16 replies to this topic

[Umom]

HI, here are my scans. Why does this keep coming back?


Thank you!!





Avira AntiVir Personal
Report file date: Sunday, January 18, 2009 23:55

Scanning for 1224506 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: WEBSTER-UU3AMDO

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 14:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 13:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 18:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 13:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.1.113 2817536 Bytes 1/14/2009 04:54:03
ANTIVIR2.VDF : 7.1.1.114 2048 Bytes 1/14/2009 04:54:04
ANTIVIR3.VDF : 7.1.1.137 304128 Bytes 1/18/2009 04:54:06
Engineversion : 8.2.0.57
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 16:05:56
AESCRIPT.DLL : 8.1.1.26 340347 Bytes 1/19/2009 04:54:17
AESCN.DLL : 8.1.1.5 123251 Bytes 11/7/2008 21:06:41
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 19:58:38
AEPACK.DLL : 8.1.3.5 393588 Bytes 1/19/2009 04:54:16
AEOFFICE.DLL : 8.1.0.33 196987 Bytes 1/19/2009 04:54:15
AEHEUR.DLL : 8.1.0.84 1540471 Bytes 1/19/2009 04:54:14
AEHELP.DLL : 8.1.2.0 119159 Bytes 1/19/2009 04:54:12
AEGEN.DLL : 8.1.1.10 323957 Bytes 1/19/2009 04:54:11
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 16:05:56
AECORE.DLL : 8.1.5.2 172405 Bytes 1/19/2009 04:54:08
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 16:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 14:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 15:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 18:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 17:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 18:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 18:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 19:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 19:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, January 18, 2009 23:55

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'SSU.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'ashWebSv.exe' - '1' Module(s) have been scanned
Scan process 'ashMaiSv.exe' - '1' Module(s) have been scanned
Scan process 'SpySweeper.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'CinemaNowSvc.exe' - '1' Module(s) have been scanned
Scan process 'a2service.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'SpySweeperUI.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'point32.exe' - '1' Module(s) have been scanned
Scan process 'ashDisp.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'ashServ.exe' - '1' Module(s) have been scanned
Scan process 'aswUpdSv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'WRConsumerService.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
37 processes with 37 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '53' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\SsiEfr.exe
[WARNING] The file could not be opened!
C:\WINDOWS\system32\wrLZMA.dll
[WARNING] The file could not be opened!


End of the scan: Monday, January 19, 2009 00:18
Used time: 23:23 Minute(s)

The scan has been done completely.

5330 Scanning directories
264052 Files were scanned
0 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
264049 Files not concerned
2018 Archives were scanned
3 Warnings
0 Notes


Database version: 1666
Windows 5.1.2600 Service Pack 3

1/19/2009 12:25:16 AM
mbam-log-2009-01-19 (00-25-16).txt

Scan type: Quick Scan
Objects scanned: 53886
Time elapsed: 3 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:44 AM, on 1/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Webroot\WebrootSecurity\SSU.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = file://c:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = file://c:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Download Manager Browser Helper Object - {19C8E43B-07B3-49CB-BFFC-6777B593E6F8} - C:\PROGRA~1\COMMON~1\fluxDVD\DOWNLO~1\XEBDLH~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [avast!] "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [hpqSRMon] "C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish...fishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1168053853437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1167688362421
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} (CUpdateCtl Object) - http://update.hpphot.../HPSWUpdate.ocx
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CinemaNow Service - CinemaNow, Inc. - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag 2000 (OOD2000) - O&O Software GmbH - C:\WINDOWS\system32\OOD2000.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 6908 bytes

[Rorschach112]

hello

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

[Umom]

[quote name='Rorschach112' date='Jan 19 2009, 11:33 PM' post='126310']
hello

Here in my combo fix scan. Thanks again for your time.

ComboFix 09-01-19.03 - Trish 2009-01-20 0:02:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2303.1882 [GMT -5:00]
Running from: c:\documents and settings\Trish\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090119-0] *On-access scanning disabled* (Updated)
FW: Webroot Internet Security Essentials *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Trish\Application Data\WeatherDPA
c:\documents and settings\Trish\Application Data\WeatherDPA\Weather\WeatherStartup.xml
c:\windows\system32\encapi32.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.

2009-01-19 23:25 . 2009-01-19 23:25 <DIR> d--hs---- c:\documents and settings\Trish\PrivacIE
2009-01-19 23:21 . 2009-01-19 23:21 <DIR> d--h-c--- c:\windows\ie8
2009-01-19 17:22 . 2009-01-19 17:23 250 --a------ c:\windows\gmer.ini
2009-01-18 14:52 . 2009-01-18 14:52 <DIR> d-------- c:\program files\LimeWire
2009-01-18 14:52 . 2009-01-18 20:55 <DIR> d-------- c:\documents and settings\Trish\Application Data\LimeWire
2009-01-18 14:40 . 2009-01-18 14:40 <DIR> d-------- c:\documents and settings\Trish\Application Data\Graboid Inc
2009-01-18 00:59 . 2009-01-18 00:59 <DIR> d-------- c:\windows\logs
2009-01-18 00:55 . 2009-01-18 00:55 <DIR> d-------- c:\program files\CCleaner
2009-01-15 14:23 . 2008-05-19 18:16 186,407 --a------ c:\windows\system32\nvapps.nvb
2009-01-15 14:22 . 2009-01-15 14:22 <DIR> d-------- C:\NVIDIA
2009-01-15 14:22 . 2008-05-16 11:48 446,464 --a------ c:\windows\system32\NVUNINST.EXE
2009-01-07 14:22 . 2009-01-07 14:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2008-12-28 21:20 . 2008-12-28 21:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\fluxDVD
2008-12-28 01:39 . 2008-12-28 13:34 <DIR> d-------- c:\program files\XP Codec Pack
2008-12-27 17:02 . 2008-12-27 17:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Launcher
2008-12-27 16:38 . 2008-12-27 16:38 <DIR> d-------- c:\documents and settings\Trish\Application Data\MozillaControl
2008-12-27 16:38 . 2008-12-27 16:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Graboid Inc
2008-12-27 16:37 . 2009-01-15 22:45 <DIR> d-------- c:\program files\VideoLAN
2008-12-27 16:37 . 2009-01-18 14:40 <DIR> d-------- c:\program files\Graboid
2008-12-20 11:57 . 2008-12-20 11:57 <DIR> d-------- c:\program files\Windows XP Fun Pack

