# Cannot access Windows Update page / Google redirects



## PeterDy

Hi!
This weekend I got some trojans/viruses that were redirecting my Google search results. I can surf the internet without problems, but cannot access the Windows update page. Malwarebytes, TrojanRemover, and Spybot found and removed some items, but a few hours later they would find them again. I just did a Malwarebytes and TrojanRemover scan and the results were clean. But, as I said, I still cannot access Windows Update and my Google results still redirect. 

Also, starting Monday, a Hitman scan said that "a proxy server was running on this computer." It said that again today--it said IE had the proxy server of 270.0.0.1:5555 on it. I have no idea what that means.

Please help! I would appreciate it greatly!!

PS: I just tried to submit this several times on my infected computer, and it didn't work! So I'm submitting this now from my laptop.

DDS (Ver_10-03-17.01) - NTFSx86 
Run by Peter Dy at 12:29:25.87 on Wed 04/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.446 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Peter Dy\Desktop\FixTrojan\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cnn.com/
uDefault_Page_URL = hxxp://www.dellnet.com
uDefault_Search_URL = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: bho2gr Class: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D593DE91-7B41-45C2-830E-E9A99AB142AA} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [nwiz] nwiz.exe /install
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: Download with Go!Zilla - file://c:\program files\bp go!zilla v4.1\download-with-gozilla.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173647583693
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.028125
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {923e52b5-7007-47e0-85f4-78a19ac94b84} - No File
STS: {8c5a69b1-3f23-4213-8750-a7b34fc883b0} - No File
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli
Hosts: 127.0.0.1	www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\peterd~1\applic~1\mozilla\firefox\profiles\0n6t0mgo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - HiddenExtension: XUL Cache: {D7204BFC-986B-4A6A-8D4E-A2471B9F35C1} - c:\documents and settings\peter dy\local settings\application data\{D7204BFC-986B-4A6A-8D4E-A2471B9F35C1}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-6 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-6 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-6 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-6 308064]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

=============== Created Last 30 ================

2010-04-07 02:20:14	12464	----a-w-	c:\windows\system32\avgrsstx.dll
2010-04-07 02:20:10	242696	----a-w-	c:\windows\system32\drivers\avgtdix.sys
2010-04-07 02:20:01	216200	----a-w-	c:\windows\system32\drivers\avgldx86.sys
2010-04-07 02:19:39	0	d-----w-	c:\windows\system32\drivers\Avg
2010-04-07 02:00:36	0	d-----w-	c:\windows\system32\CatRoot2
2010-04-06 20:27:13	77312	----a-w-	c:\windows\system32\ztvunace26.dll
2010-04-06 20:27:13	75264	----a-w-	c:\windows\system32\unacev2.dll
2010-04-06 20:27:13	69632	----a-w-	c:\windows\system32\ztvcabinet.dll
2010-04-06 20:27:13	162304	----a-w-	c:\windows\system32\ztvunrar36.dll
2010-04-06 20:27:13	153088	----a-w-	c:\windows\system32\UNRAR3.dll
2010-04-06 20:27:11	0	d-----w-	c:\program files\Trojan Remover
2010-04-06 20:27:11	0	d-----w-	c:\docume~1\peterd~1\applic~1\Simply Super Software
2010-04-06 20:27:11	0	d-----w-	c:\docume~1\alluse~1\applic~1\Simply Super Software
2010-04-06 19:29:01	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-06 19:28:57	20824	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-04-06 16:32:49	0	d-----w-	c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-06 16:32:30	0	d-----w-	c:\program files\SUPERAntiSpyware
2010-04-06 16:32:30	0	d-----w-	c:\docume~1\peterd~1\applic~1\SUPERAntiSpyware.com
2010-04-06 01:29:54	0	d-----w-	C:\VundoFix Backups
2010-03-15 00:12:32	834	----a-w-	c:\windows\system32\.crusader
2010-03-15 00:00:22	15944	----a-w-	c:\windows\system32\drivers\hitmanpro35.sys
2010-03-15 00:00:11	0	d-----w-	c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-03-14 23:59:29	0	d-----w-	c:\program files\Hitman Pro 3.5
2010-03-11 01:33:26	3558912	-c----w-	c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-04-04 17:21:04	96512	----a-w-	c:\windows\system32\drivers\atapi.sys
2010-02-25 06:24:37	916480	----a-w-	c:\windows\system32\wininet.dll
2010-01-28 07:29:15	74452	---ha-w-	c:\windows\system32\mlfcache.dat
2006-05-03 09:06:54	163328	--sh--r-	c:\windows\system32\flvDX.dll
2008-02-20 02:55:22	10856	--sha-w-	c:\windows\system32\KGyGaAvL.sys
2007-02-21 10:47:16	31232	--sh--r-	c:\windows\system32\msfDX.dll

============= FINISH: 12:32:03.00 ===============


----------
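The DDS "Pseudo HJT Report" above is what a helper reads first: the `Hosts:` redirect, any `Internet Settings,ProxyServer` value, `No File` toolbar/band registrations and a Firefox `HiddenExtension` living under the user profile are the lines that explain the symptoms in the opening post. The following Python triage script is an added example, not part of the thread and not a DDS or TSF tool. It runs a few defender-side checks over constructed sample lines modelled on the report above; the `ProxyServer` line format and its loopback value are assumptions (DDS is assumed to print a manual IE proxy that way), and the hostname hints are a small illustrative list.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the DDS "Pseudo HJT Report" lines in the thread
# above. The ProxyServer line is an assumption about the DDS output format
# (assumed to be printed as "uInternet Settings,ProxyServer = host:port" when IE
# has a manual proxy configured); its loopback value is a placeholder.
SAMPLE_HJT = """\
uStart Page = hxxp://www.cnn.com/
uInternet Settings,ProxyServer = 127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\\program files\\avg\\avg9\\avgssie.dll
TB: {D593DE91-7B41-45C2-830E-E9A99AB142AA} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Hosts: 127.0.0.1\twww.spywareinfo.com
Hosts: 127.0.0.1\tlocalhost
FF - HiddenExtension: XUL Cache: {D7204BFC-986B-4A6A-8D4E-A2471B9F35C1} - c:\\documents and settings\\someuser\\local settings\\application data\\{D7204BFC-986B-4A6A-8D4E-A2471B9F35C1}
FF - HiddenExtension: Java Console: No Registry Reference - c:\\program files\\mozilla firefox\\extensions\\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
"""

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Illustrative hints for update/security sites; a hosts entry that sends one of
# these to loopback blocks updates or cleanup tools, which matches the
# "cannot reach Windows Update" symptom in the thread.
PROTECTED_HOST_HINTS = (
    "windowsupdate", "update.microsoft.com", "spywareinfo.com",
    "malwarebytes", "bleepingcomputer", "avg.com",
)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Scan DDS/HJT-style lines and return findings in line order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # 1. hosts-file redirects: anything but localhost mapped to loopback.
        m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", line)
        if m:
            ip, host = m.groups()
            if ip in LOOPBACK and host.lower() != "localhost":
                hit = any(h in host.lower() for h in PROTECTED_HOST_HINTS)
                findings.append({
                    "severity": "high" if hit else "medium",
                    "rule": "hosts-redirect",
                    "detail": f"{host} -> {ip}",
                    "line": line,
                })
            continue

        # 2. a manual IE proxy; a loopback proxy is the classic traffic-hijack setup.
        m = re.match(r"[umd]Internet Settings,ProxyServer\s*=\s*(\S+)", line)
        if m:
            findings.append({"severity": "high", "rule": "ie-proxy-set",
                             "detail": m.group(1), "line": line})
            continue

        # 3. toolbar/band/BHO registrations whose file is gone: leftovers to clean.
        if line.endswith("- No File"):
            findings.append({"severity": "low", "rule": "orphaned-registration",
                             "detail": line.split(":")[0], "line": line})
            continue

        # 4. hidden Firefox extensions installed from a GUID folder inside the
        #    user profile rather than under Program Files.
        m = re.match(r"FF - HiddenExtension: (.+?) - (.+)$", line)
        if m:
            name, path = m.groups()
            in_profile = "\\application data\\" in path.lower()
            guid_dir = re.search(r"\{[0-9a-f-]{36}\}$", path, re.I)
            if in_profile and guid_dir:
                findings.append({"severity": "medium",
                                 "rule": "hidden-ff-extension-in-profile",
                                 "detail": name, "line": line})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per severity so a helper sees the worst items first."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_HJT)
    for f in results:
        print(f"[{f['severity']:6}] {f['rule']:32} {f['detail']}")
    print(summarize(results))
```

Each check is deliberately conservative: the AVG BHO and the Java Console extension in the sample pass untouched, while the loopback proxy and the redirect of a security site are what a reviewer would ask to have removed first.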



## AdvancedSetup

Hello, and welcome to TSF.

I am currently reviewing your log. I will be back with a fix for your problem as soon as possible.

Please *subscribe to this thread* to get immediate notification of replies as soon as they are posted. To do this click *Thread Tools*, then click *Subscribe to this Thread*. Make sure it is set to *Instant Notification*, then click *Subscribe*.

Please be patient with me during this time.


----------



## AdvancedSetup

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------




Download ComboFix from below:

*Combofix download*

*IMPORTANT !!! Place combofix.exe on your Desktop*

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


You can get help on disabling your protection programs *here*

Double click on combofix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

*The Recovery Console was successfully installed.*

Click on Yes, to continue scanning for malware.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Post that log in your next reply.

*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.*

---------------------------------------------------------------------------------------------

Ensure your AntiVirus and AntiSpyware applications are re-enabled.

---------------------------------------------------------------------------------------------


----------



## PeterDy

Thank you so much for your help. Here is the ComboFix log.

ComboFix 10-04-09.01 - Peter Dy 04/10/2010 0:02.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.458 [GMT -4:00]
Running from: c:\documents and settings\Peter Dy\Desktop\FixTrojan\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\42KJE738.ocx
c:\windows\system32\fonts
c:\windows\system32\fonts\ACADEMY_.PFB
c:\windows\system32\fonts\ACADEMY_.PFM
c:\windows\system32\fonts\ACADEMY_.TTF
c:\windows\system32\MSIEHelper.dll
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SERVICE


((((((((((((((((((((((((( Files Created from 2010-03-10 to 2010-04-10 )))))))))))))))))))))))))))))))
.

2010-04-07 02:20 . 2010-04-07 02:20	12464	----a-w-	c:\windows\system32\avgrsstx.dll
2010-04-07 02:20 . 2010-04-07 02:20	242696	----a-w-	c:\windows\system32\drivers\avgtdix.sys
2010-04-07 02:20 . 2010-04-07 02:20	216200	----a-w-	c:\windows\system32\drivers\avgldx86.sys
2010-04-07 02:19 . 2010-04-07 02:19	29512	----a-w-	c:\windows\system32\drivers\avgmfx86.sys
2010-04-07 02:19 . 2010-04-10 00:30	--------	d-----w-	c:\windows\system32\drivers\Avg
2010-04-07 02:00 . 2010-04-10 04:00	--------	d-----w-	c:\windows\system32\CatRoot2
2010-04-06 20:29 . 2010-04-06 20:29	198656	----a-w-	c:\documents and settings\NetworkService\Local Settings\Application Data\ave.exe.vir
2010-04-06 20:27 . 2005-08-26 04:50	77312	----a-w-	c:\windows\system32\ztvunace26.dll
2010-04-06 20:27 . 2010-04-06 20:27	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\Simply Super Software
2010-04-06 19:29 . 2010-03-29 19:24	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-06 19:28 . 2010-03-29 19:24	20824	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-04-06 16:32 . 2010-04-06 16:32	--------	d-----w-	c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-06 16:32 . 2010-04-06 19:26	--------	d-----w-	c:\program files\SUPERAntiSpyware
2010-04-06 16:32 . 2010-04-06 16:32	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\SUPERAntiSpyware.com
2010-04-06 01:29 . 2010-04-06 02:15	--------	d-----w-	C:\VundoFix Backups
2010-04-04 17:11 . 2010-04-04 17:11	--------	d-----w-	c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-04 17:08 . 2010-04-04 17:11	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-15 00:00 . 2010-04-09 16:43	15944	----a-w-	c:\windows\system32\drivers\hitmanpro35.sys
2010-03-15 00:00 . 2010-03-15 00:12	--------	d-----w-	c:\documents and settings\All Users\Application Data\Hitman Pro
2010-03-14 23:59 . 2010-03-14 23:59	--------	d-----w-	c:\program files\Hitman Pro 3.5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-09 03:26 . 2008-09-16 00:47	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\gtk-2.0
2010-04-09 03:04 . 2008-09-16 00:46	--------	d-----w-	c:\program files\Avidemux 2.4
2010-04-08 17:37 . 2007-05-23 05:10	--------	d---a-w-	c:\documents and settings\All Users\Application Data\TEMP
2010-04-08 02:35 . 2009-04-09 03:12	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\U3
2010-04-07 02:15 . 2010-01-03 20:38	--------	d-----w-	c:\documents and settings\All Users\Application Data\avg9
2010-04-06 19:29 . 2010-01-31 17:25	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-04-04 17:21 . 2002-09-03 16:27	96512	----a-w-	c:\windows\system32\drivers\atapi.sys
2010-03-21 19:46 . 2008-09-16 00:47	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\avidemux
2010-03-14 20:38 . 2003-07-16 04:46	106712	----a-w-	c:\documents and settings\Peter Dy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-11 06:55 . 2010-02-05 06:30	--------	d-----w-	c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-25 06:24 . 2002-09-03 17:12	916480	----a-w-	c:\windows\system32\wininet.dll
2010-02-12 08:05 . 2010-02-05 08:59	--------	d-----w-	c:\program files\Microsoft Works
2010-02-12 04:46 . 2008-08-10 04:29	--------	d-----w-	c:\program files\Microsoft Silverlight
2010-01-28 07:29 . 2009-11-07 06:26	74452	---ha-w-	c:\windows\system32\mlfcache.dat
2006-05-03 09:06 . 2007-09-09 23:43	163328	--sh--r-	c:\windows\SYSTEM32\flvDX.dll
2008-02-20 02:55 . 2008-02-16 22:54	10856	--sha-w-	c:\windows\SYSTEM32\KGyGaAvL.sys
2007-02-21 10:47 . 2007-09-09 23:43	31232	--sh--r-	c:\windows\SYSTEM32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"nwiz"="nwiz.exe" [2003-10-06 741376]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-07 02:20	12464	----a-w-	c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Iomega Icons.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Iomega Icons.lnk
backup=c:\windows\pss\Iomega Icons.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Iomega Startup Options.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Iomega Startup Options.lnk
backup=c:\windows\pss\Iomega Startup Options.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IomegaWare.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\IomegaWare.lnk
backup=c:\windows\pss\IomegaWare.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 17:28	684032	----a-w-	c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 06:54	417792	----a-w-	c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-03-08 06:52	185896	----a-w-	c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\SYSTEM32\\dwwin.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\Hitman Pro 3.5\\HitmanPro35.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDPromo

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [4/6/2010 10:20 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [4/6/2010 10:20 PM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/6/2010 10:17 PM 308064]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [5/6/2008 4:06 PM 11520]
.
Contents of the 'Scheduled Tasks' folder

2010-04-10 c:\windows\Tasks\User_Feed_Synchronization-{4E5F70DD-8DD5-447A-8EE0-29841C8F7EF8}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uDefault_Search_URL = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: Download with Go!Zilla - file://c:\program files\BP Go!Zilla v4.1\download-with-gozilla.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Peter Dy\Application Data\Mozilla\Firefox\Profiles\0n6t0mgo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - HiddenExtension: XUL Cache: {D7204BFC-986B-4A6A-8D4E-A2471B9F35C1} - c:\documents and settings\Peter Dy\Local Settings\Application Data\{D7204BFC-986B-4A6A-8D4E-A2471B9F35C1}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{923e52b5-7007-47e0-85f4-78a19ac94b84} - (no file)
SharedTaskScheduler-{8c5a69b1-3f23-4213-8750-a7b34fc883b0} - (no file)
MSConfigStartUp-SecureClean4Tray - c:\program files\WhiteCanyon\SecureClean 4\sctray4.exe
AddRemove-WhenUCSync - c:\program files\ClockSync\Sync.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-10 00:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ... 

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86A83AC8]<< 
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75e7f28
\Driver\ACPI -> ACPI.sys @ 0xf755acb8
\Driver\atapi -> atapi.sys @ 0xf7512852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf741ebb0
PacketIndicateHandler -> NDIS.sys @ 0xf742ba21
SendHandler -> NDIS.sys @ 0xf740987b
user & kernel MBR OK 

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(736)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3588)
c:\windows\system32\WININET.dll
c:\program files\Microsoft Office\Office12\GrooveShellExtensions.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\GetRight\xx2gr.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\BCMSMMSG.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-10 00:53:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-10 04:53

Pre-Run: 6,351,884,288 bytes free
Post-Run: 6,875,422,720 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 8A6B690B095A8C1AF340DBA0C9577568


----------



## AdvancedSetup

Please run GMER again but this time make sure the SECTIONS item is selected as part of the scan and then post back the new log.


----------



## PeterDy

Thanks again. I've attached a new GMER scan. Also, pasted below is a new ComboFix scan I just did. Thanks!

ComboFix 10-04-12.01 - Peter Dy 04/12/2010 13:06:43.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.397 [GMT -4:00]
Running from: c:\documents and settings\Peter Dy\Desktop\FixTrojan\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-03-12 to 2010-04-12 )))))))))))))))))))))))))))))))
.

2010-04-11 17:36 . 2010-04-11 17:36	1035032	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-11 17:36 . 2010-04-11 17:36	1685784	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-07 02:20 . 2010-04-07 02:20	12464	----a-w-	c:\windows\system32\avgrsstx.dll
2010-04-07 02:20 . 2010-04-07 02:20	242696	----a-w-	c:\windows\system32\drivers\avgtdix.sys
2010-04-07 02:20 . 2010-04-07 02:20	216200	----a-w-	c:\windows\system32\drivers\avgldx86.sys
2010-04-07 02:19 . 2010-04-07 02:19	29512	----a-w-	c:\windows\system32\drivers\avgmfx86.sys
2010-04-07 02:19 . 2010-04-12 16:41	--------	d-----w-	c:\windows\system32\drivers\Avg
2010-04-07 02:00 . 2010-04-12 17:05	--------	d-----w-	c:\windows\system32\CatRoot2
2010-04-06 21:10 . 2009-12-11 22:05	3613560	----a-w-	c:\documents and settings\Peter Dy\Application Data\Simply Super Software\Trojan Remover\kiw2.exe
2010-04-06 20:29 . 2010-04-06 20:29	198656	----a-w-	c:\documents and settings\NetworkService\Local Settings\Application Data\ave.exe.vir
2010-04-06 20:27 . 2005-08-26 04:50	77312	----a-w-	c:\windows\system32\ztvunace26.dll
2010-04-06 20:27 . 2010-04-06 20:27	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\Simply Super Software
2010-04-06 19:29 . 2010-03-29 19:24	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-06 19:28 . 2010-03-29 19:24	20824	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-04-06 16:33 . 2010-04-06 16:33	52224	----a-w-	c:\documents and settings\Peter Dy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-06 16:33 . 2010-04-06 16:33	117760	----a-w-	c:\documents and settings\Peter Dy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-06 16:32 . 2010-04-06 16:32	--------	d-----w-	c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-06 16:32 . 2010-04-06 19:26	--------	d-----w-	c:\program files\SUPERAntiSpyware
2010-04-06 16:32 . 2010-04-06 16:32	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\SUPERAntiSpyware.com
2010-04-06 01:29 . 2010-04-06 02:15	--------	d-----w-	C:\VundoFix Backups
2010-04-04 17:11 . 2010-04-04 17:11	--------	d-----w-	c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-04 17:08 . 2010-04-04 17:11	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-02 16:03 . 2010-04-02 16:03	20846064	----a-w-	c:\documents and settings\Peter Dy\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-04-02 16:02 . 2010-04-02 16:03	8405312	----a-w-	c:\documents and settings\Peter Dy\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-04-02 16:02 . 2010-04-02 16:02	149000	----a-w-	c:\documents and settings\Peter Dy\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-04-02 16:02 . 2010-04-02 16:02	10309448	----a-w-	c:\documents and settings\Peter Dy\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-04-02 16:02 . 2010-04-02 16:02	79368	----a-w-	c:\documents and settings\Peter Dy\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-04-02 16:02 . 2010-04-02 16:02	64000	----a-w-	c:\documents and settings\Peter Dy\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-04-02 16:02 . 2010-04-02 16:02	52288	----a-w-	c:\documents and settings\Peter Dy\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-04-02 16:02 . 2010-04-02 16:02	50688	----a-w-	c:\documents and settings\Peter Dy\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-04-02 16:02 . 2010-04-02 16:02	49152	----a-w-	c:\documents and settings\Peter Dy\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-04-02 16:02 . 2010-04-02 16:02	118784	----a-w-	c:\documents and settings\Peter Dy\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-29 02:52 . 2010-03-29 02:52	439816	----a-w-	c:\documents and settings\Peter Dy\Application Data\Real\Update\setup3.10\setup.exe
2010-03-15 17:55 . 2010-03-15 17:55	360584	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-15 17:55 . 2010-03-15 17:55	28424	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-03-15 17:55 . 2010-03-15 17:55	333192	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-03-15 00:00 . 2010-04-09 16:43	15944	----a-w-	c:\windows\system32\drivers\hitmanpro35.sys
2010-03-15 00:00 . 2010-03-15 00:12	--------	d-----w-	c:\documents and settings\All Users\Application Data\Hitman Pro
2010-03-14 23:59 . 2010-03-14 23:59	--------	d-----w-	c:\program files\Hitman Pro 3.5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-10 15:48 . 2010-01-03 20:38	--------	d-----w-	c:\documents and settings\All Users\Application Data\avg9
2010-04-09 03:26 . 2008-09-16 00:47	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\gtk-2.0
2010-04-09 03:04 . 2008-09-16 00:46	--------	d-----w-	c:\program files\Avidemux 2.4
2010-04-08 17:37 . 2007-05-23 05:10	--------	d---a-w-	c:\documents and settings\All Users\Application Data\TEMP
2010-04-08 02:35 . 2009-04-09 03:12	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\U3
2010-04-06 19:29 . 2010-01-31 17:25	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-04-04 17:21 . 2002-09-03 16:27	96512	----a-w-	c:\windows\system32\drivers\atapi.sys
2010-03-21 19:46 . 2008-09-16 00:47	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\avidemux
2010-03-14 20:38 . 2003-07-16 04:46	106712	----a-w-	c:\documents and settings\Peter Dy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-11 06:55 . 2010-02-05 06:30	--------	d-----w-	c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-25 06:24 . 2002-09-03 17:12	916480	----a-w-	c:\windows\system32\wininet.dll
2010-02-12 08:05 . 2010-02-05 08:59	--------	d-----w-	c:\program files\Microsoft Works
2010-02-12 04:46 . 2008-08-10 04:29	--------	d-----w-	c:\program files\Microsoft Silverlight
2010-02-05 04:19 . 2010-02-05 04:19	33982	----a-r-	c:\documents and settings\Peter Dy\Application Data\Microsoft\Installer\{3CB4A7B0-007D-4722-AF1D-891B53E04606}\_DC7EBA8B521231D0160AB2.exe
2010-02-05 04:19 . 2010-02-05 04:19	33982	----a-r-	c:\documents and settings\Peter Dy\Application Data\Microsoft\Installer\{3CB4A7B0-007D-4722-AF1D-891B53E04606}\_9767AAD380EB35C76F7F05.exe
2010-02-05 04:19 . 2010-02-05 04:19	33982	----a-r-	c:\documents and settings\Peter Dy\Application Data\Microsoft\Installer\{3CB4A7B0-007D-4722-AF1D-891B53E04606}\_6FEFF9B68218417F98F549.exe
2010-01-28 07:29 . 2009-11-07 06:26	74452	---ha-w-	c:\windows\system32\mlfcache.dat
2006-05-03 09:06 . 2007-09-09 23:43	163328	--sh--r-	c:\windows\SYSTEM32\flvDX.dll
2008-02-20 02:55 . 2008-02-16 22:54	10856	--sha-w-	c:\windows\SYSTEM32\KGyGaAvL.sys
2007-02-21 10:47 . 2007-09-09 23:43	31232	--sh--r-	c:\windows\SYSTEM32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"nwiz"="nwiz.exe" [2003-10-06 741376]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-07 02:20	12464	----a-w-	c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Iomega Icons.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Iomega Icons.lnk
backup=c:\windows\pss\Iomega Icons.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Iomega Startup Options.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Iomega Startup Options.lnk
backup=c:\windows\pss\Iomega Startup Options.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IomegaWare.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\IomegaWare.lnk
backup=c:\windows\pss\IomegaWare.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 17:28	684032	----a-w-	c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 06:54	417792	----a-w-	c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-03-08 06:52	185896	----a-w-	c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\SYSTEM32\\dwwin.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\Hitman Pro 3.5\\HitmanPro35.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDPromo

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [4/6/2010 10:20 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [4/6/2010 10:20 PM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/6/2010 10:17 PM 308064]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [5/6/2008 4:06 PM 11520]

--- Other Services/Drivers In Memory ---

*Deregistered* - kxtdapow
.
Contents of the 'Scheduled Tasks' folder

2010-04-12 c:\windows\Tasks\User_Feed_Synchronization-{4E5F70DD-8DD5-447A-8EE0-29841C8F7EF8}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uDefault_Search_URL = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: Download with Go!Zilla - file://c:\program files\BP Go!Zilla v4.1\download-with-gozilla.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Peter Dy\Application Data\Mozilla\Firefox\Profiles\0n6t0mgo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - HiddenExtension: XUL Cache: {D7204BFC-986B-4A6A-8D4E-A2471B9F35C1} - c:\documents and settings\Peter Dy\Local Settings\Application Data\{D7204BFC-986B-4A6A-8D4E-A2471B9F35C1}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 13:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ... 

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86A1AAC8]<< 
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75b3f28
\Driver\ACPI -> ACPI.sys @ 0xf7526cb8
\Driver\atapi -> atapi.sys @ 0xf74de852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf73eabb0
PacketIndicateHandler -> NDIS.sys @ 0xf73f7a21
SendHandler -> NDIS.sys @ 0xf73d587b
user & kernel MBR OK 

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(736)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2612)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-12 13:33:13
ComboFix-quarantined-files.txt 2010-04-12 17:32
ComboFix2.txt 2010-04-10 04:53

Pre-Run: 6,905,966,592 bytes free
Post-Run: 7,082,909,696 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - F9EDAA768A907F83C6EDA62DBFF62441
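An added example, not part of this thread and not one of Gmer's or ComboFix's tools: a small Python parser for the "Stealth MBR rootkit" section that appears in both ComboFix logs above. It pulls out the `called modules` chain, flags any `>>UNKNOWN [...]<<` entry (a module in the disk I/O path that the detector could not attribute to a named driver), collects the lines under `detected MBR rootkit hooks:`, and records whether the `user & kernel MBR OK` line is present. The infected sample is reconstructed from the second log; the clean sample and the set of modules treated as benign (the stock XP IDE stack plus `catchme.sys`, which is ComboFix's own driver) are assumptions for this box, not a Gmer reference list.

```python
import re

# Constructed sample: the "Stealth MBR rootkit" section of the second ComboFix
# log in this thread, trimmed to the lines the parser looks at.
SAMPLE_INFECTED = "\n".join([
    r"device: opened successfully",
    r"user: MBR read successfully",
    r"called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86A1AAC8]<< ",
    r"kernel: MBR read successfully",
    r"detected MBR rootkit hooks:",
    r"\Driver\Disk -> CLASSPNP.SYS @ 0xf75b3f28",
    r"\Driver\ACPI -> ACPI.sys @ 0xf7526cb8",
    r"\Driver\atapi -> atapi.sys @ 0xf74de852",
    r"IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598",
    r"NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf73eabb0",
    r"user & kernel MBR OK ",
])

# Constructed clean sample (assumption): no unnamed module, no hooks section,
# and the call chain runs all the way down to the ATAPI miniport.
SAMPLE_CLEAN = "\n".join([
    r"device: opened successfully",
    r"user: MBR read successfully",
    r"called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys ",
    r"kernel: MBR read successfully",
    r"user & kernel MBR OK ",
])

# Modules expected in the disk I/O chain of a stock XP IDE box (assumption for
# this machine, not a Gmer list). catchme.sys is ComboFix's own driver.
BENIGN_MODULES = {
    "ntoskrnl.exe", "hal.dll", "classpnp.sys", "disk.sys",
    "acpi.sys", "atapi.sys", "partmgr.sys", "catchme.sys",
}

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^(.+?) -> (.+) @ (0x[0-9A-Fa-f]+)$")


def parse_mbr_report(text):
    """Parse the Gmer MBR detector section into a dict of the fields that matter."""
    report = {"called_modules": [], "unknown": [], "hooks": [], "mbr_ok": False}
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("called modules:"):
            rest = line[len("called modules:"):]
            report["unknown"] = UNKNOWN_RE.findall(rest)
            report["called_modules"] = UNKNOWN_RE.sub("", rest).split()
        elif line == "detected MBR rootkit hooks:":
            in_hooks = True
        elif line == "user & kernel MBR OK":
            report["mbr_ok"] = True
            in_hooks = False
        elif in_hooks:
            m = HOOK_RE.match(line)
            if m:
                report["hooks"].append((m.group(1), m.group(2), m.group(3)))
    return report


def assess(report, benign=BENIGN_MODULES):
    """Turn a parsed report into a list of findings; an empty list means nothing stood out."""
    findings = []
    if report["unknown"]:
        findings.append("unnamed module in the disk I/O call chain at "
                        + ", ".join(report["unknown"]))
    odd = [m for m in report["called_modules"] if m.lower() not in benign]
    if odd:
        findings.append("modules outside the expected disk stack: " + ", ".join(odd))
    if report["hooks"]:
        findings.append("%d entries under 'detected MBR rootkit hooks' (review each; "
                        "targets such as ntoskrnl.exe can be legitimate)" % len(report["hooks"]))
    if not report["mbr_ok"]:
        findings.append("no 'user & kernel MBR OK' line: user-mode and kernel-mode "
                        "reads of the MBR did not agree, or the section is incomplete")
    return findings


if __name__ == "__main__":
    for label, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label + ":")
        for finding in assess(parse_mbr_report(sample)) or ["nothing stood out"]:
            print("  - " + finding)
```

Read together, `user & kernel MBR OK` plus an unnamed module in the call chain says the boot sector itself is intact and the hidden code is loaded from somewhere else, which is why the helper goes after a driver file (`ipsec.sys`) rather than the MBR. The hook lines are worth listing but are not a verdict on their own: several resolve to legitimate module names such as `ntoskrnl.exe` and `NDIS.sys`, so each needs to be checked rather than counted.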


----------



## AdvancedSetup

Please run the following and post back the results. We need to verify if you have another copy of this file so that we can replace it.


Go Start > Run and copy/paste the following single-line command into the Run box and click OK:



```bat
cmd /c PEV -l "%systemdrive%\IPSEC.*" >Log.txt&Log.txt&del Log.txt
```

A Notepad file will open. Post the contents of Log.txt in your next reply please.


----------



## PeterDy

Thanks. I have run it several times, but the Notepad log is always blank--no text.


----------



## AdvancedSetup

Okay, let's try it with a normal batch file then. Close all open applications.

Start NOTEPAD, then use the mouse to select all the text in the box below, right-click and copy it.


```bat
@ECHO OFF
REM List every IPSEC.* file on the system drive, with sizes and dates, into a text file on the desktop
DIR /A /S %SystemDrive%\IPSEC.* >"%USERPROFILE%\Desktop\filecheck.txt"
REM Open the listing in Notepad; the batch waits here until Notepad is closed
"%USERPROFILE%\Desktop\filecheck.txt"
REM Clean up: remove the listing and then this batch file itself
DEL /F /Q "%USERPROFILE%\Desktop\filecheck.txt"
DEL /F /Q %0
Exit
```

Then paste it into NOTEPAD, choose File > Save As, and save it as *"GETFILES.BAT"* including the quotes. In the *Save as type:* box select *All Files* and save it to your desktop.

Then quit NOTEPAD, find the file GETFILES.BAT you just created and double-click it to run it.
It should open Notepad when it has finished searching for any of the IPSEC files we're looking for.

Highlight everything in the Notepad window that opens, copy it and paste it into your next reply. As soon as you quit Notepad it will automatically delete the batch file and the text file, so make sure you copy it to paste back while it's open.


----------



## PeterDy

Thanks again. Here is what I got. Hope I did it right.
--------------

Volume in drive C has no label.
Volume Serial Number is D462-770C

Directory of C:\I386

08/29/2002 06:00 AM 57,984 IPSEC.SYS
1 File(s) 57,984 bytes

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 02:14 AM 74,752 ipsec.sys
1 File(s) 74,752 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 03:19 PM 75,264 ipsec.sys
1 File(s) 75,264 bytes

Directory of C:\WINDOWS\SYSTEM32\DRIVERS

04/13/2008 03:19 PM 75,264 ipsec.sys
1 File(s) 75,264 bytes

Total Files Listed:
4 File(s) 283,264 bytes
0 Dir(s) 6,643,658,752 bytes free


----------



## AdvancedSetup

Please create a new batch file as shown below. Close all open applications before running the new batch file.

Start NOTEPAD, then use the mouse to select all the text in the box below, right-click and copy it.


```bat
@ECHO OFF
REM Keep a copy of the suspect driver for later analysis
COPY C:\WINDOWS\SYSTEM32\DRIVERS\ipsec.sys C:\WINDOWS\SYSTEM32\DRIVERS\ipsec.sys.bad
REM Remove the suspect driver, then restore the Service Pack 3 copy in its place
DEL /F /Q C:\WINDOWS\SYSTEM32\DRIVERS\ipsec.sys
COPY C:\WINDOWS\ServicePackFiles\i386\ipsec.sys C:\WINDOWS\SYSTEM32\DRIVERS\ipsec.sys
REM Leave the window open so the "1 file(s) copied" results can be read
PAUSE
```

Then paste it into NOTEPAD, choose File > Save As, and save it as *"FIXFILE.BAT"* including the quotes. In the *Save as type:* box select *All Files* and save it to your desktop.

Then quit NOTEPAD, find the file FIXFILE.BAT you just created and double-click it to run it.
It should open a black DOS window and show that it has copied some files. Please post back the results in your next reply.

Then restart the computer and run a NEW GMER scan as before. Make sure you disable your Anti-Virus and close all open applications before running GMER.
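An added example, not the helper's own batch file: the comparison that the GETFILES.BAT listing and the FIXFILE.BAT replacement above rely on, done by content hash rather than by eye. The listing shows the installed `ipsec.sys` and the `ServicePackFiles\i386` copy at the same 75,264 bytes and the same timestamp, which is exactly what an in-place patch of a driver looks like, so size and date cannot settle whether the installed copy is clean. This Python script walks a root, finds every copy of a named file, hashes each one with SHA-256 and reports copies whose size matches the reference but whose content does not. The demo tree it builds (four copies laid out like the listing, with 16 bytes overwritten in the DRIVERS copy) is constructed data, not the real driver; on a real machine pass the root, the file name and the trusted reference as arguments.

```python
import hashlib
import os
import sys
import tempfile


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so a large driver never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root, name):
    """Every file under root whose name matches, case-insensitively as on NTFS."""
    wanted = name.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, fn) for fn in files if fn.lower() == wanted)
    return sorted(hits)


def compare_copies(root, name, reference):
    """Size and SHA-256 of each copy, checked against the trusted reference copy."""
    ref_size = os.path.getsize(reference)
    ref_hash = sha256_of(reference)
    rows = []
    for path in find_copies(root, name):
        size = os.path.getsize(path)
        digest = sha256_of(path)
        rows.append({
            "path": path,
            "size": size,
            "sha256": digest,
            "same_size": size == ref_size,
            "matches_reference": digest == ref_hash,
        })
    return rows


def suspicious(rows):
    """Copies that pass the size check but fail the hash: the in-place patch case."""
    return [r for r in rows if r["same_size"] and not r["matches_reference"]]


def build_demo_tree():
    """Constructed stand-in for the four ipsec.sys locations in the thread's listing.

    Returns (root, path_of_reference_copy). Contents are synthetic bytes, not the
    real driver; only the sizes mirror the listing.
    """
    root = tempfile.mkdtemp(prefix="driver_check_")
    good = bytes(range(256)) * 294          # 75,264 bytes, as in the listing
    patched = bytearray(good)
    patched[0x200:0x210] = b"\x90" * 16     # same size, 16 bytes overwritten
    layout = {
        os.path.join("WINDOWS", "ServicePackFiles", "i386", "ipsec.sys"): good,
        os.path.join("WINDOWS", "SYSTEM32", "DRIVERS", "ipsec.sys"): bytes(patched),
        os.path.join("WINDOWS", "$NtServicePackUninstall$", "ipsec.sys"): good[:74752],
        os.path.join("I386", "IPSEC.SYS"): good[:57984],
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root, os.path.join(root, "WINDOWS", "ServicePackFiles", "i386", "ipsec.sys")


if __name__ == "__main__":
    if len(sys.argv) == 4:   # e.g. C:\ ipsec.sys C:\WINDOWS\ServicePackFiles\i386\ipsec.sys
        root, name, reference = sys.argv[1:]
    else:
        root, reference = build_demo_tree()
        name = "ipsec.sys"
    rows = compare_copies(root, name, reference)
    for row in rows:
        mark = "OK  " if row["matches_reference"] else "DIFF"
        print(mark, "%7d" % row["size"], row["sha256"][:16], row["path"])
    for row in suspicious(rows):
        print("same size as reference but different content:", row["path"])
```

Two caveats a practitioner would add. First, a match is only as good as the reference: `ServicePackFiles\i386` is the right source on an SP3 box, but it is an ordinary directory and can be tampered with too, so a final answer should compare against a hash taken from a known-good install or from the vendor. Second, a kernel-resident rootkit that patched a driver can hand the original bytes back to user-mode reads of that file, so a clean hash obtained from inside the running system is weaker evidence than one taken from offline media or a clean boot, which is one reason the helper follows the batch file with fresh GMER and ComboFix runs.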


----------



## PeterDy

I ran it, and yes, there were two lines that said "1 file has been copied." Then I rebooted and ran GMER again. I've attached that log here.


----------



## AdvancedSetup

Let's try the following please.

Using your mouse, *Highlight* and then Right-click | Copy the entire contents of the Code box below, including blank lines


```text
TDL::
C:\WINDOWS\System32\DRIVERS\ipsec.sys
```

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt".

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

Important:

- Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
- Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
- A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
- When the scan completes Notepad will open with your results log open. Do a File, Exit.
- A caution: Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.


----------



## PeterDy

Thanks again for your help! I disabled AVG's resident shield. I also turned off Spybot Search & Destroy. But after running ComboFix, it found "rootkit activity" and rebooted. When it rebooted, Spybot turned on again. I hope that isn't a problem.

ComboFix 10-04-14.01 - Peter Dy 04/14/2010 20:35:30.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.615 [GMT -4:00]
Running from: c:\documents and settings\Peter Dy\Desktop\FixTrojan\ComboFix.exe
Command switches used :: c:\documents and settings\Peter Dy\Desktop\FixTrojan\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-03-15 to 2010-04-15 )))))))))))))))))))))))))))))))
.

2010-04-14 16:41 . 2010-04-14 16:41	4076824	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-04-14 16:40 . 2010-04-14 16:40	2059544	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-04-14 16:40 . 2010-04-14 16:40	1274136	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-04-14 16:40 . 2010-04-14 16:40	1598744	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-04-14 16:40 . 2010-04-14 16:40	1515224	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll
2010-04-14 16:40 . 2010-04-14 16:40	598296	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-04-14 16:40 . 2010-04-14 16:40	313112	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll
2010-04-14 16:40 . 2010-04-14 16:40	341272	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxch32.dll
2010-04-14 16:40 . 2010-04-14 16:40	4250976	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-14 16:40 . 2010-04-14 16:40	459544	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll
2010-04-14 16:40 . 2010-04-14 16:40	1086744	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe
2010-04-14 16:40 . 2010-04-14 16:40	556824	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2010-04-14 16:40 . 2010-04-14 16:40	301336	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-04-14 16:37 . 2010-04-14 16:37	1035032	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-14 16:36 . 2010-04-14 16:36	1685784	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-07 02:20 . 2010-04-07 02:20	12464	----a-w-	c:\windows\system32\avgrsstx.dll
2010-04-07 02:20 . 2010-04-07 02:20	242696	----a-w-	c:\windows\system32\drivers\avgtdix.sys
2010-04-07 02:20 . 2010-04-07 02:20	216200	----a-w-	c:\windows\system32\drivers\avgldx86.sys
2010-04-07 02:19 . 2010-04-07 02:19	29512	----a-w-	c:\windows\system32\drivers\avgmfx86.sys
2010-04-07 02:19 . 2010-04-15 00:09	--------	d-----w-	c:\windows\system32\drivers\Avg
2010-04-07 02:00 . 2010-04-15 00:33	--------	d-----w-	c:\windows\system32\CatRoot2
2010-04-06 21:10 . 2009-12-11 22:05	3613560	----a-w-	c:\documents and settings\Peter Dy\Application Data\Simply Super Software\Trojan Remover\kiw2.exe
2010-04-06 20:29 . 2010-04-06 20:29	198656	----a-w-	c:\documents and settings\NetworkService\Local Settings\Application Data\ave.exe.vir
2010-04-06 20:27 . 2005-08-26 04:50	77312	----a-w-	c:\windows\system32\ztvunace26.dll
2010-04-06 20:27 . 2010-04-06 20:27	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\Simply Super Software
2010-04-06 19:29 . 2010-03-29 19:24	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-06 19:28 . 2010-03-29 19:24	20824	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-04-06 16:33 . 2010-04-06 16:33	52224	----a-w-	c:\documents and settings\Peter Dy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-06 16:33 . 2010-04-06 16:33	117760	----a-w-	c:\documents and settings\Peter Dy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-06 16:32 . 2010-04-06 16:32	--------	d-----w-	c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-06 16:32 . 2010-04-06 19:26	--------	d-----w-	c:\program files\SUPERAntiSpyware
2010-04-06 16:32 . 2010-04-06 16:32	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\SUPERAntiSpyware.com
2010-04-06 01:29 . 2010-04-06 02:15	--------	d-----w-	C:\VundoFix Backups
2010-04-04 17:11 . 2010-04-04 17:11	--------	d-----w-	c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-04 17:08 . 2010-04-04 17:11	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-02 16:03 . 2010-04-02 16:03	20846064	----a-w-	c:\documents and settings\Peter Dy\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-04-02 16:02 . 2010-04-02 16:03	8405312	----a-w-	c:\documents and settings\Peter Dy\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-04-02 16:02 . 2010-04-02 16:02	149000	----a-w-	c:\documents and settings\Peter Dy\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-04-02 16:02 . 2010-04-02 16:02	10309448	----a-w-	c:\documents and settings\Peter Dy\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-04-02 16:02 . 2010-04-02 16:02	79368	----a-w-	c:\documents and settings\Peter Dy\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-04-02 16:02 . 2010-04-02 16:02	64000	----a-w-	c:\documents and settings\Peter Dy\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-04-02 16:02 . 2010-04-02 16:02	52288	----a-w-	c:\documents and settings\Peter Dy\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-04-02 16:02 . 2010-04-02 16:02	50688	----a-w-	c:\documents and settings\Peter Dy\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-04-02 16:02 . 2010-04-02 16:02	49152	----a-w-	c:\documents and settings\Peter Dy\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-04-02 16:02 . 2010-04-02 16:02	118784	----a-w-	c:\documents and settings\Peter Dy\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-29 02:52 . 2010-03-29 02:52	439816	----a-w-	c:\documents and settings\Peter Dy\Application Data\Real\Update\setup3.10\setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-14 16:48 . 2002-09-03 16:35	75264	------w-	c:\windows\system32\drivers\ipsec.sys
2010-04-14 07:38 . 2010-01-03 20:38	--------	d-----w-	c:\documents and settings\All Users\Application Data\avg9
2010-04-14 04:20 . 2008-09-16 00:47	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\gtk-2.0
2010-04-14 04:13 . 2008-09-16 00:46	--------	d-----w-	c:\program files\Avidemux 2.4
2010-04-09 16:43 . 2010-03-15 00:00	15944	----a-w-	c:\windows\system32\drivers\hitmanpro35.sys
2010-04-08 17:37 . 2007-05-23 05:10	--------	d---a-w-	c:\documents and settings\All Users\Application Data\TEMP
2010-04-08 02:35 . 2009-04-09 03:12	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\U3
2010-04-06 19:29 . 2010-01-31 17:25	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-04-04 17:21 . 2002-09-03 16:27	96512	------w-	c:\windows\system32\drivers\atapi.sys
2010-03-21 19:46 . 2008-09-16 00:47	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\avidemux
2010-03-15 00:12 . 2010-03-15 00:00	--------	d-----w-	c:\documents and settings\All Users\Application Data\Hitman Pro
2010-03-14 23:59 . 2010-03-14 23:59	--------	d-----w-	c:\program files\Hitman Pro 3.5
2010-03-14 20:38 . 2003-07-16 04:46	106712	----a-w-	c:\documents and settings\Peter Dy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-11 06:55 . 2010-02-05 06:30	--------	d-----w-	c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-25 06:24 . 2002-09-03 17:12	916480	------w-	c:\windows\system32\wininet.dll
2010-02-05 04:19 . 2010-02-05 04:19	33982	----a-r-	c:\documents and settings\Peter Dy\Application Data\Microsoft\Installer\{3CB4A7B0-007D-4722-AF1D-891B53E04606}\_DC7EBA8B521231D0160AB2.exe
2010-02-05 04:19 . 2010-02-05 04:19	33982	----a-r-	c:\documents and settings\Peter Dy\Application Data\Microsoft\Installer\{3CB4A7B0-007D-4722-AF1D-891B53E04606}\_9767AAD380EB35C76F7F05.exe
2010-02-05 04:19 . 2010-02-05 04:19	33982	----a-r-	c:\documents and settings\Peter Dy\Application Data\Microsoft\Installer\{3CB4A7B0-007D-4722-AF1D-891B53E04606}\_6FEFF9B68218417F98F549.exe
2010-01-28 07:29 . 2009-11-07 06:26	74452	---ha-w-	c:\windows\system32\mlfcache.dat
2006-05-03 09:06 . 2007-09-09 23:43	163328	--sh--r-	c:\windows\SYSTEM32\flvDX.dll
2008-02-20 02:55 . 2008-02-16 22:54	10856	--sha-w-	c:\windows\SYSTEM32\KGyGaAvL.sys
2007-02-21 10:47 . 2007-09-09 23:43	31232	--sh--r-	c:\windows\SYSTEM32\msfDX.dll
.

((((((((((((((((((((((((((((( [email protected]_17.24.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-15 00:31 . 2010-04-15 00:31	16384 c:\windows\Temp\Perflib_Perfdata_59c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"nwiz"="nwiz.exe" [2003-10-06 741376]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-07 02:20	12464	----a-w-	c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Iomega Icons.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Iomega Icons.lnk
backup=c:\windows\pss\Iomega Icons.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Iomega Startup Options.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Iomega Startup Options.lnk
backup=c:\windows\pss\Iomega Startup Options.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IomegaWare.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\IomegaWare.lnk
backup=c:\windows\pss\IomegaWare.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 17:28	684032	----a-w-	c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 06:54	417792	----a-w-	c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-03-08 06:52	185896	----a-w-	c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\SYSTEM32\\dwwin.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\Hitman Pro 3.5\\HitmanPro35.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDPromo

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [4/6/2010 10:20 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [4/6/2010 10:20 PM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/6/2010 10:17 PM 308064]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [5/6/2008 4:06 PM 11520]
.
Contents of the 'Scheduled Tasks' folder

2010-04-15 c:\windows\Tasks\User_Feed_Synchronization-{4E5F70DD-8DD5-447A-8EE0-29841C8F7EF8}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uDefault_Search_URL = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: Download with Go!Zilla - file://c:\program files\BP Go!Zilla v4.1\download-with-gozilla.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Peter Dy\Application Data\Mozilla\Firefox\Profiles\0n6t0mgo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - HiddenExtension: XUL Cache: {D7204BFC-986B-4A6A-8D4E-A2471B9F35C1} - c:\documents and settings\Peter Dy\Local Settings\Application Data\{D7204BFC-986B-4A6A-8D4E-A2471B9F35C1}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-14 20:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ... 

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86A11AC8]<< 
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75b3f28
\Driver\ACPI -> ACPI.sys @ 0xf7526cb8
\Driver\atapi -> atapi.sys @ 0xf74de852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf73eabb0
PacketIndicateHandler -> NDIS.sys @ 0xf73f7a21
SendHandler -> NDIS.sys @ 0xf73d587b
user & kernel MBR OK 

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(732)
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-14 21:02:32
ComboFix-quarantined-files.txt 2010-04-15 01:02
ComboFix2.txt 2010-04-12 17:33
ComboFix3.txt 2010-04-10 04:53

Pre-Run: 6,259,056,640 bytes free
Post-Run: 6,425,362,432 bytes free

- - End Of File - - 6EFA16ED3BA3D66509F333C1DFD72A83
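Reading the log the way the helper does, as an added example (my Python, not ComboFix's or Gmer's code): it parses Find3M lines in the layout shown above, queues OS-era drivers that were re-written shortly before the scan for comparison with their dllcache copy (the ipsec.sys case), and picks the >>UNKNOWN<< entry out of the MBR detector's "called modules" chain. Sample lines are copied from the logs in this thread; the 30-day and 5-year thresholds are assumptions.

```python
"""Triage helpers for two signals in the ComboFix log (added example code,
not part of ComboFix or Gmer).

Find3M lines have the layout
    <last write> . <creation>  <size>  <attributes>  <path>
The Gmer MBR detector lists the storage stack on its "called modules:" line
and marks a module it cannot attribute to a loaded driver as ">>UNKNOWN [addr]<<".
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

TIME_FMT = "%Y-%m-%d %H:%M"

# Lines copied from the Find3M report above (tabs replaced by spaces).
SAMPLE_FIND3M = "\n".join([
    r"2010-04-14 16:48 . 2002-09-03 16:35  75264     ------w-  c:\windows\system32\drivers\ipsec.sys",
    r"2010-04-09 16:43 . 2010-03-15 00:00  15944     ----a-w-  c:\windows\system32\drivers\hitmanpro35.sys",
    r"2010-04-06 19:29 . 2010-01-31 17:25  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware",
    r"2010-04-04 17:21 . 2002-09-03 16:27  96512     ------w-  c:\windows\system32\drivers\atapi.sys",
    r"2010-02-25 06:24 . 2002-09-03 17:12  916480    ------w-  c:\windows\system32\wininet.dll",
])
SCAN_TIME = datetime(2010, 4, 14, 20, 35)  # from the ComboFix header line

# "called modules:" lines from the two Gmer MBR detector runs in this thread.
MBR_BEFORE_FIX = "called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86A11AC8]<< "
MBR_AFTER_FIX = "called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS "

FIND3M_RE = re.compile(
    r"^(?P<written>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\S+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


@dataclass(frozen=True)
class Find3MEntry:
    written: datetime      # last-write time (first column)
    created: datetime      # creation time (second column)
    size: Optional[int]    # None for directories, shown as "--------"
    attrs: str             # e.g. "------w-" or "d-----w-"
    path: str              # lower-cased for comparisons


def parse_find3m(text: str) -> List[Find3MEntry]:
    """Parse Find3M lines; banners, '.' spacers and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = FIND3M_RE.match(raw.strip())
        if m is None:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Find3MEntry(
            written=datetime.strptime(m["written"], TIME_FMT),
            created=datetime.strptime(m["created"], TIME_FMT),
            size=size, attrs=m["attrs"], path=m["path"].lower(),
        ))
    return entries


def rewritten_os_drivers(entries: List[Find3MEntry], scan_time: datetime,
                         recent_days: int = 30, os_age_years: int = 5) -> List[str]:
    """Kernel drivers created years ago (with the OS) but re-written shortly before the scan.

    A review queue, not a verdict: Windows Update produces the same pattern (see
    wininet.dll above), so each hit is compared with its protected copy in the
    dllcache folder, which is what the ipsec.sys steps in this thread do.
    The 30-day and 5-year thresholds are assumptions chosen for this log.
    """
    recent_cutoff = scan_time - timedelta(days=recent_days)
    old_cutoff = scan_time - timedelta(days=365 * os_age_years)
    hits = []
    for e in entries:
        is_driver = e.path.endswith(".sys") and "\\system32\\drivers\\" in e.path
        if is_driver and e.written >= recent_cutoff and e.created <= old_cutoff:
            hits.append(e.path)
    return hits


def unknown_modules_in_chain(mbr_log: str) -> List[str]:
    """Addresses of unattributed modules on the detector's 'called modules:' line."""
    for line in mbr_log.splitlines():
        if line.startswith("called modules:"):
            return UNKNOWN_RE.findall(line)
    return []


if __name__ == "__main__":
    for path in rewritten_os_drivers(parse_find3m(SAMPLE_FIND3M), SCAN_TIME):
        print("compare with dllcache copy:", path)
    print("unknown modules before fix:", unknown_modules_in_chain(MBR_BEFORE_FIX))
    print("unknown modules after fix:", unknown_modules_in_chain(MBR_AFTER_FIX))
```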


----------



## AdvancedSetup

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Print out the following instructions, as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Restart the machine, and select the Microsoft Windows Recovery Console option at the Boot Menu choices screen.

You will be presented with the following:

Press the number 1 on your keyboard and hit Enter.

At the command prompt, type the following command and press Enter:

*cd system32\drivers*


At the next prompt, type the following bolded text, and press Enter:

*ren ipsec.sys ipsec.vir*

At the next prompt, type the following bolded text, and press Enter:

*copy c:\windows\system32\dllcache\IPSEC.sys*

You should see 1 file(s) copied.

At the command prompt, type the following command and press Enter:

*dir ipsec.**

You should see something like this (it doesn't have to be exact):

Directory of C:\WINDOWS\system32\drivers\ipsec.*

04/14/2008 01:10 AM 75,264 ipsec.sys
04/08/2010 19:50:36 75,264 ipsec.vir

2 File(s)

If you do not, try the commands again. It's important that you have ipsec.sys listed in the C:\windows\system32\drivers directory


Type *exit* when finished, and then press ENTER to quit Recovery Console. Let the computer start.

Let us know how it goes.

Once back in Windows...

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

*cmd /c PEV -l "%systemdrive%\ipsec.*" >Log.txt&Log.txt&del Log.txt*

A Notepad file will open. Post the contents of Log.txt in your next reply.

Also...

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

*cmd /c "mbr -t" >Log.txt&Log.txt&del Log.txt*

A Notepad file will open. Post the contents of Log.txt in your next reply.


----------



## PeterDy

Thanks again so much for your help! But before I proceed, some things happened today and I wanted to know if they might interfere with this fix:

1. Windows finally updated today! But it was an automatic update. I still can't access the website. In fact, now I cannot access any site via Internet Explorer.

2. In spite of the updates, I later got a fake anti-spyware virus/trojan/malware--I think it was avsoft--and I couldn't open any program or file on my machine. So, I did a Malwarebytes scan and got rid of it.

So, please let me know if any of these recent events might mess up the fix you just gave me!


----------



## PeterDy

Oh, and should I disable my AVG anti-virus and SearchBot before proceeding?


----------



## AdvancedSetup

Yes if you can that would be best. Go ahead and proceed please.


----------



## PeterDy

Amigo/a, thanks again so much! I did everything you said. And there were the two ipsec files listed as you said. There was also a third file that ended in ipsec.sys.bad.

When I ran the first single-line command, the notepad log was empty, no text.

When I ran the second single-line command, I got this: 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS 
kernel: MBR read successfully
user & kernel MBR OK


----------



## AdvancedSetup

Please temporarily disable your Anti-Virus again and run a new scan with Combofix and post back that log.

Thanks.


----------



## PeterDy

Thanks so much! Here is the new scan:
-------------------------

ComboFix 10-04-15.05 - Peter Dy 04/16/2010 21:40:11.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.554 [GMT -4:00]
Running from: c:\documents and settings\Peter Dy\Desktop\FixTrojan\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-03-17 to 2010-04-17 )))))))))))))))))))))))))))))))
.

2010-04-16 01:11 . 2010-04-16 01:11	--------	d-sh--w-	c:\documents and settings\NetworkService\PrivacIE
2010-04-16 00:50 . 2010-04-16 01:35	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\ukleqhtys
2010-04-07 02:20 . 2010-04-07 02:20	12464	----a-w-	c:\windows\system32\avgrsstx.dll
2010-04-07 02:20 . 2010-04-07 02:20	242696	----a-w-	c:\windows\system32\drivers\avgtdix.sys
2010-04-07 02:20 . 2010-04-07 02:20	216200	----a-w-	c:\windows\system32\drivers\avgldx86.sys
2010-04-07 02:19 . 2010-04-07 02:19	29512	----a-w-	c:\windows\system32\drivers\avgmfx86.sys
2010-04-07 02:19 . 2010-04-17 00:35	--------	d-----w-	c:\windows\system32\drivers\Avg
2010-04-07 02:00 . 2010-04-17 01:39	--------	d-----w-	c:\windows\system32\CatRoot2
2010-04-06 20:29 . 2010-04-06 20:29	198656	----a-w-	c:\documents and settings\NetworkService\Local Settings\Application Data\ave.exe.vir
2010-04-06 20:27 . 2005-08-26 04:50	77312	----a-w-	c:\windows\system32\ztvunace26.dll
2010-04-06 20:27 . 2010-04-06 20:27	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\Simply Super Software
2010-04-06 19:29 . 2010-03-29 19:24	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-06 19:28 . 2010-03-29 19:24	20824	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-04-06 16:32 . 2010-04-06 16:32	--------	d-----w-	c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-06 16:32 . 2010-04-06 19:26	--------	d-----w-	c:\program files\SUPERAntiSpyware
2010-04-06 16:32 . 2010-04-06 16:32	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\SUPERAntiSpyware.com
2010-04-06 01:29 . 2010-04-06 02:15	--------	d-----w-	C:\VundoFix Backups
2010-04-04 17:11 . 2010-04-04 17:11	--------	d-----w-	c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-04 17:08 . 2010-04-04 17:11	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-15 19:04 . 2010-02-05 06:30	--------	d-----w-	c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-15 18:56 . 2008-09-16 00:47	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\gtk-2.0
2010-04-15 18:46 . 2008-09-16 00:46	--------	d-----w-	c:\program files\Avidemux 2.4
2010-04-14 07:38 . 2010-01-03 20:38	--------	d-----w-	c:\documents and settings\All Users\Application Data\avg9
2010-04-09 16:43 . 2010-03-15 00:00	15944	----a-w-	c:\windows\system32\drivers\hitmanpro35.sys
2010-04-08 17:37 . 2007-05-23 05:10	--------	d---a-w-	c:\documents and settings\All Users\Application Data\TEMP
2010-04-08 02:35 . 2009-04-09 03:12	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\U3
2010-04-06 19:29 . 2010-01-31 17:25	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-04-04 17:21 . 2002-09-03 16:27	96512	------w-	c:\windows\system32\drivers\atapi.sys
2010-03-21 19:46 . 2008-09-16 00:47	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\avidemux
2010-03-15 00:12 . 2010-03-15 00:00	--------	d-----w-	c:\documents and settings\All Users\Application Data\Hitman Pro
2010-03-14 23:59 . 2010-03-14 23:59	--------	d-----w-	c:\program files\Hitman Pro 3.5
2010-03-14 20:38 . 2003-07-16 04:46	106712	----a-w-	c:\documents and settings\Peter Dy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-10 06:15 . 2002-09-03 17:09	420352	----a-w-	c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2002-09-03 17:12	916480	------w-	c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2002-09-03 16:42	455680	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2002-09-03 16:50	2189952	------w-	c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2002-08-29 01:04	2066816	------w-	c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2002-09-03 16:26	100864	----a-w-	c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2002-09-03 17:06	226880	----a-w-	c:\windows\system32\drivers\tcpip6.sys
2010-01-28 07:29 . 2009-11-07 06:26	74452	---ha-w-	c:\windows\system32\mlfcache.dat
2006-05-03 09:06 . 2007-09-09 23:43	163328	--sh--r-	c:\windows\SYSTEM32\flvDX.dll
2008-02-20 02:55 . 2008-02-16 22:54	10856	--sha-w-	c:\windows\SYSTEM32\KGyGaAvL.sys
2007-02-21 10:47 . 2007-09-09 23:43	31232	--sh--r-	c:\windows\SYSTEM32\msfDX.dll
.

((((((((((((((((((((((((((((( [email protected]_17.24.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-17 00:27 . 2010-04-17 00:27	16384 c:\windows\Temp\Perflib_Perfdata_3f4.dat
+ 2002-09-03 16:35 . 2008-04-13 19:19	75264 c:\windows\SYSTEM32\DLLCACHE\ipsec.sys
+ 2010-01-13 14:01 . 2010-01-13 14:01	86016 c:\windows\SYSTEM32\DLLCACHE\cabview.dll
+ 2002-09-03 16:28 . 2010-01-13 14:01	86016 c:\windows\SYSTEM32\cabview.dll
+ 2010-02-05 09:07 . 2010-04-15 19:05	35088 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2010-02-05 09:07 . 2010-03-11 06:55	35088 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2010-02-05 09:07 . 2010-04-15 19:05	18704 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2010-02-05 09:07 . 2010-03-11 06:55	18704 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2010-02-05 09:07 . 2010-03-11 06:55	20240 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2010-02-05 09:07 . 2010-04-15 19:05	20240 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-10-25 13:18 . 2008-10-25 13:18	72568 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\ONFILTER.DLL
+ 2008-10-25 13:18 . 2008-10-25 13:18	98696 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\ONENOTEM.EXE
+ 2002-09-03 17:12 . 2009-12-24 06:59	177664 c:\windows\SYSTEM32\wintrust.dll
+ 2009-12-24 06:59 . 2009-12-24 06:59	177664 c:\windows\SYSTEM32\DLLCACHE\wintrust.dll
- 2008-05-09 10:53 . 2009-03-08 09:33	420352 c:\windows\SYSTEM32\DLLCACHE\vbscript.dll
+ 2008-05-09 10:53 . 2010-03-10 06:15	420352 c:\windows\SYSTEM32\DLLCACHE\vbscript.dll
+ 2008-06-20 11:08 . 2010-02-11 12:02	226880 c:\windows\SYSTEM32\DLLCACHE\tcpip6.sys
+ 2010-01-03 22:19 . 2010-02-24 13:11	455680 c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
+ 2010-02-12 04:33 . 2010-02-12 04:33	100864 c:\windows\SYSTEM32\DLLCACHE\6to4svc.dll
- 2010-02-05 09:07 . 2010-03-11 06:55	888080 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2010-02-05 09:07 . 2010-04-15 19:05	888080 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2010-02-05 09:07 . 2010-04-15 19:05	272648 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2010-02-05 09:07 . 2010-03-11 06:55	272648 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2010-02-05 09:07 . 2010-03-11 06:55	922384 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2010-02-05 09:07 . 2010-04-15 19:05	922384 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2010-02-05 09:06 . 2010-04-15 19:05	845584 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2010-02-05 09:06 . 2010-03-11 06:55	845584 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2010-02-05 09:07 . 2010-03-11 06:55	217864 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2010-02-05 09:07 . 2010-04-15 19:05	217864 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2010-02-05 09:06 . 2010-03-11 06:55	184080 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2010-02-05 09:06 . 2010-04-15 19:05	184080 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2010-02-05 09:06 . 2010-04-15 19:05	159504 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2010-02-05 09:06 . 2010-03-11 06:55	159504 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2008-10-25 12:52 . 2008-10-25 12:52	664968 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\ONBTTNOL.DLL
+ 2008-10-25 12:52 . 2008-10-25 12:52	604056 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\ONBTTNIE.DLL
+ 2010-04-15 18:56 . 2009-03-08 09:33	420352 c:\windows\ie8updates\KB981332-IE8\vbscript.dll
+ 2010-04-15 18:56 . 2009-05-26 11:40	382840 c:\windows\ie8updates\KB981332-IE8\spuninst\updspapi.dll
+ 2010-04-15 18:56 . 2009-05-26 11:40	231288 c:\windows\ie8updates\KB981332-IE8\spuninst\spuninst.exe
+ 2010-01-03 22:19 . 2010-02-24 13:11	455680 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2009-08-05 01:44 . 2010-02-17 13:10	2189952 c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
+ 2010-01-03 22:17 . 2010-02-16 13:25	2024448 c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
+ 2010-01-03 22:17 . 2010-02-16 13:25	2066816 c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
+ 2010-01-03 22:17 . 2010-02-16 14:08	2146304 c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
+ 2010-02-21 05:03 . 2010-02-21 05:03	4472832 c:\windows\Installer\e2f18.msp
+ 2010-02-21 05:02 . 2010-02-21 05:02	4195840 c:\windows\Installer\e2efa.msp
+ 2010-03-12 03:59 . 2010-03-12 03:59	5031424 c:\windows\Installer\e2ee2.msp
- 2010-02-05 09:06 . 2010-03-11 06:55	1172240 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2010-02-05 09:06 . 2010-04-15 19:05	1172240 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2010-02-05 09:06 . 2010-04-15 19:05	1165584 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2010-02-05 09:06 . 2010-03-11 06:55	1165584 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-03-06 09:00 . 2009-03-06 09:00	6596472 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\ONMAIN.DLL
+ 2008-11-10 15:49 . 2008-11-10 15:49	1165680 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\ONLIBS.DLL
+ 2008-11-25 03:16 . 2008-11-25 03:16	1020776 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\ONENOTE.EXE
+ 2009-08-05 01:44 . 2010-02-17 13:10	2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2010-01-03 22:17 . 2010-02-16 13:25	2024448 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2010-01-03 22:17 . 2010-02-16 13:25	2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2010-01-03 22:17 . 2010-02-16 14:08	2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2010-04-15 18:58 . 2010-04-06 14:52	31971272 c:\windows\SYSTEM32\MRT.exe
+ 2010-03-22 20:03 . 2010-03-22 20:03	11732992 c:\windows\Installer\e2f30.msp
+ 2009-04-03 23:46 . 2009-04-03 23:46	17314688 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\MSO.DLL
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"nwiz"="nwiz.exe" [2003-10-06 741376]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-07 02:20	12464	----a-w-	c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Iomega Icons.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Iomega Icons.lnk
backup=c:\windows\pss\Iomega Icons.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Iomega Startup Options.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Iomega Startup Options.lnk
backup=c:\windows\pss\Iomega Startup Options.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IomegaWare.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\IomegaWare.lnk
backup=c:\windows\pss\IomegaWare.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 17:28	684032	----a-w-	c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 06:54	417792	----a-w-	c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-03-08 06:52	185896	----a-w-	c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\SYSTEM32\\dwwin.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\Hitman Pro 3.5\\HitmanPro35.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDPromo

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [4/6/2010 10:20 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [4/6/2010 10:20 PM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/6/2010 10:17 PM 308064]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [5/6/2008 4:06 PM 11520]
.
Contents of the 'Scheduled Tasks' folder

2010-04-17 c:\windows\Tasks\User_Feed_Synchronization-{4E5F70DD-8DD5-447A-8EE0-29841C8F7EF8}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uDefault_Search_URL = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: Download with Go!Zilla - file://c:\program files\BP Go!Zilla v4.1\download-with-gozilla.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Peter Dy\Application Data\Mozilla\Firefox\Profiles\0n6t0mgo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - HiddenExtension: XUL Cache: {D7204BFC-986B-4A6A-8D4E-A2471B9F35C1} - c:\documents and settings\Peter Dy\Local Settings\Application Data\{D7204BFC-986B-4A6A-8D4E-A2471B9F35C1}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-16 21:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ... 

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3868)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-16 22:02:51
ComboFix-quarantined-files.txt 2010-04-17 02:02
ComboFix2.txt 2010-04-15 01:02
ComboFix3.txt 2010-04-12 17:33
ComboFix4.txt 2010-04-10 04:53

Pre-Run: 5,995,032,576 bytes free
Post-Run: 5,971,886,080 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - FE1DD7EA38278FADCBC79D229EB575AD


----------



## PeterDy

I can access Windows Updates now and Google doesn't redirect! Woohoo! Thanks! Hopefully we got rid of it!


----------



## AdvancedSetup

Yes we're just about done but still have a few more items to clear up.

*STEP 01*
Using your mouse, *Highlight* and then Right-click | Copy the entire contents of the Code box below, including blank lines


Code:


Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=dword:00000000

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
When the scan completes Notepad will open with your results log open. Do a File, Exit.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

*STEP 02*
*Your Java is out of date.* Older versions have vulnerabilities that malware can use to infect your system. *Please follow these steps to remove older version Java components and update.*

Download the latest version of *Java Runtime Environment (JRE) 20* and save it to your desktop.
Scroll down to where it says *JDK 6 Update 20 (JDK or JRE)*
Click the *Download JRE* button to the right
Select the *Windows* platform from the dropdown menu.
Read the License Agreement and then check the box that says: "_I agree to the Java SE Runtime Environment 6u20 with JavaFX 1 License Agreement_". Click on *Continue.* The page will refresh.
Click on the link to download *Windows Offline Installation* and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on *Add or Remove Programs* and remove all older versions of Java.
Check (_highlight_) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
Click the *Remove* or *Change/Remove* button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on *jre-6u20-windows-i586.exe* to install the newest version.

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
On the General tab, under Temporary Internet Files, click the *Settings* button.
Next, click on the Delete Files button
There are two options in the window to clear the cache - *Leave BOTH Checked*

*Applications and Applets*
*Trace and Log Files*

Click OK on Delete Temporary Files Window
*Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.*
Click OK to leave the Temporary Files Window
Click OK to leave the Java Control Panel.



*STEP 03*
What we need to do now is run this online scan to search for any remnants. It can take several hours, so please be patient and allow it to run its full course.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at *Kaspersky Online Scanner*

*Note*

To optimize scanning time and produce a more sensible report for review:
Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan.
Click *Accept*, when prompted to download and install the program files and database of malware definitions. 
Click *Run* at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
Once the update is complete, click on *My Computer* under the green *Scan* bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do *NOT* be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click *View scan report* at the bottom.
Click the *Save Report As...* button.
Click the *Save as Text* button to save the file to your desktop so that you may post it in your next reply.
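The CFScript in STEP 01 undoes two of the changes visible in the logs above: it clears the `ProxyServer = http=127.0.0.1:5555` entry that sends IE's HTTP traffic through a proxy on the local machine, and it sets the firewall profile's `DisableNotifications` back to 0. As an added example that is not part of this thread and not code from ComboFix or DDS, the following Python script shows the defender-side check a helper would run over such a log before and after the fix: it parses the firewall policy and "Supplementary Scan" lines the tools print and flags a proxy pointing at the loopback interface, a firewall profile with notifications switched off, and ports opened to every source. The sample lines are copied from the logs posted in this thread; all function and class names are my own.

```python
"""Defender-side triage of DDS/ComboFix log lines (added example, not code from
ComboFix, DDS or this thread).  It flags three things visible in the logs above:
an Internet Settings proxy on the loopback interface, a firewall profile with
notifications switched off, and ports opened to every source."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: str    # the log line that triggered the finding
    reason: str  # why a defender should care


# Registry section headers, e.g. [HKLM\~\services\sharedaccess\...\standardprofile]
_SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
# "uInternet Settings,ProxyServer = http=127.0.0.1:5555"
_PROXY_RE = re.compile(r"^u?Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
# '"DisableNotifications"= 1 (0x1)'  or  '"DisableNotifications"=dword:00000000'
_NOTIF_RE = re.compile(r'^"DisableNotifications"\s*=\s*(?P<value>.+)$')
# '"53:UDP"= 53:UDPromo' under ...\GloballyOpenPorts\List
_PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"\s*=')


def parse_proxy_value(value):
    """Split a ProxyServer value into (protocol, host, port) triples.

    WinINet accepts either a single 'host:port' (used for every protocol) or a
    ';'-separated list of 'protocol=host:port' entries."""
    triples = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        proto, _, hostport = part.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep:                      # bare hostname, no port given
            host, port = hostport, ""
        triples.append((proto or "all", host, int(port) if port.isdigit() else None))
    return triples


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and the name 'localhost'."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def notifications_disabled(value):
    """Parse the DWORD as ComboFix prints it ('1 (0x1)') or as a CFScript/.reg
    file writes it ('dword:00000001'); non-zero means notifications are off."""
    token = value.split()[0]
    if token.lower().startswith("dword:"):
        return int(token[len("dword:"):], 16) != 0
    return int(token, 0) != 0


def triage(log_text):
    """Return a list of Finding objects for the suspicious lines in log_text."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        m = _PROXY_RE.match(line)
        if m:
            for proto, host, port in parse_proxy_value(m.group("value")):
                if is_loopback(host):
                    findings.append(Finding(line, (
                        f"{proto} traffic is routed through a proxy on the local machine "
                        f"({host}:{port}); unless a known program listens there, this is "
                        "an interception proxy and the browser's pages can be rewritten")))
            continue
        m = _NOTIF_RE.match(line)
        if m and "firewallpolicy" in section and notifications_disabled(m.group("value")):
            findings.append(Finding(line, "Windows Firewall notifications are turned off, "
                                          "so a new listener would not prompt the user"))
            continue
        m = _PORT_RE.match(line)
        if m and "globallyopenports" in section:
            findings.append(Finding(line, f"port {m.group('port')}/{m.group('proto')} "
                                          "is opened to all sources in the firewall policy"))
    return findings


# Constructed sample: lines copied from the DDS/ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDPromo

------- Supplementary Scan -------
uStart Page = hxxp://www.cnn.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.line}\n    -> {f.reason}")
```

Run against the pre-fix log it reports all three lines; run against the log posted after the CFScript, where the ProxyServer line is gone and the firewall value is no longer printed, only the `53:UDP` entry remains, which is why a helper would still ask about that port.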


----------



## PeterDy

OK. Did all three steps. Here are the results. I also saved the Kaspersky log as an html file, since that was the default, but below is the txt version of it.
--------------
ComboFix 10-04-17.07 - Peter Dy 04/18/2010 14:39:59.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.561 [GMT -4:00]
Running from: c:\documents and settings\Peter Dy\Desktop\FixTrojan\ComboFix.exe
Command switches used :: c:\documents and settings\Peter Dy\Desktop\FixTrojan\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-03-18 to 2010-04-18 )))))))))))))))))))))))))))))))
.

2010-04-17 03:44 . 2010-04-17 03:45	--------	d-----w-	c:\program files\QuickTime
2010-04-17 03:37 . 2010-04-17 03:37	--------	d-----w-	c:\program files\Bonjour
2010-04-16 01:11 . 2010-04-16 01:11	--------	d-sh--w-	c:\documents and settings\NetworkService\PrivacIE
2010-04-16 00:50 . 2010-04-16 01:35	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\ukleqhtys
2010-04-07 02:20 . 2010-04-07 02:20	12464	----a-w-	c:\windows\system32\avgrsstx.dll
2010-04-07 02:20 . 2010-04-07 02:20	242696	----a-w-	c:\windows\system32\drivers\avgtdix.sys
2010-04-07 02:20 . 2010-04-07 02:20	216200	----a-w-	c:\windows\system32\drivers\avgldx86.sys
2010-04-07 02:19 . 2010-04-07 02:19	29512	----a-w-	c:\windows\system32\drivers\avgmfx86.sys
2010-04-07 02:19 . 2010-04-18 18:30	--------	d-----w-	c:\windows\system32\drivers\Avg
2010-04-07 02:00 . 2010-04-18 18:39	--------	d-----w-	c:\windows\system32\CatRoot2
2010-04-06 20:29 . 2010-04-06 20:29	198656	----a-w-	c:\documents and settings\NetworkService\Local Settings\Application Data\ave.exe.vir
2010-04-06 20:27 . 2005-08-26 04:50	77312	----a-w-	c:\windows\system32\ztvunace26.dll
2010-04-06 20:27 . 2010-04-06 20:27	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\Simply Super Software
2010-04-06 19:29 . 2010-03-29 19:24	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-06 19:28 . 2010-03-29 19:24	20824	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-04-06 16:32 . 2010-04-06 16:32	--------	d-----w-	c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-06 16:32 . 2010-04-06 19:26	--------	d-----w-	c:\program files\SUPERAntiSpyware
2010-04-06 16:32 . 2010-04-06 16:32	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\SUPERAntiSpyware.com
2010-04-06 01:29 . 2010-04-06 02:15	--------	d-----w-	C:\VundoFix Backups
2010-04-04 17:11 . 2010-04-04 17:11	--------	d-----w-	c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-04 17:08 . 2010-04-04 17:11	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-18 01:45 . 2008-09-16 00:47	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\gtk-2.0
2010-04-18 01:38 . 2008-09-16 00:46	--------	d-----w-	c:\program files\Avidemux 2.4
2010-04-15 19:04 . 2010-02-05 06:30	--------	d-----w-	c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-14 07:38 . 2010-01-03 20:38	--------	d-----w-	c:\documents and settings\All Users\Application Data\avg9
2010-04-09 16:43 . 2010-03-15 00:00	15944	----a-w-	c:\windows\system32\drivers\hitmanpro35.sys
2010-04-08 17:37 . 2007-05-23 05:10	--------	d---a-w-	c:\documents and settings\All Users\Application Data\TEMP
2010-04-08 02:35 . 2009-04-09 03:12	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\U3
2010-04-06 19:29 . 2010-01-31 17:25	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-04-04 17:21 . 2002-09-03 16:27	96512	------w-	c:\windows\system32\drivers\atapi.sys
2010-03-21 19:46 . 2008-09-16 00:47	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\avidemux
2010-03-15 00:12 . 2010-03-15 00:00	--------	d-----w-	c:\documents and settings\All Users\Application Data\Hitman Pro
2010-03-14 23:59 . 2010-03-14 23:59	--------	d-----w-	c:\program files\Hitman Pro 3.5
2010-03-14 20:38 . 2003-07-16 04:46	106712	----a-w-	c:\documents and settings\Peter Dy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-10 06:15 . 2002-09-03 17:09	420352	----a-w-	c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2002-09-03 17:12 916480	------w-	c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2002-09-03 16:42	455680	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2002-09-03 16:50	2189952	------w-	c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2002-08-29 01:04	2066816	------w-	c:\windows\system32\ntkrnlpa.exe
2010-02-12 15:46 . 2010-02-12 15:46	91424	----a-w-	c:\windows\system32\dnssd.dll
2010-02-12 15:46 . 2010-02-12 15:46	107808	----a-w-	c:\windows\system32\dns-sd.exe
2010-02-12 04:33 . 2002-09-03 16:26	100864	----a-w-	c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2002-09-03 17:06	226880	----a-w-	c:\windows\system32\drivers\tcpip6.sys
2010-01-28 07:29 . 2009-11-07 06:26	74452	---ha-w-	c:\windows\system32\mlfcache.dat
2006-05-03 09:06 . 2007-09-09 23:43	163328	--sh--r-	c:\windows\SYSTEM32\flvDX.dll
2008-02-20 02:55 . 2008-02-16 22:54	10856	--sha-w-	c:\windows\SYSTEM32\KGyGaAvL.sys
2007-02-21 10:47 . 2007-09-09 23:43	31232	--sh--r-	c:\windows\SYSTEM32\msfDX.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-04-17_01.53.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-18 18:23 . 2010-04-18 18:23	16384 c:\windows\Temp\Perflib_Perfdata_388.dat
+ 2010-04-17 03:38 . 2009-10-16 06:33	41472 c:\windows\SYSTEM32\DRVSTORE\usbaapl_E0F497D6C8B1C59AEB6422181BF0AFABD8356D47\usbaapl.sys
+ 2010-04-17 03:35 . 2010-04-17 03:35	791552 c:\windows\Installer\ac40a4.msi
+ 2010-04-17 03:38 . 2009-10-16 06:33	3003680 c:\windows\SYSTEM32\DRVSTORE\usbaapl_E0F497D6C8B1C59AEB6422181BF0AFABD8356D47\usbaaplrc.dll
+ 2010-04-17 03:44 . 2010-04-17 03:44	9472000 c:\windows\Installer\ac4863.msi
+ 2010-04-17 03:38 . 2010-04-17 03:38	3165184 c:\windows\Installer\ac40f6.msi
+ 2010-04-17 03:37 . 2010-04-17 03:37	1984000 c:\windows\Installer\ac40ba.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-07 02:20	12464	----a-w-	c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Iomega Icons.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Iomega Icons.lnk
backup=c:\windows\pss\Iomega Icons.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Iomega Startup Options.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Iomega Startup Options.lnk
backup=c:\windows\pss\Iomega Startup Options.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IomegaWare.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\IomegaWare.lnk
backup=c:\windows\pss\IomegaWare.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 17:28	684032	----a-w-	c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53	421888	----a-w-	c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-03-08 06:52	185896	----a-w-	c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"DVDSentry"=c:\windows\System32\DSentry.exe
"nwiz"=nwiz.exe /install
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\SYSTEM32\\dwwin.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\Hitman Pro 3.5\\HitmanPro35.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDPromo

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [4/6/2010 10:20 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [4/6/2010 10:20 PM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/6/2010 10:17 PM 308064]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [5/6/2008 4:06 PM 11520]
.
Contents of the 'Scheduled Tasks' folder

2010-04-18 c:\windows\Tasks\User_Feed_Synchronization-{4E5F70DD-8DD5-447A-8EE0-29841C8F7EF8}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uDefault_Search_URL = hxxp://www.google.com
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: Download with Go!Zilla - file://c:\program files\BP Go!Zilla v4.1\download-with-gozilla.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Peter Dy\Application Data\Mozilla\Firefox\Profiles\0n6t0mgo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - HiddenExtension: XUL Cache: {D7204BFC-986B-4A6A-8D4E-A2471B9F35C1} - c:\documents and settings\Peter Dy\Local Settings\Application Data\{D7204BFC-986B-4A6A-8D4E-A2471B9F35C1}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-18 14:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ... 

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3788)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-18 15:03:03
ComboFix-quarantined-files.txt 2010-04-18 19:02
ComboFix2.txt 2010-04-17 02:02
ComboFix3.txt 2010-04-15 01:02
ComboFix4.txt 2010-04-12 17:33
ComboFix5.txt 2010-04-18 18:38

Pre-Run: 7,390,351,360 bytes free
Post-Run: 7,464,157,184 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 77806E9B7528CD04C561BF6FCC0C6A78

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, April 19, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, April 19, 2010 02:44:12
Records in database: 3947387
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Objects scanned: 425108
Threats found: 4
Infected objects found: 5
Suspicious objects found: 3
Scan duration: 09:04:24


File name / Threat / Threats count
C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe.vir	Infected: Packed.Win32.Katusha.j	1
C:\Documents and Settings\Peter Dy\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Inbox.dbx	Suspicious: Exploit.HTML.Iframe.FileDownload	3
C:\Documents and Settings\Peter Dy\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Inbox.dbx	Infected: Email-Worm.Win32.Swen	3
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP83\A0037234.sys	Infected: Rootkit.Win32.TDSS.ap	1

Selected area has been scanned.


----------
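The Kaspersky report above is a tab-separated list of path, verdict with threat name, and count. What follows is an added example, not part of the original thread and not a Kaspersky tool, that parses such a report and sorts each hit by where it lives, applying the same reasoning the next reply uses: hits inside a mail database are left to a mail-aware antivirus, copies inside a System Restore point disappear when the restore cache is reset, and anything else is a live file that still needs collecting or removing. The sample report is built from the lines posted above; the path rules and handling labels are this example's own assumptions.

```python
"""Triage of a Kaspersky Online Scanner 7 report (added example, not a thread or Kaspersky tool)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One finding per line: <path>\t<Verdict>: <threat name>\t<count>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\t(?P<verdict>Infected|Suspicious): (?P<threat>\S+)\t(?P<count>\d+)$"
)

# Where a hit lives decides how it is handled (labels are this example's, not Kaspersky's):
#   restore-point : a copy inside System Volume Information, flushed by resetting System Restore
#   mail-store    : inside a mail database, left to a mail-aware antivirus to clean
#   live-file     : anything else, still present on the running system
RULES = (
    (re.compile(r"\\system volume information\\_restore\{", re.I), "restore-point"),
    (re.compile(r"\.(dbx|pst|ost|mbx)$", re.I), "mail-store"),
)


@dataclass(frozen=True)
class Finding:
    path: str
    verdict: str  # Infected or Suspicious
    threat: str
    count: int
    handling: str


def classify(path: str) -> str:
    for pattern, handling in RULES:
        if pattern.search(path):
            return handling
    return "live-file"


def parse_report(text: str) -> list[Finding]:
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip("\r"))
        if m is None:
            continue  # header, statistics and blank lines
        findings.append(Finding(m["path"], m["verdict"], m["threat"],
                                int(m["count"]), classify(m["path"])))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.handling for f in findings))


def live_files(findings: list[Finding]) -> list[str]:
    """Paths that still need collecting or removing on the running system."""
    return sorted({f.path for f in findings if f.handling == "live-file"})


# Sample built from the report lines posted in this thread.
SAMPLE_REPORT = "\n".join([
    "File name / Threat / Threats count",
    "\t".join([r"C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe.vir",
               "Infected: Packed.Win32.Katusha.j", "1"]),
    "\t".join([r"C:\Documents and Settings\Peter Dy\Local Settings\Application Data\Identities"
               r"\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Inbox.dbx",
               "Suspicious: Exploit.HTML.Iframe.FileDownload", "3"]),
    "\t".join([r"C:\Documents and Settings\Peter Dy\Local Settings\Application Data\Identities"
               r"\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Inbox.dbx",
               "Infected: Email-Worm.Win32.Swen", "3"]),
    "\t".join([r"C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}"
               r"\RP83\A0037234.sys", "Infected: Rootkit.Win32.TDSS.ap", "1"]),
    "",
    "Selected area has been scanned.",
])

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for f in found:
        print(f"{f.handling:14} {f.verdict:10} {f.threat:35} {f.path}")
    print(summarize(found))
    print("still live:", live_files(found))
```

Run against the sample, only the `ave.exe.vir` path comes out as a live file, which is the one the next reply has ComboFix collect; the two mail-store hits and the restore-point copy of the TDSS driver fall to the mail scanner and the System Restore reset respectively.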



## AdvancedSetup

Please ignore the other finds from Kaspersky as those are typically inaccurate for the email files found. If you have an Anti-Virus product that has an Email component then please have it scan your email and alert you to any emails that may be infected so that you can remove them or allow your AV to take care of it for you.

We need to run CF again and this time we'll have it collect that one file and upload it to our servers so that we can review it and add to our list as needed.
The program will alert you that it wants to send a file, please allow it.


Using your mouse, *Highlight* and then Right-click | Copy the entire contents of the Code box below, including blank lines


Code:


http://www.techsupportforum.com/f50/cannot-access-windows-update-page-google-redirects-474675.html#post2676031
Collect::
C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe.vir
DirLook::
c:\documents and settings\NetworkService\Local Settings\Application Data\ukleqhtys

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
When the scan completes Notepad will open with your results log open. Do a File, Exit.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.


----------



## PeterDy

Thanks! Here is the scan log: 

ComboFix 10-04-18.04 - Peter Dy 04/19/2010 21:12:18.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.565 [GMT -4:00]
Running from: c:\documents and settings\Peter Dy\Desktop\FixTrojan\ComboFix.exe
Command switches used :: c:\documents and settings\Peter Dy\Desktop\FixTrojan\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\documents and settings\NetworkService\Local Settings\Application Data\ave.exe.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Local Settings\Application Data\ave.exe.vir
c:\documents and settings\Peter Dy\Local Settings\Application Data\{D7204BFC-986B-4A6A-8D4E-A2471B9F35C1}
c:\documents and settings\Peter Dy\Local Settings\Application Data\{D7204BFC-986B-4A6A-8D4E-A2471B9F35C1}\chrome.manifest
c:\documents and settings\Peter Dy\Local Settings\Application Data\{D7204BFC-986B-4A6A-8D4E-A2471B9F35C1}\chrome\content\_cfg.js
c:\documents and settings\Peter Dy\Local Settings\Application Data\{D7204BFC-986B-4A6A-8D4E-A2471B9F35C1}\chrome\content\c.js
c:\documents and settings\Peter Dy\Local Settings\Application Data\{D7204BFC-986B-4A6A-8D4E-A2471B9F35C1}\chrome\content\overlay.xul
c:\documents and settings\Peter Dy\Local Settings\Application Data\{D7204BFC-986B-4A6A-8D4E-A2471B9F35C1}\install.rdf

.
((((((((((((((((((((((((( Files Created from 2010-03-20 to 2010-04-20 )))))))))))))))))))))))))))))))
.

2010-04-18 19:23 . 2010-04-18 19:23	--------	d-----w-	c:\program files\Common Files\Java
2010-04-18 19:22 . 2010-04-18 19:22	411368	----a-w-	c:\windows\system32\deployJava1.dll
2010-04-17 03:44 . 2010-04-17 03:45	--------	d-----w-	c:\program files\QuickTime
2010-04-17 03:37 . 2010-04-17 03:37	--------	d-----w-	c:\program files\Bonjour
2010-04-16 01:11 . 2010-04-16 01:11	--------	d-sh--w-	c:\documents and settings\NetworkService\PrivacIE
2010-04-16 00:50 . 2010-04-16 01:35	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\ukleqhtys
2010-04-07 02:20 . 2010-04-07 02:20	12464	----a-w-	c:\windows\system32\avgrsstx.dll
2010-04-07 02:20 . 2010-04-07 02:20	242696	----a-w-	c:\windows\system32\drivers\avgtdix.sys
2010-04-07 02:20 . 2010-04-07 02:20	216200	----a-w-	c:\windows\system32\drivers\avgldx86.sys
2010-04-07 02:19 . 2010-04-07 02:19	29512	----a-w-	c:\windows\system32\drivers\avgmfx86.sys
2010-04-07 02:19 . 2010-04-20 00:34	--------	d-----w-	c:\windows\system32\drivers\Avg
2010-04-07 02:00 . 2010-04-20 01:11	--------	d-----w-	c:\windows\system32\CatRoot2
2010-04-06 20:27 . 2005-08-26 04:50	77312	----a-w-	c:\windows\system32\ztvunace26.dll
2010-04-06 20:27 . 2010-04-06 20:27	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\Simply Super Software
2010-04-06 19:29 . 2010-03-29 19:24	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-06 19:28 . 2010-03-29 19:24	20824	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-04-06 16:32 . 2010-04-06 16:32	--------	d-----w-	c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-06 16:32 . 2010-04-06 19:26	--------	d-----w-	c:\program files\SUPERAntiSpyware
2010-04-06 16:32 . 2010-04-06 16:32	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\SUPERAntiSpyware.com
2010-04-06 01:29 . 2010-04-06 02:15	--------	d-----w-	C:\VundoFix Backups
2010-04-04 17:11 . 2010-04-04 17:11	--------	d-----w-	c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-04 17:08 . 2010-04-04 17:11	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-20 00:30 . 2007-08-23 00:56	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\Apple Computer
2010-04-19 01:45 . 2008-09-16 00:47	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\gtk-2.0
2010-04-19 01:37 . 2008-09-16 00:46	--------	d-----w-	c:\program files\Avidemux 2.4
2010-04-15 19:04 . 2010-02-05 06:30	--------	d-----w-	c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-14 07:38 . 2010-01-03 20:38	--------	d-----w-	c:\documents and settings\All Users\Application Data\avg9
2010-04-09 16:43 . 2010-03-15 00:00	15944	----a-w-	c:\windows\system32\drivers\hitmanpro35.sys
2010-04-08 17:37 . 2007-05-23 05:10	--------	d---a-w-	c:\documents and settings\All Users\Application Data\TEMP
2010-04-08 02:35 . 2009-04-09 03:12	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\U3
2010-04-06 19:29 . 2010-01-31 17:25	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-04-04 17:21 . 2002-09-03 16:27	96512	------w-	c:\windows\system32\drivers\atapi.sys
2010-03-21 19:46 . 2008-09-16 00:47	--------	d-----w-	c:\documents and settings\Peter Dy\Application Data\avidemux
2010-03-15 00:12 . 2010-03-15 00:00	--------	d-----w-	c:\documents and settings\All Users\Application Data\Hitman Pro
2010-03-14 23:59 . 2010-03-14 23:59	--------	d-----w-	c:\program files\Hitman Pro 3.5
2010-03-14 20:38 . 2003-07-16 04:46	106712	----a-w-	c:\documents and settings\Peter Dy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-10 06:15 . 2002-09-03 17:09	420352	----a-w-	c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2002-09-03 17:12	916480	------w-	c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2002-09-03 16:42	455680	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2002-09-03 16:50	2189952	------w-	c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2002-08-29 01:04	2066816	------w-	c:\windows\system32\ntkrnlpa.exe
2010-02-12 15:46 . 2010-02-12 15:46	91424	----a-w-	c:\windows\system32\dnssd.dll
2010-02-12 15:46 . 2010-02-12 15:46	107808	----a-w-	c:\windows\system32\dns-sd.exe
2010-02-12 04:33 . 2002-09-03 16:26	100864	----a-w-	c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2002-09-03 17:06	226880	----a-w-	c:\windows\system32\drivers\tcpip6.sys
2010-01-28 07:29 . 2009-11-07 06:26	74452	---ha-w-	c:\windows\system32\mlfcache.dat
2006-05-03 09:06 . 2007-09-09 23:43	163328	--sh--r-	c:\windows\SYSTEM32\flvDX.dll
2008-02-20 02:55 . 2008-02-16 22:54	10856	--sha-w-	c:\windows\SYSTEM32\KGyGaAvL.sys
2007-02-21 10:47 . 2007-09-09 23:43	31232	--sh--r-	c:\windows\SYSTEM32\msfDX.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\NetworkService\Local Settings\Application Data\ukleqhtys ----



((((((((((((((((((((((((((((( SnapShot_2010-04-17_01.53.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-20 00:30 . 2010-04-20 00:30	16384 c:\windows\Temp\Perflib_Perfdata_3b8.dat
+ 2010-04-17 03:38 . 2009-10-16 06:33	41472 c:\windows\SYSTEM32\DRVSTORE\usbaapl_E0F497D6C8B1C59AEB6422181BF0AFABD8356D47\usbaapl.sys
+ 2010-04-18 19:22 . 2010-04-18 19:22	153376 c:\windows\SYSTEM32\javaws.exe
- 2009-11-18 03:22 . 2009-10-11 09:17	145184 c:\windows\SYSTEM32\javaw.exe
+ 2010-04-18 19:22 . 2010-04-18 19:22	145184 c:\windows\SYSTEM32\javaw.exe
- 2009-11-18 03:22 . 2009-10-11 09:17	145184 c:\windows\SYSTEM32\java.exe
+ 2010-04-18 19:22 . 2010-04-18 19:22	145184 c:\windows\SYSTEM32\java.exe
+ 2010-04-17 03:35 . 2010-04-17 03:35	791552 c:\windows\Installer\ac40a4.msi
+ 2010-04-18 19:23 . 2010-04-18 19:23	180224 c:\windows\Installer\3f7d8.msi
+ 2010-04-18 19:21 . 2010-04-18 19:21	577536 c:\windows\Installer\3f7d1.msi
+ 2010-04-17 03:38 . 2009-10-16 06:33	3003680 c:\windows\SYSTEM32\DRVSTORE\usbaapl_E0F497D6C8B1C59AEB6422181BF0AFABD8356D47\usbaaplrc.dll
+ 2010-04-17 03:44 . 2010-04-17 03:44	9472000 c:\windows\Installer\ac4863.msi
+ 2010-04-17 03:38 . 2010-04-17 03:38	3165184 c:\windows\Installer\ac40f6.msi
+ 2010-04-17 03:37 . 2010-04-17 03:37	1984000 c:\windows\Installer\ac40ba.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-07 02:20	12464	----a-w-	c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Iomega Icons.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Iomega Icons.lnk
backup=c:\windows\pss\Iomega Icons.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Iomega Startup Options.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Iomega Startup Options.lnk
backup=c:\windows\pss\Iomega Startup Options.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IomegaWare.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\IomegaWare.lnk
backup=c:\windows\pss\IomegaWare.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 17:28	684032	----a-w-	c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53	421888	----a-w-	c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-03-08 06:52	185896	----a-w-	c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"DVDSentry"=c:\windows\System32\DSentry.exe
"nwiz"=nwiz.exe /install
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\SYSTEM32\\dwwin.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\Hitman Pro 3.5\\HitmanPro35.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDPromo

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [4/6/2010 10:20 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [4/6/2010 10:20 PM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/6/2010 10:17 PM 308064]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [5/6/2008 4:06 PM 11520]
.
Contents of the 'Scheduled Tasks' folder

2010-04-20 c:\windows\Tasks\User_Feed_Synchronization-{4E5F70DD-8DD5-447A-8EE0-29841C8F7EF8}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uDefault_Search_URL = hxxp://www.google.com
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: Download with Go!Zilla - file://c:\program files\BP Go!Zilla v4.1\download-with-gozilla.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Peter Dy\Application Data\Mozilla\Firefox\Profiles\0n6t0mgo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-19 21:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ... 

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-04-19 21:37:45
ComboFix-quarantined-files.txt 2010-04-20 01:37
ComboFix2.txt 2010-04-18 19:03
ComboFix3.txt 2010-04-17 02:02
ComboFix4.txt 2010-04-15 01:02
ComboFix5.txt 2010-04-20 01:10

Pre-Run: 8,002,576,384 bytes free
Post-Run: 8,201,134,080 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 9A3340C3BA552CAA2B349EE09743B250
Upload was successful


----------



## AdvancedSetup

Please remove the following folder.

c:\documents and settings\NetworkService\Local Settings\Application Data\*ukleqhtys*



We should be done here. Some final housekeeping instructions, and protection information for you.

Your logs appear clean. You should be good to go. We still have a few items to address.

Disconnect from the internet and disable your AntiVirus temporarily. 

Press the Windows key + R -> in the Run box which opens -> *copy/paste* in the following single line command & click OK


*ComboFix /Uninstall*

This will uninstall ComboFix. It will also implement some cleanup procedures.

Re-enable your AntiVirus now. Reconnect to the internet at your leisure.

Delete any remaining tools we've used (DDS and GMER) and logs from them.

Empty your Recycle Bin.


*Clear & Reset System Restore's Cache*

Press the Windows key + R
Type or copy/paste control sysdm.cpl,,4 & press Enter
Click on Continue
Under Automatic Restore points
Uncheck (untick) all the boxes under Create restore points automatically on the selected disks section.
Click Turn System Restore Off.
Click Apply

Turn System Restore back on now.

Check (tick) all the boxes under Create restore points automatically on the selected disks section.
Click OK.


============================================

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:


*Microsoft Windows Update* -

To update Windows, click on *Start* > *Windows Update* (or *Start* > *All Programs* > *Windows Update* if you are using the new Vista Start Menu). If the Windows Update is not found there, go to this link - http://update.microsoft.com/ .

This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

*SpywareBlaster* to help prevent spyware from installing in the first place.
Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - *enable protection for all unprotected items*

*WOT*, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.


*Winpatrol*

Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

You can get a free copy of Winpatrol or use the Plus version for more features.

You can read Winpatrol's FAQ if you run into problems.


*MVPS HOST FILE*
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.

*ANTIVIRUS SOFTWARE*
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

*Do not install more than one AntiVirus program because they will conflict with each other.*


 Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer


 http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


 http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

*ERUNT* will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

*NTREGOPT* works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

*How did I get infected in the first place?*
 *PC Safety and Security--What Do I Need?*

If you want to fight back the Malware Writers that have made your life a misery, please take a look *here* and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.


----------
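The MVPS HOSTS file described above works by pointing ad domains at 127.0.0.1. The same mechanism, pointed at update, vendor or search domains instead, is one way a machine ends up unable to reach Windows Update or with its searches redirected, so a hosts-file audit belongs in the post-cleanup checks. The script below is an added example, not the thread's own and not from the MVPS project: it reads a hosts file and separates MVPS-style blocking entries from entries that map a protected domain to any address at all. The sample hosts text is constructed, and the protected-domain list and the 203.0.113.x addresses are assumptions.

```python
"""Hosts-file audit (added example; not from the thread or the MVPS project)."""
from __future__ import annotations

import ipaddress
import os

# Addresses an MVPS-style blocking file uses as a sink.
BLACKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Domains a blocking hosts file has no business touching: update servers, the
# search engine that was being redirected, and security vendors. Assumed list;
# extend it for the products actually installed.
PROTECTED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "google.com",
    "malwarebytes.org", "avg.com", "kaspersky.com", "mozilla.org",
)


def parse_hosts(text: str):
    """Yield (line_no, ip, hostname) for every mapping; comments and junk are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first column is not an address
        for host in fields[1:]:
            host = host.lower().rstrip(".")
            if host not in LOCAL_NAMES:
                yield n, ip, host


def is_protected(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text: str) -> dict[str, list[tuple[int, str, str]]]:
    """Sort entries into hijack / blackhole / other.

    hijack    : a protected domain mapped to any address at all, 127.0.0.1 included
    blackhole : any other name sent to a sink address (what MVPS does with ad hosts)
    other     : a real name-to-address mapping, to be reviewed by hand
    """
    result = {"hijack": [], "blackhole": [], "other": []}
    for entry in parse_hosts(text):
        _, ip, host = entry
        if is_protected(host):
            result["hijack"].append(entry)
        elif ip in BLACKHOLES:
            result["blackhole"].append(entry)
        else:
            result["other"].append(entry)
    return result


# Constructed sample; the 203.0.113.0/24 addresses are documentation-only space.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net        # MVPS-style block
127.0.0.1       tracker.example.org
203.0.113.5     update.microsoft.com windowsupdate.microsoft.com
127.0.0.1       www.google.com
203.0.113.9     fileserver.example.lan
"""

if __name__ == "__main__":
    # On the affected machine read the real file; elsewhere fall back to the sample.
    hosts_path = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                              "system32", "drivers", "etc", "hosts")
    if os.path.exists(hosts_path):
        with open(hosts_path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for kind, entries in audit_hosts(text).items():
        for n, ip, host in entries:
            print(f"{kind:10} line {n:>4}: {ip:15} {host}")
```

A protected domain is flagged whatever address it points at: sending www.google.com to 127.0.0.1 is as much a hijack as sending update.microsoft.com to an outside host, and neither belongs in a blocking list. Entries in the `other` bucket are not necessarily bad (a LAN file server is a normal use of the hosts file) but are the ones worth reading by hand.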



## PeterDy

Thanks for all your help! I really appreciate it!!

My System Properties window doesn't have the options you give. It has a System Restore tab and on that tab there is only one box to click: "Turn off system restore on all drives". It was checked, so I unchecked it. Then I checked it again, and it warned me that this would erase my restore points. I continued. Then I unchecked it again. Hope I did that right!

Thanks again!!


----------



## AdvancedSetup

Yes that was the correct thing to do. Take care and stay safe out there.


----------

