Free Malware Removal Forum

[556]

Hi,

I'm new to this board. I seemed to acquire the dreaded Antivirus XP08 earlier today. I've read some threads and it seems like each case is somewhat unique.

If someone could give me assistance in getting rid of this I would really appreciate it.

This has changed my wall paper and it takes forever to access the internet as well as their pop ups constantly.

Thanks in advance

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:53 PM, on 8/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lphcehoj0er71.exe
C:\Program Files\rhcahoj0er71\rhcahoj0er71.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\pphcehoj0er71.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\MSN\MSNCoreFiles\MSN.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Windows Updater Servc] C:\WINDOWS\system32\xpuupdate.exe
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [lphcehoj0er71] "C:\WINDOWS\system32\lphcehoj0er71.exe"
O4 - HKLM\..\Run: [SMrhcahoj0er71] "C:\Program Files\rhcahoj0er71\rhcahoj0er71.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [AROReminder] "C:\Program Files\Advanced Registry Optimizer\aro.exe" -rem
O4 - HKCU\..\Run: [A00F2A770D4.exe] "C:\DOCUME~1\user\LOCALS~1\Temp\_A00F2A770D4.exe"
O4 - HKCU\..\Run: [A00F2CB76EF.exe] "C:\DOCUME~1\user\LOCALS~1\Temp\_A00F2CB76EF.exe"
O4 - Startup: SpeedPlexer.lnk = C:\Program Files\SpeedPlexer\SpeedPlexer.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/d ... gctlcm.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.e-constructionloans.com/scripts/tdserver.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 7592856390
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www2.gotomeeting.com/default/ap ... 2mdlax.cab
O16 - DPF: {C77FB8C0-8B6D-440E-AC26-2BD39E97E8F2} (SpdTCtl Class) - http://speedtest.adelphia.net/customerd ... CTIVEX.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cld.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: __c00B3579 - C:\WINDOWS\system32\__c00B3579.dat (file missing)
O20 - Winlogon Notify: __c00C074A - C:\WINDOWS\system32\__c00C074A.dat (file missing)
O20 - Winlogon Notify: __c00C1C44 - C:\WINDOWS\system32\__c00C1C44.dat
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (http://www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10682 bytes

[suebaby41]

Welcome to the Malware removal Forums. Since it has been a few days since you scanned your computer with HijackThis, please post a new HijackThis Log. Thank you for your patience.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

[556]

Hi and thank you for helping me.

Per your request I just reran HiJackThis and here is the latest log file

I greatly appreciate your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:15 PM, on 8/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN\MSNCoreFiles\MSN.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Windows Updater Servc] C:\WINDOWS\system32\xpuupdate.exe
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [lphcehoj0er71] "C:\WINDOWS\system32\lphcehoj0er71.exe"
O4 - HKLM\..\Run: [SMrhcahoj0er71] "C:\Program Files\rhcahoj0er71\rhcahoj0er71.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [AROReminder] "C:\Program Files\Advanced Registry Optimizer\aro.exe" -rem
O4 - HKCU\..\Run: [A00F2A770D4.exe] "C:\DOCUME~1\user\LOCALS~1\Temp\_A00F2A770D4.exe"
O4 - HKCU\..\Run: [A00F2CB76EF.exe] "C:\DOCUME~1\user\LOCALS~1\Temp\_A00F2CB76EF.exe"
O4 - Startup: SpeedPlexer.lnk = C:\Program Files\SpeedPlexer\SpeedPlexer.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/d ... gctlcm.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.e-constructionloans.com/scripts/tdserver.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 7592856390
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www2.gotomeeting.com/default/ap ... 2mdlax.cab
O16 - DPF: {C77FB8C0-8B6D-440E-AC26-2BD39E97E8F2} (SpdTCtl Class) - http://speedtest.adelphia.net/customerd ... CTIVEX.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cld.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: __c001E5F - C:\WINDOWS\system32\__c001E5F.dat
O20 - Winlogon Notify: __c00B3579 - C:\WINDOWS\system32\__c00B3579.dat (file missing)
O20 - Winlogon Notify: __c00C074A - C:\WINDOWS\system32\__c00C074A.dat (file missing)
O20 - Winlogon Notify: __c00C1C44 - C:\WINDOWS\system32\__c00C1C44.dat (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9866 bytes

[suebaby41]

Step 1

Please download, install and run Trojan Remover to automatically remove XPAntiVirus. Trojan Remover will work for a full 30 day trial period. When the trial period ends, you will be asked to purchase a license in order to continue to use the software.