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 18:30 --------- d-----w c:\program files\a-squared Free
2009-01-19 17:57 --------- d-----w c:\documents and settings\Trish\Application Data\Move Networks
2009-01-19 05:26 --------- d-----w c:\program files\Trend Micro
2009-01-15 03:58 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-15 03:07 --------- d-----w c:\program files\InterActual
2009-01-14 21:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 21:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-08 04:57 --------- d-----w c:\program files\DivX
2008-12-29 02:20 --------- d-----w c:\program files\Common Files\mpDRM
2008-12-29 02:20 --------- d-----w c:\program files\Common Files\fluxDVD
2008-12-29 02:20 --------- d-----w c:\documents and settings\All Users\Application Data\mpDRM
2008-12-27 02:42 --------- d-----w c:\program files\Google
2008-12-14 23:35 --------- d-----w c:\documents and settings\All Users\Application Data\CinemaNow
2008-12-14 23:34 --------- d-----w c:\program files\CinemaNow
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 02:58 --------- d-----w c:\program files\Flickr Uploadr
2008-12-11 02:58 --------- d-----w c:\documents and settings\Trish\Application Data\Flickr
2008-12-03 19:49 --------- d-----w c:\program files\XoftSpySE
2008-11-18 00:49 164 ----a-w C:\install.dat
2008-11-13 22:11 1,553,272 ----a-w c:\windows\WRSetup.dll
2008-08-29 02:21 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082820080829\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2008-11-13 17:04 238968 --a------ c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2008-11-13 6273400]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-26 68856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe\[u]0[/u]SsiEfr.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Startup.lnk
backup=c:\windows\pss\HP OfficeJet Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk
backup=c:\windows\pss\Utility Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Trish^Start Menu^Programs^Startup^Event Reminder.lnk]
path=c:\documents and settings\Trish\Start Menu\Programs\Startup\Event Reminder.lnk
backup=c:\windows\pss\Event Reminder.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CinemaNowMediaManagerApp]
--a------ 2008-09-22 21:49 2022248 c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowShell.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 00:31 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
--a------ 2008-04-13 19:12 10752 c:\windows\system32\dumprep.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-12-05 22:55 54832 c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 07:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-16 14:01 13529088 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-16 14:01 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-16 14:01 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 07:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 07:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
--a------ 2004-11-11 20:50 212992 c:\progra~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2006-11-23 15:10 56928 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-26 22:20 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2006-11-17 08:42 577536 c:\windows\soundman.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-10-02 29808]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-03-31 111184]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-03-31 20560]
R4 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [2008-09-22 138616]
R4 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2008-11-05 1086840]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-02-01 44928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-01-20 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe []

2009-01-10 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2008-08-13 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2009-01-20 c:\windows\Tasks\User_Feed_Synchronization-{1A1362A7-8BE8-4C64-92FF-F72C9CB752F9}.job
- c:\windows\system32\msfeedssync.exe [2008-08-22 03:05]

2009-01-16 c:\windows\Tasks\wrSpySweeper_L06E757DDED54423EB100BC8BDB8B0D77.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2008-11-13 17:11]

2009-01-16 c:\windows\Tasks\wrSpySweeper_L06E757DDED54423EB100BC8BDB8B0D77.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2008-11-13 17:11]

2009-01-16 c:\windows\Tasks\wrSpySweeper_L06E757DDED54423EB100BC8BDB8B0D77.job
- A:\ []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-POINTER - point32.exe
MSConfigStartUp-avgnt - c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
MSConfigStartUp-SiS KHooker - c:\windows\system32\khooker.exe
MSConfigStartUp-Cmaudio - cmicnfg.cpl


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} - hxxp://update.hpphoto.com/download/HPSWUpdate.ocx
FF - ProfilePath - c:\documents and settings\Trish\Application Data\Mozilla\Firefox\Profiles\oltkxahh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Common Files\fluxDVD\APIX\NPAPIX.dll
FF - plugin: c:\program files\Common Files\fluxDVD\BrowserIntegration\NPFluxBrowserHelper.dll
FF - plugin: c:\program files\Common Files\mpDRM\NPMPDRM.dll
FF - plugin: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de680400}\plugins\npCinemaNowPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAPIX.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPFluxBrowserHelper.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMPDRM.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2009-01-20 00:07:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\a-squared Free\a2service.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\program files\Microsoft Hardware\Mouse\point32.exe
.
**************************************************************************
.
Completion time: 2009-01-20 0:09:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-20 05:09:37

Pre-Run: 62,832,222,208 bytes free
Post-Run: 62,771,539,968 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin

235 --- E O F --- 2009-01-20 04:31:02

[Rorschach112]

hello

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.




Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.






Go to Kaspersky website and perform an online antivirus scan.

• Read through the requirements and privacy statement and click on Accept button.
  
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  
• When the downloads have finished, click on Settings.
  
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
  Mail databases
• Click on My Computer under Scan.
  
• Once the scan is complete, it will display the results. Click on View Scan Report.
  
• You will see a list of infected items there. Click on Save Report As....
  
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

[Umom]

Hello again,

I already had ATF cleaner and MBAM. ran KASPERSKY. They came up with nothing. Thought maybe it wwas gone,(he,he,he).
Ran CCleaner out of curiosity. Now SpySweeper found and quarantined TROJAN-AGENT-TDSS and VIRTUMONDE.
The ATF cleaner did not make any malware come up and the only time any anti-malware program finds it is during
a CCleaner scan. Why would that be? Is it the CCleaner that is infected? Now I have 2 instead of one, unless VIRTUMONDE is due to TROJAN-AGENT-TDSS. What is the next step? UGGH!

Thanks

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, January 20, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, January 20, 2009 15:58:15
Records in database: 1654946
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 58872
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:19:19

No malware has been detected. The scan area is clean.

The selected area was scanned.

-------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.33
Database version: 1671
Windows 5.1.2600 Service Pack 3

1/20/2009 1:00:05 PM
mbam-log-2009-01-20 (13-00-05).txt

Scan type: Quick Scan
Objects scanned: 54438
Time elapsed: 4 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[Umom]

Hi,

I did not make sure all of the areas were checked that you told me to check. I will run through
kaspersky again to make sure.

[Umom]

Yes, they were all checked.

[Rorschach112]

Post a new HJT log

Can you get a log from Webroot when you run it ?

[Umom]

Ok, here you go. Spysweeper had a session log. Hope it has what you need, there isn't anything else available to print.

Thank you very much.






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:56 PM, on 1/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Webroot\WebrootSecurity\SSU.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Download Manager Browser Helper Object - {19C8E43B-07B3-49CB-BFFC-6777B593E6F8} - C:\PROGRA~1\COMMON~1\fluxDVD\DOWNLO~1\XEBDLH~1.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [avast!] "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [hpqSRMon] "C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish...fishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1168053853437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1167688362421
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} (CUpdateCtl Object) - http://update.hpphot.../HPSWUpdate.ocx
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CinemaNow Service - CinemaNow, Inc. - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag 2000 (OOD2000) - O&O Software GmbH - C:\WINDOWS\system32\OOD2000.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 7324 bytes
----------------------------------------------------------------------------------------------------------------------------------


