.exe.vir Infected: Trojan-Dropper.Win32.Agent.asuo 1

C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\615289520.exe.vir Infected: Trojan.Win32.Agent.cmlp 1

C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\setupapi.dll.vir Infected: Trojan.Win32.Agent.bzzx 1

C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\setupapi.dll.vir Infected: Trojan.Win32.Agent.bzzx 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\E.tmp.vir Infected: Trojan.Win32.Agent.bzzx 1

C:\WINDOWS\system32\lspccv.dll Infected: Packed.Win32.TDSS.w 1

C:\WINDOWS\system32\pro32.exe Infected: not-a-virus:Server-Proxy.Win32.3proxy.g 1

Selected area has been scanned.


  • Staff

Hello

Open Notepad.

Copy this in the Notepad-file:

@ECHO OFF
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
FOR %%g in (
"C:\WINDOWS\system32\lspccv.dll"
"C:\WINDOWS\system32\pro32.exe") DO (
IF EXIST %%g (
ATTRIB -r -s -h %%g
DEL %%g
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
START NOTEPAD.EXE log.txt

Go to File - Save as...

Fill in the next values:

Location: Desktop

File name: del.bat

File type: All files (*.*).

Now, click Save.

Doubleclick del.bat.

Post the contents of the logfile that opens in your next reply.

gringo
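An added example, not part of Gringo's post: a PowerShell version of the same cleanup (it assumes PowerShell 4 or later and an elevated prompt, so it would not run on the XP machine in this thread) that records a hash, signature status and attributes for each file before removing it, and when the file is locked asks Windows to delete it at the next reboot instead of silently failing. A kernel rootkit such as the TDSS variant Kaspersky flagged above can shield a file from user-mode tools altogether, which is why the thread later falls back to a ComboFix script.

```powershell
# Added example (not from the original thread). Targets are the two files
# named in the Kaspersky report above; the log path is an assumption.
$targets = @(
    'C:\WINDOWS\system32\lspccv.dll',
    'C:\WINDOWS\system32\pro32.exe'
)
$log = Join-Path $env:USERPROFILE 'Desktop\del-log.txt'

# MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT (4) and a null destination asks
# the kernel to delete a locked file during the next boot.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

function Remove-OrScheduleDelete {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return "$Path not found" }

    # Preserve evidence before the file disappears.
    $item = Get-Item -LiteralPath $Path -Force
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig  = (Get-AuthenticodeSignature -LiteralPath $Path).Status
    $evidence = "$Path size=$($item.Length) sha256=$hash signature=$sig attrs=$($item.Attributes)"

    try {
        # Clear read-only/system/hidden (the batch file's ATTRIB -r -s -h step).
        $item.Attributes = 'Normal'
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        return "$evidence -> deleted"
    } catch {
        # Locked, e.g. loaded into a running process: defer deletion to reboot.
        if ([Win32.Native]::MoveFileEx($Path, $null, 4)) {
            return "$evidence -> locked, delete scheduled for next reboot"
        }
        return "$evidence -> not deleted ($($_.Exception.Message))"
    }
}

# Show each result on screen and keep a copy of the log, as del.bat does.
$targets | ForEach-Object { Remove-OrScheduleDelete $_ } | Tee-Object -FilePath $log
```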


  • Staff

Hello

That file is being hard.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

File::
C:\WINDOWS\system32\lspccv.dll

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

[image: dragging CFScript.txt onto ComboFix.exe]

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

please send me the report

gringo


  • Staff

Hello Kaiser 1984

Well, it looks like you were able to do the updates, so that is good, and the last set of logs are clean.

Very well done!! This is my general post for when your logs show no more signs of malware. Please let me know if you are still having problems with your computer and what these problems are.

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

:Uninstall ComboFix:

  • Push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button).
  • Please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall; it needs to be there.
  • [image: ComboFix /Uninstall typed into the Run box]

:DeFogger:

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

:Make your Internet Explorer more secure:

  • Please visit this page that gives instructions to do this: http://surfthenetsafely.com/ieseczone8.htm

:Turn On Automatic Updates:

  • Turn On Automatic Updates
    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select Automatic (recommended): Automatically download recommended updates for my computer and install them.
    If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.
    Or visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

  • You have a couple of good antispyware programs on this computer, but you can still try some of these others to see if you like them also.
    I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:
    • WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
    • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee.
    • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machine.

Please read this great article by miekiemoes, How to prevent Malware,

and

this great article by Tony Klein, So How Did I Get Infected In First Place.

Now you have followed my advice - it's time to lodge a complaint against what you have suffered.........

Malware Complaints

If you were infected .... Stand Up and be Counted.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

My help is free; however, if you wish to make a small donation to show appreciation and to help me continue the fight against malware, then click here.

Gringo

This topic is now closed to further replies.