Step 2

• Please download, install and run RegSeeker.
  
• Select Clean The Registry.
• When it completes, click Select All.
• Click Delete All.
• Click the white "X" in the red square in the upper right corner of window to exit the program.

Step 3

1. Please download ComboFix save it to your desktop. **Note: It is important that it is saved directly to your desktop**.
2. Close ALL browser windows (including this one).
3. According to your Internet connection, please disconnect from the Internet.
   • Physically remove the cable for your broadband Internet service “Always On” Connection from your computer.
   • Turn your modem off.
   • Disconnect your modem cable from your computer.
   • Turn the device off for Handheld wireless connections.
4. Exit all processes and items in your System tray.
5. Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
6. Double click combofix.exe and follow the prompts.
7. A window will open with a warning. Type 1 and press Enter to begin the scan.
8. The scan will temporarily disable your desktop, and if interrupted, may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
9. Caution - do not touch your mouse/keyboard until the scan has completed. Touching your mouse/keyboard while the scan is running may cause it to stall.
10. When finished, ComboFix will produce a log for you and will automatically save the log file to C:\combofix.txt.
11. ComboFix will create a folder called QooBox in C: (C:\QooBox). It will contain any folders that were quarantined. When you are done, you can delete this folder - QooBox.
12. Note: ComboFix may reset a number of Internet Explorer's settings including making it the default browser. ComboFix resets some settings in IE in order to remove changes which may have been made by malware. It may also change the time format.
13. Please post the log from ComboFix and a new HijackThis log. Thanks.

[556]

Hi Suebaby41,

Thank you very much for your help with this.

I ran everything per the instructions and am posting the Combofix and the HijackThis log here.

There was one difference in running Combofix. Step #7 never occured. I never got the chance to type 1 and press enter. The scan seemed to run without it.

The following are things that I notice.

1) my wall paper is still different. It is the neon blue the Antivirus XP08 seemed to change it to.

2) I can't seem to access my email through my normal MSN web page when I click on the envelope. I have to go to a seperate MSN page and access through hotmail so it appears some of my settings did change.

3) My computer is operating at a faster speed!!! Love that.

4)I get a balloon pop up from my toobar that says:
You have files waithing to be written to the CD. Click the balloon. This is what started happening when the Antivirus XP08 took over.



So far that is it.

I really do appreciate all the help you are providing.

Please advise me if there is something else I should be doing.

