Hey guys,

So my girlfriends computer has a virus on it called Windows System Defender. It installed itself while browsing the internet, no we don't remember what site it was. I looked up ways to remove it and I did everything it said to do and even removed an instances of it from the Registry. It still persists and continues to come back. After running a bunch of virus scanners it appears that I have gotten rid of the original virus but now have a new one that we can't figure out what it is and won't pop up on virus scanners. It also won't let us boot up in safe mood. It gives us a blank blue screen when we try to do so. I have posted a HJT log to see if that will show anything. Any help is much appreciated. Thanks.

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Uncheck "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Uncheck "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.



Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:


Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  Note: Combofix will run without the Recovery Console installed.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
"copy/paste" a new HijackThis log file into this thread as well.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it atleast 20-30 minutes to finish if needed.


Also please describe how your computer behaves at the moment.

Okay I ran combofix and the ATF cleaner. I attached the combofix log to this post. Also the computer runs fine besides not letting us boot into any of the safe modes and redirecting us if we click on links sometimes. Also it will pop up with the Windows System Defender page saying that we have virus's and to install an antivirus. For safe mode, it loads up the drivers and then produces a blank blue screen.

Here is the new HJT log



Thank you for your help so far, we really appreciate it.

Please use copy / paste and post combofix file. I can't read it like this

ComboFix 09-11-07.02 - Diane 11/07/2009 18:38.1.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1430 [GMT -6:00] Running from: c:\documents and settings\Diane\My Documents\Downloads\ComboFix.exe AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5} FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Pat\My Documents\ZbThumbnail.info c:\windows\MailSwitch.ocx c:\windows\system32\Data Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected Restored copy from - Kitty ate it . ((((((((((((((((((((((((( Files Created from 2009-10-08 to 2009-11-08 ))))))))))))))))))))))))))))))) . 2009-11-06 06:58 . 2009-11-06 06:58 127872 ----a-w- c:\documents and settings\Diane\Application Data\Move Networks\uninstall.exe 2009-11-06 06:58 . 2009-11-06 19:44 -------- d-----w- c:\documents and settings\Diane\Application Data\Move Networks 2009-11-04 05:10 . 2009-11-04 05:10 -------- d-----w- c:\program files\CCleaner 2009-11-04 04:01 . 2009-11-04 05:00 -------- d---a-w- c:\documents and settings\All

ComboFix 09-11-07.02 - Diane 11/07/2009 18:38.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1430 [GMT -6:00]
Running from: c:\documents and settings\Diane\My Documents\Downloads\ComboFix.exe
AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Pat\My Documents\ZbThumbnail.info
c:\windows\MailSwitch.ocx
c:\windows\system32\Data

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it
.
((((((((((((((((((((((((( Files Created from 2009-10-08 to 2009-11-08 )))))))))))))))))))))))))))))))
.

