Free Malware Removal Forum

[nwitte]

Hello,

My computer is very sluggish lately and have been getting this Hijack.WindowsUpdates every time I run MBAM. These are the two files as copied from the MBAM log :

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

I can't seem to get rid of it. I ran Hijack; here is the log:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 9:26:27 PM, on 12/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: 2WireSetup.lnk = C:\Program Files\2Wire\WebWorks.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: c:\windows\system32\purewari.dll,fubupetu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O21 - SSODL: pozejimog - {df81915d-5b8c-4067-b857-5a1dffe3cbae} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: jugezatag - {df81915d-5b8c-4067-b857-5a1dffe3cbae} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 8812 bytes


Here is the uninstall file:

Sansa Media Converter
2Wire Wireless Client
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 7.0
Adobe Shockwave Player
AnswerWorks 5.0 English Runtime
Apple Software Update
AT&T Yahoo! Applications
AT&T Yahoo! Browser Configuration
ATI Control Panel
ATI Display Driver
AVG Free 9.0
Battlefield 1942
Best Buy Digital Music Store
Best Buy Rhapsody
Caillou's Kindergarten
Cars
Compatibility Pack for the 2007 Office system
Coupon Printer for Windows
DB CIF Cam
Dell Driver Reset Tool
Digital Content Portal
Disney Micro
Disney Micro
Disney Pix 2.2
Disney Pix Micro Downloader
ESPN RunTime
Frogger2
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Grand Theft Auto Vice City
GTA San Andreas
GTAIII
High Definition Audio Driver Package - KB835221
HiJackThis
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 7.0
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP Solution Center 7.0
HP Update
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
InterActual Player
Internet Explorer Default Page
Java 2 Runtime Environment, SE v1.4.2_03
Lernout & Hauspie TruVoice American English TTS Engine
Macromedia Flash Player
Madden NFL 2004
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Halo
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.16)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Musicmatch for Windows Media Player
Nicktoons Basketball
OCR Software by I.R.I.S 7.0
Pac-Man All-Stars
PokerStars.net
PowerDVD 5.5
Qualxserve Service Agreement
QuickBooks Simple Start Special Edition
Quicken 2008
QuickTime
RealPlayer
Rhapsody
Rhapsody Player Engine
Saitek NT Controller Drivers
SBC Self Support Tool
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Shutterfly Plugin
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SpongeBob SquarePants - Battle for Bikini Bottom
SpongeBob SquarePants Employee of the Month
SpongeBob SquarePants® Operation Krabby Patty
SUPERAntiSpyware Professional
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
User Profile Hive Cleanup Service
Viewpoint Media Player
WebCyberCoach 3.2 Dell
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Service Pack 3
WordPerfect Office 12

Please help!


Neil

[MWR 3 day Mod]

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.

[jmw3]

Hello & Welcome to Malware Removal

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this ensure Notify me when a reply is posted is ticked on the POST A REPLY page.

In the meantime please note the following:

• Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.
• Any recommendations made are for your computer problems only and should NOT be used on any other computer.
• Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
  1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
  2. Commercial scanners, for the most part can not completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
• If you get stuck or are unsure of something please ask for a further explanation, do not guess.
• It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Thanks

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
Link 1
Link 2

• Double-Click on dds.scr and a command window will appear. This is normal
• Shortly after two logs will appear, DDS.txt & Attach.txt
• A window will open instructing you save & post the logs
• Save the logs to a convenient place such as your desktop
• Copy the contents of both logs & post in your next reply

Gmer
Download GMER Rootkit Scanner from here.

• Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  
  
  Click the image to enlarge it
  
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish
• Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
• Save it where you can easily find it, such as your desktop, and post it in reply

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Note: Do not run any programs while Gmer is running.

To post in next reply:
Contents of DDS log
Contents of Attach.txt
Contents of Gmer log

[nwitte]

Replying from another computer...

Ran DDS and saved files. Gmer locked my computer up - no mouse movement, no response to Ctrl/Alt/Del, nothing. Not sure if I should force the computer off or not.

Advice?

[nwitte]

Ok. shut it down hard (hate to do that). After restart it's working better. In progress now. Thank you so much for helping me out. After reading some other people's difficulty with having Gmer lock up, it may be a bit before I get the stuff posted.

[jmw3]

OK... no problem.

If you still have trouble with Gmer there are other things we can try.