Session Log from Spy Sweeper




E-mail Attachment: On
6:39 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
6:39 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
6:39 PM: Warning: Unable to secure run key from ambiguous path exploit for HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avast!. Failure: SRegSetDataFailed -1-
6:39 PM: License Check Status (0): Success
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
6:38 PM: IE Hijack Shield: Resetting IE advanced data value.
6:38 PM: IE Hijack Shield: Resetting IE advanced data value.
Tracking Cookies Shield: Off
6:38 PM: Shield States
6:38 PM: Spyware Definitions: 1371
6:38 PM: Webroot Software 6.0.2.39 started
6:38 PM: | Start of Session, Tuesday, January 20, 2009 |
***************
6:24 PM: ApplicationMinimized - EXIT
6:24 PM: ApplicationMinimized - ENTER
6:24 PM: Deletion from quarantine completed. Elapsed time 00:00:00
6:24 PM: Processing: trojan-agent-tdss
6:24 PM: Deletion from quarantine initiated
6:24 PM: Deletion from quarantine completed. Elapsed time 00:00:00
6:24 PM: Processing: trojan-agent-tdss
6:24 PM: Deletion from quarantine initiated
6:24 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
6:24 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
6:09 PM: ApplicationMinimized - EXIT
6:09 PM: ApplicationMinimized - ENTER
6:09 PM: Deletion from quarantine completed. Elapsed time 00:00:00
6:09 PM: Processing: virtumonde
6:09 PM: Deletion from quarantine initiated
6:08 PM: File System Shield: found: Adware: virtumonde, version 1.0.0.0
5:59 PM: ApplicationMinimized - EXIT
5:59 PM: ApplicationMinimized - ENTER
5:59 PM: BHO Shield: found: -- BHO installation allowed at user request
5:59 PM: BHO Shield: found: ssv.dll-- BHO installation allowed at user request
5:59 PM: BHO Shield: found: jp2ssv.dll-- BHO installation allowed at user request
5:58 PM: ApplicationMinimized - EXIT
5:58 PM: ApplicationMinimized - ENTER
5:58 PM: Removal process completed. Elapsed time 00:00:03
5:58 PM: Quarantining All Traces: yieldmanager cookie
5:58 PM: Quarantining All Traces: overture cookie
5:58 PM: Quarantining All Traces: 2o7.net cookie
5:58 PM: Removal process initiated
5:58 PM: Traces Found: 3
5:58 PM: Full Sweep has completed. Elapsed time 00:09:54
5:58 PM: File Sweep Complete, Elapsed Time: 00:06:42
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Cookies\trish@topix[2].txt". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Cookies\trish@2o7[1].txt". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\3KZ3IMPY\newsweek[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\3KZ3IMPY\left_maroonmaroon[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\3KZ3IMPY\hdr35[1].js". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\3KZ3IMPY\20070904_103943_text-head[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\3KZ3IMPY\20070904_103920_back[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\7SMW75VK\wslider[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\GQNNO36Z\clear[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Cookies\trish@msnportal.112.2o7[1].txt". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\GQNNO36Z\video[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\03OBE1UY\alarrow[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Cookies\trish@live[1].txt". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\GQNNO36Z\butterfly[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\GQNNO36Z\sclbullet[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\03OBE1UY\osb[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\7SMW75VK\86F1396496DFE1BAD68AB5F28409[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\03OBE1UY\primedns[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\3KZ3IMPY\pipe[2].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\3KZ3IMPY\pipe[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\7SMW75VK\32E46DE281A68B9C33FC582D2569D[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\GQNNO36Z\hint[1]". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Cookies\trish@webroot[2].txt". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\GQNNO36Z\newBox_bg_top[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\7SMW75VK\bot_shadow_bg[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\3KZ3IMPY\versionbox_bg[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\GQNNO36Z\box_grn_dbl_top[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\GQNNO36Z\box_grn_dbl_bot[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\03OBE1UY\box_grn_dbl_bg[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Cookies\trish@offermatica[2].txt". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\GQNNO36Z\top_shadow_bg[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\7SMW75VK\side_shadows[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\3KZ3IMPY\bot_shadow_bg[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\7SMW75VK\footer_bg_chex[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\03OBE1UY\bot_shadow_corners[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Cookies\trish@spysweeper[1].txt". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\7SMW75VK\standard[1]". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\3KZ3IMPY\top_shadow_bg[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\GQNNO36Z\side_shadows[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\03OBE1UY\global_spacer[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\03OBE1UY\top_shadow_corners[1].gif". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\3KZ3IMPY\desktop.ini". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Cookies\trish@www.webroot[2].txt". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\WINDOWS\system32\wbem\Logs\wbemcore.log". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\03OBE1UY\s9628281729295[1].htm". The operation completed successfully
5:57 PM: Warning: Failed to open file "C:\WINDOWS\system32\wbem\Logs\wmiprov.log". The operation completed successfully
5:55 PM: ApplicationMinimized - EXIT
5:55 PM: ApplicationMinimized - ENTER
5:51 PM: Starting File Sweep
5:51 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
5:51 PM: c:\documents and settings\trish\cookies\trish@yieldmanager[1].txt (ID = 3749)
5:51 PM: Found Spy Cookie: yieldmanager cookie
5:51 PM: c:\documents and settings\trish\cookies\trish@overture[2].txt (ID = 3105)
5:51 PM: Found Spy Cookie: overture cookie
5:51 PM: c:\documents and settings\trish\cookies\trish@2o7[1].txt (ID = 1957)
5:51 PM: Found Spy Cookie: 2o7.net cookie
5:51 PM: Starting Cookie Sweep
5:51 PM: Registry Sweep Complete, Elapsed Time:00:00:17
5:51 PM: Starting Registry Sweep
5:51 PM: Memory Sweep Complete, Elapsed Time: 00:02:50
5:48 PM: ApplicationMinimized - EXIT
5:48 PM: ApplicationMinimized - ENTER
5:48 PM: Starting Memory Sweep
5:48 PM: Start Full Sweep
5:48 PM: Sweep initiated using definitions version 1371
5:48 PM: License Check Status (0): Success
5:48 PM: Your definitions are up to date.
5:46 PM: ApplicationMinimized - EXIT
5:46 PM: ApplicationMinimized - ENTER
5:46 PM: Deletion from quarantine completed. Elapsed time 00:00:00
5:46 PM: Processing: virtumonde
5:46 PM: Processing: virtumonde
5:46 PM: Processing: virtumonde
5:46 PM: Processing: virtumonde
5:46 PM: Processing: virtumonde
5:46 PM: Processing: virtumonde
5:46 PM: Processing: virtumonde
5:46 PM: Processing: virtumonde
5:46 PM: Processing: virtumonde
5:46 PM: Deletion from quarantine initiated
5:46 PM: File System Shield: found: Adware: virtumonde, version 1.0.0.0
5:46 PM: File System Shield: found: Adware: virtumonde, version 1.0.0.0
5:46 PM: File System Shield: found: Adware: virtumonde, version 1.0.0.0
5:46 PM: File System Shield: found: Adware: virtumonde, version 1.0.0.0