Thank you Thank you


ComboFix 08-08-23.03 - user 2008-08-24 20:49:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.620 [GMT -7:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
C:\Documents and Settings\user\Application Data\macromedia\Flash Player\#SharedObjects\JQW8H4ZD\interclick.com
C:\Documents and Settings\user\Application Data\macromedia\Flash Player\#SharedObjects\JQW8H4ZD\interclick.com\ud.sol
C:\Documents and Settings\user\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\user\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\user\Application Data\rhcahoj0er71
C:\Documents and Settings\user\Cookies\user@atd.agencytradingdesk[2].txt
C:\Documents and Settings\user\Cookies\user@contextweb[1].txt
C:\Documents and Settings\user\Cookies\user@insightexpressai[2].txt
C:\Documents and Settings\user\Cookies\user@revsci[1].txt
C:\Documents and Settings\user\Cookies\user@track.bestbuy[1].txt
C:\Documents and Settings\user\Cookies\user@tracking.dsmmadvantage[2].txt
C:\Documents and Settings\user\Cookies\user@turn[1].txt
C:\Documents and Settings\user\Cookies\user@wat.contextweb[1].txt
C:\Documents and Settings\user\Cookies\user@www.webschwab[2].txt
C:\Program Files\Microsoft Security Adviser
C:\Program Files\Microsoft Security Adviser\msctrl.log
C:\Program Files\Microsoft Security Adviser\mssadv.log
C:\Program Files\Microsoft Security Adviser\mssadv_sp.log
C:\Program Files\rhcahoj0er71
C:\WINDOWS\system32\__c001E5F.dat
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\D.tmp
C:\WINDOWS\system32\E.tmp
C:\WINDOWS\system32\F.tmp
C:\WINDOWS\system32\pphcehoj0er71.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.
2008-08-24 19:29 . 2008-08-24 19:30 <DIR> d-------- C:\Program Files\Trojan Remover
2008-08-24 19:29 . 2008-08-24 19:29 <DIR> d-------- C:\Documents and Settings\user\Application Data\Simply Super Software
2008-08-24 19:29 . 2008-08-24 19:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-08-24 19:29 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-08-24 19:29 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-08-24 19:29 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-08-24 19:29 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-08-24 19:29 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-08-21 21:27 . 2008-08-21 21:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-21 21:11 . 2008-08-24 19:45 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-20 19:30 . 2008-08-20 19:30 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-08-20 19:24 . 2006-10-04 07:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-08-20 19:24 . 2006-10-04 07:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-08-20 19:24 . 2006-10-04 07:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-08-20 19:23 . 2008-08-20 19:23 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-08-20 19:21 . 2008-08-20 19:21 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-08-20 19:21 . 2008-08-20 19:22 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-19 21:06 . 2008-08-24 19:42 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-12 19:41 . 2008-05-01 07:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-09 14:42 . 2008-08-09 14:42 29,808 --a------ C:\WINDOWS\system32\drivers\ssfs0bbc.sys
2008-08-06 20:44 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-25 03:44 --------- d-----w C:\Documents and Settings\user\Application Data\MSN6
2008-08-23 10:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-22 03:01 164 ----a-w C:\install.dat
2008-08-21 01:20 --------- d-----w C:\Program Files\PokerStars
2008-08-20 15:58 --------- d-----w C:\Program Files\Bodog Poker
2008-08-16 06:04 --------- d-----w C:\Documents and Settings\user\Application Data\AVGTOOLBAR
2008-08-09 23:04 1,538,928 ----a-w C:\WINDOWS\WRSetup.dll
2008-08-09 21:42 23,152 ----a-w C:\WINDOWS\system32\drivers\sshrmd.sys
2008-08-09 21:42 166,512 ----a-w C:\WINDOWS\system32\drivers\ssidrv.sys
2008-08-07 03:49 --------- d-----w C:\Program Files\Java
2008-07-31 00:43 --------- d-----w C:\Documents and Settings\user\Application Data\AdobeUM
2008-07-24 17:20 --------- d-----w C:\Program Files\Full Tilt Poker
2008-07-22 05:07 --------- d-----w C:\Program Files\Advanced Registry Optimizer
2008-07-18 03:22 --------- d-----w C:\Program Files\Common Files\xing shared
2008-07-18 03:20 --------- d-----w C:\Program Files\Common Files\Real
2008-07-18 03:19 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-07-18 03:19 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-07-16 04:35 --------- d-----w C:\Documents and Settings\user\Application Data\Apple Computer
2008-07-10 14:39 --------- d-----w C:\Documents and Settings\user\Application Data\MSNInstaller
2008-07-09 10:03 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-06 15:26 --------- d-----w C:\Program Files\ewido anti-malware
2008-07-06 15:12 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-06 15:12 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-07-06 15:12 --------- d-----w C:\Program Files\AVG
2008-07-06 15:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-07-06 14:59 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-07-06 14:59 --------- d-----w C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-04-16 16:35 56,912 ----a-w C:\Documents and Settings\user\g2mdlhlpx.exe
2007-05-08 20:13 24,265,736 ----a-w C:\Documents and Settings\user\dotnetfx.exe
2004-02-23 06:00 139,776 ----a-w C:\Documents and Settings\user\setup.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 13:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"AROReminder"="C:\Program Files\Advanced Registry Optimizer\aro.exe" [2007-03-23 11:45 2074752]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-24 10:47 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24 278528]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-06 08:12 1177368]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-07-17 20:18 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-08-19 20:08 914512]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-08-09 16:04 5418864]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R0 ssfs0bbc;ssfs0bbc;C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys [2008-08-09 14:42]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-06 08:12]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-06 08:12]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 22:08]
S4 GbFsMf;GbFsMf;C:\WINDOWS\system32\DRIVERS\GbFsMf.sys []
.
Contents of the 'Scheduled Tasks' folder
2008-08-25 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]
2008-08-18 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-08-09 16:04]
2008-08-18 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-08-09 16:04]
2008-08-18 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job
- A:\","C:\","D:\" []
.
- - - - ORPHANS REMOVED - - - -
Notify-__c001E5F - C:\WINDOWS\system32\__c001E5F.dat