Post when ready

[nwitte]

Alright, Gmer is not working. It locked my computer up several times at different points in the scan every time. The last time I got the Windows message that the program had a problem and had to close, followed immediately by Windows going to the blue screen windows-is-shutting-down business I'm not sure trying it again is safe. We may need to try something else. Anyhow, here are the two DDS logs.

DDS:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Neil Witte at 22:02:52.35 on Sat 01/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.26 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Neil Witte\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.my.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
mSearch Bar = hxxp://red.clientapps.yahoo.com/customi ... ch/ie.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customi ... .yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: &ESPN: {ae6f2894-af10-4c9c-b16e-1dfc6ff8c0c6} - c:\program files\espn\toolbar\DIGToolBar.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Motive SmartBridge] c:\progra~1\sbclig~1\smartb~1\MotiveSB.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [PRISMSVR.EXE] "c:\windows\system32\PRISMSVR.EXE" /APPLY
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\neilwi~1\startm~1\programs\startup\2wires~1.lnk - c:\program files\2wire\WebWorks.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\wincin~1.lnk - c:\program files\sandisk\common\bin\WinCinemaMgr.exe
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/sh ... tor/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/sh ... tor/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/Shar ... /cabsa.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/aut ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\purewari.dll,fubupetu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: pozejimog - {df81915d-5b8c-4067-b857-5a1dffe3cbae} - No File
STS: {df81915d-5b8c-4067-b857-5a1dffe3cbae} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli sahewowe.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\neilwi~1\applic~1\mozilla\firefox\profiles\cvd9104d.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-19 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-19 28424]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-19 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-10 285392]
S1 8615af80;8615af80;c:\windows\system32\drivers\8615af80.sys --> c:\windows\system32\drivers\8615af80.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-1 135664]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S3 SQTECH9052;Disney Micro;c:\windows\system32\drivers\Capt9052.sys [2008-12-25 38656]

=============== Created Last 30 ================

2009-12-31 03:24:48 0 d-----w- c:\program files\TrendMicro
2009-12-19 23:57:17 0 ----a-w- c:\windows\iPlayer.INI

==================== Find3M ====================

2009-11-11 01:29:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll

============= FINISH: 22:04:10.77 ===============



Attach:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 10/15/2005 12:04:02 AM
System Uptime: 1/5/2010 6:37:53 PM (100 hours ago)

