Free Malware Removal Forum

[JayneM]

I have not attempted Service Pack 3, should I?

[km2357]

No, I can get to any site I need to, including this one, and I can update and register all my anti-virus programs.

I have not attempted Service Pack 3, should I?

Not just yet. Based on what I saw in your last DDS log and what Avast found, I'd like to get a fresh ComboFix run in. Since ComboFix is frequently updated, I'd like for you to do the following:

First, delete ComboFix.exe off of your computer.

Then, download the latest version of ComboFix from of the two links below. Be sure to save it to your Desktop:

Link 1
Link 2

Be sure you disable Avast before running ComboFix.

Run ComboFix and post the log in your next post/reply.

[JayneM]

Ran ComboFix...it did install the Windows XP recover module

ComboFix 10-07-24.06 - Owner 07/26/2010 7:46.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.238 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\fonts
c:\windows\system32\fonts\ACADEMY_.PFB
c:\windows\system32\fonts\ACADEMY_.PFM
c:\windows\system32\fonts\ACADEMY_.TTF
c:\windows\system32\i
c:\windows\system32\wmsoft55153.exe
c:\windows\system32\wmsoft70333.exe

.
((((((((((((((((((((((((( Files Created from 2010-06-26 to 2010-07-26 )))))))))))))))))))))))))))))))
.

2010-07-25 08:43 . 2010-07-25 08:43 -------- d-----w- c:\windows\LastGood
2010-07-21 05:03 . 2004-08-04 06:56 81920 ------w- c:\windows\system32\ieencode.dll
2010-07-21 04:03 . 2010-07-21 04:03 -------- dc----w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-18 00:36 . 2010-07-18 00:36 16384 ---ha-w- C:\SZKGFS.dat
2010-07-18 00:01 . 2010-07-18 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-07-17 23:59 . 2010-07-17 23:59 -------- d-----w- c:\program files\Common Files\iS3
2010-07-17 23:59 . 2010-07-18 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-07-17 08:19 . 2010-07-17 08:19 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-07-17 08:19 . 2010-07-17 08:19 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-07-17 08:01 . 2010-07-17 08:01 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue
2010-07-16 18:10 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-16 18:10 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-16 18:10 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-16 18:10 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-07-16 18:10 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-07-16 18:10 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-07-16 18:09 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-16 18:09 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-16 17:09 . 2010-07-16 17:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Symantec
2010-07-16 17:09 . 2010-07-16 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-07-16 17:09 . 2010-07-16 18:17 -------- d-----w- c:\program files\Symantec
2010-07-16 14:16 . 2010-07-16 14:16 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-16 10:33 . 2009-07-03 22:02 34 -c--a-w- c:\windows\system32\config\systemprofile\jagex_runescape_preferences.dat
2010-07-16 08:14 . 2003-08-18 12:23 -------- d-----w- c:\windows\system32\config\systemprofile\.java
2010-07-16 08:14 . 2010-01-14 03:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IECompatCache
2010-07-16 08:14 . 2010-01-05 04:36 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-07-16 08:14 . 2010-01-05 04:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-07-16 08:14 . 2003-08-12 22:39 -------- d-sh--w- c:\windows\system32\config\systemprofile\UserData
2010-07-16 08:14 . 2004-08-04 05:14 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2010-07-16 08:14 . 2004-08-04 04:58 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-07-16 08:11 . 2010-07-17 23:18 -------- d-----w- c:\program files\America Online 7.0
2010-07-16 08:06 . 2009-07-03 22:02 34 -c--a-w- c:\documents and settings\Default User\jagex_runescape_preferences.dat
2010-07-15 16:49 . 2003-08-18 12:23 -------- d-----w- c:\documents and settings\Default User\.java
2010-07-15 16:49 . 2010-01-14 03:05 -------- d-sh--w- c:\documents and settings\Default User\IECompatCache
2010-07-15 16:49 . 2010-01-05 04:36 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2010-07-15 16:49 . 2010-01-05 04:41 -------- d-sh--w- c:\documents and settings\Default User\PrivacIE
2010-07-15 16:49 . 2003-08-12 22:39 -------- d-sh--w- c:\documents and settings\Default User\UserData
2010-07-15 15:38 . 2004-08-04 05:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-07-15 15:37 . 2004-08-04 05:07 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2010-07-15 15:37 . 2004-08-04 05:07 2944 ----a-w- c:\windows\system32\drivers\drmkaud.sys
2010-07-15 15:37 . 2004-08-04 05:15 60800 ----a-w- c:\windows\system32\drivers\sysaudio.sys
2010-07-15 15:37 . 2004-08-04 04:58 7552 ----a-w- c:\windows\system32\drivers\mskssrv.sys
2010-07-15 15:37 . 2004-08-04 04:58 4992 ----a-w- c:\windows\system32\drivers\mspqm.sys
2010-07-15 15:37 . 2004-08-04 04:58 5376 ----a-w- c:\windows\system32\drivers\mspclock.sys
2010-07-15 15:37 . 2004-08-04 05:08 60288 ----a-w- c:\windows\system32\drivers\drmk.sys
2010-07-15 15:37 . 2004-08-04 06:56 4096 ----a-w- c:\windows\system32\ksuser.dll
2010-07-15 15:37 . 2004-08-04 05:15 145792 ----a-w- c:\windows\system32\drivers\portcls.sys
2010-07-15 15:37 . 2004-08-04 05:10 61056 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-07-15 15:37 . 2004-08-04 05:10 53248 ----a-w- c:\windows\system32\drivers\1394bus.sys
2010-07-15 11:04 . 2002-09-24 03:40 942604 ----a-w- c:\windows\system32\drivers\ALCXWDM.SYS
2010-07-15 05:06 . 2010-07-15 05:14 -------- d-----w- C:\32788R22FWJFW.3.tmp
2010-07-15 05:04 . 2010-07-15 05:05 -------- d-----w- C:\32788R22FWJFW.2.tmp
2010-07-15 03:41 . 2010-07-15 03:42 -------- d-----w- C:\32788R22FWJFW.1.tmp
2010-07-14 02:19 . 2010-07-16 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-14 02:19 . 2010-07-14 02:19 -------- d-----w- c:\program files\Alwil Software
2010-07-11 15:48 . 2010-07-06 17:28 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-11 05:38 . 2010-07-06 17:28 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-11 05:38 . 2010-07-11 05:38 -------- dc----w- c:\windows\system32\DRVSTORE
2010-07-11 05:37 . 2010-07-11 05:37 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-11 05:27 . 2010-07-11 05:27 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sunbelt Software
2010-07-11 05:25 . 2010-07-11 05:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{65893B95-F47B-4483-B883-86BA181E9B54}
2010-07-11 05:23 . 2010-07-11 05:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-11 03:13 . 2010-07-11 03:32 -------- d-----w- c:\program files\Trend Micro
2010-07-10 11:26 . 2010-07-10 11:30 -------- d-----w- c:\windows\system32\NtmsData
2010-07-08 04:09 . 2010-07-08 04:10 -------- d-----w- c:\program files\Database

