Full Version: 2nd laptop infected
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
jgabble
Hello,

My 2nd laptop seems to be in the infancy stages of being infected by a trojan and/or virus.

What I can do (still):
- boot in Windows XP
- desktop appears, but with no icons or "Start" taskbar in bottom left-hand corner of the screen
- activate and view Task Manager by pressing Ctrl-Alt-Delete
- visible cursor and able to move it

What I am unable to do:
- get into My Computer or Control Panel (to attempt to get into System Restore)
- run any Spyware, ComboFix, or Anti-Malware Malware Bytes

Here is the visual of the Task Manager (I am hoping that anyone might notice which .exe files are ACTUALLY viral files [imposters]):

40-41 processes

svchost.exe SYSTEM
svchost.exe SYSTEM
svchost.exe SYSTEM
svchost.exe SYSTEM
wdfmgr.exe LOCAL SERVICE
symlcsvc.exe SYSTEM
spoolsv.exe SYSTEM
brss01a.exe SYSTEM
brsvc01a.exe SYSTEM
SMAgent.exe SYSTEM
SNDSrvc.exe SYSTEM
svchost.exe LOCAL SERVICE
svchost.exe NETWORK SERVICE
svchost.exe SYSTEM
navapsvc.exe SYSTEM
svchost.exe NETWORK SERVICE
SPBBCS.exe SYSTEM
svchost.exe SYSTEM
svchost.exe SYSTEM
lsass.exe SYSTEM
services.exe SYSTEM
winlogon.exe SYSTEM
csrss.exe SYSTEM
ISSVC.exe SYSTEM
smss.exe SYSTEM
ccSetMgr.exe SYSTEM
YahooAUService SYSTEM
ccProxy.exe SYSTEM
CDANTSRV.exe SYSTEM
winzip32.exe Jeff D.
ccEvtMgr.exe SYSTEM
acsd.exe SYSTEM
bcmwltry.exe SYSTEM
svchost.exe LOCAL SERVICE
wltrysvc.exe SYSTEM
wanmpsvc.exe SYSTEM
System.exe SYSTEM
System Idle Process.exe SYSTEM
taskmgr.exe Jeff D.
alg.exe LOCAL SERVICE
ctfmon.exe Jeff D.


Any guidance on how exactly to proceed (step-by-step) from here to regain the desktop and attempt to run anti-spyware to get rid of this trojan/virus would be very much appreciated.

Thanks in advance,

Jeff D.
AdvancedSetup
Update and Scan with Malwarebytes' Anti-Malware
  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run As Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.


Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
    When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


AdvancedSetup
Please post an update on this. Thanks.
AdvancedSetup
Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
AdvancedSetup
Post reopened at user request.
jgabble
QUOTE (AdvancedSetup @ Oct 29 2009, 08:40 AM)
Post reopened at user request.


Ron,

Here are the logs you requested:

MBAM (quick scan)

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

10/27/2009 10:35:09 PM
mbam-log-2009-10-27 (22-35-09).txt

Scan type: Quick Scan
Objects scanned: 113457
Time elapsed: 7 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 29
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 8
Files Infected: 44

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\clientax.clientinstaller (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.clientinstaller.1 (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.requiredcomponent (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.requiredcomponent.1 (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.zangoclientax (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.zangoclientax.1 (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\lmgr180.wmdrmax (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\lmgr180.wmdrmax.1 (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mysearchtoolbar.settingsplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{014da6c1-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014da6c1-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{014da6cb-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fac94900-96d9-47fa-ba33-7ef1bbfbbcec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mysearchtoolbar.settingsplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{014da6ca-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{014da6cc-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2b0eceac-f597-4858-a542-d966b49055b9} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6c092742-10fe-4db2-988d-fc71948de70c} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7fa8976f-d00c-4e98-8729-a66569233fb5} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a16650a9-b065-40ec-bbd1-f8d370d17fb1} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bdddf1a5-51a9-4f51-b38d-4cd0ad831b31} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ddea2e1d-8555-45e5-af09-ec9aa4ea27ad} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e43dfaa6-8c16-4519-b022-8792408505a4} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f1f1e775-1b21-454d-8d38-7c16519969e5} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0ac49246-419b-4ee0-8917-8818daad6a4e} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f31a5d11-bf0b-4a4e-90af-274f2090aaa6} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{5b6689b5-c2d4-4dc7-bfd1-24ac17e5fcda} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Search Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{02ffac45-0b10-5633-4296-1801f1a36678} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{f710fa10-2031-3106-8872-93a2b5c5c620} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\91797033 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rimawehodu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: urnt32.dll -> Delete on reboot.

Folders Infected:
C:\Program Files\LoveFreeGames (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\urnt32.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\web.ico (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\8.DCR (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\license.txt (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\spacer.gif (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\Tennis.html (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\Tennis.ico (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\uninstall.exe (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\uninstall.ico (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_01.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_02.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_03.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_04.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_05.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_06.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_07.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_08.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_09.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_10.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_11.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_12.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_13.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_14.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_15.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_16.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_17.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_18.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_19.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_20.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_21.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_22.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\S4FFXTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\S4FFXTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\S4NTSTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\S4PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache\006EB072 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache\006F093F.bmp (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache\006F354B.bmp (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache\files.ini (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\History\search (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Settings\prevcfg.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.


The DDS.txt:

DDS (Ver_09-10-26.01) - NTFSx86
Run by Jeff Dick at 22:42:45.56 on Tue 10/27/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.495.220 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Jeff Dick\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: {7cc62ac7-3c0b-442d-9849-326be3c36fc6} - vodarowo.dll
BHO: c:\windows\system32\dbryk.dll: {a2234b15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\dbryk.dll
TB: Norton Internet Security: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PmProxy] c:\program files\analog devices\soundmax\PmProxy.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TFNF5] TFNF5.exe
mRun: [Tpwrtray] TPWRTRAY.EXE
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [NDSTray.exe] "c:\program files\toshiba\configfree\NDSTray.exe"
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_08\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HostManager] c:\program files\common files\aol\1241910677\ee\AOLSoftware.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {0264505A-6793-44E0-AC75-9DCE3B13185C} - c:\program files\at&t\wnclient\programs\AnyWho.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_08\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin7USA.cab
DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://aolsvc.aol.com/onlinegames/oberonmajongescape/PTGameLauncher.cab
Notify: igfxcui - igfxsrvc.dll
STS: c:\windows\system32\dbryk.dll: {a2234b15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\dbryk.dll
LSA: Notification Packages = scecli urnt32.dll

============= SERVICES / DRIVERS ===============

R? CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver
R? mrtRate;mrtRate
R? Wdm1;USB Bridge Cable Driver
S? wlags48b;Wireless LAN PCCard Driver
S? YahooAUService;Yahoo! Updater

=============== Created Last 30 ================

2009-10-28 02:10:04 0 d-----w- C:\GenericFix
2009-10-28 01:59:24 0 d-----w- c:\windows\pss
2009-10-28 01:53:44 60416 ----a-w- c:\windows\system32\drivers\Combo-Fix.sys
2009-10-28 01:38:03 0 d-s---w- C:\Combo-Fix-09A
2009-10-28 01:04:20 98816 ----a-w- c:\windows\sed.exe
2009-10-28 01:04:20 77312 ----a-w- c:\windows\MBR.exe
2009-10-28 01:04:20 236544 ----a-w- c:\windows\PEV.exe
2009-10-28 01:04:20 161792 ----a-w- c:\windows\SWREG.exe
2009-10-28 01:04:04 0 d-s---w- C:\Combo-Fix-09
2009-10-28 00:55:52 0 d-----w- C:\Combo-Fix
2009-10-28 00:42:09 0 d-----w- c:\docume~1\jeffdi~1\applic~1\Malwarebytes
2009-10-28 00:42:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-28 00:41:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 00:41:58 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-28 00:41:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-28 00:39:09 1051168 --sh--w- c:\windows\system32\zogonaha.exe
2009-10-22 23:15:23 388608 ----a-w- c:\windows\system32\cmd.execf
2009-10-22 22:52:50 52224 ----a-w- C:\nvuytlnx.exe
2009-10-22 22:52:48 250368 ----a-w- C:\mgilgqug.exe
2009-10-22 22:52:47 50176 ----a-w- C:\rpvxjx.exe
2009-10-21 22:48:40 38 ----a-w- C:\40.tmp
2009-10-21 22:48:36 64000 ----a-w- C:\3E.tmp
2009-10-20 08:38:07 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest
2009-10-20 08:38:06 50688 ----a-w- c:\windows\system32\ff_acm.acm
2009-10-20 08:38:01 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-10-20 08:37:57 0 d-----w- c:\program files\ffdshow
2009-10-20 01:42:36 0 d-----w- c:\program files\GPL MPEG Decoder
2009-10-19 23:15:46 3249 ----a-w- c:\windows\system32\wbem\Outlook_01ca511216750fbe.mof
2009-10-17 09:18:01 0 d-----w- c:\docume~1\jeffdi~1\applic~1\GetRightToGo
2009-10-17 08:27:16 0 d-----w- c:\docume~1\jeffdi~1\applic~1\AVS4YOU
2009-10-17 08:27:14 0 d-----w- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-10-17 08:22:54 0 d-----w- c:\program files\common files\AVSMedia
2009-10-17 08:22:18 974848 ----a-w- c:\windows\system32\mfc70.dll
2009-10-17 08:22:09 0 d-----w- c:\program files\AVS4YOU
2009-10-17 08:18:52 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-10-16 22:44:30 182912 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-10-16 04:56:34 0 d-----w- c:\program files\Media Player Classic
2009-10-16 04:56:33 0 d-----w- c:\program files\QuickTime Alternative
2009-10-12 06:10:56 0 d-sha-r- C:\cmdcons
2009-10-12 06:05:08 388608 ----a-w- c:\windows\system32\CF31564.exe
2009-10-11 23:36:53 44 ----a-w- c:\windows\SMWizard.INI
2009-10-11 07:53:12 33019 ----a-w- c:\windows\system32\CoreAAC-uninstall.exe
2009-10-11 07:51:35 0 d-----w- c:\program files\OpenSource Flash Video Splitter
2009-10-11 07:28:18 0 d-----w- c:\docume~1\jeffdi~1\applic~1\ESTSoft
2009-10-11 07:25:37 0 d-----w- c:\program files\ESTsoft
2009-10-11 07:14:30 0 d-sh--w- c:\documents and settings\jeff dick\PrivacIE
2009-10-11 07:01:42 0 d-sh--w- c:\documents and settings\jeff dick\IETldCache
2009-10-11 06:57:12 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-11 06:56:16 0 d-----w- c:\windows\ie8updates
2009-10-11 06:55:07 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-11 06:55:06 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-11 06:55:06 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-11 06:55:05 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-11 06:55:05 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-10-11 06:55:04 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-10-11 06:50:16 0 dc-h--w- c:\windows\ie8
2009-10-11 06:47:36 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-11 06:47:20 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2009-10-11 06:45:54 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-11 06:45:09 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll

==================== Find3M ====================

2009-10-28 01:07:24 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-08-05 09:11:47 204800 ----a-w- c:\windows\system32\mswebdvd.dll

============= FINISH: 22:44:04.31 ===============


And the Attach.txt:

=== Installed Programs ======================

Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Photoshop 7.0
Alps Pointing-device Driver
ALShow
ALTools Update
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
ArcSoft Camera Suite
AT&TWorldNet Service
AVS Update Manager 1.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.3
Belkin Wireless Utility
C-Dilla Licence Management System
Camera Window
Canon Camera WIA Driver
Canon Camera Window for ZoomBrowser EX
Canon PhotoRecord
Canon PowerShot S45 WIA Driver
Canon Utilities FileViewerUtility 1.0
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.6
Canon Utilities ZoomBrowser EX
CC_ccProxyExt
ccCommon
ccPxyCore
CoreAAC Audio Decoder (remove only)
Drag'n Drop CD+DVD
Family Feud Hollywood Edition (remove only)
Family Tree Maker
ffdshow [rev 3109] [2009-10-19]
FileViewerUtility 1.0
Golf King
GPL MPEG-1/2 DirectShow Decoder Filter
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
hp instant support
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
hp psc 1200 series
ijji
Image Transfer
ImageMixer for Sony
Intel® Extreme Graphics Driver
Intel® PRO Network Adapters and Drivers
IntelliMover
InterVideo WinDVD 4
iTunes
J2SE Runtime Environment 5.0 Update 7
J2SE Runtime Environment 5.0 Update 8
Learn2 Player (Uninstall Only)
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Love Free Games Tennis
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Managed DirectX (0900)
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft Office Professional Edition 2003
Microsoft Office XP Media Content
Microsoft Streets & Trips 2006
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
MicroStaff WINASPI
MSN Music Assistant
MSRedist
MyLabels
MySoftware Fonts
Norton AntiSpam
Norton AntiVirus 2005
Norton Internet Security
Norton Internet Security 2005 (Symantec Corporation)
Norton WMI Update
Notebook Maximizer
OpenSource Flash Video Splitter (remove only)
PaperPort
PhotoStitch
Quicken 2003 New User Edition
QuickTime
QuickTime Alternative 1.67
RealPlayer Basic
RemoteCapture 2.6
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Software Suite
Sony USB Driver
SoundMAX
SPBBC
Stamps.com Internet Postage
Super Collapse! 3
Symantec Script Blocking Installer
SymNet
TOSHIBA Access
TOSHIBA ConfigFree
TOSHIBA Console
Toshiba Hotkey Utility for Display Devices
TOSHIBA Power Saver
Toshiba Registration
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA System Stability Program
Toshiba Tbiosdrv Driver
TOSHIBA TouchPad On/Off Utility V2.05.00
TOSHIBA Utilities
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
Viewpoint Media Player
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
Yahoo! Install Manager
Yahoo! Software Update
Yahoo! Toolbar

==== End Of File ===========================


Your assistance and timely response would be appreciated.

Thanks,
Jeff D.



AdvancedSetup
Please UPDATE MBAM, your database is very old.

Your version: 2775
Current version: 3059

Update and Scan with Malwarebytes' Anti-Malware
  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.


When that's done, please uninstall these old, compromised versions of Java:
J2SE Runtime Environment 5.0 Update 7
J2SE Runtime Environment 5.0 Update 8


jgabble
QUOTE (AdvancedSetup @ Oct 30 2009, 07:12 AM) *


Ron,

I am unable to update Malwarebytes. When I select just the "Update" and not "Launch", I get the following error message:

Error Code 732(0,0).

Where do I go from here?

Your assistance and timely response would be appreciated,

Thanks,

Jeff D.
AdvancedSetup
Please check your Private Message
AdvancedSetup
Okay, please try to run the following. Leave your Internet connection enabled and allow Combofix to automatically download and install the Recovery Console for you.
Disable your AV

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:





  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------
  7. Double click on Combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not click in Combo-Fix's window while it's running. That may cause it to stall.**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method as above, but rename Combofix.exe to iexplore.exe instead, or to winlogon.exe.
This is because in some cases malware blocks EVERY process except those on its own whitelist, and that whitelist also includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...

jgabble
Ron,

Before I run this, there are some obstacles: the only way I can connect to the Internet after booting is through the Task Manager (CTRL-ALT-DEL) using the Run command. I can save programs to the desktop but cannot access them after running them the first time (or at least I am not sure how). My method of communication through this forum is via my other laptop. I have run ComboFix (likely an older version) on the infected laptop, after trying to disable the AV (I can only do this by locating the .exe process in the Task Manager and choosing "End Task"; all it does is end the process, since I cannot access My Computer, have no desktop icons on booting the laptop, and have no Start Menu to access any folders). It does run and gets through all 50 stages, then prompts itself to reboot the laptop, but when the laptop reboots it goes to the login screen (since there is more than one user). I know that ComboFix instructs not to log in yourself, but nothing happens once the login screen appears after ComboFix reboots the laptop, so I click on my username, enter my password, and the laptop boots into a desktop with only the background and no desktop icons, Start Menu, or quick launch icons on the bottom right of the laptop display (pretty much back where I started). I am a little confused about what exactly you mean by ComboFix downloading and installing the Recovery Console. Another issue: in my attempts to get ComboFix to run, I have saved it under several names (Combo--Fix, ComboFix1, DiseaseKiller, etc.).

Should I still proceed the way you requested or you now having the above information, is there a different path to take?

Again your assistance and timely response would be appreciated,

Thanks,
Jeff D.
AdvancedSetup
Okay, download and burn this from the clean computer or a friend's computer if needed. Then run it on the infected computer.


Avira AntiVir Rescue System
Requires access to a working computer with a CD/DVD burner to create a bootable CD.
  • Download the Avira AntiVir Rescue System from here
  • Place a blank CD in your burner and double-click on the downloaded file named rescue_system-common-en.exe
  • If the above link does not work please try this one: here
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • Currently the program does not support saving a log. Write down the number of items for Records, Suspect files, and Warnings.

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues
  1. Please see the post here if you're unable to view the entire screen of Avira.
  2. You can also review this one Fixed Rescue CD Resolution Probs with Dell Video
  3. Currently only the German keyboard is supported. If the command line is not working, English keyboards require workarounds.
  4. Some computers attempt to mount the floppy even though they don't have one. You may need to go in to the BIOS and disable the floppy drive in order to mount your hard drive for scanning.





jgabble
QUOTE (AdvancedSetup @ Oct 31 2009, 07:27 PM) *


Ron,
I'll go back one reply for you. After being able to delete (to the Recycle Bin) all the pseudo-ComboFix names and running the saved (newer) version of "Combo-Fix", here is the log:


ComboFix 09-10-30.01 - Jeff Dick 10/31/2009 14:49.5.1 - NTFSx86
Running from: c:\documents and settings\Jeff Dick\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

-- Previous Run --

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

--------

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_TCPSR
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_6to4
-------\Service_tcpsr
-------\Legacy_isapeep
-------\Service_isapeep


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-31 )))))))))))))))))))))))))))))))
.

2009-10-28 02:10 . 2009-10-28 02:10 -------- d-----w- C:\GenericFix
2009-10-28 01:38 . 2009-10-28 01:53 -------- d-----w- C:\Combo-Fix-09A
2009-10-28 01:04 . 2009-10-28 01:25 -------- d-----w- C:\Combo-Fix-09
2009-10-28 00:55 . 2009-10-28 00:56 -------- d-----w- C:\Combo-Fix
2009-10-28 00:42 . 2009-10-28 00:42 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\Malwarebytes
2009-10-28 00:42 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-28 00:41 . 2009-10-31 06:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-28 00:41 . 2009-10-28 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-28 00:41 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 00:39 . 2009-10-28 00:39 1051168 --sh--w- c:\windows\system32\zogonaha.exe
2009-10-22 22:52 . 2009-10-22 22:52 52224 ----a-w- C:\nvuytlnx.exe
2009-10-22 22:52 . 2009-10-22 22:52 250368 ----a-w- C:\mgilgqug.exe
2009-10-22 22:52 . 2009-10-22 22:52 50176 ----a-w- C:\rpvxjx.exe
2009-10-21 22:49 . 2009-10-21 22:49 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-20 08:38 . 2009-10-17 01:53 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-10-20 08:37 . 2009-10-20 08:38 -------- d-----w- c:\program files\ffdshow
2009-10-20 01:42 . 2009-10-20 01:42 -------- d-----w- c:\program files\GPL MPEG Decoder
2009-10-17 12:31 . 2009-10-17 12:31 -------- d-sh--w- c:\documents and settings\Larry C. Dick\PrivacIE
2009-10-17 12:31 . 2009-10-17 12:31 -------- d-----w- c:\documents and settings\Larry C. Dick\Local Settings\Application Data\Yahoo
2009-10-17 12:31 . 2009-10-17 12:31 -------- d-----w- c:\documents and settings\Larry C. Dick\Application Data\Yahoo!
2009-10-17 09:18 . 2009-10-17 09:19 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\GetRightToGo
2009-10-17 08:27 . 2009-10-17 08:27 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\AVS4YOU
2009-10-17 08:27 . 2009-10-17 08:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-10-17 08:22 . 2009-10-17 08:25 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-10-17 08:22 . 2008-08-13 15:22 974848 ----a-w- c:\windows\system32\mfc70.dll
2009-10-17 08:22 . 2009-10-17 08:25 -------- d-----w- c:\program files\AVS4YOU
2009-10-17 08:18 . 2008-08-13 15:22 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-10-16 22:44 . 2009-10-28 01:07 182912 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-10-16 04:56 . 2009-10-16 04:56 -------- d-----w- c:\program files\Media Player Classic
2009-10-16 04:56 . 2009-10-16 04:56 -------- d-----w- c:\program files\QuickTime Alternative
2009-10-11 21:58 . 2009-10-14 00:09 -------- d-----w- c:\documents and settings\Jeff Dick\Local Settings\Application Data\Temp
2009-10-11 21:56 . 2009-10-28 01:03 -------- d-----w- c:\documents and settings\Jeff Dick\Local Settings\Application Data\Google
2009-10-11 19:14 . 2009-10-11 19:14 -------- d-----w- c:\documents and settings\Larry C. Dick\Application Data\ESTSoft
2009-10-11 19:11 . 2009-10-11 19:11 -------- d-sh--w- c:\documents and settings\Larry C. Dick\IETldCache
2009-10-11 07:53 . 2009-10-11 07:53 33019 ----a-w- c:\windows\system32\CoreAAC-uninstall.exe
2009-10-11 07:51 . 2009-10-11 07:51 -------- d-----w- c:\program files\OpenSource Flash Video Splitter
2009-10-11 07:28 . 2009-10-11 07:29 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\ESTSoft
2009-10-11 07:25 . 2009-10-11 07:25 -------- d-----w- c:\program files\ESTsoft
2009-10-11 07:14 . 2009-10-11 07:14 -------- d-sh--w- c:\documents and settings\Jeff Dick\PrivacIE
2009-10-11 07:02 . 2009-10-11 07:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-11 07:01 . 2009-10-11 07:01 -------- d-sh--w- c:\documents and settings\Jeff Dick\IETldCache
2009-10-11 06:57 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-11 06:56 . 2009-10-28 01:28 -------- d-----w- c:\windows\ie8updates
2009-10-11 06:55 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-11 06:55 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-11 06:55 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-11 06:55 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-10-11 06:55 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-11 06:55 . 2009-07-19 22:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-10-11 06:50 . 2009-10-11 06:52 -------- dc-h--w- c:\windows\ie8
2009-10-11 06:47 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-11 06:45 . 2009-07-10 13:42 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-11 06:45 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-10-11 06:42 . 2009-10-11 06:42 -------- d-----w- c:\documents and settings\Jeff Dick\Local Settings\Application Data\Yahoo
2009-10-11 06:40 . 2009-10-11 06:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-10-11 06:38 . 2009-10-11 06:38 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-31 18:43 . 2003-04-29 19:59 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-31 18:25 . 2006-07-02 23:01 -------- d-----w- c:\program files\Java
2009-10-28 01:07 . 2003-04-29 16:32 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-10-21 22:49 . 2009-10-21 22:48 38 ----a-w- C:\40.tmp
2009-10-21 22:49 . 2009-10-21 22:48 64000 ----a-w- C:\3E.tmp
2009-10-16 04:57 . 2006-06-23 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-16 04:56 . 2006-07-23 04:52 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\Apple Computer
2009-10-11 07:04 . 2006-05-03 05:07 72040 ----a-w- c:\documents and settings\Jeff Dick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-11 06:42 . 2006-06-10 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-10-11 06:40 . 2006-06-10 20:26 -------- d-----w- c:\program files\Yahoo!
2009-08-05 09:11 . 2002-12-12 07:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
[-] 2004-08-04 07:56 . !HASH: COULD NOT OPEN FILE !!!!! . 1032192 . . [------] . . c:\windows\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\explorer.exe
[-] 2002-08-29 . A82B28BFC2E4455FE43022A498C0EF0A . 1004032 . . [6.00.2800.1106] . . c:\windows\$NtServicePackUninstall$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-04-16 258048]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"PmProxy"="c:\program files\Analog Devices\SoundMAX\PmProxy.exe" [2003-03-01 40960]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-01-03 172032]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-12-25 159744]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-22 126976]
"NDSTray.exe"="c:\program files\Toshiba\ConfigFree\NDSTray.exe" [2003-01-18 458752]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-10-17 159744]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-08-27 58488]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2003-04-29 26112]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-06-14 278528]
"HostManager"="c:\program files\Common Files\AOL\1241910677\ee\AOLSoftware.exe" [2006-09-26 50736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-23 282624]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-24 24576]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2003-04-18 88363]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2001-08-04 73728]
"Tpwrtray"="TPWRTRAY.EXE" - c:\windows\system32\TPWRTRAY.EXE [2002-12-10 237568]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-9-14 113664]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2004-5-14 36954]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Image Transfer.lnk - c:\program files\Sony Corporation\Image Transfer\SonyTray.exe [2003-9-14 73728]
MySoftware NewsFlash.lnk - c:\program files\Common Files\MySoftware\NewsFlsh.exe [2003-9-14 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 mrtRate;mrtRate; [x]
R3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;c:\windows\system32\DRIVERS\cben5.sys [2001-08-17 46108]
R3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\Drivers\usbbc.sys [2005-06-10 15576]
S3 wlags48b;Wireless LAN PCCard Driver;c:\windows\system32\DRIVERS\wlags48b.sys [2002-06-28 156672]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - PCIIDEX_2
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2
.
Contents of the 'Scheduled Tasks' folder

2009-10-12 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8063438622.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 07:52]

2009-10-31 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Larry C. Dick.job
- c:\progra~1\NORTON~2\NORTON~1\Navw32.exe [2004-08-30 18:34]

2009-10-22 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-04-29 22:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: {{0264505A-6793-44E0-AC75-9DCE3B13185C} - c:\program files\AT&T\WnClient\Programs\AnyWho.exe
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://aolsvc.aol.com/onlinegames/oberonmajongescape/PTGameLauncher.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{7cc62ac7-3c0b-442d-9849-326be3c36fc6} - vodarowo.dll
AddRemove-ijji.com - c:\ijji\ENGLISH\ijjiUninstall.exe
AddRemove-Tennis - c:\program files\LoveFreeGames\Tennis\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-31 15:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,49,1c,4a,be,3d,d4,54,4b,89,57,4d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,49,1c,4a,be,3d,d4,54,4b,89,57,4d,\
.
Completion time: 2009-10-31 15:13
ComboFix-quarantined-files.txt 2009-10-31 19:13

Pre-Run: 25,532,477,440 bytes free
Post-Run: 25,544,589,312 bytes free

- - End Of File - - 8BFF9C33ABF4603CC065014DE639C78B

Hopefully this should help for the next step to fully restoring the laptop.

Again your assistance and timely response would be appreciated,

Thanks,
Jeff D.


AdvancedSetup
Okay, change your CFscript.txt file to the following and drop it or run it on Combofix again

CODE
KillAll::
File::
Fcopy::
c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe
c:\windows\system32\zogonaha.exe
C:\nvuytlnx.exe
C:\mgilgqug.exe
C:\rpvxjx.exe
C:\40.tmp
C:\3E.tmp
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]


jgabble
QUOTE (AdvancedSetup @ Oct 31 2009, 09:52 PM) *

Ron,

How exactly would I do this? Where do I locate the CFscript.txt file? How would I "drop" it or "run" it on ComboFix?

Your assistance and timely response would again be appreciated,

Thanks,
Jeff D.
AdvancedSetup
I'm sorry. My fault. Please try the following.

Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines
CODE
KILLALL::
Fcopy::
c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe
File::
c:\windows\system32\zogonaha.exe
C:\nvuytlnx.exe
C:\mgilgqug.exe
C:\rpvxjx.exe
C:\40.tmp
C:\3E.tmp
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes, Notepad will open with your results log. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.


jgabble
QUOTE (AdvancedSetup @ Oct 31 2009, 10:15 PM) *
I'm sorry. My fault. Please try the following.

Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines
CODE
KILLALL::
Fcopy::
c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe
File::
c:\windows\system32\zogonaha.exe
C:\nvuytlnx.exe
C:\mgilgqug.exe
C:\rpvxjx.exe
C:\40.tmp
C:\3E.tmp
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.



Ron,

Another stumbling block here: there is nothing visible on my desktop except for the background - so even if I save it to the desktop, the only way I can access it is through the Task Manager and clicking on Browse and locating it in the Desktop folder.

Could I save it to my 5GB Flashdrive on my uninfected laptop then connect it to my infected laptop - I can copy paste it to the laptop, but again, I am unable to see any icons on my desktop. Is there a way to do this and run ComboFix with the script? I also have an old Norton 2005 trial version of AV on the laptop - how can I disable this?

Again your assistance and timely response would be appreciated,

Thanks,
Jeff D.
jgabble
QUOTE (jgabble @ Oct 31 2009, 09:41 PM) *
Ron,

Another stumbling block here: there is nothing visible on my desktop except for the background - so even if I save it to the desktop, the only way I can access it is through the Task Manager and clicking on Browse and locating it in the Desktop folder.

Could I save it to my 5GB Flashdrive on my uninfected laptop then connect it to my infected laptop - I can copy paste it to the laptop, but again, I am unable to see any icons on my desktop. Is there a way to do this and run ComboFix with the script? I also have an old Norton 2005 trial version of AV on the laptop - how can I disable this?

Again your assistance and timely response would be appreciated,

Thanks,
Jeff D.



P.S. - How would I open a new notepad session? I have never done this before.
Thanks again.
AdvancedSetup
You can copy and save it to your desktop and through Task Manager you can run this. Type in NOTEPAD and launch it. Then save the document to the Desktop for your profile.
"C:\Documents and Settings\<username>\Desktop\combofix.exe" "C:\Documents and Settings\<username>\Desktop\cfscript.txt"
Or something like this
%USERPROFILE%\Desktop\combofix.exe %USERPROFILE%\Desktop\cfscript.txt

Where <username> is the name of your account.

Try to run the following first and see if it helps or not.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 6 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.
  1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. rkill.pif
  5. WiNlOgOn.exe
  6. uSeRiNiT.exe


Once you've gotten one of them to run then try to immediately run the Combofix script.
jgabble
QUOTE (AdvancedSetup @ Nov 1 2009, 09:29 AM) *
You can copy and save it to your desktop and through Task Manager you can run this. Type in NOTEPAD and launch it. Then save the document to the Desktop for your profile.
"C:\Documents and Settings\<username>\Desktop\combofix.exe" "C:\Documents and Settings\<username>\Desktop\cfscript.txt"
Or something like this
%USERPROFILE%\Desktop\combofix.exe %USERPROFILE%\Desktop\cfscript.txt

Where <username> is the name of your account.

Try to run the following first and see if it helps or not.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 6 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.
  1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. rkill.pif
  5. WiNlOgOn.exe
  6. uSeRiNiT.exe


Once you've gotten one of them to run then try to immediately run the Combofix script.



Ron,

Here is the log from the most recent ComboFix run (I think with the CFscript - if not, please let me know and I will try it again)

ComboFix 09-10-30.01 - Jeff Dick 11/01/2009 14:49.6.1 - NTFSx86
Running from: F:\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-10-01 to 2009-11-01 )))))))))))))))))))))))))))))))
.

2009-10-28 02:10 . 2009-10-28 02:10 -------- d-----w- C:\GenericFix
2009-10-28 01:38 . 2009-10-28 01:53 -------- d-----w- C:\Combo-Fix-09A
2009-10-28 01:04 . 2009-10-28 01:25 -------- d-----w- C:\Combo-Fix-09
2009-10-28 00:55 . 2009-10-28 00:56 -------- d-----w- C:\Combo-Fix
2009-10-28 00:42 . 2009-10-28 00:42 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\Malwarebytes
2009-10-28 00:42 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-28 00:41 . 2009-10-31 06:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-28 00:41 . 2009-10-28 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-28 00:41 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 00:39 . 2009-10-28 00:39 1051168 --sh--w- c:\windows\system32\zogonaha.exe
2009-10-22 22:52 . 2009-10-22 22:52 52224 ----a-w- C:\nvuytlnx.exe
2009-10-22 22:52 . 2009-10-22 22:52 250368 ----a-w- C:\mgilgqug.exe
2009-10-22 22:52 . 2009-10-22 22:52 50176 ----a-w- C:\rpvxjx.exe
2009-10-21 22:49 . 2009-10-21 22:49 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-20 08:38 . 2009-10-17 01:53 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-10-20 08:37 . 2009-10-20 08:38 -------- d-----w- c:\program files\ffdshow
2009-10-20 01:42 . 2009-10-20 01:42 -------- d-----w- c:\program files\GPL MPEG Decoder
2009-10-17 12:31 . 2009-10-17 12:31 -------- d-sh--w- c:\documents and settings\Larry C. Dick\PrivacIE
2009-10-17 12:31 . 2009-10-17 12:31 -------- d-----w- c:\documents and settings\Larry C. Dick\Local Settings\Application Data\Yahoo
2009-10-17 12:31 . 2009-10-17 12:31 -------- d-----w- c:\documents and settings\Larry C. Dick\Application Data\Yahoo!
2009-10-17 09:18 . 2009-10-17 09:19 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\GetRightToGo
2009-10-17 08:27 . 2009-10-17 08:27 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\AVS4YOU
2009-10-17 08:27 . 2009-10-17 08:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-10-17 08:22 . 2009-10-17 08:25 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-10-17 08:22 . 2008-08-13 15:22 974848 ----a-w- c:\windows\system32\mfc70.dll
2009-10-17 08:22 . 2009-10-17 08:25 -------- d-----w- c:\program files\AVS4YOU
2009-10-17 08:18 . 2008-08-13 15:22 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-10-16 22:44 . 2009-10-28 01:07 182912 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-10-16 04:56 . 2009-10-16 04:56 -------- d-----w- c:\program files\Media Player Classic
2009-10-16 04:56 . 2009-10-16 04:56 -------- d-----w- c:\program files\QuickTime Alternative
2009-10-11 21:58 . 2009-10-14 00:09 -------- d-----w- c:\documents and settings\Jeff Dick\Local Settings\Application Data\Temp
2009-10-11 21:56 . 2009-10-28 01:03 -------- d-----w- c:\documents and settings\Jeff Dick\Local Settings\Application Data\Google
2009-10-11 19:14 . 2009-10-11 19:14 -------- d-----w- c:\documents and settings\Larry C. Dick\Application Data\ESTSoft
2009-10-11 19:11 . 2009-10-11 19:11 -------- d-sh--w- c:\documents and settings\Larry C. Dick\IETldCache
2009-10-11 07:53 . 2009-10-11 07:53 33019 ----a-w- c:\windows\system32\CoreAAC-uninstall.exe
2009-10-11 07:51 . 2009-10-11 07:51 -------- d-----w- c:\program files\OpenSource Flash Video Splitter
2009-10-11 07:28 . 2009-10-11 07:29 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\ESTSoft
2009-10-11 07:25 . 2009-10-11 07:25 -------- d-----w- c:\program files\ESTsoft
2009-10-11 07:14 . 2009-10-11 07:14 -------- d-sh--w- c:\documents and settings\Jeff Dick\PrivacIE
2009-10-11 07:02 . 2009-10-11 07:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-11 07:01 . 2009-10-11 07:01 -------- d-sh--w- c:\documents and settings\Jeff Dick\IETldCache
2009-10-11 06:57 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-11 06:56 . 2009-10-28 01:28 -------- d-----w- c:\windows\ie8updates
2009-10-11 06:55 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-11 06:55 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-11 06:55 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-11 06:55 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-10-11 06:55 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-11 06:55 . 2009-07-19 22:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-10-11 06:50 . 2009-10-11 06:52 -------- dc-h--w- c:\windows\ie8
2009-10-11 06:47 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-11 06:45 . 2009-07-10 13:42 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-11 06:45 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-10-11 06:42 . 2009-10-11 06:42 -------- d-----w- c:\documents and settings\Jeff Dick\Local Settings\Application Data\Yahoo
2009-10-11 06:40 . 2009-10-11 06:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-10-11 06:38 . 2009-10-11 06:38 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-31 19:25 . 2003-04-29 19:59 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-31 18:25 . 2006-07-02 23:01 -------- d-----w- c:\program files\Java
2009-10-28 01:07 . 2003-04-29 16:32 182912 ------w- c:\windows\system32\drivers\ndis.sys
2009-10-21 22:49 . 2009-10-21 22:48 38 ----a-w- C:\40.tmp
2009-10-21 22:49 . 2009-10-21 22:48 64000 ----a-w- C:\3E.tmp
2009-10-16 04:57 . 2006-06-23 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-16 04:56 . 2006-07-23 04:52 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\Apple Computer
2009-10-11 07:04 . 2006-05-03 05:07 72040 ----a-w- c:\documents and settings\Jeff Dick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-11 06:42 . 2006-06-10 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-10-11 06:40 . 2006-06-10 20:26 -------- d-----w- c:\program files\Yahoo!
2009-08-05 09:11 . 2002-12-12 07:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
[-] 2004-08-04 07:56 . !HASH: COULD NOT OPEN FILE !!!!! . 1032192 . . [------] . . c:\windows\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\explorer.exe
[-] 2002-08-29 . A82B28BFC2E4455FE43022A498C0EF0A . 1004032 . . [6.00.2800.1106] . . c:\windows\$NtServicePackUninstall$\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-10-31_19.04.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-04-29 16:32 . 2009-11-01 19:40 47122 c:\windows\system32\perfc009.dat
- 2003-04-29 16:32 . 2009-10-19 23:15 47122 c:\windows\system32\perfc009.dat
+ 2003-04-29 16:32 . 2009-11-01 19:40 368218 c:\windows\system32\perfh009.dat
- 2003-04-29 16:32 . 2009-10-19 23:15 368218 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-04-16 258048]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"PmProxy"="c:\program files\Analog Devices\SoundMAX\PmProxy.exe" [2003-03-01 40960]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-01-03 172032]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-12-25 159744]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-22 126976]
"NDSTray.exe"="c:\program files\Toshiba\ConfigFree\NDSTray.exe" [2003-01-18 458752]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-10-17 159744]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-08-27 58488]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2003-04-29 26112]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-06-14 278528]
"HostManager"="c:\program files\Common Files\AOL\1241910677\ee\AOLSoftware.exe" [2006-09-26 50736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-23 282624]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-24 24576]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2003-04-18 88363]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2001-08-04 73728]
"Tpwrtray"="TPWRTRAY.EXE" - c:\windows\system32\TPWRTRAY.EXE [2002-12-10 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 mrtRate;mrtRate; [x]
R3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;c:\windows\system32\DRIVERS\cben5.sys [2001-08-17 46108]
R3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\Drivers\usbbc.sys [2005-06-10 15576]
S3 wlags48b;Wireless LAN PCCard Driver;c:\windows\system32\DRIVERS\wlags48b.sys [2002-06-28 156672]


--- Other Services/Drivers In Memory ---

*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2
.
Contents of the 'Scheduled Tasks' folder

2009-10-12 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8063438622.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 07:52]

2009-10-31 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Larry C. Dick.job
- c:\progra~1\NORTON~2\NORTON~1\Navw32.exe [2004-08-30 18:34]

2009-10-31 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-04-29 22:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: {{0264505A-6793-44E0-AC75-9DCE3B13185C} - c:\program files\AT&T\WnClient\Programs\AnyWho.exe
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://aolsvc.aol.com/onlinegames/oberonmajongescape/PTGameLauncher.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-01 15:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,49,1c,4a,be,3d,d4,54,4b,89,57,4d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,49,1c,4a,be,3d,d4,54,4b,89,57,4d,\
.
Completion time: 2009-11-01 15:55
ComboFix-quarantined-files.txt 2009-11-01 20:55
ComboFix2.txt 2009-10-31 19:13

Pre-Run: 25,548,931,072 bytes free
Post-Run: 25,520,250,880 bytes free

- - End Of File - - A1D36CA9993AA828050923C3A63D9840


This does not seem to look right.

Your assistance and timely response would be appreciated.

Thanks,
Jeff D.
AdvancedSetup
nope, it says: Running from: F:\ComboFix.exe

If it was correct it would say it was running the CFscript.txt file. Please try it again.
If nothing else try to put the CFscript.txt file on F:\CFscript.txt and then run it like this.

From either Start - Run or in Task Manager - File Run: F:\Combofix.exe f:\cfscript.txt

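The check Ron describes (the log header must name the CFscript.txt file) can be automated. This is an added example, not code from the thread or from ComboFix: it parses the CFScript posted above, looks for the `Command switches used ::` line ComboFix prints when a script was supplied, and confirms that each File:: path appears under the log's Other Deletions banner and that the Fcopy:: pair appears under FCopy. The two log excerpts are constructed, modelled on the logs posted in this thread; the banner text and section layout are assumed from them.

```python
# Added example: does a ComboFix log show that a CFScript was applied?
# Banners and section names follow the logs in this thread; the two log
# excerpts are constructed, not real captured files.
import re
from typing import Dict, List, Optional

# The CFScript posted in the thread, used as sample input.
CFSCRIPT = r"""KILLALL::
Fcopy::
c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe
File::
c:\windows\system32\zogonaha.exe
C:\nvuytlnx.exe
C:\mgilgqug.exe
C:\rpvxjx.exe
C:\40.tmp
C:\3E.tmp
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
"""

# Constructed header of a run started bare: no 'Command switches used' line.
LOG_NO_SCRIPT = r"""ComboFix 09-10-30.01 - Jeff Dick 11/01/2009 14:49.6.1 - NTFSx86
Running from: F:\ComboFix.exe
"""

# Constructed excerpt of a run with CFscript.txt dropped onto ComboFix.exe.
LOG_WITH_SCRIPT = r"""ComboFix 09-10-30.01 - Jeff Dick 11/02/2009 2:31.7.1 - NTFSx86
Running from: c:\documents and settings\Jeff Dick\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jeff Dick\Desktop\CFscript.txt
((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))
.

C:\3E.tmp
C:\40.tmp
C:\mgilgqug.exe
C:\nvuytlnx.exe
C:\rpvxjx.exe
c:\windows\system32\zogonaha.exe

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\explorer.exe --> c:\windows\explorer.exe
.
"""


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its 'Name::' sections (KILLALL:: has no entries)."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith("::"):
            current = line[:-2].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def script_path_used(log: str) -> Optional[str]:
    """The CFScript path ComboFix reports in its header, or None if it ran bare."""
    m = re.search(r"^Command switches used ::\s*(.+?)\s*$", log, re.MULTILINE)
    return m.group(1) if m else None


def _section(log: str, banner: str) -> List[str]:
    """Entries listed under a banner, up to the '.' line that closes the section."""
    lines = log.splitlines()
    start = next((i for i, l in enumerate(lines) if banner in l), None)
    entries: List[str] = []
    for l in lines[start + 1:] if start is not None else []:
        s = l.strip()
        if s.startswith(("(((", "---")) or (s == "." and entries):
            break  # next banner, or the '.' that closes a non-empty section
        if s and s != ".":  # skip blanks and the '.' directly under the banner
            entries.append(s)
    return entries


def verify_run(script_text: str, log: str) -> Dict[str, object]:
    """Report whether the script was used and which of its actions the log confirms."""
    script = parse_cfscript(script_text)
    deleted = {p.casefold() for p in _section(log, "Other Deletions")}
    copied = {l.casefold() for l in _section(log, "FCopy")}
    not_deleted = [p for p in script.get("file", []) if p.casefold() not in deleted]
    fcopy_missing = []
    for entry in script.get("fcopy", []):
        src, dst = (part.strip() for part in entry.split("|", 1))
        if f"{src} --> {dst}".casefold() not in copied:
            fcopy_missing.append(entry)
    return {"script_used": script_path_used(log) is not None,
            "not_deleted": not_deleted, "fcopy_missing": fcopy_missing}
```

Run `verify_run(CFSCRIPT, log_text)` on a saved log: a bare run reports every File:: path as not deleted, which is exactly the situation the first log in this thread shows.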
jgabble
QUOTE (AdvancedSetup @ Nov 1 2009, 09:37 PM) *
nope, it says: Running from: F:\ComboFix.exe

If it was correct it would say it was running the CFscript.txt file.



Okay - I was able to get the CFscript file to run through the Desktop - here is the log:

ComboFix 09-10-30.01 - Jeff Dick 11/02/2009 2:31.7.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.495.218 [GMT -5:00]
Running from: c:\documents and settings\Jeff Dick\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jeff Dick\Desktop\CFscript.txt
* Created a new restore point

FILE ::
"C:\3E.tmp"
"C:\40.tmp"
"C:\mgilgqug.exe"
"C:\nvuytlnx.exe"
"C:\rpvxjx.exe"
"c:\windows\system32\zogonaha.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\3E.tmp
C:\40.tmp
C:\mgilgqug.exe
C:\nvuytlnx.exe
C:\rpvxjx.exe
c:\windows\system32\zogonaha.exe

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\explorer.exe --> c:\windows\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))))))
.

2009-11-02 07:30 . 2004-08-04 05:59 95360 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-02 07:30 . 2004-08-04 05:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-02 07:15 . 2009-10-31 22:31 3430299 ----a-r- C:\ComboFix.exe
2009-10-28 02:10 . 2009-10-28 02:10 -------- d-----w- C:\GenericFix
2009-10-28 01:38 . 2009-10-28 01:53 -------- d-----w- C:\Combo-Fix-09A
2009-10-28 01:04 . 2009-10-28 01:25 -------- d-----w- C:\Combo-Fix-09
2009-10-28 00:55 . 2009-10-28 00:56 -------- d-----w- C:\Combo-Fix
2009-10-28 00:42 . 2009-10-28 00:42 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\Malwarebytes
2009-10-28 00:42 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-28 00:41 . 2009-10-31 06:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-28 00:41 . 2009-10-28 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-28 00:41 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-21 22:49 . 2009-10-21 22:49 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-20 08:38 . 2009-10-17 01:53 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-10-20 08:37 . 2009-10-20 08:38 -------- d-----w- c:\program files\ffdshow
2009-10-20 01:42 . 2009-10-20 01:42 -------- d-----w- c:\program files\GPL MPEG Decoder
2009-10-17 12:31 . 2009-10-17 12:31 -------- d-sh--w- c:\documents and settings\Larry C. Dick\PrivacIE
2009-10-17 12:31 . 2009-10-17 12:31 -------- d-----w- c:\documents and settings\Larry C. Dick\Local Settings\Application Data\Yahoo
2009-10-17 12:31 . 2009-10-17 12:31 -------- d-----w- c:\documents and settings\Larry C. Dick\Application Data\Yahoo!
2009-10-17 09:18 . 2009-10-17 09:19 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\GetRightToGo
2009-10-17 08:27 . 2009-10-17 08:27 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\AVS4YOU
2009-10-17 08:27 . 2009-10-17 08:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-10-17 08:22 . 2009-10-17 08:25 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-10-17 08:22 . 2008-08-13 15:22 974848 ----a-w- c:\windows\system32\mfc70.dll
2009-10-17 08:22 . 2009-10-17 08:25 -------- d-----w- c:\program files\AVS4YOU
2009-10-17 08:18 . 2008-08-13 15:22 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-10-16 22:44 . 2009-10-28 01:07 182912 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-10-16 04:56 . 2009-10-16 04:56 -------- d-----w- c:\program files\Media Player Classic
2009-10-16 04:56 . 2009-10-16 04:56 -------- d-----w- c:\program files\QuickTime Alternative
2009-10-11 21:58 . 2009-10-14 00:09 -------- d-----w- c:\documents and settings\Jeff Dick\Local Settings\Application Data\Temp
2009-10-11 21:56 . 2009-10-28 01:03 -------- d-----w- c:\documents and settings\Jeff Dick\Local Settings\Application Data\Google
2009-10-11 19:14 . 2009-10-11 19:14 -------- d-----w- c:\documents and settings\Larry C. Dick\Application Data\ESTSoft
2009-10-11 19:11 . 2009-10-11 19:11 -------- d-sh--w- c:\documents and settings\Larry C. Dick\IETldCache
2009-10-11 07:53 . 2009-10-11 07:53 33019 ----a-w- c:\windows\system32\CoreAAC-uninstall.exe
2009-10-11 07:51 . 2009-10-11 07:51 -------- d-----w- c:\program files\OpenSource Flash Video Splitter
2009-10-11 07:28 . 2009-10-11 07:29 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\ESTSoft
2009-10-11 07:25 . 2009-10-11 07:25 -------- d-----w- c:\program files\ESTsoft
2009-10-11 07:14 . 2009-10-11 07:14 -------- d-sh--w- c:\documents and settings\Jeff Dick\PrivacIE
2009-10-11 07:02 . 2009-10-11 07:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-11 07:01 . 2009-10-11 07:01 -------- d-sh--w- c:\documents and settings\Jeff Dick\IETldCache
2009-10-11 06:57 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-11 06:56 . 2009-10-28 01:28 -------- d-----w- c:\windows\ie8updates
2009-10-11 06:55 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-11 06:55 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-11 06:55 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-11 06:55 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-10-11 06:55 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-11 06:55 . 2009-07-19 22:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-10-11 06:50 . 2009-10-11 06:52 -------- dc-h--w- c:\windows\ie8
2009-10-11 06:47 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-11 06:45 . 2009-07-10 13:42 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-11 06:45 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-10-11 06:42 . 2009-10-11 06:42 -------- d-----w- c:\documents and settings\Jeff Dick\Local Settings\Application Data\Yahoo
2009-10-11 06:40 . 2009-10-11 06:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-10-11 06:38 . 2009-10-11 06:38 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 07:45 . 2003-04-29 19:59 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-31 18:25 . 2006-07-02 23:01 -------- d-----w- c:\program files\Java
2009-10-28 01:07 . 2003-04-29 16:32 182912 ------w- c:\windows\system32\drivers\ndis.sys
2009-10-16 04:57 . 2006-06-23 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-16 04:56 . 2006-07-23 04:52 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\Apple Computer
2009-10-11 07:04 . 2006-05-03 05:07 72040 ----a-w- c:\documents and settings\Jeff Dick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-11 06:42 . 2006-06-10 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-10-11 06:40 . 2006-06-10 20:26 -------- d-----w- c:\program files\Yahoo!
2009-08-05 09:11 . 2002-12-12 07:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-31_19.04.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-04-29 16:32 . 2009-11-02 08:04 47122 c:\windows\system32\perfc009.dat
- 2003-04-29 16:32 . 2009-10-19 23:15 47122 c:\windows\system32\perfc009.dat
+ 2003-04-29 16:32 . 2009-11-02 08:04 368218 c:\windows\system32\perfh009.dat
- 2003-04-29 16:32 . 2009-10-19 23:15 368218 c:\windows\system32\perfh009.dat
+ 2003-04-29 16:31 . 2004-08-04 07:56 1032192 c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-04-16 258048]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"PmProxy"="c:\program files\Analog Devices\SoundMAX\PmProxy.exe" [2003-03-01 40960]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-01-03 172032]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-12-25 159744]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-22 126976]
"NDSTray.exe"="c:\program files\Toshiba\ConfigFree\NDSTray.exe" [2003-01-18 458752]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-10-17 159744]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-08-27 58488]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2003-04-29 26112]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-06-14 278528]
"HostManager"="c:\program files\Common Files\AOL\1241910677\ee\AOLSoftware.exe" [2006-09-26 50736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-23 282624]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-24 24576]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2003-04-18 88363]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2001-08-04 73728]
"Tpwrtray"="TPWRTRAY.EXE" - c:\windows\system32\TPWRTRAY.EXE [2002-12-10 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S2 mrtRate;mrtRate; [x]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;c:\windows\system32\drivers\cben5.sys [4/29/2003 5:00 AM 46108]

--- Other Services/Drivers In Memory ---

*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2
.
Contents of the 'Scheduled Tasks' folder

2009-10-12 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8063438622.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 07:52]

2009-10-31 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Larry C. Dick.job
- c:\progra~1\NORTON~2\NORTON~1\Navw32.exe [2004-08-30 18:34]

2009-10-31 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-04-29 22:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: {{0264505A-6793-44E0-AC75-9DCE3B13185C} - c:\program files\AT&T\WnClient\Programs\AnyWho.exe
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://aolsvc.aol.com/onlinegames/oberonmajongescape/PTGameLauncher.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-02 03:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2392)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\brsvc01a.exe
c:\windows\System32\brss01a.exe
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\windows\System32\DRIVERS\CDANTSRV.EXE
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\windows\wanmpsvc.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\System32\bcmwltry.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\America Online 9.0\aoltray.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
c:\program files\Sony Corporation\Image Transfer\SonyTray.exe
c:\program files\Common Files\MySoftware\NewsFlsh.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
.
**************************************************************************
.
Completion time: 2009-11-02 3:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-02 08:19
ComboFix2.txt 2009-11-01 20:55
ComboFix3.txt 2009-10-31 19:13

Pre-Run: 25,502,244,864 bytes free
Post-Run: 25,456,463,872 bytes free

- - End Of File - - 9F20BE80A1E5B4ECA1E57589E9206808



Some good news out of this: the Desktop has reappeared. Ready to go to the next step to cleaning this laptop completely.

Your assistance and timely response would be appreciated.

Thanks,
Jeff D.
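The registry section of the ComboFix log above records Security Center monitoring switched off for both Symantec products (DisableMonitoring = 1), the Windows Firewall standard profile disabled (EnableFirewall = 0), and three programs on the firewall exception list. The following is an added example, not part of the log, of ComboFix or of the forum's own tooling: it parses that section and flags exactly those settings. SAMPLE_LOG is copied from the posted lines, and the key names it matches are only the ones shown there. One caveat a practitioner would keep in mind: some third-party suites set DisableMonitoring on their own vendor key when they take over Security Center alerting, so a hit is something to confirm against the product's own status rather than proof of tampering.

```python
"""Flag security-weakening settings in a ComboFix-style registry dump.

Added example. SAMPLE_LOG is a constructed copy of the registry section of
the ComboFix log posted above; the checks cover only the keys shown there.
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_value(raw):
    """Normalize the value formats ComboFix prints: dword:HEX, 'N (0xN)', or empty."""
    raw = raw.strip()
    m = re.fullmatch(r'dword:([0-9a-fA-F]{8})', raw)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r'(\d+) \(0x[0-9a-fA-F]+\)', raw)
    if m:
        return int(m.group(1))
    return raw  # empty string for the '"path"=' exception-list entries


def parse_registry_section(text):
    """Return {key_path: {value_name: value}} for every [key] block in text."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = parse_value(m.group(2))
    return keys


def audit(text):
    """Flag settings that weaken the host's own defences (keys as seen in the log)."""
    report = {"monitoring_disabled": [], "firewall_enabled": None,
              "firewall_exceptions": []}
    for key, values in parse_registry_section(text).items():
        k = key.lower()
        if "security center\\monitoring" in k and values.get("DisableMonitoring") == 1:
            # Last path component names the product whose Security Center alerts are off.
            report["monitoring_disabled"].append(key.rsplit("\\", 1)[-1])
        elif k.endswith("firewallpolicy\\standardprofile"):
            if "EnableFirewall" in values:
                report["firewall_enabled"] = values["EnableFirewall"] == 1
        elif k.endswith("authorizedapplications\\list"):
            # Each value name is an exception path; ComboFix doubles the backslashes.
            report["firewall_exceptions"].extend(
                name.replace("\\\\", "\\") for name in values)
    return report


if __name__ == "__main__":
    for item, value in audit(SAMPLE_LOG).items():
        print(f"{item}: {value}")
```

On a live XP machine the same questions are answered by `netsh firewall show state` and by comparing the Security Center status against the product's own console; the parser is for reading the log after the fact.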

jgabble
Ron,

I decided to run a quick scan of Malwarebytes (version 3069 - not the newest but better than the 2775 version I had previously - still gave me the 732(0,0) error when I tried to update this).

Here is the log:

Malwarebytes' Anti-Malware 1.41
Database version: 3063
Windows 5.1.2600 Service Pack 2

11/2/2009 7:57:23 PM
mbam-log-2009-11-02 (19-57-23).txt

Scan type: Quick Scan
Objects scanned: 122029
Time elapsed: 6 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Active Security (Rogue.ActiveSecurity) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Jeff Dick\Desktop\uSeRiNiT.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Your assistance and timely response would be appreciated.

Thanks,
Jeff D.
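The MBAM log above has a fixed shape: a header, a block of per-category counts, then one section per category listing each detection as `item (ThreatName) -> action`. Here is an added example, not part of the log or of Malwarebytes' own code, that parses that format, checks that the counts agree with the listed items, and applies a simple approximation of what the second detection illustrates: a file on the Desktop named after a core Windows binary (uSeRiNiT.exe mimics userinit.exe). SAMPLE_MBAM_LOG is copied from the posted log; SYSTEM_NAMES and the "outside c:\windows" rule in `spoofed_system_name` are my own simplification, not Malwarebytes' heuristic.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x log and sanity-check it.

Added example. SAMPLE_MBAM_LOG is a constructed copy of the log posted above.
"""
import re

SAMPLE_MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 3063
Windows 5.1.2600 Service Pack 2

11/2/2009 7:57:23 PM
mbam-log-2009-11-02 (19-57-23).txt

Scan type: Quick Scan
Objects scanned: 122029
Time elapsed: 6 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Active Security (Rogue.ActiveSecurity) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Jeff Dick\Desktop\uSeRiNiT.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""

HEADER_RE = re.compile(r'^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$')
SUMMARY_RE = re.compile(r'^([A-Za-z ]+ Infected): (\d+)$')
SECTION_RE = re.compile(r'^([A-Za-z ]+ Infected):$')
DETECTION_RE = re.compile(r'^(.*) \(([^()]+)\) -> (.+?)\.?$')

# Assumption for the spoof check: these names belong in c:\windows (explorer.exe)
# or c:\windows\system32; a same-named file anywhere else is worth a look.
SYSTEM_NAMES = {"userinit.exe", "explorer.exe", "winlogon.exe", "lsass.exe",
                "csrss.exe", "svchost.exe", "services.exe", "smss.exe"}


def parse_mbam_log(text):
    """Return header fields, per-category counts and the listed detections."""
    info = {"summary": {}, "detections": {}}
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            info[m.group(1).lower().replace(" ", "_")] = m.group(2)
            continue
        m = SUMMARY_RE.match(line)
        if m:
            info["summary"][m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            info["detections"].setdefault(section, [])
            continue
        if section and line != "(No malicious items detected)":
            m = DETECTION_RE.match(line)
            if m:
                info["detections"][section].append(
                    {"item": m.group(1), "threat": m.group(2), "action": m.group(3)})
    return info


def reconcile(info):
    """Sections whose summary count and listed items disagree: {section: (count, listed)}."""
    listed = {s: len(v) for s, v in info["detections"].items()}
    return {s: (n, listed.get(s, 0)) for s, n in info["summary"].items()
            if n != listed.get(s, 0)}


def threats(info):
    """Sorted set of threat names across all sections."""
    return sorted({d["threat"] for items in info["detections"].values() for d in items})


def spoofed_system_name(path):
    """True if the basename is a core Windows binary name but the file sits outside c:\\windows."""
    p = path.replace("/", "\\").lower()
    base = p.rsplit("\\", 1)[-1]
    return base in SYSTEM_NAMES and not p.startswith("c:\\windows\\")


if __name__ == "__main__":
    info = parse_mbam_log(SAMPLE_MBAM_LOG)
    print("database", info["database_version"], "threats", threats(info))
    print("mismatches", reconcile(info))
```

The reconcile step matters when logs are pasted into a thread: a count that does not match the listed items usually means the paste was cut short, and the missing lines are the ones a helper most needs to see.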
AdvancedSetup
Okay, please run the following AV scanner and we'll see what it finds.

Please temporarily disable your current Anti-Virus in order to run this Online Scanner.
Using Internet Explorer:
  • Vista and Windows 7 users need to right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
  • Click here to run the Eset Online Scanner using Internet Explorer.
  • Click on the ESET Online Scanner button.
  • Click on the checkbox Yes, I accept the Terms of Use and click on the Start button.
  • By default the ActiveX installer will be blocked by Internet Explorer. You should see a yellow banner at the top of the Window.
  • Click the top of the Window and select "Run ActiveX Control" and then click the Run button on the next dialog box.
  • Click the Retry button if prompted to resend the request to load and run the ActiveX control from ESET
  • Make sure you Uncheck the Remove found threats checkbox in case we need you to submit a copy of any files found.
  • Click on the Advanced settings selection in the middle and place a checkmark on the following items
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • Under Current scan targets: click the Change... item and make sure it's set to Local drives and the Operating memory
  • Then click on the Start button and it will start downloading signature database files to update the program
  • Once the database files are downloaded it should automatically start scanning your system for threats.
  • When the scanner is done please click on the List of found threats and click on Export to text file...
  • Save the file as NOD32_SCAN.TXT to your Desktop
  • Click the << Back button. For now do not uninstall the program or delete the quarantine files, just click the Finish button.
  • The next screen is advertisement to purchase the product. You can just close that window for now.
  • If we need to run the program later on, it can be run from here: C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
  • Open the file you saved to your Desktop as NOD32_SCAN.TXT and select all and copy/paste it back on your next reply

Using Another Browser
  • Please click here to launch the application which installs and launches ESET Online Scanner in a separate window.
  • You will first need to save the file to your Desktop and double-click on it to run it. Vista and Windows 7 users need to right-click and choose "Run as Administrator"
  • You should be prompted with "Do you want to run this file?", click on the Run button.
  • Click on the checkbox Yes, I accept the Terms of Use and click on the Start button.
  • The program will download further files to use with the scanner and allow you to change options.
  • Make sure you Uncheck the Remove found threats checkbox in case we need you to submit a copy of any files found.
  • Click on the Advanced settings selection in the middle and place a checkmark on the following items
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • Under Current scan targets: click the Change... item and make sure it's set to Local drives and the Operating memory
  • Then click on the Start button and it will start downloading signature database files to update the program
  • Once the database files are downloaded it should automatically start scanning your system for threats.
  • When the scanner is done please click on the List of found threats and click on Export to text file...
  • Save the file as NOD32_SCAN.TXT to your Desktop
  • Click the << Back button. For now do not uninstall the program or delete the quarantine files, just click the Finish button.
  • The next screen is advertisement to purchase the product. You can just close that window for now.
  • If we need to run the program later on, it can be run from here: C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
  • Open the file you saved to your Desktop as NOD32_SCAN.TXT and select all and copy/paste it back on your next reply


jgabble
QUOTE (AdvancedSetup @ Nov 3 2009, 06:54 AM) *
Okay, please run the following AV scanner and we'll see what it finds.

Ron,

Here is the file you requested:

C:\Qoobox\Quarantine\C\ntldrs.vir Win32/Spy.Zbot.JF trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Seekmo\seekmo.exe.vir a variant of Win32/Adware.180Solutions application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Seekmo\seekmohook.dll.vir Win32/Adware.180Solutions application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\ClientAX.dll.vir Win32/Adware.180Solutions application cleaned by deleting - quarantined
F:\SDFix.exe Win32/PrcView application deleted - quarantined
F:\SmitfraudFix.exe multiple threats deleted - quarantined
F:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP233\A0024693.inf Win32/AutoRun.Agent.EF worm cleaned by deleting - quarantined
F:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP233\A0024694.inf Win32/AutoRun.Agent.EF worm cleaned by deleting - quarantined
F:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP236\A0025830.inf Win32/AutoRun.Agent.EF worm cleaned by deleting - quarantined
F:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP238\A0026020.inf Win32/AutoRun.Agent.EF worm cleaned by deleting - quarantined
F:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP7\A0002089.exe Win32/PrcView application deleted - quarantined
F:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP7\A0002090.exe multiple threats deleted - quarantined
F:\SmitfraudFix\Process.exe Win32/PrcView application cleaned by deleting - quarantined
F:\SmitfraudFix\restart.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined


The "F:" files are from my 5 GB flash drive - I had left it connected in one of the laptop's USB ports - so only pay attention to the "C:" files.

Your assistance and timely response would be appreciated.

Thanks,
Jeff D.
AdvancedSetup
Please try the following.


Show Hidden Files and Folders:
  • Click Start and select My Computer
  • Click the Tools item from the menu at the top of the window (if you don't see Tools press the Alt key on your keyboard and it will appear)
  • Select Folder Options
  • Click the View tab and make sure Show hidden files and folders is selected under Hidden files and folders
  • Next, uncheck the box next to Hide protected operating system files (Recommended)
  • Then, uncheck the box next to Hide extensions for known filetypes
  • Click Apply then click OK

Then go to C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware and delete the rules.ref file.
Then just open the scanner (mbam.exe) and it will tell you there's a problem with the database and ask to download a new copy, just let it do so.
jgabble
QUOTE (AdvancedSetup @ Nov 4 2009, 05:07 AM) *
Please try the following.

Ron,

I followed all instructions but when prompted to download a new copy, I still received the error with "Error code: 732 (0,0)"

Your assistance and timely response would be appreciated.

Thanks,
Jeff D.

I t
jgabble
QUOTE (jgabble @ Nov 4 2009, 05:31 AM) *
I followed all instructions but when prompted to download a new copy, I still received the error with "Error code: 732 (0,0)"

P.S. - Do I have to have an Internet connection to do this? If so, I will connect and try again.
jgabble
QUOTE (jgabble @ Nov 4 2009, 05:31 AM) *
I followed all instructions but when prompted to download a new copy, I still received the error with "Error code: 732 (0,0)"

P.P.S. - OK, I was able to do this - I now have the latest version (3097) and am currently performing a full scan. Would it also be wise to perform a full scan in Safe Mode, as I did this for my other infected laptop and discovered some "infected objects" that were not discovered in normal Windows mode?

Ready to go to the next step to get this laptop cleaned up.

Thanks,
Jeff D.
AdvancedSetup
Please post back the MBAM log when you have it.
jgabble
QUOTE (AdvancedSetup @ Nov 4 2009, 08:33 AM) *
Please post back the MBAM log when you have it.



Ron,

I ran MBAM in both Normal and Safe mode and came up with no infected files. I will still post the logs when I get home from work (approx. 7:00pm Eastern Standard Time).

thanks,
Jeff D.
jgabble
QUOTE (jgabble @ Nov 4 2009, 05:56 PM) *
I ran MBAM in both Normal and Safe mode and came up with no infected files. I will still post the logs when I get home from work (approx. 7:00pm Eastern Standard Time).

Ron,

Here is the log for MBAM:

Malwarebytes' Anti-Malware 1.41
Database version: 3097
Windows 5.1.2600 Service Pack 2

11/4/2009 1:45:31 AM
mbam-log-2009-11-04 (01-45-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 193549
Time elapsed: 1 hour(s), 7 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Here is the Safe Mode log:

Malwarebytes' Anti-Malware 1.41
Database version: 3097
Windows 5.1.2600 Service Pack 2 (Safe Mode)

11/4/2009 3:04:25 AM
mbam-log-2009-11-04 (03-04-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 192209
Time elapsed: 36 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Your assistance and timely response would be appreciated.

Thanks,
Jeff D.
AdvancedSetup
Okay, that's good. We seem to have removed the Malware and our program MBAM is now running again.

How is the computer running now?
Are there still any signs of an infection?

Are there any other left over issues you have questions about?
AdvancedSetup
Please post an update on this.
AdvancedSetup
I'll be closing your post soon, please post back if you have any questions.
jgabble
QUOTE (AdvancedSetup @ Nov 7 2009, 02:55 AM) *
I'll be closing your post soon, please post back if you have any questions.



Ron,

The laptop seems to be working fine. I installed a 60-day full trial version of AV software (Norton 2010) to reinforce security against trojans and viruses. Could you describe the function of the specific CFScript you created for ComboFix that removed the bulk of the malware infecting the laptop? I would be interested to know.

Thanks again for your assistance with restoring the laptop.

Jeff D.
AdvancedSetup
You had an infected copy of Explorer.exe, which we had CF replace, and CF also removed some other infected files on the system that should not have been there.

Please click on START - RUN and type in COMBOFIX.EXE /U to remove Combofix. Then review the following.



I'll close your post soon so that others don't post into it, and leave you with this information and these suggestions.

So how did I get infected in the first place?


At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.
Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Remove all but the most recent Restore Point on Windows XP

You should Create a New Restore Point to prevent possible reinfection from an old one.
Some of the malware you picked up could have been saved in System Restore.
Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point.
Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • If the shortcut is missing you can also click on START > RUN > and type in %SystemRoot%\system32\restore\rstrui.exe and click OK
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
  • Give the new Restore Point a name, then click "Create".
  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use the Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr.exe
  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
  • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available, remove it as well.
  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.



Additional information
Microsoft KB article: How to turn off and turn on System Restore in Windows XP
Bert Kinney's site: All about Windows System Restore


Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster
Download it from here
You can find a tutorial on how to use SpywareBlaster here

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install hpHosts
Download it from here
hpHosts is a community-managed and -maintained hosts file that adds a layer of protection against access to ad, tracking and malicious websites. It prevents your computer from connecting to these untrusted sites by redirecting their names to 127.0.0.1, which is your own local computer.
hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic, and this is a must.
I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.



Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply them to your machine unless you fully understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions


Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help
If you're pleased with Malwarebytes and the service provided to you, please let your friends, family, and co-workers know. http://www.malwarebytes.org
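The hosts-file blocking that hpHosts relies on, as an added example that is not part of the post above or of hpHosts itself: a parser that reads a hosts file, collects the names pinned to a local address (127.0.0.1, 0.0.0.0 or ::1) as the blocklist, and separately reports any entry that points a name somewhere else. A blocking hosts file should contain only local addresses, so a non-local entry is either a deliberate local override or something to investigate. SAMPLE_HOSTS is constructed, and the `.test` names are placeholders.

```python
"""Parse a hosts file into a blocklist and flag non-local redirects.

Added example. SAMPLE_HOSTS is a constructed, hpHosts-style fragment; real
lists run to tens of thousands of lines.
"""
import ipaddress

SAMPLE_HOSTS = """\
# constructed sample in hpHosts style
127.0.0.1\tlocalhost
::1\tlocalhost
127.0.0.1\tads.example-tracker.test   # inline comment
127.0.0.1\tmalware.example-bad.test
0.0.0.0\ttelemetry.example-bad.test
10.0.0.5\tupdate.example-vendor.test   # not a local address: suspicious
"""


def parse_hosts(text):
    """Yield (line_no, ip_address, hostname) for every valid mapping in text."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments, tolerate tabs/spaces
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; the resolver ignores it too
        for name in parts[1:]:
            entries.append((n, addr, name.lower().rstrip(".")))
    return entries


def classify(text):
    """Split mappings into the blocklist (local targets) and suspicious non-local ones."""
    blocked, suspicious = set(), []
    for n, addr, name in parse_hosts(text):
        if name == "localhost":
            continue  # the one name that legitimately maps to loopback
        if addr.is_loopback or addr.is_unspecified:
            blocked.add(name)
        else:
            suspicious.append((n, name, str(addr)))
    return blocked, suspicious


def is_blocked(text, hostname):
    """True if hostname would be sinkholed by this hosts file."""
    return hostname.lower().rstrip(".") in classify(text)[0]


if __name__ == "__main__":
    blocked, suspicious = classify(SAMPLE_HOSTS)
    print(f"{len(blocked)} names blocked")
    for n, name, addr in suspicious:
        print(f"line {n}: {name} -> {addr} (non-local target)")
```

Two details worth knowing when maintaining such a file by hand: 0.0.0.0 is often preferred over 127.0.0.1 because it avoids a connection attempt to any web server that happens to be listening locally, and the hosts file applies only to name lookups, so anything that connects by raw IP address is unaffected.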