Motherboard: Dell Inc. | | 0RD203
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 38.54 GiB free.
D: is CDROM ()
E: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1364: 10/12/2009 1:07:25 PM - System Checkpoint
RP1365: 10/13/2009 3:38:52 PM - System Checkpoint
RP1366: 10/14/2009 4:18:43 PM - System Checkpoint
RP1367: 10/15/2009 4:42:11 PM - System Checkpoint
RP1368: 10/16/2009 5:46:10 PM - System Checkpoint
RP1369: 10/17/2009 6:01:00 PM - System Checkpoint
RP1370: 10/18/2009 6:46:43 PM - System Checkpoint
RP1371: 10/19/2009 6:47:27 PM - System Checkpoint
RP1372: 10/20/2009 6:43:33 PM - Installed 2Wire Wireless Client
RP1373: 10/21/2009 8:59:29 AM - Avg8 Update
RP1374: 10/22/2009 10:51:18 AM - System Checkpoint
RP1375: 10/23/2009 5:13:54 PM - System Checkpoint
RP1376: 10/24/2009 10:52:25 PM - System Checkpoint
RP1377: 10/26/2009 2:55:57 AM - System Checkpoint
RP1378: 10/26/2009 9:51:44 PM - Installed SUPERAntiSpyware Professional
RP1379: 10/28/2009 5:51:08 AM - System Checkpoint
RP1380: 10/29/2009 11:46:23 AM - System Checkpoint
RP1381: 10/30/2009 6:50:39 PM - System Checkpoint
RP1382: 10/31/2009 10:28:53 PM - System Checkpoint
RP1383: 11/2/2009 4:37:02 AM - System Checkpoint
RP1384: 11/3/2009 9:49:02 AM - Avg8 Update
RP1385: 11/4/2009 5:53:40 PM - System Checkpoint
RP1386: 11/5/2009 10:40:00 PM - System Checkpoint
RP1387: 11/6/2009 9:48:53 AM - Avg8 Update
RP1388: 11/7/2009 2:28:56 PM - System Checkpoint
RP1389: 11/8/2009 2:14:32 PM - System Checkpoint
RP1390: 11/9/2009 3:11:51 PM - System Checkpoint
RP1391: 11/10/2009 7:26:51 PM - Installed AVG Free 9.0
RP1392: 11/12/2009 1:57:23 AM - System Checkpoint
RP1393: 11/12/2009 9:23:11 AM - Avg8 Update
RP1394: 11/13/2009 8:36:48 PM - System Checkpoint
RP1395: 11/14/2009 11:57:18 PM - System Checkpoint
RP1396: 11/16/2009 5:56:11 AM - System Checkpoint
RP1397: 11/17/2009 6:34:19 AM - System Checkpoint
RP1398: 11/18/2009 6:34:36 AM - System Checkpoint
RP1399: 11/19/2009 6:47:52 AM - System Checkpoint
RP1400: 11/20/2009 6:52:08 AM - System Checkpoint
RP1401: 11/20/2009 8:22:39 AM - Avg8 Update
RP1402: 11/20/2009 8:24:03 AM - Avg8 Update
RP1403: 11/21/2009 8:40:55 AM - System Checkpoint
RP1404: 11/22/2009 8:56:02 AM - System Checkpoint
RP1405: 11/23/2009 9:42:01 AM - System Checkpoint
RP1406: 11/24/2009 10:44:12 AM - System Checkpoint
RP1407: 11/25/2009 1:04:15 PM - System Checkpoint
RP1408: 11/26/2009 1:35:03 PM - System Checkpoint
RP1409: 11/27/2009 3:48:49 PM - System Checkpoint
RP1410: 11/28/2009 4:48:52 PM - System Checkpoint
RP1411: 11/28/2009 11:04:31 PM - Installed Battlefield 1942
RP1412: 11/29/2009 11:40:11 PM - System Checkpoint
RP1413: 12/1/2009 12:22:18 AM - System Checkpoint
RP1414: 12/2/2009 12:40:21 AM - System Checkpoint
RP1415: 12/3/2009 1:48:54 AM - System Checkpoint
RP1416: 12/4/2009 2:39:14 AM - System Checkpoint
RP1417: 12/5/2009 4:18:29 AM - System Checkpoint
RP1418: 12/6/2009 4:48:11 AM - System Checkpoint
RP1419: 12/7/2009 5:39:23 AM - System Checkpoint
RP1420: 12/8/2009 5:40:24 AM - System Checkpoint
RP1421: 12/9/2009 6:40:23 AM - System Checkpoint
RP1422: 12/10/2009 7:39:18 AM - System Checkpoint
RP1423: 12/11/2009 9:59:50 AM - System Checkpoint
RP1424: 12/12/2009 8:42:18 AM - Avg8 Update
RP1425: 12/12/2009 8:50:39 AM - Avg8 Update
RP1426: 12/13/2009 10:33:29 AM - System Checkpoint
RP1427: 12/14/2009 11:00:43 AM - System Checkpoint
RP1428: 12/15/2009 12:00:44 PM - System Checkpoint
RP1429: 12/16/2009 12:20:56 PM - System Checkpoint
RP1430: 12/17/2009 1:04:25 PM - System Checkpoint
RP1431: 12/18/2009 8:08:20 AM - Avg8 Update
RP1432: 12/19/2009 9:04:48 AM - System Checkpoint
RP1433: 12/20/2009 10:43:17 AM - System Checkpoint
RP1434: 12/21/2009 11:12:01 AM - System Checkpoint
RP1435: 12/22/2009 10:01:00 AM - Avg8 Update
RP1436: 12/23/2009 10:49:25 AM - System Checkpoint
RP1437: 12/24/2009 1:02:34 PM - System Checkpoint
RP1438: 12/25/2009 1:42:58 PM - System Checkpoint
RP1439: 12/26/2009 1:55:56 PM - System Checkpoint
RP1440: 12/27/2009 3:32:12 PM - System Checkpoint
RP1441: 12/28/2009 3:59:22 PM - System Checkpoint
RP1442: 12/29/2009 6:25:25 PM - System Checkpoint
RP1443: 12/30/2009 8:16:47 PM - System Checkpoint
RP1444: 12/30/2009 9:24:44 PM - Installed HiJackThis
RP1445: 12/31/2009 9:24:25 AM - Avg8 Update
RP1446: 1/2/2010 2:40:42 PM - System Checkpoint
RP1447: 1/3/2010 3:32:11 PM - System Checkpoint
RP1448: 1/4/2010 4:56:12 PM - System Checkpoint
RP1449: 1/5/2010 7:47:57 PM - System Checkpoint
RP1450: 1/6/2010 8:41:26 PM - System Checkpoint
RP1451: 1/7/2010 8:44:18 PM - System Checkpoint
RP1452: 1/8/2010 9:28:09 PM - System Checkpoint