5:46 PM: File System Shield: found: Adware: virtumonde, version 1.0.0.0
5:45 PM: File System Shield: found: Adware: virtumonde, version 1.0.0.0
5:45 PM: File System Shield: found: Adware: virtumonde, version 1.0.0.0
5:45 PM: File System Shield: found: Adware: virtumonde, version 1.0.0.0
5:45 PM: File System Shield: found: Adware: virtumonde, version 1.0.0.0
E-mail Attachment: On
5:45 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
5:45 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
5:45 PM: License Check Status (0): Success
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
5:45 PM: Warning: Unable to secure run key from ambiguous path exploit for HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avast!. Failure: SRegSetDataFailed -1-
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
5:44 PM: IE Hijack Shield: Resetting IE advanced data value.
5:44 PM: IE Hijack Shield: Resetting IE advanced data value.
Tracking Cookies Shield: Off
5:44 PM: Shield States
5:44 PM: Spyware Definitions: 1371
5:44 PM: Webroot Software 6.0.2.39 started
5:44 PM: | Start of Session, Tuesday, January 20, 2009 |
***************
E-mail Attachment: On
4:46 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
4:46 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
4:46 PM: License Check Status (0): Success
4:46 PM: Warning: Unable to secure run key from ambiguous path exploit for HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avast!. Failure: SRegSetDataFailed -1-
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
4:46 PM: IE Hijack Shield: Resetting IE advanced data value.
4:46 PM: IE Hijack Shield: Resetting IE advanced data value.
Tracking Cookies Shield: Off
4:46 PM: Shield States
4:46 PM: Spyware Definitions: 1371
4:45 PM: Webroot Software 6.0.2.39 started
4:45 PM: | Start of Session, Tuesday, January 20, 2009 |
***************
4:43 PM: ApplicationMinimized - EXIT
4:43 PM: ApplicationMinimized - ENTER
4:22 PM: None
4:22 PM: Traces Found: 0
4:22 PM: Full Sweep has completed. Elapsed time 00:09:04
4:22 PM: File Sweep Complete, Elapsed Time: 00:06:32
4:20 PM: ApplicationMinimized - EXIT
4:20 PM: ApplicationMinimized - ENTER
4:16 PM: Starting File Sweep
4:16 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
4:16 PM: Starting Cookie Sweep
4:16 PM: Registry Sweep Complete, Elapsed Time:00:00:15
4:16 PM: Starting Registry Sweep
4:16 PM: Memory Sweep Complete, Elapsed Time: 00:02:10
4:13 PM: Starting Memory Sweep
4:13 PM: Start Full Sweep
4:13 PM: Sweep initiated using definitions version 1371
E-mail Attachment: On
4:13 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
4:13 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
4:13 PM: Warning: Unable to secure run key from ambiguous path exploit for HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avast!. Failure: SRegSetDataFailed -1-
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
4:13 PM: IE Hijack Shield: Resetting IE advanced data value.
4:13 PM: IE Hijack Shield: Resetting IE advanced data value.
Tracking Cookies Shield: Off
4:13 PM: Shield States
4:13 PM: License Check Status (0): Success
4:13 PM: Spyware Definitions: 1371
4:12 PM: Webroot Software 6.0.2.39 started
4:12 PM: | Start of Session, Tuesday, January 20, 2009 |
***************
4:10 PM: ApplicationMinimized - EXIT
4:10 PM: ApplicationMinimized - ENTER
4:09 PM: None
4:09 PM: Traces Found: 0
4:09 PM: Full Sweep has completed. Elapsed time 00:07:45
4:09 PM: File Sweep Complete, Elapsed Time: 00:05:27
4:04 PM: Starting File Sweep
4:04 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
4:04 PM: Starting Cookie Sweep
4:04 PM: Registry Sweep Complete, Elapsed Time:00:00:14
4:04 PM: Starting Registry Sweep
4:04 PM: Memory Sweep Complete, Elapsed Time: 00:02:00
4:02 PM: Starting Memory Sweep
4:02 PM: Start Full Sweep
4:02 PM: Sweep initiated using definitions version 1371
4:01 PM: ApplicationMinimized - EXIT
4:01 PM: ApplicationMinimized - ENTER
4:01 PM: Deletion from quarantine completed. Elapsed time 00:00:00
4:01 PM: Processing: atlas dmt cookie
4:01 PM: Processing: specificclick.com cookie
4:01 PM: Processing: doubleclick cookie
4:01 PM: Processing: advertising cookie
4:01 PM: Processing: trojan-agent-tdss
4:01 PM: Processing: virtumonde
4:01 PM: Processing: virtumonde
4:01 PM: Processing: virtumonde
4:01 PM: Processing: virtumonde
4:01 PM: Processing: virtumonde
4:01 PM: Processing: virtumonde
4:01 PM: Processing: virtumonde
4:01 PM: Processing: virtumonde
4:01 PM: Processing: virtumonde
4:01 PM: Processing: virtumonde
4:01 PM: Deletion from quarantine initiated
4:01 PM: File System Shield: found: Adware: virtumonde, version 1.0.0.0
4:01 PM: File System Shield: found: Adware: virtumonde, version 1.0.0.0
4:01 PM: File System Shield: found: Adware: virtumonde, version 1.0.0.0
4:01 PM: File System Shield: found: Adware: virtumonde, version 1.0.0.0
4:01 PM: File System Shield: found: Adware: virtumonde, version 1.0.0.0
4:01 PM: File System Shield: found: Adware: virtumonde, version 1.0.0.0
4:01 PM: File System Shield: found: Adware: virtumonde, version 1.0.0.0
4:01 PM: File System Shield: found: Adware: virtumonde, version 1.0.0.0
4:01 PM: File System Shield: found: Adware: virtumonde, version 1.0.0.0
4:01 PM: File System Shield: found: Adware: virtumonde, version 1.0.0.0
4:00 PM: ApplicationMinimized - EXIT
4:00 PM: ApplicationMinimized - ENTER
3:35 PM: None
3:35 PM: Traces Found: 0
3:35 PM: Full Sweep has completed. Elapsed time 00:07:43
3:35 PM: File Sweep Complete, Elapsed Time: 00:05:24
3:30 PM: Starting File Sweep
3:30 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
3:30 PM: Starting Cookie Sweep
3:30 PM: Registry Sweep Complete, Elapsed Time:00:00:14
3:29 PM: Starting Registry Sweep
3:29 PM: Memory Sweep Complete, Elapsed Time: 00:02:00
3:27 PM: Starting Memory Sweep
3:27 PM: Start Full Sweep
3:27 PM: Sweep initiated using definitions version 1371
3:27 PM: Removal process completed. Elapsed time 00:00:02
3:27 PM: Quarantining All Traces: specificclick.com cookie
3:27 PM: Quarantining All Traces: doubleclick cookie
3:27 PM: Quarantining All Traces: atlas dmt cookie
3:27 PM: Quarantining All Traces: advertising cookie
3:27 PM: Removal process initiated
3:09 PM: Traces Found: 4
3:09 PM: Full Sweep has completed. Elapsed time 00:08:27
3:09 PM: File Sweep Complete, Elapsed Time: 00:06:01
3:02 PM: Starting File Sweep
3:02 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
3:02 PM: c:\documents and settings\trish\cookies\trish@specificclick[1].txt (ID = 3399)
3:02 PM: Found Spy Cookie: specificclick.com cookie
3:02 PM: c:\documents and settings\trish\cookies\trish@doubleclick[1].txt (ID = 17499)
3:02 PM: Found Spy Cookie: doubleclick cookie
3:02 PM: c:\documents and settings\trish\cookies\trish@atdmt[2].txt (ID = 2253)
3:02 PM: Found Spy Cookie: atlas dmt cookie
3:02 PM: c:\documents and settings\trish\cookies\trish@advertising[2].txt (ID = 2175)
3:02 PM: Found Spy Cookie: advertising cookie
3:02 PM: Starting Cookie Sweep
3:02 PM: Registry Sweep Complete, Elapsed Time:00:00:15
3:02 PM: Starting Registry Sweep
3:02 PM: Memory Sweep Complete, Elapsed Time: 00:02:05
3:00 PM: Starting Memory Sweep
3:00 PM: Start Full Sweep
3:00 PM: Sweep initiated using definitions version 1371
E-mail Attachment: On
3:00 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
3:00 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
3:00 PM: Warning: Unable to secure run key from ambiguous path exploit for HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avast!. Failure: SRegSetDataFailed -1-
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
3:00 PM: IE Hijack Shield: Resetting IE advanced data value.
3:00 PM: IE Hijack Shield: Resetting IE advanced data value.
Tracking Cookies Shield: Off
3:00 PM: Shield States