2009-11-06 06:58 . 2009-11-06 06:58 127872 ----a-w- c:\documents and settings\Diane\Application Data\Move Networks\uninstall.exe
2009-11-06 06:58 . 2009-11-06 19:44 -------- d-----w- c:\documents and settings\Diane\Application Data\Move Networks
2009-11-04 05:10 . 2009-11-04 05:10 -------- d-----w- c:\program files\CCleaner
2009-11-04 04:01 . 2009-11-04 05:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-04 01:20 . 2009-11-04 01:20 -------- d-----w- c:\program files\Alwil Software
2009-11-04 01:20 . 2009-11-04 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-04 01:20 . 2009-11-04 01:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-04 01:19 . 2009-11-04 01:19 -------- d--h--r- c:\documents and settings\Diane\Application Data\yahoo!
2009-11-04 01:19 . 2009-11-04 01:19 -------- d--h--w- c:\windows\PIF
2009-11-03 21:01 . 2009-07-28 22:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-03 05:24 . 2009-11-03 05:24 117760 ----a-w- c:\documents and settings\Diane\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-03 05:23 . 2009-11-04 01:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-03 05:23 . 2009-11-03 05:23 -------- d-----w- c:\documents and settings\Diane\Application Data\SUPERAntiSpyware.com
2009-11-03 03:43 . 2009-11-03 03:43 -------- d-----w- c:\documents and settings\Pat\Application Data\Malwarebytes
2009-11-02 07:02 . 2009-08-29 07:36 6067200 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-11-02 07:02 . 2009-08-29 07:36 52224 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-11-02 07:02 . 2009-08-29 07:36 459264 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-11-02 07:02 . 2009-08-29 07:36 268288 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-11-02 07:02 . 2009-08-29 07:36 63488 ------w- c:\windows\system32\dllcache\icardie.dll
2009-11-02 07:02 . 2009-08-29 07:36 380928 ------w- c:\windows\system32\dllcache\ieapfltr.dll
2009-11-02 07:02 . 2009-08-28 10:28 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-11-02 07:02 . 2009-06-29 08:33 2452872 ------w- c:\windows\system32\dllcache\ieapfltr.dat
2009-11-02 01:42 . 2009-11-02 01:42 -------- d-----w- c:\documents and settings\Diane\Application Data\Malwarebytes
2009-11-02 01:42 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-02 01:42 . 2009-11-02 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-02 01:42 . 2009-11-04 01:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-02 01:42 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-02 00:42 . 2009-10-29 05:01 443384 ----a-w- c:\documents and settings\All Users\Application Data\e240f33\sqlite3.dll
2009-11-02 00:42 . 2009-10-29 05:01 710136 ----a-w- c:\documents and settings\All Users\Application Data\e240f33\mozcrt19.dll
2009-11-02 00:42 . 2009-11-02 02:13 -------- d-sh--w- c:\documents and settings\All Users\Application Data\e240f33
2009-11-02 00:40 . 2009-11-02 00:40 -------- d-s---w- c:\documents and settings\Diane\UserData
2009-11-01 14:37 . 2009-11-01 14:37 -------- d-----w- c:\documents and settings\Diane\Local Settings\Application Data\Nova Development
2009-10-23 17:50 . 2009-10-23 17:50 -------- d-----w- c:\documents and settings\Diane\Local Settings\Application Data\MTV Networks
2009-10-23 17:50 . 2009-10-23 17:51 -------- d-----w- c:\documents and settings\Diane\Application Data\Creative
2009-10-22 16:18 . 2009-11-02 22:14 -------- d-----w- c:\documents and settings\Diane\Application Data\Corel
2009-10-18 20:10 . 2009-10-18 20:10 -------- d-----w- c:\documents and settings\Diane\Application Data\AdobeUM
2009-10-18 20:09 . 2009-10-18 20:09 -------- d-----w- c:\documents and settings\Diane\Local Settings\Application Data\Adobe
2009-10-17 22:24 . 2009-11-03 02:01 -------- d-----w- c:\documents and settings\Diane\Local Settings\Application Data\Temp
2009-10-17 07:11 . 2009-10-17 07:11 -------- d-----w- c:\documents and settings\Diane\Local Settings\Application Data\Intuit
2009-10-17 07:10 . 2009-10-17 07:10 -------- d-----w- c:\documents and settings\Diane\Application Data\Intuit
2009-10-15 07:03 . 2009-10-28 02:45 123128 ----a-w- c:\documents and settings\Diane\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-15 07:02 . 2009-10-15 07:57 -------- d-----w- c:\documents and settings\Diane\Local Settings\Application Data\Powercinema
2009-10-15 07:02 . 2009-10-15 07:02 -------- d-----w- c:\documents and settings\Diane\Application Data\CyberLink
2009-10-14 13:19 . 2005-06-06 16:29 110592 ----a-w- c:\documents and settings\Diane\Application Data\U3\temp\cleanup.exe
2009-10-14 05:19 . 2009-11-02 14:41 -------- d-----w- c:\documents and settings\Diane\Application Data\U3
2009-10-14 04:14 . 2006-04-10 19:03 38400 ----a-w- c:\windows\system32\hpz3l054.dll
2009-10-14 04:13 . 2009-10-14 04:13 -------- d-----w- c:\program files\HP
2009-10-14 04:05 . 2009-10-14 04:27 110470 ----a-w- c:\windows\hpoins11.dat
2009-10-14 04:05 . 2005-07-19 01:38 98304 ----a-w- c:\windows\system32\hpzjsn01.dll