==== Installed Programs ======================

Sansa Media Converter
2Wire Wireless Client
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 7.0
Adobe Shockwave Player
AiO_Scan_CDA
AiOSoftwareNPI
AnswerWorks 5.0 English Runtime
Apple Software Update
AT&T Yahoo! Applications
AT&T Yahoo! Browser Configuration
ATI Control Panel
ATI Display Driver
AVG Free 9.0
Battlefield 1942
Best Buy Digital Music Store
Best Buy Rhapsody
BufferChm
C5100
c5100_Help
Caillou's Kindergarten
Cars
Compatibility Pack for the 2007 Office system
Coupon Printer for Windows
CP_CalendarTemplates1
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Panorama1Config
cp_PosterPrintConfig
CueTour
CustomerResearchQFolder
DB CIF Cam
Dell Driver Reset Tool
Dell System Restore
Destinations
DeviceManagementQFolder
Digital Content Portal
Disney Micro
Disney Pix 2.2
Disney Pix Micro Downloader
DocProc
DocProcQFolder
DocumentViewer
DocumentViewerQFolder
ESPN RunTime
eSupportQFolder
Fax_CDA
Frogger2
FullDPAppQFolder
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Grand Theft Auto Vice City
GTA San Andreas
GTAIII
High Definition Audio Driver Package - KB835221
HiJackThis
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 7.0
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP Solution Center 7.0
HP Update
HPPhotoSmartExpress
HPProductAssistant
InstantShareDevices
InstantShareDevicesMFC
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
InterActual Player
Internet Explorer Default Page
Java 2 Runtime Environment, SE v1.4.2_03
Lernout & Hauspie TruVoice American English TTS Engine
Macromedia Flash Player
Madden NFL 2004
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Halo
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.17)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Musicmatch for Windows Media Player
NewCopy_CDA
Nicktoons Basketball
OCR Software by I.R.I.S 7.0
Pac-Man All-Stars
PanoStandAlone
PhotoGallery
PokerStars.net
PowerDVD 5.5
ProductContextNPI
Qualxserve Service Agreement
QuickBooks Simple Start Special Edition
Quicken 2008
QuickTime
RandMap
Readme
RealPlayer
Rhapsody
Rhapsody Player Engine
Saitek NT Controller Drivers
Sansa Media Converter
SBC Self Support Tool
Scan
ScannerCopy
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Shutterfly Plugin
SkinsHP1
SlideShow
SolutionCenter
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
SpongeBob SquarePants - Battle for Bikini Bottom
SpongeBob SquarePants Employee of the Month
SpongeBob SquarePants® Operation Krabby Patty
Status
SUPERAntiSpyware Professional
Toolbox
TrayApp
Unload
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
User Profile Hive Cleanup Service
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 10
Windows XP Service Pack 3
WordPerfect Office 12

==== Event Viewer Messages From Past Week ========

1/8/2010 12:54:56 PM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\D.
1/5/2010 6:39:28 PM, error: Service Control Manager [7000] - The Background Intelligent Transfer Service service failed to start due to the following error: The system cannot find the file specified.
1/5/2010 6:39:28 PM, error: DCOM [10005] - DCOM got error "%2" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
1/5/2010 6:39:23 PM, error: Service Control Manager [7000] - The Automatic Updates service failed to start due to the following error: The system cannot find the file specified.
1/2/2010 1:31:31 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'avgcorex.dll.old' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

==== End Of File ===========================

[jmw3]

Hi

OK, try this:
RootRepeal
Download RootRepeal.zip from here & unzip it to your Desktop.

