Still problem?
#1 OFFLINE
Posted 01 September 2008 - 04:21 PM
One of the problems I had with the infections was that the Program Files disappeared, the Control Panel and all of the related items were not showing up, Internet Explorer was gone and several pieces of software that were on the desktop were gone.
Everything seems to have reappeared except for Internet Explorer and my software. Is there anything else to do? I am accessing Inet through my MSN.
Thanks
jacktc
P.S.
I have been trying to add the Notepad info (Antivir log or a Bitdefender online scan log, MalwareBytes Anti-Malware log, HijackThis log) to this post but have been unable to do so. Any ideas??
When I ran HijackThis I couldn't get it into Notepad, unless it went into the HijackThis folder on my desktop, but I didn't see it in there.
I copied/pasted what I have:
Avira AntiVir Personal- Free AntiVirus
*************************************
Copyright © 2008 Avira GmbH.
All rights reserved.
Contents
******
0 Important information
1 System requirements
2 Important requirements for an installation
3 Support service
4 Contact address
0 Important information
***********************
Users who have up to now installed an ANSI version of the Avira
AntiVir Personal software pack on a Microsoft
Windows 2000 or Microsoft Windows XP operating system, receive
update information when attempting to update.
When updating, please proceed as follows:
1. Deinstall the installed version of the Avira AntiVir
Personal.
2. Download a current software pack from the download section of the
Avira AntiVir Personal website
http://www.free-av.com.
3. Install this software pack on your computer.
1 System requirements
*********************
In order for Avira AntiVir Personal to run properly, the computer
system must fulfill the following requirements:
- Computer: Pentium or higher, at least 266 MHz
- Operating system
- Microsoft Windows Vista (32 or 64 bit) or
- Microsoft Windows XP Home or Professional (32 or 64 bit), SP 2
recommended or
- Microsoft Windows 2000, SP 4 recommended
The display of the program interfaces can differ, depending on the
operating system used.
- 30 MB free memory on the hard disk (more if quarantine is used)
- Min. 100 MB temporary memory on the hard disk
- Min. 192 MB RAM (Windows XP or Professional)
- Min. 512 MB RAM (Windows Vista)
- For the installation of Avira AntiVir Personal:
administrator rights
2 Important requirements for an installation
********************************************
Ensure that the following requirements are fulfilled so that Avira
AntiVir Personal works properly on your computer:
- System requirements fulfilled
- No other on-access scanner (also called Guard) installed
- Installer has administrator rights
- Internet/Intranet connection available
- All running programs on the computer exited
3 Support service
*****************
All relevant information concerning our comprehensive support service
can be found on our website http://www.avira.com/classic-support.
4 Contact
*********
If you have any questions or requests concerning the Avira AntiVir
Personal product range, we will be pleased to help you. You find our
contact addresses on the internet at http://www.free-av.com/contact.
mbam:
Malwarebytes' Anti-Malware 1.25
Database version: 1103
Windows 5.1.2600 Service Pack 2
11:45:48 AM 9/1/2008
mbam-log-09-01-2008 (11-45-48).txt
Scan type: Quick Scan
Objects scanned: 43705
Time elapsed: 27 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 15
Registry Values Infected: 3
Registry Data Items Infected: 16
Folders Infected: 8
Files Infected: 25
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\pdoskegl.dll (Trojan.Zlob) -> Delete on reboot.
C:\WINDOWS\rqbmvpso.dll (Adware.Vapsup) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{f9e837bc-7f68-4e3c-82cf-87a3aa6bfb4e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b086d28b-e3d2-46b8-8bf9-56bbb5720a50} (Adware.Vapsup) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{f8377c68-4aaf-4045-9c82-3f25c0378cd3} (Adware.Vapsup) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{45632a1f-8d26-4e09-98b7-2de331f7832b} (Adware.Vapsup) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5371ff76-9602-4029-9626-be8cd757eb36} (Adware.Vapsup) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{fd924082-30ca-4c7f-8866-9b494a03889d} (Adware.Vapsup) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9da604e4-8a8f-47fb-b4f1-bb4bc73e546c} (Adware.Vapsup) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a878ffb4-52de-4396-8f6e-a03417493f9a} (Adware.Vapsup) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{26027218-80b3-40fa-9fa1-70fd56aa5328} (Adware.Vapsup) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{26027218-80b3-40fa-9fa1-70fd56aa5328} (Adware.Vapsup) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webvideo (Adware.Vapsup) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qalkfxor.bmva (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qalkfxor.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\pdoskegl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\rqbmvpso (Adware.Vapsup) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{5371ff76-9602-4029-9626-be8cd757eb36} (Adware.Vapsup) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarerefer...=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (76477-OEM-0045964-95598) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\privacy_danger (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\AVG Free Edition (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\CleanMyPC Popup Blocker (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\Lavasoft Ad-Aware SE Personal (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\Spybot - Search & Destroy (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\SpywareBlaster (Rogue.XLG) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\pdoskegl.dll (Trojan.Zlob) -> Delete on reboot.
C:\WINDOWS\rqbmvpso.dll (Adware.Vapsup) -> Delete on reboot.
C:\WINDOWS\qalkfxor.dll (Adware.Vapsup) -> Quarantined and deleted successfully.
C:\WINDOWS\rodqgpvldbv.dll (Adware.Vapsup) -> Quarantined and deleted successfully.
C:\WINDOWS\rvoelbxt.exe (Adware.Vapsup) -> Quarantined and deleted successfully.
C:\WINDOWS\eaxf.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jack\Local Settings\Temp\TDSSb3da.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\danger.jpg (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\spacer.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\AVG Free Edition\AVG Free Control Center.lnk (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\AVG Free Edition\AVG Free Edition for Windows.lnk (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\AVG Free Edition\AVG Free Virus Vault.lnk (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\AVG Free Edition\Uninstall AVG Free Edition for Windows.lnk (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\CleanMyPC Popup Blocker\Online Help.lnk (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\CleanMyPC Popup Blocker\Uninstall CleanMyPC Popup Blocker.lnk (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\Lavasoft Ad-Aware SE Personal\Ad-Aware SE Manual.lnk (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\Lavasoft Ad-Aware SE Personal\Ad-Aware SE Personal.lnk (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\Lavasoft Ad-Aware SE Personal\Uninstall Ad-Aware SE Personal.lnk (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\Spybot - Search & Destroy\Spybot - Search & Destroy.lnk (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\Spybot - Search & Destroy\Uninstall Spybot - Search & Destroy.lnk (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\SpywareBlaster\SpywareBlaster AutoUpdate Configuration.lnk (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\SpywareBlaster\SpywareBlaster Help.lnk (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\SpywareBlaster\SpywareBlaster.lnk (Rogue.XLG) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.
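The "Registry Data Items Infected" section of the Malwarebytes log above is the part that explains the symptoms in this post (Control Panel and All Programs missing, drives hidden, Task Manager disabled). The following is an added Python example, not from the thread or from Malwarebytes, that parses those log lines into records and decodes the policy values they report; the sample lines are copied from the log in this post, and the symptom descriptions are standard Windows Explorer policy meanings.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: "Registry Data Items Infected" lines in the format
# Malwarebytes' Anti-Malware 1.x writes, copied from the detections posted
# in this thread. A different section follows to show the parser skips it.
SAMPLE_LOG = r"""Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\privacy_danger (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# One detection line looks like:
#   <hive\path\value> (<threat>) -> Bad: (<x>) Good: (<y>) -> <action>
LINE_RE = re.compile(
    r"^(?P<key>.+?) \((?P<threat>[^()]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$"
)

# What the "Bad" value of each policy does to the user's desktop.
# (Standard Explorer policy semantics; only the names seen in this log.)
UI_POLICIES = {
    "Start_ShowControlPanel": "Control Panel removed from the Start menu",
    "Start_ShowRun": "Run command removed from the Start menu",
    "Start_ShowSearch": "Search removed from the Start menu",
    "Start_ShowMyComputer": "My Computer removed from the Start menu",
    "NoStartMenuMorePrograms": "'All Programs' list removed from the Start menu",
    "DisableTaskMgr": "Task Manager disabled",
    "NoDispCPL": "Display Properties control panel blocked",
}


@dataclass
class RegistryHijack:
    key: str          # full hive\path\value as printed in the log
    value_name: str   # last path component, e.g. "NoDrives"
    threat: str       # Malwarebytes detection name
    bad: str          # value found on the infected machine
    good: str         # value Malwarebytes restored


def parse_registry_data_items(log_text: str) -> List[RegistryHijack]:
    """Return every 'Bad: (...) Good: (...)' detection line as a record."""
    items = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, file/folder lines, blank lines
        key = m.group("key")
        items.append(RegistryHijack(
            key=key,
            value_name=key.rsplit("\\", 1)[-1],
            threat=m.group("threat"),
            bad=m.group("bad"),
            good=m.group("good"),
        ))
    return items


def decode_nodrives(mask: int) -> List[str]:
    """NoDrives is a 26-bit mask: bit 0 hides A:, bit 1 hides B:, ... bit 25 hides Z:."""
    return [chr(ord("A") + bit) for bit in range(26) if (mask >> bit) & 1]


def describe(h: RegistryHijack) -> str:
    if h.value_name == "NoDrives":
        hidden = decode_nodrives(int(h.bad))
        return "Explorer hides drive(s) " + ", ".join(f"{d}:" for d in hidden)
    if h.value_name in UI_POLICIES:
        return UI_POLICIES[h.value_name]
    return f"{h.value_name} changed from {h.good!r} to {h.bad!r}"


def summarize(log_text: str) -> Dict[str, str]:
    """Map each hijacked value name to a plain-language symptom."""
    return {h.value_name: describe(h) for h in parse_registry_data_items(log_text)}


if __name__ == "__main__":
    for name, symptom in summarize(SAMPLE_LOG).items():
        print(f"{name}: {symptom}")
```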
#2 OFFLINE
Posted 02 September 2008 - 08:26 PM
When the scan is finished click Save Log and choose to save it somewhere you can find it. Open the log up and copy/paste it into your next reply.
#3 OFFLINE
Posted 02 September 2008 - 09:08 PM
rridgely, on Sep 2 2008, 08:26 PM, said:
When the scan is finished click Save Log and choose to save it somewhere you can find it. Open the log up and copy/paste it into your next reply.
Here is what I was able to get. Also, the computer is now running slow.
Thanks
Jack
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:58:42 PM, on 9/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\j2re1.4.2_14\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_14\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\APCMain.exe -m
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_14\bin\npjpi142_14.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_14\bin\npjpi142_14.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.magoos.ne...geUploader5.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
--
End of file - 8315 bytes
#4 OFFLINE
Posted 02 September 2008 - 09:27 PM
Uninstall either AVG or Antivir and things should run better. Also run the below scan and post back the results:
Run Kaspersky WebScanner
- Please go HERE and click Kaspersky Online Scanner
- Read and Accept the Agreement
- You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
- If you see a Windows dialog asking if you want to install this software, click the Install button.
- The program will launch and then begin downloading the latest definition files,
- When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
- Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
- Under "Please select a target to scan:", click My Computer to start the scan.
- When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
- Paste kaspersky log onto forum.
#5 OFFLINE
Posted 02 September 2008 - 10:01 PM
rridgely, on Sep 2 2008, 09:27 PM, said:
Uninstall either AVG or Antivir and things should run better. Also run the below scan and post back the results:
Run Kaspersky WebScanner
- Please go HERE and click Kaspersky Online Scanner
- Read and Accept the Agreement
- You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
- If you see a Windows dialog asking if you want to install this software, click the Install button.
- The program will launch and then begin downloading the latest definition files,
- When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
- Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
- Under "Please select a target to scan:", click My Computer to start the scan.
- When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
- Paste kaspersky log onto forum.
I went to the site and it said to turn off any virus software, but I couldn't find where to turn off the software. I removed AVG. I also got a pop-up, said it was from Internet Explorer, to install ActiveX. I just clicked off both to email back here. Since IE is not on my desktop any more I assumed it was taken over by the hacker and they were trying to get back in.
#6 OFFLINE
Posted 02 September 2008 - 11:37 PM
The ActiveX was from Kaspersky. Just do like the instructions say.
#7 OFFLINE
Posted 04 September 2008 - 12:15 AM
rridgely, on Sep 2 2008, 11:37 PM, said:
The ActiveX was from Kaspersky. Just do like the instructions say.
Finally got to scan.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, September 3, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, September 03, 2008 20:17:25
Records in database: 1188827
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
Scan statistics:
Files scanned: 88319
Threat name: 2
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 01:42:34
File name / Threat name / Threats count
C:\Documents and Settings\Jack\Desktop\Dwnloads for use\Desktop stuff\fp2006-final-3.00-setup\fp2006-final-3.00-setup.exe Infected: not-virus:BadJoke.JS.RJump 1
C:\Documents and Settings\Jack\Desktop\Dwnloads for use\Desktop stuff\fp2006-final-3.00-setup.zip Infected: not-virus:BadJoke.JS.RJump 1
C:\Documents and Settings\Jack\My Documents\New Downloads\fp2006-final-3.00-setup.zip Infected: not-virus:BadJoke.JS.RJump 1
C:\Program Files\Evrsoft First Page 2006\Iscripts\Page Details\crazy-window.izs Infected: not-virus:BadJoke.JS.RJump 1
C:\WINDOWS\Temp\TDSSbcb3.tmp Infected: Trojan-Downloader.Win32.Small.acrj 1
The selected area was scanned.
#8 OFFLINE
Posted 04 September 2008 - 04:02 AM
I'm not sure what that is, but unless you're sure it's safe you need to delete it.
You need to clear your temp files. If you have CCleaner installed just open it up and press Run. If you don't have it installed get it here:
http://www.filehippo...nload_ccleaner/
Install it and then open it up and press Run Cleaner.
Reboot and post one last log with a report on how your pc is running.
#9 OFFLINE
Posted 04 September 2008 - 11:20 AM
rridgely, on Sep 4 2008, 04:02 AM, said:
I'm not sure what that is, but unless you're sure it's safe you need to delete it.
You need to clear your temp files. If you have CCleaner installed just open it up and press Run. If you don't have it installed get it here:
http://www.filehippo.com/download_ccleaner/
Install it and then open it up and press Run Cleaner.
Reboot and post one last log with a report on how your pc is running.
I ran CCleaner again and the computer still seems about the same. I guess I can put up with it as long as all the bugs are gone. Maybe I just have too much on it. Was there a problem in the file below that you didn't know what it was? I have a couple of programs I use stored in that file; hope they are not infected as I use them quite a lot. Also, the IE icon has never come back. Do I go and reinstall IE?
rridgely, on Sep 4 2008, 04:02 AM, said:
C:\Documents and Settings\Jack\Desktop\Dwnloads for use\Desktop stuff\fp2006-final-3.00-setup.zip
Thanks for the help
Jack
#10 OFFLINE
Posted 04 September 2008 - 02:47 PM
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum). - Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
#11 OFFLINE
Posted 04 September 2008 - 04:38 PM
rridgely, on Sep 4 2008, 02:47 PM, said:
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum). - Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
I went through all the steps you laid out above, but when I go to open the SDFix folder it appears there is nothing there. I press install again and it seems to install several files, but there is never an SDFix folder appearing on the dashboard, just the exe remains, so there is no RunThis.bat to click on.
Jack
#13 OFFLINE
Posted 04 September 2008 - 06:31 PM
rridgely, on Sep 4 2008, 05:50 PM, said:
That's what it should look like when you open the folder. Click the one that's circled in red.
I created a file on my desktop and it looked like the one in your email. I opened my computer in Safe Mode, double-clicked on RunThis.bat and waited approx. 10 min. Nothing happened; tried it again and it still won't start the cleanup.
Any suggestions? Can it be opened in the regular mode and not Safe Mode? I just went to my desktop and double-clicked on the folder and it opened, but it had a statement as follows: "SDFix Requires Administrater Account Priveledges"
Where do I get that??
#14 OFFLINE
Posted 04 September 2008 - 11:33 PM
#15 OFFLINE
#16 OFFLINE
Posted 04 September 2008 - 11:47 PM
Is your account on the computer an administrator account? Go to control panel> user accounts> user account> you should see your account name, does it say administrator?
#17 OFFLINE
Posted 05 September 2008 - 10:52 AM
rridgely, on Sep 4 2008, 11:47 PM, said:
Is your account on the computer an administrator account? Go to control panel> user accounts> user account> you should see your account name, does it say administrator?
I did misunderstand, I had forgotten about that as I've never had to sign off on anything to download. Do I deactivate it for now? I didn't see a place to sign off when I was trying to run SDFix. I can go there again and look closer this time.
#18 OFFLINE
Posted 05 September 2008 - 05:33 PM
jacktc, on Sep 5 2008, 10:52 AM, said:
I've tried everything to start the SDFix scan but can't get it to go. I went back into Safe Mode and my desktop doesn't show up to click on SDFix; the only thing there was my MSN icon and Recycle Bin. I closed out and restarted again and then put SDFix in the recycle bin, thinking I would be able to open the recycle bin and move SDFix to the desktop. I started in safe mode again and opened the recycle bin and it was empty, so couldn't do it that way. I started the computer normally and checked the recycle bin and SDFix was still there, so I moved it back to the desktop.
I've wasted a lot of your time and mine trying to fix problem, so I think I'll just hang it up and hope everything is gone and just deal with the slow computer for awhile.
Thanks
Jack
#19 OFFLINE
Posted 06 September 2008 - 12:20 PM
Try running this:
Download this file - combofix.exe and save it to your desktop.
Double click combofix.exe & follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running as it may cause it to stall
#20 OFFLINE
Posted 06 September 2008 - 06:57 PM
rridgely, on Sep 6 2008, 12:20 PM, said:
Try running this:
Download this file - combofix.exe and save it to your desktop.
Double click combofix.exe & follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running as it may cause it to stall
This is quite long.
ComboFix 08-09-05.02 - Jack 2008-09-06 13:46:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.231 [GMT -4:00]
Running from: C:\Documents and Settings\Jack\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\esbagent.jpg
C:\WINDOWS\esblogo.jpg
.
((((((((((((((((((((((((( Files Created from 2008-08-06 to 2008-09-06 )))))))))))))))))))))))))))))))
.
2008-09-05 13:09 . 2008-09-05 13:09 <DIR> d-------- C:\Documents and Settings\Administrator.COOPER-MAIN
2008-09-04 12:29 . 2008-09-04 12:29 <DIR> d-------- C:\%systemdrive%
2008-09-04 12:07 . 2008-09-03 05:41 <DIR> d-------- C:\SDFix
2008-09-03 18:14 . 2008-09-03 18:14 <DIR> d-------- C:\Program Files\Sun
2008-09-03 18:14 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-01 12:34 . 2008-09-01 12:34 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-09-01 12:06 . 2008-09-01 12:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-01 11:15 . 2008-09-01 11:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-01 11:15 . 2008-09-01 11:15 <DIR> d-------- C:\Documents and Settings\Jack\Application Data\Malwarebytes
2008-09-01 11:15 . 2008-09-01 11:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-01 11:15 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-01 11:15 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-01 11:04 . 2008-09-01 11:04 <DIR> d-------- C:\Documents and Settings\Jack\Application Data\Uniblue
2008-09-01 10:50 . 2008-09-01 10:50 <DIR> d-------- C:\Program Files\Avira
2008-09-01 10:50 . 2008-09-01 10:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-09-01 10:27 . 2008-09-01 10:27 <DIR> d-------- C:\Program Files\CCleaner
2008-08-31 15:48 . 2008-09-01 12:32 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-31 15:36 . 2008-08-31 15:36 <DIR> d-------- C:\Program Files\AVG
2008-08-31 15:36 . 2008-09-02 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-29 16:56 . 2008-08-29 16:57 <DIR> d-------- C:\Documents and Settings\Jack\Application Data\Inkscape
2008-08-29 16:55 . 2008-08-29 16:56 <DIR> d-------- C:\Program Files\Inkscape
2008-08-22 18:36 . 2008-09-01 10:38 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-06 14:08 --------- d-----w C:\Documents and Settings\Jack\Application Data\MSN6
2008-09-04 16:46 --------- d-----w C:\Program Files\FinePixViewer
2008-09-03 22:14 --------- d-----w C:\Program Files\Java
2008-08-31 22:48 --------- d-----w C:\Program Files\Evrsoft First Page 2006
2008-08-26 18:06 --------- d-----w C:\Program Files\InstantAuctionSites
2008-08-24 20:40 --------- d-----w C:\Program Files\Keyword Buzz
2008-08-07 20:30 --------- d-----w C:\Program Files\XSitePro2
2008-08-07 20:28 1,394,293 ----a-w C:\WINDOWS\XSitePro2 Uninstaller.exe
2008-07-29 19:05 1,258,131 ----a-w C:\WINDOWS\XSitePro2 ClipArt Uninstaller.exe
2008-07-29 14:42 --------- d-----w C:\Program Files\Common Files\Thraex Software
2008-07-25 21:14 --------- d-----w C:\Program Files\MSECACHE
2008-07-23 18:08 --------- d-----w C:\Program Files\Hewlett-Packard
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 01:31 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-07 01:31 --------- d-----w C:\Program Files\Windows Live
2008-07-07 01:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2006-08-23 22:03 81,920 ----a-w C:\Documents and Settings\Jack\Application Data\ezpinst.exe
2006-08-23 22:03 47,360 ----a-w C:\Documents and Settings\Jack\Application Data\pcouffin.sys
2007-12-08 18:03 8 --sh--r C:\WINDOWS\system32\5A9B70C505.sys
2007-12-08 18:05 2,828 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-09 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-15 4112384]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2008-01-10 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 267048]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 C:\WINDOWS\ALCXMNTR.EXE]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
ExifLauncher2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2008-06-10 303104]
HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo"= CSvidcap.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Planner Reminders.lnk
backup=C:\WINDOWS\pss\Event Planner Reminders.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Jack^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\Jack\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Jack^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\Jack\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2003-02-07 02:03 114741 C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2003-09-13 22:36 50688 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-07-15 12:42 4112384 C:\WINDOWS\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2004-07-15 12:42 81920 C:\WINDOWS\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a------ 2003-02-13 02:01 155648 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-07-15 12:42 843776 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Performance Center - C:\Program Files\Ascentive\Performance Center\APCMain.exe
HKCU-Run-Uniblue RegistryBooster 2009 - C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe
MSConfigStartUp-Adobe Photo Downloader - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
MSConfigStartUp-MsnMsgr - C:\Program Files\MSN Messenger\MsnMsgr.Exe
MSConfigStartUp-SpySweeper - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O16 -: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.magoos.net/ImageUploader/ImageUploader5.cab
C:\WINDOWS\Downloaded Program Files\ImageUploader5.inf
C:\Program Files\MSN\MSNCoreFiles\unicows.dll
C:\WINDOWS\Downloaded Program Files\ImageUploader5.ocx
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-06 14:42:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2008-09-06 14:47:55
ComboFix-quarantined-files.txt 2008-09-06 18:46:51
Pre-Run: 100,982,034,432 bytes free
Post-Run: 101,322,764,288 bytes free
169 --- E O F --- 2008-09-01 01:03:06
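Two things a helper would pull out of a log like the one above are the Security Center values that silence antivirus and update warnings and any files in system32 carrying the hidden attribute (which then get checked against known-good lists). The script below is an added example, not part of the thread or of ComboFix; the SAMPLE_LOG is a constructed excerpt modelled on the posted log, and the FirewallDisableNotify line is added to show a value that is not flagged.

```python
"""Triage helper for ComboFix-style log text (added example, not from the thread)."""
import re

# Constructed excerpt modelled on the log posted above; the paths and the two
# *DisableNotify values are copied from it, the FirewallDisableNotify line is made up.
SAMPLE_LOG = r"""
2007-12-08 18:03 8 --sh--r C:\WINDOWS\system32\5A9B70C505.sys
2007-12-08 18:05 2,828 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-31 15:48 . 2008-09-01 12:32 <DIR> d--h----- C:\$AVG8.VAULT$
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
"""

# "date time [. date time] size-or-<DIR> attrs path" as in the Find3M / Files Created sections
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r" (\S+) (\S+) ([A-Za-z]:\\.*)$")
DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def hidden_system32_files(log):
    """Paths under system32 whose attribute field carries the hidden flag (not directories)."""
    found = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        attrs, path = m.group(2), m.group(3)
        if attrs.startswith("d"):        # directory entries are skipped
            continue
        if "h" in attrs and path.lower().startswith("c:\\windows\\system32\\"):
            found.append(path)
    return found

def disabled_security_center_notifications(log):
    """Security Center *DisableNotify values set to 1, i.e. warnings switched off."""
    in_security_center, disabled = False, []
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_security_center = line.lower().endswith("\\security center]")
            continue
        m = DWORD_LINE.match(line)
        if in_security_center and m and m.group(1).endswith("DisableNotify") \
                and int(m.group(2), 16) == 1:
            disabled.append(m.group(1))
    return disabled

if __name__ == "__main__":
    print("hidden in system32:", hidden_system32_files(SAMPLE_LOG))
    print("notifications disabled:", disabled_security_center_notifications(SAMPLE_LOG))
```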