3:00 PM: License Check Status (0): Success
3:00 PM: Spyware Definitions: 1371
2:59 PM: Webroot Software 6.0.2.39 started
2:59 PM: | Start of Session, Tuesday, January 20, 2009 |
***************
2:58 PM: ApplicationMinimized - EXIT
2:58 PM: ApplicationMinimized - ENTER
2:57 PM: Your definitions are up to date.
2:57 PM: License Check Status (0): Success
2:53 PM: Your security definitions have been updated.
2:52 PM: License Check Status (0): Success
2:52 PM: Automated check for program update in progress.
E-mail Attachment: On
2:52 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
2:52 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
2:52 PM: Warning: Unable to secure run key from ambiguous path exploit for HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avast!. Failure: SRegSetDataFailed -1-
2:52 PM: License Check Status (0): Success
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
2:52 PM: IE Hijack Shield: Resetting IE advanced data value.
2:52 PM: IE Hijack Shield: Resetting IE advanced data value.
Tracking Cookies Shield: Off
2:52 PM: Shield States
2:52 PM: Spyware Definitions: 1369
2:51 PM: Webroot Software 6.0.2.39 started
2:51 PM: | Start of Session, Tuesday, January 20, 2009 |
***************
E-mail Attachment: On
12:52 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
12:52 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
12:52 PM: License Check Status (0): Success
Startup Shield: On
12:52 PM: Warning: Unable to secure run key from ambiguous path exploit for HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avast!. Failure: SRegSetDataFailed -1-
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
12:52 PM: IE Hijack Shield: Resetting IE advanced data value.
12:52 PM: IE Hijack Shield: Resetting IE advanced data value.
Tracking Cookies Shield: Off
12:52 PM: Shield States
12:52 PM: Spyware Definitions: 1369
12:51 PM: Webroot Software 6.0.2.39 started
12:51 PM: | Start of Session, Tuesday, January 20, 2009 |
***************
E-mail Attachment: On
12:43 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
12:43 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
12:43 PM: Warning: Unable to secure run key from ambiguous path exploit for HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avast!. Failure: SRegSetDataFailed -1-
Common Ad Sites: On
Hosts File Shield: On
12:43 PM: License Check Status (0): Success
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
12:42 PM: IE Hijack Shield: Resetting IE advanced data value.
12:42 PM: IE Hijack Shield: Resetting IE advanced data value.
12:42 PM: IE Hijack Shield: Resetting IE advanced data value.
12:42 PM: IE Hijack Shield: Resetting IE advanced data value.
12:42 PM: IE Hijack Shield: Resetting Search Page value.
12:42 PM: IE Hijack Shield: Resetting IE advanced data value.
Tracking Cookies Shield: Off
12:42 PM: Shield States
12:42 PM: Spyware Definitions: 1369
12:42 PM: Webroot Software 6.0.2.39 started
12:42 PM: | Start of Session, Tuesday, January 20, 2009 |
***************
E-mail Attachment: On
00:07: Informational: ShieldEmail: Start monitoring port 25 for mail activities
00:07: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
00:07: Warning: Unable to secure run key from ambiguous path exploit for HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avast!. Failure: SRegSetDataFailed -1-
00:07: License Check Status (0): Success
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
00:06: IE Hijack Shield: Resetting IE advanced data value.
00:06: IE Hijack Shield: Resetting IE advanced data value.
00:06: IE Hijack Shield: Resetting IE advanced data value.
00:06: IE Hijack Shield: Resetting IE advanced data value.
00:06: IE Hijack Shield: Resetting Search Page value.
00:06: IE Hijack Shield: Resetting IE advanced data value.
Tracking Cookies Shield: Off
00:06: Shield States
00:06: Spyware Definitions: 1369
00:06: Webroot Software 6.0.2.39 started
00:06: | Start of Session, 2009-01-20 |
***************
11:53 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
11:45 PM: ApplicationMinimized - EXIT
11:45 PM: ApplicationMinimized - ENTER
11:45 PM: Deletion from quarantine completed. Elapsed time 00:00:00
11:45 PM: Processing: trojan-agent-tdss
11:45 PM: Deletion from quarantine initiated
11:45 PM: Deletion from quarantine completed. Elapsed time 00:00:00
11:45 PM: Processing: trojan-agent-tdss
11:45 PM: Deletion from quarantine initiated
11:45 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
11:45 PM: Deletion from quarantine completed. Elapsed time 00:00:00
11:45 PM: Processing: trojan-agent-tdss
11:45 PM: Deletion from quarantine initiated
11:45 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
11:44 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
11:44 PM: ApplicationMinimized - EXIT
11:44 PM: ApplicationMinimized - ENTER
11:44 PM: Deletion from quarantine completed. Elapsed time 00:00:00
11:44 PM: Processing: trojan-agent-tdss
11:44 PM: Deletion from quarantine initiated
11:44 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
11:43 PM: ApplicationMinimized - EXIT
11:43 PM: ApplicationMinimized - ENTER
11:43 PM: Deletion from quarantine completed. Elapsed time 00:00:00
11:43 PM: Processing: trojan-agent-tdss
11:43 PM: Processing: trojan-agent-tdss
11:43 PM: Processing: trojan-agent-tdss
11:43 PM: Processing: trojan-agent-tdss
11:43 PM: Deletion from quarantine initiated
11:43 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
11:42 PM: ApplicationMinimized - EXIT
11:42 PM: ApplicationMinimized - ENTER
11:42 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
11:42 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
11:27 PM: ApplicationMinimized - EXIT
11:27 PM: ApplicationMinimized - ENTER
11:26 PM: IE Favorites Shield: Entry Allowed: https://ieonline.mic...ft.com/#ieslice
E-mail Attachment: On
11:25 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
11:25 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
11:25 PM: License Check Status (0): Success
Startup Shield: On
11:25 PM: Warning: Unable to secure run key from ambiguous path exploit for HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avast!. Failure: SRegSetDataFailed -1-
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
11:24 PM: IE Hijack Shield: Resetting IE advanced data value.
Tracking Cookies Shield: Off
11:24 PM: Shield States
11:24 PM: Spyware Definitions: 1369
11:23 PM: Webroot Software 6.0.2.39 started
11:23 PM: | Start of Session, Monday, January 19, 2009 |
***************
11:12 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
11:11 PM: ApplicationMinimized - EXIT
11:11 PM: ApplicationMinimized - ENTER
11:11 PM: Deletion from quarantine completed. Elapsed time 00:00:00
11:11 PM: Processing: trojan-agent-tdss
11:11 PM: Deletion from quarantine initiated
11:11 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
11:11 PM: Deletion from quarantine completed. Elapsed time 00:00:00
11:11 PM: Processing: trojan-agent-tdss
11:11 PM: Processing: trojan-agent-tdss
11:11 PM: Processing: trojan-agent-tdss
11:11 PM: Deletion from quarantine initiated
11:11 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
11:08 PM: ApplicationMinimized - EXIT
11:08 PM: ApplicationMinimized - ENTER
11:08 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
11:07 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
10:39 PM: ApplicationMinimized - EXIT
10:39 PM: ApplicationMinimized - ENTER
10:39 PM: None
10:39 PM: Traces Found: 0
10:39 PM: Full Sweep has completed. Elapsed time 00:18:14
10:39 PM: File Sweep Complete, Elapsed Time: 00:15:30
10:39 PM: ApplicationMinimized - EXIT
10:39 PM: ApplicationMinimized - ENTER
10:34 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\IKKP9S3J\background_gradient[2]". The operation completed successfully