• Double click RootRepeal.exe to start the program
• Click the Report tab at the bottom of the program window
• Click the Scan button
• In the Select Scan dialog, check:
  Drivers
  Files
  Processes
  SSDT
  Stealth Objects
  Hidden Services
• Click the OK button
• In the next dialog, select all drives showing
• Click OK to start the scan

Note: The scan can take some time. DO NOT run any other programs while the scan is running

• When the scan is complete, the Save Report button will become available
• Click this and save the report to your Desktop as RootRepeal.txt
• Go to File then Exit to close the program

To port in next reply:
RootRepeal log

[nwitte]

That worked better. Here's the log:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/01/10 21:53
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF5E08000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF9752000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF3A58000 Size: 49152 File Visible: No Signed: -
Status: -

Name: uphcleanhlp.sys
Image Path: C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
Address: 0xF3655000 Size: 8960 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 263 Function Name: NtUnloadKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\uphcleanhlp.sys" at address 0xf36556d0

==EOF==

[jmw3]

Hi

Remove Programs
Click Start > Control Panel > Add/Remove Programs
Remove these programs by clicking Remove

Java 2 Runtime Environment, SE v1.4.2_03
MarketResearch

If some programs listed are not present, please do not panic

ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
Link 1
Link 2

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  A guide to do this can be found here
• Double click on ComboFix.exe & follow the prompts
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.
• When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

To post in next reply:
ComboFix log
Update on how the computer is running

[nwitte]

Ok. Ran ComboFix and that seemed to remove the files. MBAM scan didn't detect them. MBAM did detect 3 Rootkit files however. Are these related to the programs you've been having me use? So now that those files are gone, are there some things that I should be doing to prevent this stuff in the future? I have a 7 and 12 yr old who use the computer along w/ my wife (none with Admin privileges). Here's the ComboFix log:



ComboFix 10-01-11.01 - Neil Witte 01/11/2010 21:33:27.1.2 - x86
Running from: c:\documents and settings\Neil Witte\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\system32\bszip.dll
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2009-12-12 to 2010-01-12 )))))))))))))))))))))))))))))))
.

2010-01-09 14:53 . 2010-01-12 02:47 0 ----a-w- c:\documents and settings\Hope Peterson\Local Settings\Application Data\prvlcl.dat
2010-01-02 19:34 . 2010-01-02 19:34 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-01 07:25 . 2010-01-01 07:26 -------- d-----w- c:\documents and settings\Neil Witte\Local Settings\Application Data\Temp
2010-01-01 07:25 . 2010-01-01 07:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-12-31 03:24 . 2009-12-31 03:24 -------- d-----w- c:\program files\TrendMicro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-12 02:47 . 2009-12-05 18:44 0 ----a-w- c:\documents and settings\Maia\Local Settings\Application Data\prvlcl.dat
2010-01-12 02:47 . 2009-11-14 01:58 0 ----a-w- c:\documents and settings\Adrian Peterson\Local Settings\Application Data\prvlcl.dat
2010-01-11 03:06 . 2005-10-18 02:35 -------- d-----w- c:\program files\QUICKENW
2010-01-01 07:32 . 2005-10-18 04:10 -------- d-----w- c:\program files\Google
2009-12-24 20:07 . 2008-12-25 20:37 -------- d-----w- c:\program files\Disney Micro
2009-12-19 23:56 . 2008-01-31 00:16 -------- d-----w- c:\program files\InterActual
2009-11-29 05:11 . 2006-08-05 04:00 828 ----a-w- c:\windows\eReg.dat
2009-11-29 05:04 . 2009-11-29 05:04 -------- d-----w- c:\program files\EA GAMES
2009-11-29 05:04 . 2005-10-12 11:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-22 16:13 . 2009-11-21 21:41 -------- d-----w- c:\program files\Rhapsody
2009-11-14 01:05 . 2009-11-14 01:05 -------- d-----w- c:\documents and settings\Adrian Peterson\Application Data\Malwarebytes
2009-11-11 01:29 . 2009-01-20 01:55 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-11 01:29 . 2009-01-20 01:55 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-11 01:29 . 2009-01-20 01:54 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-11 01:29 . 2009-01-20 01:54 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-30 339968]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-07-19 180269]
"Motive SmartBridge"="c:\progra~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-31 2033432]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
WinCinema Manager.lnk - c:\program files\Sandisk\Common\Bin\WinCinemaMgr.exe [2007-12-24 303104]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-11 01:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-10-13 02:24 2000112 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/19/2009 7:54 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/19/2009 7:55 PM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 8:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 8:24 PM 74480]
S1 8615af80;8615af80;c:\windows\system32\drivers\8615af80.sys --> c:\windows\system32\drivers\8615af80.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 8:24 PM 7408]
S3 SQTECH9052;Disney Micro;c:\windows\system32\drivers\Capt9052.sys [12/25/2008 2:37 PM 38656]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2010-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-01 07:24]