2009-10-14 04:05 . 2006-04-13 00:02 659456 ----a-w- c:\windows\system32\hpowiax2.dll
2009-10-14 04:05 . 2006-04-13 00:02 254026 ----a-w- c:\windows\system32\hpovst09.dll
2009-10-14 04:05 . 2006-04-13 00:02 827392 ----a-w- c:\windows\system32\hpotiop2.dll
2009-10-14 04:05 . 2006-01-04 08:12 77824 ----a-w- c:\windows\system32\HPZIDS01.dll
2009-10-14 04:05 . 2006-05-06 03:10 6947 ----a-w- c:\windows\hpomdl11.dat
2009-10-14 03:28 . 2009-10-14 03:28 -------- d-----w- c:\documents and settings\Diane\Local Settings\Application Data\Mozilla
2009-10-13 00:58 . 2009-10-13 00:58 -------- d-----w- c:\documents and settings\Diane\Local Settings\Application Data\Identities
2009-10-13 00:58 . 2009-10-13 00:58 -------- d-----w- c:\documents and settings\Diane\Application Data\Windows Desktop Search
2009-10-13 00:58 . 2009-10-13 00:58 -------- d-----w- c:\documents and settings\Diane\Local Settings\Application Data\ArcSoft
2009-10-13 00:58 . 2009-10-13 00:59 -------- d-----w- c:\documents and settings\Diane\Application Data\ArcSoft
2009-10-13 00:58 . 2009-10-13 00:58 -------- d-----w- c:\documents and settings\Diane\Local Settings\Application Data\SupportSoft
2009-10-13 00:58 . 2009-10-13 00:58 128 ----a-w- c:\documents and settings\Diane\Local Settings\Application Data\fusioncache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 06:58 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Diane\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-11-03 04:54 . 2006-11-22 20:24 -------- d-----w- c:\program files\Trend Micro
2009-11-02 22:14 . 2006-11-29 05:28 1942 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-11-01 14:44 . 2007-09-03 21:04 -------- d-----w- c:\program files\Microsoft Home Publishing 2000
2009-10-27 19:54 . 2007-05-10 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-27 19:53 . 2007-08-05 05:10 -------- d-----w- c:\program files\Microsoft Works
2009-10-17 17:37 . 2006-11-22 20:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-11 14:03 . 2004-08-11 23:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2004-08-11 23:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-11 23:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-11 23:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-11 23:00 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:16 . 2004-08-11 23:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 04:33 . 2009-08-18 04:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-16 21:09 . 2006-11-29 05:12 123128 -c--a-w- c:\documents and settings\Pat\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-14 22:04 . 2009-08-14 22:04 239088 ----a-w- c:\documents and settings\Diane\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-11-02 02:14 . 2009-11-02 00:42 210944 ----a-w- c:\program files\mozilla firefox\components\rpff.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-12 176201]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"Google Update"="c:\documents and settings\Diane\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-17 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 68856]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-04 1032192]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 1118208]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Motive SmartBridge"="c:\progra~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2006-07-21 407032]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-11-22 98304]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-10 16384]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-19 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-25 282624]
"MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2006-06-29 1355042]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2005-12-20 28160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2007-9-11 118784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-22 24576]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2006-11-22 532480]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2006-10-3 54776]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Documents and Settings\\Diane\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Diane\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [12/9/2008 11:37 AM 13088]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 4:47 PM 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 4:47 PM 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 4:47 PM 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 4:47 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 4:47 PM 262215]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]
S3 VCR2PC;VCR2PC Analog Capture;c:\windows\system32\drivers\0140_ION.sys [6/1/2009 7:19 PM 243712]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2008-12-25 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8189288322.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]