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-21 11:48 . 2003-06-12 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-21 11:35 . 2004-11-14 03:08 25424 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-21 02:01 . 2009-11-24 01:48 -------- d-----w- c:\program files\TrojanHunter 5.2
2010-07-18 21:41 . 2002-10-29 21:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-18 01:21 . 2010-07-18 01:21 704 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-07-16 21:47 . 2010-07-16 21:47 2568656 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2010-07-16 18:18 . 2007-10-26 20:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-16 17:16 . 2002-10-30 01:28 -------- d-----w- c:\program files\AWS
2010-07-16 08:13 . 2003-05-12 03:11 -------- d-----w- c:\program files\Common Files\aolshare
2010-07-15 08:04 . 2008-09-11 05:07 1352732 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-07-15 08:04 . 2008-09-11 05:07 115341344 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-07-14 22:40 . 2009-08-24 12:56 -------- d-----w- c:\program files\LimeWire
2010-07-11 15:47 . 2004-10-01 01:24 -------- d-----w- c:\program files\TrojanHunter 4.0
2010-07-11 05:23 . 2003-05-18 16:27 -------- d-----w- c:\program files\Lavasoft
2010-07-11 03:13 . 2010-07-11 03:13 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-11 02:21 . 2006-05-04 00:47 -------- d-----w- c:\program files\CCleaner
2010-07-08 23:20 . 2010-07-08 23:20 452104 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.12\setup.exe
2010-07-08 05:02 . 2008-08-22 15:01 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-06 17:29 . 2010-07-11 05:25 2979280 -c--a-w- c:\documents and settings\All Users\Application Data\{65893B95-F47B-4483-B883-86BA181E9B54}\Ad-AwareInstall.exe
2010-06-28 23:20 . 2010-03-05 14:18 439816 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\setup.exe
2010-06-19 10:15 . 2003-05-12 00:46 -------- d-----w- c:\program files\hp deskjet 950c series
2010-05-21 19:14 . 2009-10-03 06:32 221568 ------w- c:\windows\system32\MpSigStub.exe
2009-05-02 00:39 . 2009-05-02 00:39 7848712 -c--a-w- c:\program files\InstallWizard101.exe
2009-03-24 17:20 . 2009-03-24 17:19 1470664 -c--a-w- c:\program files\WG-MVPN-SSL.exe
2009-01-11 22:35 . 2009-01-11 22:17 45521704 -c--a-w- c:\program files\BCSETUP.EXE
2003-07-29 05:15 . 2007-10-23 17:54 307200 -c--a-w- c:\program files\internet explorer\plugins\djvu0407.dll
2003-07-29 05:15 . 2007-10-23 17:54 303104 -c--a-w- c:\program files\internet explorer\plugins\djvu0409.dll
2003-07-29 05:15 . 2007-10-23 17:54 311296 -c--a-w- c:\program files\internet explorer\plugins\djvu040c.dll
2003-07-29 05:15 . 2007-10-23 17:54 299008 -c--a-w- c:\program files\internet explorer\plugins\djvu0411.dll
2003-07-29 05:15 . 2007-10-23 17:54 299008 -c--a-w- c:\program files\internet explorer\plugins\djvu0412.dll
2003-07-29 05:15 . 2007-10-23 17:54 290816 -c--a-w- c:\program files\internet explorer\plugins\djvu0804.dll
2003-07-29 05:15 . 2007-10-23 17:54 122880 -c--a-w- c:\program files\internet explorer\plugins\DjVuCntl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2002-10-01 548933]
"AOL Fast Start"="c:\program files\America Online 9.0b\AOL.EXE" [2005-07-12 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-09-09 114688]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-07 61440]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2002-10-29 151597]
"MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-26 241714]
"WCOLOREAL"="c:\program files\COMPAQ\Coloreal\coloreal.exe" [2002-02-21 143360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"nwiz"="nwiz.exe" [2002-10-01 372736]
"PS2"="c:\windows\system32\ps2.exe" [2002-08-01 81920]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-20 111376]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-20 111376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2009-12-18 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/16/2010 12:10 PM 165456]
S2 jmnozj;Shell Update;c:\windows\system32\svchost.exe -k netsvcs [11/14/2002 12:07 AM 14336]
S2 mrtRate;mrtRate; [x]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
jmnozj
.
Contents of the 'Scheduled Tasks' folder

2010-07-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-06 17:28]

2010-07-25 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2010-07-26 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2010-07-16 14:04]

2010-07-21 c:\windows\Tasks\System Restore.job
- c:\windows\system32\Restore\rstrui.exe [2002-11-14 06:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
Trusted Zone: aol.com
Trusted Zone: malwareremoval.com\www
Trusted Zone: malwareremovalforum.com\www
Trusted Zone: microsoft.com\www
Trusted Zone: zdnet.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\g0s5iph3.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox? ... S:official
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\g0s5iph3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Java\j2re1.4.0\bin\NPJPI140_01.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-26 07:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jmnozj]
"ServiceDll"="c:\windows\System32\wjnrtv.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2613756972-2128452398-4171163640-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-07-26 08:08:43
ComboFix-quarantined-files.txt 2010-07-26 14:08
ComboFix2.txt 2010-07-15 07:01

Pre-Run: 32,174,006,272 bytes free
Post-Run: 32,549,433,344 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 6697E64E405BF69597C5947BFF1E1BEA

[km2357]

If it is still on your computer, delete CFScript.txt from your Desktop, you will be creating and running a new one.