2010-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-01 07:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.my.yahoo.com/
mSearch Bar = hxxp://red.clientapps.yahoo.com/customi ... ch/ie.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customi ... .yahoo.com
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Neil Witte\Application Data\Mozilla\Firefox\Profiles\cvd9104d.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-PRISMSVR.EXE - c:\windows\system32\PRISMSVR.EXE
SharedTaskScheduler-{df81915d-5b8c-4067-b857-5a1dffe3cbae} - (no file)
SSODL-pozejimog-{df81915d-5b8c-4067-b857-5a1dffe3cbae} - (no file)
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-Yahoo! Applications - c:\progra~1\Yahoo!\Common\uninstall.exe
AddRemove-{{598D99F7-B97C-424F-B899-69B339336411}} - c:\program files\InstallShield Installation Information\{{598D99F7-B97C-424F-B899-69B339336411}}\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-11 22:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\cdm.dll.wusetup.362484.bak 92696 bytes executable
c:\windows\system32\wuapi.dll.mui.wusetup.382953.bak 23576 bytes executable
c:\windows\system32\wuapi.dll.wusetup.381375.bak 561688 bytes executable
c:\windows\system32\wuauclt.exe.wusetup.384046.bak 51224 bytes executable
c:\windows\system32\wuaucpl.cpl.mui.wusetup.389953.bak 23576 bytes executable
c:\windows\system32\wuaucpl.cpl.wusetup.388140.bak 213528 bytes executable
c:\windows\system32\wuaueng.dll.mui.wusetup.398500.bak 18456 bytes executable
c:\windows\system32\wuaueng.dll.wusetup.394578.bak 1809944 bytes executable

scan completed successfully
hidden files: 8

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\documents and settings\Neil Witte\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

- - - - - - - > 'explorer.exe'(3104)
c:\windows\system32\WININET.dll
c:\progra~1\SBCLIG~1\SMARTB~1\SBHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgwdsvc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
.
**************************************************************************
.
Completion time: 2010-01-11 22:26:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-12 04:26

Pre-Run: 41,283,031,040 bytes free
Post-Run: 43,332,927,488 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 20FADB64A15AE01F0D09D23C99ED9EF7

[jmw3]

Hi

As stated in my opening post, please do not run any scans with any tools or programs unless I ask you to. Having said that could you post the contents of the last Malwarebytes log please. You can do that by opening Malwarebyte Anti-Malware, clicking the Logs tab then opening the most current log.

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code: Select all

Driver::
8615af80
File::
c:\windows\system32\drivers\8615af80.sys
c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
DDS::
mSearch Bar = hxxp://red.clientapps.yahoo.com/customi ... ch/ie.html
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customi ... .yahoo.com
IE: &Search
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Save this as CFScript.txt, in the same location as ComboFix.exe



Refering to the picture above, drag CFScript into ComboFix.exe
If prompted by ComboFix to update, please do so
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Kaspersky Online Scan
Please make sure that all programs are closed when installing Java.

• Click here to visit Java's website
• Scroll down to Java Runtime Environment (JRE) 6 Update 17. Click on Download
• Select Windows from the drop-down list for Platform
• Select Multi-language from the drop-down list for Language
• Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue
• Click on jre-6u17-windows-i586-p.exe link to download it and save this to a convenient location
• Double click on jre-6u17-windows-i586-p.exe to install Java
• After the Java installation has finished, go to Kaspersky website and perform an online antivirus scan
• Read through the requirements and privacy statement and click on Accept button
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
• When the downloads have finished, click on Settings
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
  Mail databases
• Click on My Computer under Scan
• Once the scan is complete, it will display the results. Click on View Scan Report
• You will see a list of infected items there. Click on Save Report As...
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
• Please post this log in your next reply

Pictured tutorial if required.

To post in next reply:
Malwarebytes log
ComboFix log
Kaspersky Online Scan log

[nwitte]

Got everything but Kaspersky scan. It's running now (I'm on another computer) but is painfully slow. Might take 10-12 hours at current rate. Logs to post after that. Hope the MBAB scan didn't mess anything up. Asking me how it ran after the last scans made me think we might be done.

[jmw3]

No problem... Kaspersky can be slow. It is extremely thorough. Post when ready.

Hope the MBAB scan didn't mess anything up.

Should be OK. It just make is more difficult to find what is going on when users are running scans & fixes in the background

[nwitte]

Can't tell if Kaspersky is locking up or not. I'm on my 4th attempt. 98% done now but it's been sitting on one file for a long time with only the slightest indication of drive activity.