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\uyhmdr32.default\
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-24 21:35:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-24 21:53:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-25 04:52:33
Pre-Run: 104,344,113,152 bytes free
Post-Run: 105,401,790,464 bytes free
179 --- E O F --- 2008-08-23 10:12:08

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:45 PM, on 8/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\MSN\MSNCoreFiles\MSN.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TrojanScanner] "C:\Program Files\Trojan Remover\Trjscan.exe" /boot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [AROReminder] "C:\Program Files\Advanced Registry Optimizer\aro.exe" -rem
O4 - Startup: SpeedPlexer.lnk = C:\Program Files\SpeedPlexer\SpeedPlexer.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/d ... gctlcm.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.e-constructionloans.com/scripts/tdserver.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 7592856390
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www2.gotomeeting.com/default/ap ... 2mdlax.cab
O16 - DPF: {C77FB8C0-8B6D-440E-AC26-2BD39E97E8F2} (SpdTCtl Class) - http://speedtest.adelphia.net/customerd ... CTIVEX.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://cld.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (http://www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 9008 bytes

[suebaby41]

A few things you may do prior to cleaning:

1. Backup any important data first!!
   • How to use the Backup utility that is included in Windows XP to back up files and folders
   • Windows XP Backup Made Easy
     
   • How Do I Back Up Files on My Computer?
2. There are several online backup storage websites available. Some require a fee; some offer free backup storage.
   • Mozy Online Backup: Free. Automatic. Secure
   • Free Secure Online Storage--Xdrive
   • Media Max
3. Review the instructions on starting your computer in Safe Mode. (without networking support !). If you don’t know how to boot in Safe Mode, use this tutorial, How To Start Windows in Safe Mode.
4. Review the instructions on configuring Windows Explorer to Show All Hidden Files and Folders.
5. Perform all actions in the order given.
6. If you are unsure of any procedure, stop and ask!
7. Please reply to this thread. Do not start a new topic.
8. Complete all the steps. ABSENCE OF SYMPTOMS DOES NOT ALWAYS MEAN A CLEAN COMPUTER!!

During the cleaning process, if any other issues appear, please let us know. Please do not make any changes on your computer during the cleaning process or download and add programs on your computer unless instructed to do so. Thanks.

[suebaby41]

Step 1

You may want to print this page. Make sure to work through the fixes in the order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step 2

I noticed that your "Adobe Reader" is out of date.
You may want to download the latest version, Adobe® Reader® 9.

Step 3

In normal mode, run an online antivirus check from at least two and preferably three of the following sites
BitDefender
Computer Associates Online Virus Scan
Panda's ActiveScan
Trend Micro Housecall
Windows Live Safety Center Free Online Scan
This scanner from Trend does not require an Active X to run.

1. Detects and removes malware ( viruses, worms, trojans, etc. )
2. Detects and removes grayware and spyware
3. Restores damage caused by malware to your system.
4. Notifies about vulnerabilities in installed programs and connected network services.
5. Multi-platform support for: Windows, Linux, Solaris.
6. Easy-to-use with the Microsoft Internet Explorer and Mozilla Firefox.

When you have completed the scans, if you get a report of files that can’t be cleaned / deleted, make a note of the file location of anything that cannot be deleted so you can delete it yourself. Please post that list in your next reply.

Step 4

Please download Spybot-S&D.
Please check this link, Using Spybot- Search and Destroy To Remove Spyware From Your Computer, for instructions on how to download, install and use Spybot-S&D. Run this program as soon as possible.