Step # 1: Run CFScript

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  
  

  Code: Select all

  KILLALL::
  
  Driver::
  
  jmnozj
  
  NetSvc::
  
  jmnozj
  
  File::
  
  c:\windows\System32\wjnrtv.dll
  
  Folder::
  
  c:\program files\LimeWire
  
  Registry::
  
  [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jmnozj]

  
  
  
  
• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
  
  
  
  
  Note: This CFScript is for use on JayneM's computer only! Do not use it on your computer.
  
  
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 1 has been completed.
2. A fresh DDS Log taken after Step 1 has been completed.

[JayneM]

Do I disable Avast while I do this?

[JayneM]

Got an error while ComboFix was preparing to print the log about reinstalling AOL. I finally had to close the window, then the log came up.

ComboFix 10-07-26.04 - Owner 07/27/2010 7:27.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.335 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\System32\wjnrtv.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\LimeWire
c:\program files\LimeWire\toolbarResult

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JMNOZJ
-------\Service_jmnozj


((((((((((((((((((((((((( Files Created from 2010-06-27 to 2010-07-27 )))))))))))))))))))))))))))))))
.

2010-07-21 05:03 . 2004-08-04 06:56 81920 ------w- c:\windows\system32\ieencode.dll
2010-07-21 04:03 . 2010-07-21 04:03 -------- dc----w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-18 00:36 . 2010-07-18 00:36 16384 ---ha-w- C:\SZKGFS.dat
2010-07-18 00:01 . 2010-07-18 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-07-17 23:59 . 2010-07-17 23:59 -------- d-----w- c:\program files\Common Files\iS3
2010-07-17 23:59 . 2010-07-18 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-07-17 08:19 . 2010-07-17 08:19 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-07-17 08:19 . 2010-07-17 08:19 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-07-17 08:01 . 2010-07-17 08:01 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue
2010-07-16 18:10 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-16 18:10 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-16 18:10 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-16 18:10 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-07-16 18:10 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-07-16 18:10 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-07-16 18:09 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-16 18:09 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-16 17:09 . 2010-07-16 17:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Symantec
2010-07-16 17:09 . 2010-07-16 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-07-16 17:09 . 2010-07-16 18:17 -------- d-----w- c:\program files\Symantec
2010-07-16 14:16 . 2010-07-16 14:16 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-16 10:33 . 2009-07-03 22:02 34 -c--a-w- c:\windows\system32\config\systemprofile\jagex_runescape_preferences.dat
2010-07-16 08:14 . 2003-08-18 12:23 -------- d-----w- c:\windows\system32\config\systemprofile\.java
2010-07-16 08:14 . 2010-01-14 03:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IECompatCache
2010-07-16 08:14 . 2010-01-05 04:36 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-07-16 08:14 . 2010-01-05 04:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-07-16 08:14 . 2003-08-12 22:39 -------- d-sh--w- c:\windows\system32\config\systemprofile\UserData
2010-07-16 08:14 . 2004-08-04 05:14 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2010-07-16 08:14 . 2004-08-04 04:58 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-07-16 08:11 . 2010-07-17 23:18 -------- d-----w- c:\program files\America Online 7.0
2010-07-16 08:06 . 2009-07-03 22:02 34 -c--a-w- c:\documents and settings\Default User\jagex_runescape_preferences.dat
2010-07-15 16:49 . 2003-08-18 12:23 -------- d-----w- c:\documents and settings\Default User\.java
2010-07-15 16:49 . 2010-01-14 03:05 -------- d-sh--w- c:\documents and settings\Default User\IECompatCache
2010-07-15 16:49 . 2010-01-05 04:36 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2010-07-15 16:49 . 2010-01-05 04:41 -------- d-sh--w- c:\documents and settings\Default User\PrivacIE
2010-07-15 16:49 . 2003-08-12 22:39 -------- d-sh--w- c:\documents and settings\Default User\UserData
2010-07-15 15:38 . 2004-08-04 05:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-07-15 15:37 . 2004-08-04 05:07 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2010-07-15 15:37 . 2004-08-04 05:07 2944 ----a-w- c:\windows\system32\drivers\drmkaud.sys
2010-07-15 15:37 . 2004-08-04 05:15 60800 ----a-w- c:\windows\system32\drivers\sysaudio.sys
2010-07-15 15:37 . 2004-08-04 04:58 7552 ----a-w- c:\windows\system32\drivers\mskssrv.sys
2010-07-15 15:37 . 2004-08-04 04:58 4992 ----a-w- c:\windows\system32\drivers\mspqm.sys
2010-07-15 15:37 . 2004-08-04 04:58 5376 ----a-w- c:\windows\system32\drivers\mspclock.sys
2010-07-15 15:37 . 2004-08-04 05:08 60288 ----a-w- c:\windows\system32\drivers\drmk.sys
2010-07-15 15:37 . 2004-08-04 06:56 4096 ----a-w- c:\windows\system32\ksuser.dll
2010-07-15 15:37 . 2004-08-04 05:15 145792 ----a-w- c:\windows\system32\drivers\portcls.sys
2010-07-15 15:37 . 2004-08-04 05:10 61056 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-07-15 15:37 . 2004-08-04 05:10 53248 ----a-w- c:\windows\system32\drivers\1394bus.sys
2010-07-15 11:04 . 2002-09-24 03:40 942604 ----a-w- c:\windows\system32\drivers\ALCXWDM.SYS
2010-07-15 05:06 . 2010-07-15 05:14 -------- d-----w- C:\32788R22FWJFW.3.tmp
2010-07-15 05:04 . 2010-07-15 05:05 -------- d-----w- C:\32788R22FWJFW.2.tmp
2010-07-15 03:41 . 2010-07-15 03:42 -------- d-----w- C:\32788R22FWJFW.1.tmp
2010-07-14 02:19 . 2010-07-16 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-14 02:19 . 2010-07-14 02:19 -------- d-----w- c:\program files\Alwil Software
2010-07-11 15:48 . 2010-07-06 17:28 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-11 05:38 . 2010-07-06 17:28 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-11 05:38 . 2010-07-11 05:38 -------- dc----w- c:\windows\system32\DRVSTORE
2010-07-11 05:37 . 2010-07-11 05:37 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-11 05:27 . 2010-07-11 05:27 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sunbelt Software
2010-07-11 05:25 . 2010-07-11 05:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{65893B95-F47B-4483-B883-86BA181E9B54}
2010-07-11 05:23 . 2010-07-11 05:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-11 03:13 . 2010-07-11 03:32 -------- d-----w- c:\program files\Trend Micro
2010-07-10 11:26 . 2010-07-10 11:30 -------- d-----w- c:\windows\system32\NtmsData
2010-07-08 04:09 . 2010-07-08 04:10 -------- d-----w- c:\program files\Database