10:34 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\0DJ8W540\search[10].htm". The operation completed successfully
10:34 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\IKKP9S3J\comments[1].png". The operation completed successfully
10:34 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\0DJ8W540\go_bg[1].gif". The operation completed successfully
10:34 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\2DPSEMUZ\tv_icon[1].gif". The operation completed successfully
10:34 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\T30WVUXW\baynote-observer[1].js". The operation completed successfully
10:34 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\IKKP9S3J\873100993[1].js". The operation completed successfully
10:34 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\T30WVUXW\pcx[1].js". The operation completed successfully
10:34 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\0DJ8W540\search[8].htm". The operation completed successfully
10:34 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\2DPSEMUZ\pcx[1].js". The operation completed successfully
10:34 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\2DPSEMUZ\search[2].htm". The operation completed successfully
10:34 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\T30WVUXW\search[1].htm". The operation completed successfully
10:34 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\IKKP9S3J\search[7].htm". The operation completed successfully
10:34 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\0DJ8W540\search[6].htm". The operation completed successfully
10:34 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\IKKP9S3J\search[6].htm". The operation completed successfully
10:34 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\0DJ8W540\search[4].htm". The operation completed successfully
10:34 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\IKKP9S3J\search[4].htm". The operation completed successfully
10:34 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\0DJ8W540\settings[1].js". The operation completed successfully
10:34 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\0DJ8W540\search[3].htm". The operation completed successfully
10:34 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\IKKP9S3J\search[3].htm". The operation completed successfully
10:34 PM: Warning: Failed to open file "C:\Documents and Settings\Trish\Local Settings\Temporary Internet Files\Content.IE5\IKKP9S3J\search[1].htm". The operation completed successfully
10:23 PM: Starting File Sweep
10:23 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:23 PM: Starting Cookie Sweep
10:23 PM: Registry Sweep Complete, Elapsed Time:00:00:20
10:23 PM: Starting Registry Sweep
10:23 PM: Memory Sweep Complete, Elapsed Time: 00:02:18
10:21 PM: ApplicationMinimized - EXIT
10:21 PM: ApplicationMinimized - ENTER
10:21 PM: Starting Memory Sweep
10:21 PM: Start Full Sweep
10:21 PM: Sweep initiated using definitions version 1369
9:53 PM: ApplicationMinimized - EXIT
9:53 PM: ApplicationMinimized - ENTER
9:53 PM: None
9:53 PM: Traces Found: 0
9:53 PM: Context File Sweep has completed. Elapsed time 00:00:00
9:53 PM: File Sweep Complete, Elapsed Time: 00:00:00
9:53 PM: Starting File Sweep
9:53 PM: Start Context File Sweep
9:53 PM: Sweep initiated using definitions version 1369
9:53 PM: ApplicationMinimized - EXIT
9:53 PM: ApplicationMinimized - ENTER
9:53 PM: None
9:53 PM: Traces Found: 0
9:53 PM: Context File Sweep has completed. Elapsed time 00:00:00
9:53 PM: File Sweep Complete, Elapsed Time: 00:00:00
9:53 PM: Starting File Sweep
9:53 PM: Start Context File Sweep
9:53 PM: Sweep initiated using definitions version 1369
9:52 PM: ApplicationMinimized - EXIT
9:52 PM: ApplicationMinimized - ENTER
9:47 PM: ApplicationMinimized - EXIT
9:47 PM: ApplicationMinimized - ENTER
9:46 PM: ApplicationMinimized - EXIT
9:46 PM: ApplicationMinimized - ENTER
9:46 PM: Deletion from quarantine completed. Elapsed time 00:00:00
9:46 PM: Processing: trojan-agent-tdss
9:46 PM: Processing: trojan-agent-tdss
9:46 PM: Deletion from quarantine initiated
E-mail Attachment: On
9:46 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
9:46 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
9:46 PM: Warning: Unable to secure run key from ambiguous path exploit for HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avast!. Failure: SRegSetDataFailed -1-
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
9:46 PM: IE Hijack Shield: Resetting IE advanced data value.
9:46 PM: IE Hijack Shield: Resetting IE advanced data value.
9:46 PM: IE Hijack Shield: Resetting IE advanced data value.
9:46 PM: IE Hijack Shield: Resetting Home Page value.
9:46 PM: IE Hijack Shield: Resetting IE advanced data value.
9:46 PM: IE Hijack Shield: Resetting IE advanced data value.
Tracking Cookies Shield: Off
9:46 PM: Shield States
9:46 PM: License Check Status (0): Success
9:46 PM: Spyware Definitions: 1369
9:44 PM: Webroot Software 6.0.2.39 started
9:44 PM: | Start of Session, Monday, January 19, 2009 |
***************
9:35 PM: ApplicationMinimized - EXIT
9:35 PM: ApplicationMinimized - ENTER
9:35 PM: IE Security Shield: found: C:\Program Files\Internet Explorer\iexplore.exe -- IE Security modification allowed at user request
9:34 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
9:34 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
9:05 PM: ApplicationMinimized - EXIT
9:05 PM: ApplicationMinimized - ENTER
9:04 PM: Deletion from quarantine completed. Elapsed time 00:00:00
9:04 PM: Processing: trojan-agent-tdss
9:04 PM: Processing: trojan-agent-tdss
9:04 PM: Processing: trojan-agent-tdss
9:04 PM: Processing: trojan-agent-tdss
9:04 PM: Processing: trojan-agent-tdss
9:04 PM: Processing: trojan-agent-tdss
9:04 PM: Deletion from quarantine initiated
9:04 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
9:04 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
8:55 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
8:55 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
7:23 PM: Warning: ShieldEmail: S2C Buffer is full
7:22 PM: License Check Status (0): Success
E-mail Attachment: On
7:22 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
7:22 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
7:22 PM: Warning: Unable to secure run key from ambiguous path exploit for HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avast!. Failure: SRegSetDataFailed -1-
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
Tracking Cookies Shield: Off
7:22 PM: Shield States
7:22 PM: Spyware Definitions: 1369
7:21 PM: Webroot Software 6.0.2.39 started
7:21 PM: | Start of Session, Monday, January 19, 2009 |
***************
5:08 PM: ApplicationMinimized - EXIT
5:08 PM: ApplicationMinimized - ENTER
5:08 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
5:07 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
4:20 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
4:20 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
E-mail Attachment: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
4:20 PM: License Check Status (0): Success
4:20 PM: Warning: Unable to secure run key from ambiguous path exploit for HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avast!. Failure: SRegSetDataFailed -1-
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
Tracking Cookies Shield: Off
4:19 PM: Shield States
4:19 PM: Spyware Definitions: 1369
4:19 PM: Webroot Software 6.0.2.39 started
4:19 PM: | Start of Session, Monday, January 19, 2009 |
***************
1:31 PM: ApplicationMinimized - EXIT
1:31 PM: ApplicationMinimized - ENTER
1:31 PM: License Check Status (0): Success
1:31 PM: Your definitions are up to date.
1:20 PM: IE Favorites Shield: Entry Allowed: http://forum.piriform.com/