Step 5

Please download Ad-Aware 2008.
Please check this link, Ad-Aware 2007/ 2008 for instructions on how to download, install and use Ad-Aware. Run this program as soon as possible.

Step 6

I recommend using Spyware Blaster.
Please download SpywareBlaster. SpywareBlaster helps to:

1. Prevent the installation of Active X-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
2. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
3. Restrict the actions of potentially unwanted sites in Internet Explorer.

Please see Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware for instructions on how to download, install, and use SpywareBlaster.

Step 7

ATF-Cleaner features include:

• Cleaning of all user temp folders, administrator only can use this feature.
• Cleaning of the Java cache, which seems to be harboring more and more malware.
• Cleaning the cache, cookies, history, download history, visited links and saved passwords. You have the option of checking no if you want to save your passwords.

Please download the ATF-Cleaner by Atribune.
Instructions:

• Double-click ATF-Cleaner.exe to run the program.
• Check the boxes to the left of:
  • Windows Temp
  • Current User Temp
  • All Users Temp
  • Temporary Internet Files
  • Prefetch (Windows XP) only
  • Java Cache
• The rest are optional - if you want to remove them all, check Select All.
• Click the Empty Selected button.
• When you get the Done Cleaning message, click OK.

If you use the Firefox browser:

• Click Firefox at the top and choose: Select All.
• Click the Empty Selected button.
• When you get the Done Cleaning message, click OK.
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser:

• Click Opera at the top and choose: Select All.
• Click the Empty Selected button.
• When you get the Done Cleaning message, click OK.
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
If needed, Tutorial on ATF Cleaner with pictures.
Do not run it yet.

Step 8

Please disconnect from the Internet. Please close ALL browser windows (including this one).

Step 9

The three poker sites listed below are blacklisted on several online websites. Before you choose poker sites, you may want to check the websites below to see if your online poker game is blacklisted.

1. CASINOMEISTER'S ROGUE PIT
2. Blacklisted Casinos
3. Evil Online Casinos
4. Online Casino Blacklist

Uninstall the following programs.

UltimateBet
PartyPoker.com
Absolute Poker

To uninstall UltimateBet.

1. Click Start > Control Panel.
2. In Control Panel, double-click Add or Remove Programs.
3. In Add or Remove Programs, highlight UltimateBet, click Remove.
4. Close the Add or Remove Programs and the Control Panel windows.
5. Using Windows Explorer (Windows key+e), search for the UltimateBet folder. If the program folder is still there, select/highlight the UltimateBet folder. DELETE it. (File > Delete.) If Windows is not installed on the C drive, replace C:\ with the appropriate drive letter.
6. Follow Steps 1through 5 for Absolute Poker and PartyPoker.
7. Close Windows Explorer.

Step 10

Use ctrl + alt + del (Three keys together) to get task manager. Find these processes and end task them.
OR
Use the Process Manager in HijackThis:

• Open HijackThis.
• Click Open the Misc Tools Section
• Click Open Process manager, find these programs and kill process the following running processes (Do not worry if they are not there.)

pphcehoj0er71.exe
UltimateBet.exe

Step 11

During the process of removing malware from your computer, there are times you may need to use specialized fix tools. Certain embedded files that are part of these specialized fix tools may be detected by your antivirus or anti-malware scanner as a RiskTool, Hacking tool, Potentially unwanted tool, a virus or a Trojan when that is not the case.
These tools have been carefully created and tested by security experts so if your antivirus or anti-malware program flags them as malware, then it is a False Positive. Antivirus scanners cannot distinguish between good and malicious use of such programs; therefore, they may alert you or even automatically remove them. In these cases, the removal of these files can have unpredictable results and unintentional results.
To avoid any problems while using a specialized fix tool, it is very important that you temporarily disable your antivirus and/or anti-malware programs before using the specialized fix tool.
When your system has been cleaned, it is important that you enable your security programs to avoid reinfection.

Please disable the following programs:

We need to disable Spy Sweeper. While this is a great program, we need to temporarily disable (not uninstall) the program because it might stop our fix.

1. Open Spy Sweeper
2. Click Options
3. Click Program Options
4. Uncheck Load at windows startup.
5. Click Shields
6. Uncheck everything.
7. Uncheck Home Page Shield.
8. Uncheck Automatically restore default without notification.