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-21 11:48 . 2003-06-12 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-21 11:35 . 2004-11-14 03:08 25424 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-21 02:01 . 2009-11-24 01:48 -------- d-----w- c:\program files\TrojanHunter 5.2
2010-07-18 21:41 . 2002-10-29 21:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-18 01:21 . 2010-07-18 01:21 704 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-07-16 18:18 . 2007-10-26 20:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-16 17:16 . 2002-10-30 01:28 -------- d-----w- c:\program files\AWS
2010-07-16 08:13 . 2003-05-12 03:11 -------- d-----w- c:\program files\Common Files\aolshare
2010-07-15 08:04 . 2008-09-11 05:07 1352732 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-07-15 08:04 . 2008-09-11 05:07 115341344 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-07-11 15:47 . 2004-10-01 01:24 -------- d-----w- c:\program files\TrojanHunter 4.0
2010-07-11 05:23 . 2003-05-18 16:27 -------- d-----w- c:\program files\Lavasoft
2010-07-11 02:21 . 2006-05-04 00:47 -------- d-----w- c:\program files\CCleaner
2010-07-08 05:02 . 2008-08-22 15:01 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-19 10:15 . 2003-05-12 00:46 -------- d-----w- c:\program files\hp deskjet 950c series
2010-05-21 19:14 . 2009-10-03 06:32 221568 ------w- c:\windows\system32\MpSigStub.exe
2009-05-02 00:39 . 2009-05-02 00:39 7848712 -c--a-w- c:\program files\InstallWizard101.exe
2009-03-24 17:20 . 2009-03-24 17:19 1470664 -c--a-w- c:\program files\WG-MVPN-SSL.exe
2009-01-11 22:35 . 2009-01-11 22:17 45521704 -c--a-w- c:\program files\BCSETUP.EXE
2003-07-29 05:15 . 2007-10-23 17:54 307200 -c--a-w- c:\program files\internet explorer\plugins\djvu0407.dll
2003-07-29 05:15 . 2007-10-23 17:54 303104 -c--a-w- c:\program files\internet explorer\plugins\djvu0409.dll
2003-07-29 05:15 . 2007-10-23 17:54 311296 -c--a-w- c:\program files\internet explorer\plugins\djvu040c.dll
2003-07-29 05:15 . 2007-10-23 17:54 299008 -c--a-w- c:\program files\internet explorer\plugins\djvu0411.dll
2003-07-29 05:15 . 2007-10-23 17:54 299008 -c--a-w- c:\program files\internet explorer\plugins\djvu0412.dll
2003-07-29 05:15 . 2007-10-23 17:54 290816 -c--a-w- c:\program files\internet explorer\plugins\djvu0804.dll
2003-07-29 05:15 . 2007-10-23 17:54 122880 -c--a-w- c:\program files\internet explorer\plugins\DjVuCntl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2002-10-01 548933]
"AOL Fast Start"="c:\program files\America Online 9.0b\AOL.EXE" [2005-07-12 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-09-09 114688]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-07 61440]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2002-10-29 151597]
"MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-26 241714]
"WCOLOREAL"="c:\program files\COMPAQ\Coloreal\coloreal.exe" [2002-02-21 143360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"nwiz"="nwiz.exe" [2002-10-01 372736]
"PS2"="c:\windows\system32\ps2.exe" [2002-08-01 81920]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-20 111376]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-20 111376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2009-12-18 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0b\\waol.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/16/2010 12:10 PM 165456]
S2 mrtRate;mrtRate; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-07-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-06 17:28]

2010-07-25 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2010-07-27 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2010-07-16 14:04]

2010-07-21 c:\windows\Tasks\System Restore.job
- c:\windows\system32\Restore\rstrui.exe [2002-11-14 06:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
Trusted Zone: aol.com
Trusted Zone: malwareremoval.com\www
Trusted Zone: malwareremovalforum.com\www
Trusted Zone: microsoft.com\www
Trusted Zone: zdnet.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\g0s5iph3.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox? ... S:official
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\g0s5iph3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Java\j2re1.4.0\bin\NPJPI140_01.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-27 07:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2613756972-2128452398-4171163640-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2064)
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\System32\snmp.exe
c:\windows\wanmpsvc.exe
c:\program files\America Online 9.0b\waol.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\windows\system32\wscntfy.exe
c:\program files\America Online 9.0b\shellmon.exe
.
**************************************************************************
.
Completion time: 2010-07-27 07:55:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-27 13:55
ComboFix2.txt 2010-07-26 14:08
ComboFix3.txt 2010-07-15 07:01

Pre-Run: 32,492,781,568 bytes free
Post-Run: 32,575,397,888 bytes free

- - End Of File - - A8ADC576AE1B65E94E8D86215108214F


Avast seemed to start back up too before the log finished and I shut it back down.

DDS

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 7/16/2010 4:37:18 AM
System Uptime: 7/27/2010 7:38:36 AM (1 hours ago)

Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-6577
Processor: Intel(R) Pentium(R) 4 CPU 2.53GHz | Socket 478 | 2532/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 108 GiB total, 30.354 GiB free.
D: is FIXED (FAT32) - 3 GiB total, 0.45 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 7/20/2010 7:46:29 PM - System Checkpoint
RP2: 7/20/2010 8:24:26 PM - After trying automatic system restore
RP3: 7/20/2010 9:44:46 PM - before sp2
RP4: 7/20/2010 9:45:14 PM - restore 2
RP5: 7/20/2010 10:34:07 PM - 11:30 pm before cd
RP6: 7/20/2010 10:50:16 PM - Installed Windows XP Service Pack 2.
RP7: 7/20/2010 11:29:50 PM - Installed Windows XP KB873339.
RP8: 7/20/2010 1:05:52 PM - Installed Windows XP Service Pack 2.
RP9: 7/20/2010 1:16:13 PM - Installed Windows XP KB873339.
RP10: 7/20/2010 1:18:52 PM - Installed Windows XP KB885835.
RP11: 7/23/2010 7:39:35 AM - System Checkpoint
RP12: 7/25/2010 3:10:36 AM - System Checkpoint
RP13: 7/26/2010 7:14:44 AM - System Checkpoint