1:20 PM: IE Favorites Shield: Entry Allowed: http://forum.piriform.com/
1:15 PM: ApplicationMinimized - EXIT
1:15 PM: ApplicationMinimized - ENTER
1:15 PM: Deletion from quarantine completed. Elapsed time 00:00:00
1:15 PM: Processing: trojan-agent-tdss
1:15 PM: Processing: trojan-agent-tdss
1:15 PM: Processing: trojan-agent-tdss
1:15 PM: Processing: trojan-agent-tdss
1:15 PM: Deletion from quarantine initiated
12:58 PM: ApplicationMinimized - EXIT
12:58 PM: ApplicationMinimized - ENTER
12:58 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
E-mail Attachment: On
10:49 AM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
10:49 AM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
10:49 AM: Warning: Unable to secure run key from ambiguous path exploit for HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avast!. Failure: SRegSetDataFailed -1-
10:49 AM: License Check Status (0): Success
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
Tracking Cookies Shield: Off
10:49 AM: Shield States
10:49 AM: Spyware Definitions: 1369
10:49 AM: Webroot Software 6.0.2.39 started
10:49 AM: | Start of Session, Monday, January 19, 2009 |
***************
10:44 AM: ApplicationMinimized - EXIT
10:44 AM: ApplicationMinimized - ENTER
10:44 AM: IE Favorites Shield: Entry Allowed: http://www.accuweather.com/enhanced-radar....athertraveler=0
10:44 AM: IE Favorites Shield: Entry Allowed: http://www.accuweather.com/maps-satellite....p;anim=1large=1
10:44 AM: IE Favorites Shield: Entry Allowed: http://www.accuweather.com/maps-satellite....p;anim=1large=1
10:43 AM: IE Favorites Shield: Entry Allowed: http://www.accuweather.com/maps-satellite....p;anim=1large=1
10:43 AM: IE Favorites Shield: Entry Allowed: http://www.accuweather.com/maps-satellite....p;anim=1large=1
E-mail Attachment: On
10:39 AM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
10:39 AM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
10:39 AM: License Check Status (0): Success
10:39 AM: Warning: Unable to secure run key from ambiguous path exploit for HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avast!. Failure: SRegSetDataFailed -1-
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
Tracking Cookies Shield: Off
10:39 AM: Shield States
10:39 AM: Spyware Definitions: 1369
10:38 AM: Webroot Software 6.0.2.39 started
10:38 AM: | Start of Session, Monday, January 19, 2009 |
***************
12:05 AM: IE Favorites Shield: Entry Allowed: http://internetrotsy...wareremoval.htm
12:05 AM: IE Favorites Shield: Entry Allowed: http://internetrotsy...wareremoval.htm
11:46 PM: ApplicationMinimized - EXIT
11:46 PM: ApplicationMinimized - ENTER
11:46 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
11:46 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
11:45 PM: ApplicationMinimized - EXIT
11:45 PM: ApplicationMinimized - ENTER
11:45 PM: IE Favorites Shield: Entry Allowed: http://www.nhc.noaa.gov/index.shtml
E-mail Attachment: On
11:19 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
11:19 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
11:19 PM: License Check Status (0): Success
11:19 PM: Warning: Unable to secure run key from ambiguous path exploit for HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avast!. Failure: SRegSetDataFailed -1-
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
Tracking Cookies Shield: Off
11:19 PM: Shield States
11:19 PM: Spyware Definitions: 1369
11:18 PM: Webroot Software 6.0.2.39 started
11:18 PM: | Start of Session, Sunday, January 18, 2009 |
***************
E-mail Attachment: On
11:14 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
11:14 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
11:14 PM: License Check Status (0): Success
11:14 PM: Warning: Unable to secure run key from ambiguous path exploit for HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avast!. Failure: SRegSetDataFailed -1-
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
Tracking Cookies Shield: Off
11:14 PM: Shield States
11:14 PM: Spyware Definitions: 1369
11:13 PM: Webroot Software 6.0.2.39 started
11:13 PM: | Start of Session, Sunday, January 18, 2009 |
***************
10:16 PM: ApplicationMinimized - EXIT
10:16 PM: ApplicationMinimized - ENTER
9:18 PM: ApplicationMinimized - EXIT
9:18 PM: ApplicationMinimized - ENTER
9:18 PM: License Check Status (0): Success
9:18 PM: Your definitions are up to date.
8:38 PM: Your definitions are up to date.
8:38 PM: License Check Status (0): Success
8:38 PM: Automated check for program update in progress.
E-mail Attachment: On
7:58 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
7:58 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
7:58 PM: License Check Status (0): Success
7:58 PM: Warning: Unable to secure run key from ambiguous path exploit for HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avast!. Failure: SRegSetDataFailed -1-
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
Tracking Cookies Shield: Off
7:58 PM: Shield States
7:58 PM: Spyware Definitions: 1369
7:56 PM: Webroot Software 6.0.2.39 started
7:56 PM: | Start of Session, Sunday, January 18, 2009 |
***************
E-mail Attachment: On
7:52 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
7:52 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
7:52 PM: Warning: Unable to secure run key from ambiguous path exploit for HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avast!. Failure: SRegSetDataFailed -1-
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
Tracking Cookies Shield: Off
7:51 PM: Shield States
7:51 PM: License Check Status (0): Success
7:51 PM: Spyware Definitions: 1369
7:51 PM: Webroot Software 6.0.2.39 started
7:51 PM: | Start of Session, Sunday, January 18, 2009 |
***************
7:38 PM: ApplicationMinimized - EXIT
7:38 PM: ApplicationMinimized - ENTER
7:38 PM: File System Shield: found: Trojan Horse: trojan-agent-tdss, version 1.0.0.0
7:37 PM: Your definitions are up to date.
7:37 PM: License Check Status (0): Success
7:37 PM: Automated check for program update in progress.
6:36 PM: Your definitions are up to date.
6:36 PM: License Check Status (0): Success
6:36 PM: Automated check for program update in progress.
5:36 PM: Your definitions are up to date.
5:36 PM: License Check Status (0): Success
5:36 PM: Automated check for program update in progress.
4:35 PM: Your definitions are up to date.
4:35 PM: License Check Status (0): Success
4:35 PM: Automated check for program update in progress.
3:34 PM: Your definitions are up to date.
3:34 PM: License Check Status (0): Success
3:34 PM: Automated check for program update in progress.
2:39 PM: IE Favorites Shield: Entry Allowed: http://storyreader.com/cgi-bin/showHome.cg...TEID=1ITEM=HOME
2:39 PM: IE Favorites Shield: Entry Allowed: http://storyreader.com/cgi-bin/showHome.cg...TEID=1ITEM=HOME
2:38 PM: IE Favorites Shield: Entry Allowed: http://storyreader.com/cgi-bin/showHome.cg...TEID=1ITEM=HOME
2:38 PM: IE Favorites Shield: Entry Allowed: http://storyreader.com/cgi-bin/showHome.cg...TEID=1ITEM=HOME
2:34 PM: Your definitions are up to date.
2:34 PM: License Check Status (0): Success
2:34 PM: Automated check for program update in progress.
E-mail Attachment: On
2:34 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
2:34 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
2:34 PM: License Check Status (0): Success
2:34 PM: Warning: Unable to secure run key from ambiguous path exploit for HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avast!. Failure: SRegSetDataFailed -1-
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
Tracking Cookies Shield: Off
2:34 PM: Shield States
2:34 PM: Spyware Definitions: 1369
2:32 PM: Webroot Software 6.0.2.39 started
2:32 PM: | Start of Session, Sunday, January 18, 2009 |
***************