2009-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-717664534-1867343407-3577083845-1012Core1ca5b7f8cf55806.job
- c:\documents and settings\Diane\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-17 22:24]

2009-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-717664534-1867343407-3577083845-1012UA.job
- c:\documents and settings\Diane\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-17 22:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://www.starbarsearch.com/?useie5=1&q=
uInternet Connection Wizard,ShellNext = hxxp://att.yahoo.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Diane\Application Data\Mozilla\Firefox\Profiles\cvuxf9ho.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - component: c:\program files\Mozilla Firefox\components\rpff.dll
FF - plugin: c:\documents and settings\Diane\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Diane\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Diane\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\Yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CDB1DF1C-5D9C-4DCA-BEE6-9CA2738795BF} - c:\windows\system32\c778.dll
HKLM-Run-UnlockerAssistant - c:\documents and settings\Diane\Desktop\Unlocker\UnlockerAssistant.exe
AddRemove-ht1 - c:\documents and settings\all users\documents\DeIsL1.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 18:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\`* 2*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\à* 2*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\documents and settings\Diane\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-11-08 18:46
ComboFix-quarantined-files.txt 2009-11-08 00:46

Pre-Run: 58,381,230,080 bytes free
Post-Run: 60,789,747,712 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 10FF46828465015183E1F860911C3D68

Click Start, click Search, and then click For Files or Folders.
In the Search for files or folders named: box, type: eventlog.dll, and then click Search Now.

Let me know what you find

I'm off to bed but this should work for the missing file.

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.



Save this file to your desktop, Save this as "CFScript"

Here's how to do that:
1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...




Drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.


Also please describe how your computer behaves at the moment.

Sorry for not getting back to you sooner, I was out at dinner. Anyways I did the search and found 2 entries.

One was found in C:\i386. The other was in C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e.

I did what you said with the file and dragged the notepad copy of it to ComboFix.







The computer doesn't run any differently then usual although the log in time for each user takes alot longer then it usually does. And we can't boot into safe mode, we get a Blank Blue Screen when we try to boot into safe mode after the drivers scroll across the screen. Hope this helps.

This sounds more like a software issue so I'd suggest you start a new topic in the PC help forum.

Do this first.

The following will implement some cleanup procedures as well as reset System Restore points:

• Click START then RUN
• Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  
  • 
  
  
  
  To be on the safe side, I would also change all my passwords.
  
  
  Here's my usual all clean post
  
  Log looks good
  
  
  
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
       
    5. Change the Download signed ActiveX controls to Prompt
       
    6. Change the Download unsigned ActiveX controls to Disable
       
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
       
    8. Change the Installation of desktop items to Prompt
       
    9. Change the Launching programs and files in an IFRAME to Prompt
       
    10. Change the Navigate sub-frames across different domains to Prompt
        
    11. When all these settings have been made, click on the OK button.
        
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
• Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
(Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
Without a firewall your computer is succeptible to being hacked and taken over.
I am very serious about this and see it happen almost every day with my clients.
Simply using a Firewall in its default configuration can lower your risk greatly.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
This will ensure your computer has always the latest security updates available installed on your computer.
If there are new updates to install, install them immediately, reboot your computer, and revisit the site
until there are no more critical updates.

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

Only run one Anti-Virus and Firewall program.


I would suggest you read How to Prevent Malware:

Well I don't have her computer here with me but I just had her do a bunch of random searches and click on links in google and it appears to be gone. We can also now get to safe mode on the computer so it appears that the problem has indeed been solved. Thank you very much for your help and time. And I will make sure I make her keep the computer up to date.

Make sure she runs the fix to uninstall Combofix. There are infected files that were removed as part of Combofix.

Ran it myself and it is all removed. Thanks again for all your help.

Cool.

You're more then welcome.
Glad we were able to help

Peace be with you