==== Installed Programs ======================


Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
America Online
avast! Free Antivirus
Coloreal
CompuServe
Detto IntelliMover Demo
HijackThis 2.0.2
Inactive HP Printer Drivers (Remove only)
Indeo® Software
Intel(R) 82845G Graphics Driver Software
InterVideo WinDVD 4
Java 2 Runtime Environment Standard Edition v1.3.1_02
Java 2 Runtime Environment, SE v1.4.0_01
Java Web Start
KBD
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Microsoft .NET Framework (English) v1.0.3705
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works 7.0
Mozilla Firefox (3.6.
Netscape (7.0)
NVIDIA Windows 2000/XP Display Drivers
PC-Doctor for Windows
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2003 New User Edition
RealOne Player
RecordNow
RecordNow Update Manager
S3Display
S3Gamma2
S3Info2
S3Overlay
ShowBiz
Simple Installer - Multilanguage Version
Viewpoint Media Player (Remove Only)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows XP Service Pack 2
Yahoo! Login
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

7/27/2010 7:27:05 AM, error: Service Control Manager [7034] - The WAN Miniport (ATW) Service service terminated unexpectedly. It has done this 1 time(s).
7/27/2010 7:27:05 AM, error: Service Control Manager [7034] - The SNMP Service service terminated unexpectedly. It has done this 1 time(s).
7/27/2010 7:27:05 AM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
7/27/2010 7:27:05 AM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
7/21/2010 5:35:26 AM, error: Service Control Manager [7023] - The Shell Update service terminated with the following error: The specified module could not be found.
7/20/2010 9:19:11 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
7/20/2010 7:21:38 PM, error: Service Control Manager [7023] - The Shell Update service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
7/20/2010 7:21:38 PM, error: Service Control Manager [7000] - The mrtRate service failed to start due to the following error: The system cannot find the file specified.

==== End Of File ===========================


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 8:09:24.76 on Tue 07/27/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.203 [GMT -6:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\wanmpsvc.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [AOL Fast Start] "c:\program files\america online 9.0b\AOL.EXE" -b
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [StorageGuard] "c:\program files\veritas software\update manager\sgtray.exe" /r
mRun: [TkBellExe] c:\program files\common files\real\update_ob\realsched.exe -osboot
mRun: [MoneyStartUp10.0] "c:\program files\microsoft money\system\Activation.exe"
mRun: [WCOLOREAL] "c:\program files\compaq\coloreal\coloreal.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [nwiz] nwiz.exe /installquiet /keeploaded
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\custom~1.lnk - c:\hp\region\customizeIe.wsf
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe
mPolicies-explorer: <NO NAME> =
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2499216C-4BA5-11D5-BD9C-000103C116D5} - {2499216C-4BA5-11D5-BD9C-000103C116D5} - c:\program files\yahoo!\common\ylogin.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
Trusted Zone: aol.com
Trusted Zone: malwareremoval.com\www
Trusted Zone: malwareremovalforum.com\www
Trusted Zone: microsoft.com\www
Trusted Zone: zdnet.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupda ... 9682232875
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/aut ... 01-win.cab
DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3 ... 02-win.cab
DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/aut ... 01-win.cab
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\g0s5iph3.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox? ... S:official
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\g0s5iph3.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\java\j2re1.4.0\bin\NPJPI140_01.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-16 165456]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-16 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-16 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-16 40384]
S2 mrtRate;mrtRate; [x]

=============== Created Last 30 ================

2010-07-26 14:10:38 35400 ----a-w- c:\windows\Owner000.acl
2010-07-26 13:42:40 0 d-sha-r- C:\cmdcons
2010-07-21 05:03:45 81920 ------w- c:\windows\system32\ieencode.dll
2010-07-21 04:50:11 19528 ----a-w- c:\windows\002063_.tmp
2010-07-21 04:03:06 0 dc----w- c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-20 19:05:12 19528 ----a-w- c:\windows\000001_.tmp
2010-07-18 01:21:19 704 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-07-18 00:36:49 16384 ---ha-w- C:\SZKGFS.dat
2010-07-18 00:01:25 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-07-17 23:59:42 0 d-----w- c:\program files\common files\iS3
2010-07-17 23:59:39 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-07-17 08:19:46 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-07-17 08:19:46 0 d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-07-17 08:01:55 0 d-----w- c:\docume~1\owner\applic~1\Uniblue
2010-07-16 18:09:53 38848 ----a-w- c:\windows\avastSS.scr
2010-07-16 17:09:53 0 d-----w- c:\docume~1\owner\applic~1\Symantec
2010-07-16 17:09:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-07-16 17:09:42 0 d-----w- c:\program files\Symantec
2010-07-16 14:20:36 3144 -c--a-w- c:\windows\system32\dllcache\srgb.icm
2010-07-16 14:16:54 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-16 08:14:03 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2010-07-16 08:14:03 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-07-16 08:11:13 40960 ----a-w- c:\windows\SET5678.tmp
2010-07-16 08:11:04 0 d-----w- c:\program files\America Online 7.0
2010-07-15 15:38:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-07-15 11:04:12 942604 ----a-w- c:\windows\system32\drivers\ALCXWDM.SYS
2010-07-15 11:04:12 1246208 ----a-w- c:\windows\system32\ALSNDMGR.CPL
2010-07-15 05:06:51 0 d-----w- C:\32788R22FWJFW.3.tmp
2010-07-15 05:04:10 0 d-----w- C:\32788R22FWJFW.2.tmp
2010-07-15 03:41:01 0 d-----w- C:\32788R22FWJFW.1.tmp
2010-07-15 02:37:14 98816 ----a-w- c:\windows\sed.exe
2010-07-15 02:37:14 77312 ----a-w- c:\windows\MBR.exe
2010-07-15 02:37:14 256512 ----a-w- c:\windows\PEV.exe
2010-07-15 02:37:14 161792 ----a-w- c:\windows\SWREG.exe
2010-07-14 02:19:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-07-11 15:48:09 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-11 05:38:21 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-11 05:37:22 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-11 05:25:42 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{65893B95-F47B-4483-B883-86BA181E9B54}
2010-07-11 03:13:50 0 d-----w- c:\program files\Trend Micro
2010-07-10 11:26:48 0 d-----w- c:\windows\system32\NtmsData
2010-07-08 04:09:54 0 d-----w- c:\program files\Database