Don't forget to reinstate Spy Sweeper when your machine is clean by rechecking everything you unchecked above.

SUPERAntiSpyware

We need to disable SUPERAntiSpyware as it may interfere with the fixes that we need to make.

1. Right click on the icon in your System Tray.
2. Click Exit
3. Make sure that the program, SUPERAntiSpyware itself, is also closed/not running.

Step 12

Now we will address the HijackThis fixes.

Please run HijackThis and click Scan. Place checks next to the following entries (make sure not to miss any):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll

O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} – https://cld.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab

Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.

Step 13

Optional Fixes is the name that we use for fixes for unnecessary programs that load during startup and run in the background. These programs are not required to start automatically as you can start them manually if you need them. You would be removing the program from your startup but you would not be removing the program itself.

Your computer may be sluggish due to the many programs loading during startup and running in the background that are not necessary. Windows has a facility for starting programs at startup time. Some of these programs are required for your computer and the applications installed on it to run correctly. A good example of such a program is a virus-checking application that must always run, constantly checking for and isolating or removing files with viruses. Other such programs are not strictly required, or are optional. In some cases, you can gain significant performance enhancements by disabling the automatic startup of these programs. In many cases, the functionality offered by the programs is still available by starting the programs manually by, for example, starting the program from the Windows Start->Programs menu. Media players and instant messaging programs often fall into this category. In fact, it is common for many modern software applications, when installed, to add programs at startup that add items to the system tray or shortcut (context) menus in Windows Explorer to provide quick access to the features and functions of these applications. While they may be useful, they do increase boot time and consume system resources. It is advised that you disable these programs so that they do not take up necessary resources or slow the boot time.

Other than ScanRegistry, SystemTray, StateMgr, antivirus program entries, and firewall program entries, very few others need to load and run.

Read the articles below to see if it applies to your computer problem with being slow to respond.
Slow_Computer_Check_here_first_it_may_not_be_malware.
Help! My computer is slow!
50 Tips for a Super Fast PC
4 Ways to Speed Up Your Computer's Performance
It's not always malware: How to fix the top 10 Internet Explorer issues

If you decide that you want to stop the Optional Fixes in your startup, let me know and I will give you a list with instructions. You would be removing the program from your startup but you would not be removing the program itself.

Step 14

Reboot to Safe Mode ( without networking support !). If you don’t know how to boot in Safe Mode, use this tutorial, How To Start Windows in Safe Mode.

Step 15

NOTE: To avoid the risk of any of the files or folders not being found due to their having the Hidden attribute, go to My Computer (Windows key+e) Tools > Folder Options > View. Under Advanced Settings > Files and Folders > Hidden files and folders, first make sure that Show hidden files and folders has a dot in the circle before it which indicates that hidden files and folders are visible. If needed, see this tutorial, How to see hidden files in Windows.

Step 16

Using Windows Explorer, (My Computer (Windows key+e) search for and DELETE the following Files/folders indicated in BLUE. (Do not worry if they are not there):

C:\Documents and Settings\All Users\Start Menu\Programs\ Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Desktop\ Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Desktop\ Antivirus XP 2008.lnk
C:\Program Files\ rhcahoj0er71
C:\Documents and Settings\All Users\Application Data\TEMP
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\user\Application Data\rhcahoj0er71
C:\TempEI4\EI40_\msxml4.cab Not the legitimate Temp folder.
C:\WINDOWS\system32\ __c001E5F.dat
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\ D.tmp
C:\WINDOWS\system32\E.tmp
C:\WINDOWS\system32\F.tmp
C:\WINDOWS\system32\pphcehoj0er71.exe

Step 13

Reboot to Normal Mode.

Step 14

Let’s run ATF-Cleaner to ensure no malware is hiding in temporary folders and for general computer cleanup to free space on your computer.

Step 15

Please run HijackThis in Normal Mode and post a new HijackThis log so I can make sure that all the malware was deleted according to plan.

Please post the list of file names and locations for any files that can’t be cleaned / deleted that were reported after you completed the online scans.

Please advise me of any problems you still have.

[NonSuch]

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.