[Umom]

Hey it's me,

I was losing control of my mouse. Out of sheer panic I tried some other scans. PCtools Spyware doctor pulled out alot of stuff. I could not copy and paste but if you want to see the registry keys and values of what was detected I will post it here. The TROJAN-AGENT-TDSS and VIRTUMONDE were not on the list. It got Rogue_AntiSpyware_LLC, Application.NirCmd, ADWARE.ClientMan. Maybe it's gone?!!? (I probably just cursed my computer)

[Umom]

It's not gone. Yikes!! Yep, I'm in need of some serious help here

[Rorschach112]

how is your pc running

[Umom]

Slow in general. Starts up fine, Outlook seems ok, file sarching I get the little flashlight(bad), explorer is scary. It gets bogged down. My pc ran great that BAM. There is still somethingthat didn't get rooted out. Is there anything else to try?

[Umom]

These file came up in the last scan.

Threat Name - Adware.Maxifiles
Details - Spyware Doctor has blocked an application attempting to read from a file.
Risk Level - High
Infection - C:\DOCUMENTS AND SETTINGS\TRISH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\A263SX2X\ZZZZZ.ZZZ


/22/2009 11:28:23 AM:234 IntelliGuard: System Event Blocked
Threat Name - Adware.Maxifiles
Details - Spyware Doctor has blocked an application attempting to read from a file.
Risk Level - High
Infection - C:\DOCUMENTS AND SETTINGS\TRISH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\A263SX2X\ZZZZZZZZZZZZZZZZZZZZ.ZZZ

[Rorschach112]

Your logs are clean

You have two anti-virus programs running, Avast and Avira, you need to remove one of them


Post a new HJT log and tell me which one you removed

[Umom]

I did not see Avira antivirus in my program files. Here is my log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:52:34 PM, on 1/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\Bin\HPOstr05.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\bin\HPOVDX05.EXE
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Download Manager Browser Helper Object - {19C8E43B-07B3-49CB-BFFC-6777B593E6F8} - C:\PROGRA~1\COMMON~1\fluxDVD\DOWNLO~1\XEBDLH~1.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [avast!] "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [hpqSRMon] "C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP OfficeJet Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\Bin\HPOstr05.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish...fishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1168053853437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1167688362421
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} (CUpdateCtl Object) - http://update.hpphot.../HPSWUpdate.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CinemaNow Service - CinemaNow, Inc. - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7086 bytes

[Rorschach112]

your logs are clean

Follow these steps to uninstall Combofix and tools used in the removal of malware

• Click START then RUN
  
• Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  

Download ToolsCleaner2 to your desktop and run it ( by de A.Rothstein & Dj Quiou )

• Click the Pt. Restauration button and press OK to the prompts.
  
• Click the Corbeille button and press OK to the prompt.
  
• Click the Fichiers temp button and press OK to the prompt.
  
• Click the Recherche button and let it run ( it may look like it freezes but let it continue )
  
• Once it is done click the Suppression button and let it remove anything it finds.
  
• Close the program

Your using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
http://www.adobe.com.../readstep2.html



Please download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  
• Accept any prompts.
  
• Open JavaRa.exe again and select Search For Updates.
  
• Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Below I have included a number of recommendations for how to protect your computer against malware infections.

• Keep Windows updated by regularly checking their website at :
  http://windowsupdate.microsoft.com/
  This will ensure your computer has always the latest security updates available installed on your computer.
  
  
  
• SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.
  
  
  
• SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.
  
  
  
• Make Internet Explorer more secure
  
  • Click Start > Run
    
  • Type Inetcpl.cpl & click OK
    
  • Click on the Security tab
    
  • Click Reset all zones to default level
    
  • Make sure the Internet Zone is selected & Click Custom level
    
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  
  
• ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  
  
  
• MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
  
  
  
• Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
  secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
  blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
  Here
  
  
  If you choose to use Firefox, I highly recommend these add-ons to keep your PC even more secure.
  
  • NoScript - for blocking ads and other potential website attacks
    
  • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling
  
  
  
• Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
  Here
  
  
  
• Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  
  
  
• ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  
  
  
• Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
  
  
  
• Please read my guide on how to prevent malware and about safe computing here

Thank you for your patience, and performing all of the procedures requested.