==================== Find3M ====================

2010-07-15 08:04:37 1352732 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-07-15 08:04:37 115341344 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-05-21 19:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2009-05-02 00:39:37 7848712 -c--a-w- c:\program files\InstallWizard101.exe
2009-03-24 17:20:02 1470664 -c--a-w- c:\program files\WG-MVPN-SSL.exe
2009-01-11 22:35:38 45521704 -c--a-w- c:\program files\BCSETUP.EXE
2009-08-17 04:55:16 470 --sha-r- c:\windows\system32\config\systemprofile\my documents\c & j auto\x1\c\documents and settings\owner\local settings\application data\microsoft\feeds cache\index.dat
2009-09-07 15:35:20 470 --sha-r- c:\windows\system32\config\systemprofile\my documents\c & j auto\x2\c\documents and settings\owner\local settings\application data\microsoft\feeds cache\index.dat

============= FINISH: 8:09:40.07 ===============

[km2357]

Step # 1 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 6u21.
• Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Remove the following old versions of Java:
  
  
• Java 2 Runtime Environment Standard Edition v1.3.1_02
  
  Java 2 Runtime Environment, SE v1.4.0_01
  
  
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
  
• From your desktop double-click on the download to install the newest version.

Step # 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Step # 3 Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Post the MalwareBytes' Log in your next post/reply.

[JayneM]

I removed the old Java program and installed the new. Ran ATF clearner
Ran the malware bytes program, here is the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4372

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

7/30/2010 2:03:35 PM
mbam-log-2010-07-30 (14-03-35).txt

Scan type: Quick scan
Objects scanned: 129481
Time elapsed: 17 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\MSVolume.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.


don't know if I should have but here are the new DDS logs


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 14:15:59.09 on Fri 07/30/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.252 [GMT -6:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [AOL Fast Start] "c:\program files\america online 9.0b\AOL.EXE" -b
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [StorageGuard] "c:\program files\veritas software\update manager\sgtray.exe" /r
mRun: [TkBellExe] c:\program files\common files\real\update_ob\realsched.exe -osboot
mRun: [MoneyStartUp10.0] "c:\program files\microsoft money\system\Activation.exe"
mRun: [WCOLOREAL] "c:\program files\compaq\coloreal\coloreal.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [nwiz] nwiz.exe /installquiet /keeploaded
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\custom~1.lnk - c:\hp\region\customizeIe.wsf
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe
mPolicies-explorer: <NO NAME> =
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2499216C-4BA5-11D5-BD9C-000103C116D5} - {2499216C-4BA5-11D5-BD9C-000103C116D5} - c:\program files\yahoo!\common\ylogin.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
Trusted Zone: aol.com
Trusted Zone: malwareremoval.com\www
Trusted Zone: malwareremovalforum.com\www
Trusted Zone: microsoft.com\www
Trusted Zone: zdnet.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupda ... 9682232875
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\g0s5iph3.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox? ... S:official
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\g0s5iph3.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-16 165456]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-16 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-16 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-16 40384]
S2 mrtRate;mrtRate; [x]

=============== Created Last 30 ================

2010-07-30 15:50:04 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-07-30 15:49:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-30 15:49:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-30 15:49:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-30 15:49:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-30 15:43:48 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-26 14:10:38 35400 ----a-w- c:\windows\Owner000.acl
2010-07-26 13:42:40 0 d-sha-r- C:\cmdcons
2010-07-21 05:03:45 81920 ------w- c:\windows\system32\ieencode.dll
2010-07-21 04:50:11 19528 ----a-w- c:\windows\002063_.tmp
2010-07-21 04:03:06 0 dc----w- c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-20 19:05:12 19528 ----a-w- c:\windows\000001_.tmp
2010-07-18 01:21:19 704 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-07-18 00:36:49 16384 ---ha-w- C:\SZKGFS.dat
2010-07-18 00:01:25 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-07-17 23:59:42 0 d-----w- c:\program files\common files\iS3
2010-07-17 23:59:39 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-07-17 08:19:46 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-07-17 08:19:46 0 d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-07-17 08:01:55 0 d-----w- c:\docume~1\owner\applic~1\Uniblue
2010-07-16 18:09:53 38848 ----a-w- c:\windows\avastSS.scr
2010-07-16 17:09:53 0 d-----w- c:\docume~1\owner\applic~1\Symantec
2010-07-16 17:09:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-07-16 17:09:42 0 d-----w- c:\program files\Symantec
2010-07-16 14:20:36 3144 -c--a-w- c:\windows\system32\dllcache\srgb.icm
2010-07-16 14:16:54 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-16 08:14:03 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2010-07-16 08:14:03 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-07-16 08:11:13 40960 ----a-w- c:\windows\SET5678.tmp
2010-07-16 08:11:04 0 d-----w- c:\program files\America Online 7.0
2010-07-15 15:38:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-07-15 11:04:12 942604 ----a-w- c:\windows\system32\drivers\ALCXWDM.SYS
2010-07-15 11:04:12 1246208 ----a-w- c:\windows\system32\ALSNDMGR.CPL
2010-07-15 05:06:51 0 d-----w- C:\32788R22FWJFW.3.tmp
2010-07-15 05:04:10 0 d-----w- C:\32788R22FWJFW.2.tmp
2010-07-15 03:41:01 0 d-----w- C:\32788R22FWJFW.1.tmp
2010-07-15 02:37:14 98816 ----a-w- c:\windows\sed.exe
2010-07-15 02:37:14 77312 ----a-w- c:\windows\MBR.exe
2010-07-15 02:37:14 256512 ----a-w- c:\windows\PEV.exe
2010-07-15 02:37:14 161792 ----a-w- c:\windows\SWREG.exe
2010-07-14 02:19:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-07-11 15:48:09 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-11 05:38:21 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-11 05:37:22 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-11 05:25:42 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{65893B95-F47B-4483-B883-86BA181E9B54}
2010-07-11 03:13:50 0 d-----w- c:\program files\Trend Micro
2010-07-10 11:26:48 0 d-----w- c:\windows\system32\NtmsData
2010-07-08 04:09:54 0 d-----w- c:\program files\Database

==================== Find3M ====================

2010-07-15 08:04:37 1352732 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-07-15 08:04:37 115341344 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-05-21 19:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2009-05-02 00:39:37 7848712 -c--a-w- c:\program files\InstallWizard101.exe
2009-03-24 17:20:02 1470664 -c--a-w- c:\program files\WG-MVPN-SSL.exe
2009-01-11 22:35:38 45521704 -c--a-w- c:\program files\BCSETUP.EXE
2009-08-17 04:55:16 470 --sha-r- c:\windows\system32\config\systemprofile\my documents\c & j auto\x1\c\documents and settings\owner\local settings\application data\microsoft\feeds cache\index.dat
2009-09-07 15:35:20 470 --sha-r- c:\windows\system32\config\systemprofile\my documents\c & j auto\x2\c\documents and settings\owner\local settings\application data\microsoft\feeds cache\index.dat

============= FINISH: 14:17:53.26 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 7/16/2010 4:37:18 AM
System Uptime: 7/30/2010 2:06:50 PM (0 hours ago)

Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-6577
Processor: Intel(R) Pentium(R) 4 CPU 2.53GHz | Socket 478 | 2533/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 108 GiB total, 30.139 GiB free.
D: is FIXED (FAT32) - 3 GiB total, 0.45 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 7/20/2010 7:46:29 PM - System Checkpoint
RP2: 7/20/2010 8:24:26 PM - After trying automatic system restore
RP3: 7/20/2010 9:44:46 PM - before sp2
RP4: 7/20/2010 9:45:14 PM - restore 2
RP5: 7/20/2010 10:34:07 PM - 11:30 pm before cd
RP6: 7/20/2010 10:50:16 PM - Installed Windows XP Service Pack 2.
RP7: 7/20/2010 11:29:50 PM - Installed Windows XP KB873339.
RP8: 7/20/2010 1:05:52 PM - Installed Windows XP Service Pack 2.
RP9: 7/20/2010 1:16:13 PM - Installed Windows XP KB873339.
RP10: 7/20/2010 1:18:52 PM - Installed Windows XP KB885835.
RP11: 7/23/2010 7:39:35 AM - System Checkpoint
RP12: 7/25/2010 3:10:36 AM - System Checkpoint
RP13: 7/26/2010 7:14:44 AM - System Checkpoint
RP14: 7/30/2010 7:59:46 AM - System Checkpoint
RP15: 7/30/2010 9:33:22 AM - Removed Java 2 Runtime Environment, SE v1.4.0_01
RP16: 7/30/2010 9:43:05 AM - Installed Java(TM) 6 Update 21

==== Installed Programs ======================


Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
America Online
avast! Free Antivirus
Coloreal
CompuServe
Detto IntelliMover Demo
HijackThis 2.0.2
Inactive HP Printer Drivers (Remove only)
Indeo® Software
Intel(R) 82845G Graphics Driver Software
InterVideo WinDVD 4
Java Auto Updater
Java(TM) 6 Update 21
KBD
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework (English) v1.0.3705
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works 7.0
Mozilla Firefox (3.6.
Netscape (7.0)
NVIDIA Windows 2000/XP Display Drivers
PC-Doctor for Windows
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2003 New User Edition
RealOne Player
RecordNow
RecordNow Update Manager
S3Display
S3Gamma2
S3Info2
S3Overlay
ShowBiz
Simple Installer - Multilanguage Version
Viewpoint Media Player (Remove Only)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows XP Service Pack 2
Yahoo! Login
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

7/30/2010 9:39:36 AM, error: Dhcp [1002] - The IP address lease 207.191.202.146 for the Network Card with network address 0010DC8E975A has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
7/30/2010 2:10:09 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: agp440 SISAGP viaagp1
7/30/2010 10:11:04 AM, error: Srv [2000] - The server's call to a system service failed unexpectedly.
7/27/2010 7:27:05 AM, error: Service Control Manager [7034] - The WAN Miniport (ATW) Service service terminated unexpectedly. It has done this 1 time(s).
7/27/2010 7:27:05 AM, error: Service Control Manager [7034] - The SNMP Service service terminated unexpectedly. It has done this 1 time(s).
7/27/2010 7:27:05 AM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
7/27/2010 7:27:05 AM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
7/23/2010 9:20:38 AM, error: Service Control Manager [7023] - The Shell Update service terminated with the following error: The specified module could not be found.
7/23/2010 9:20:38 AM, error: Service Control Manager [7000] - The mrtRate service failed to start due to the following error: The system cannot find the file specified.

==== End Of File ===========================

[km2357]

You're running a really old version of Internet Explorer. Go ahead and update it to IE 8.


Step # 1: Run Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
   Spyware, Adware, Dialers, and other potentially dangerous programs
   Archives
   Mail databases
5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
9. Please post this log in your next reply.

In your next post/reply, I need to see the following:

1. Kaspersky Log
2. How is your computer doing, any problems?

[JayneM]

I'm going to log off after this post and run the virus scan you linked above. I have two questions besides that though.

When I restart the computer and Avast restarts, there are two shields down (every time), the Web Shield and the Network Shield, and I have to restart them manually.

Also, I am now using Firefox instead of Explorer for my web browser. Before I deleted Explorer I wanted to find out if there is any harm in doing so, and if there is a particular way to do it to make sure all elements of it are gone.

EDITED TO ADD:

I went to the website, disabled Avast and hit Accept, but it hangs up and will never go beyond that point, so I can't run the program.

The computer has been running much faster, but I'm thinking the Trojan is still hiding somewhere in my Restore files. Is it possible, since a Compaq keeps your reboot in the D drive, that my scans are missing it in there?

[km2357]

When I restart the computer and Avast restarts, there are two shields down (every time), the Web Shield and the Network Shield, and I have to restart them manually.

Once you've restarted the shields, do they stay enabled or do you have to keep turning them on? You can try updating Avast or if that doesn't work, try uninstalling then reinstalling Avast. If neither of those work, I'd suggest you post for help at the following forum, they'd be better equipped to help you out.

http://forum.avast.com/

Also, I am now using Firefox instead of Explorer for my web browser. Before I deleted Explorer I wanted to find out if there is any harm in doing so, and if there is a particular way to do it to make sure all elements of it are gone.

There should be no harm in uninstalling IE and replacing it with Firefox. There may be some websites out there that only work with IE, but those are few in number. The best way to remove IE is to uninstall via add/remove programs. That should get everything, there maybe leftovers in the registry, but those can be left alone, best not to go mucking around in the registry.

I went to the website, disabled Avast and hit Accept, but it hangs up and will never go beyond that point, so I can't run the program.

Since Kaspersky gave you trouble, we'll try another online scanner.

The computer has been running much faster, but I'm thinking the Trojan is still hiding somewhere in my Restore files. Is it possible, since a Compaq keeps your reboot in the D drive, that my scans are missing it in there

Good to hear that the computer has been running much faster

If the trojan is in your System Restore, it is harmless where it is. And in an upcoming post, I'll be showing you how to clear out any infected System Restore points and put in a new, clean one.

As for Compaq, if you are talking about your Recovery Partition and not System Restore, we don't want to mess too much with that cause if we delete something from there we shouldn't, it could hinder your ability to recover your computer if you need to.

The online scanner I'm having you use should scan your computer fully, so we should be able to see if there is anything on the D: drive.


I'd like us to scan your machine with ESET OnlineScan

1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
   ESET OnlineScan
2. Click the button.
3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
   1. Click on to download the ESET Smart Installer. Save it to your desktop.
   2. Double click on the icon on your desktop.
4. Check
5. Click the button.
6. Accept any security warnings from your browser.
7. Check
8. Push the Start button.
9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
10. When the scan completes, push
11. Make sure that Remove found threats is unchecked
12. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
13. Push the button.
14. Push

[JayneM]

Was having problems getting the ESET scanner to work, will try again in a bit.

When I reboot or restart I'm getting a message that Veritas backup is trying to install but there is a problem. I have to cancel it about 10 times to make it stop trying to download this. Any idea what it is? From what I've read it is part of Symantec, which I don't even have, but there have been some vulnerabilities in it in the past, and with my computer basically reverting back to 2003 I wonder if one of those has been exploited.

Could you look at this new HIjack this log? I notice it in there.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:28 PM, on 8/3/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
N3 - Netscape 7: # Mozilla User Preferences
// This is a generated file!

user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.history.last_page_visited", "http://walledgarden.mchsd.com/walledGarden/HSD_PRODUCT/ProvisionedModemThankYou2.jsp");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage_override.mstone", "rv:1.0.1");
user_pref("intl.charsetmenu.browser.cache", "ISO-8859-1");
user_pref("prefs.converted-to-utf8", true);
user_pref("security.warn_entering_secure", false);
user_pref("signon.SignonFileName", "37848427.s");
user_pref("timebomb.first_launch_time", "1237848378046000");
user_pref("update_notifications.provider.0.last_checked", 1238599218);
user_pref("browser.helperApps.neverAsk.openFile", "application%2Fx-java-jnlp-file");
(C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\qe31oah0.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - S-1-5-18 Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: customize__IE.lnk = C:\hp\region\customizeIe.wsf
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 9682232875
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6529 bytes

[km2357]

Was having problems getting the ESET scanner to work, will try again in a bit.

Ok, try ESET again and if you still can't get it to work, I have one more online scanner we can try.

When I reboot or restart I'm getting a message that Veritas backup is trying to install but there is a problem. I have to cancel it about 10 times to make it stop trying to download this. Any idea what it is? From what I've read it is part of Symantec, which I don't even have, but there have been some vulnerabilities in it in the past, and with my computer basically reverting back to 2003 I wonder if one of those has been exploited.

Veritas is backup software/company that was purchased by Symantec. Since you don't have it anymore, let's fix it from showing up when your computer loads up.


Step # 1: Remove Hijackthis Entries

• Run HijackThis
• Click on the Scan button
• Put a check beside all of the items listed below (if present):
  
  
  O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
  
  
• Close all open windows and browsers/email, etc...
• Click on the "Fix Checked" button
• When completed, close the application.

Delete the following folder, if found:

C:\Program Files\VERITAS Software


In your next post/reply, I need to see the following:

1. ESET Log
2. A fresh HiJackThis Log

[JayneM]

Okay, I removed the program from the C drive, which really should not nessarily have removed it from the C drive, I don't think, but here is the log and I don't see the Symantec program (the weird thing is I have NEVER had Symantec). That also touches on the other problems I'm now having. My add/remove programs is not populating correctly. It only shows about 10 programs. I know there are certain things that can cause this, but I didn't want to start messing with it myself. I cannot delete Internet Explorer 6, and I cannot load Internet Explorer 8, it gets about halfway through then I get an error and have to reboot the computer. Also, the automatic updates are not working for Windows. Is this because I'm still running the older XP version? I wanted to delete AOL since it isn't even working anymore, and it runs so much junk in the background all the time, but it doesn't show up on the list either in the add/remove programs.

Also, my Compaq D drive has somehow gotten file folders from my C drive in there. I have no idea how that happened, I don't actually ever use the D drive for anything.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:13 PM, on 8/4/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\wanmpsvc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
N3 - Netscape 7: # Mozilla User Preferences
// This is a generated file!

user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.history.last_page_visited", "http://walledgarden.mchsd.com/walledGarden/HSD_PRODUCT/ProvisionedModemThankYou2.jsp");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage_override.mstone", "rv:1.0.1");
user_pref("intl.charsetmenu.browser.cache", "ISO-8859-1");
user_pref("prefs.converted-to-utf8", true);
user_pref("security.warn_entering_secure", false);
user_pref("signon.SignonFileName", "37848427.s");
user_pref("timebomb.first_launch_time", "1237848378046000");
user_pref("update_notifications.provider.0.last_checked", 1238599218);
user_pref("browser.helperApps.neverAsk.openFile", "application%2Fx-java-jnlp-file");
(C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\qe31oah0.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - S-1-5-18 Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: customize__IE.lnk = C:\hp\region\customizeIe.wsf
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 9682232875
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6430 bytes
******************************88

[km2357]

Based on all the present problems (and possible future problems) that you describe your computer having the next best/easiest/quickest step to get your computer back up to speed and malware-free is to do a complete reformat and reinstall of XP. Doing that will start you of fresh, removing any malware that may be left on the computer.

Since you have a Compaq that has a recovery partition (your D: drive), its best to either contact Compaq directly and follow their instructions on how to do a reformat and reinstall, via the link below:

http://welcome.hp.com/country/us/en/contact_us.html

Or you can take your computer to a local computer shop and have them do it.

Once you get your computer reformatted and reinstalled be sure to upgrade to XP SP3 as soon as possible.