TechSpot

Problem with Hotmail. Attn. Bobbye

By Squidget1031
Dec 19, 2010
  1. Hi Bobbye,

    About nine months ago you helped me remove some spyware/malware from my home computer. Recently, my husband has been having some new problems: when he tries to log in to his Hotmail account, the first entry of his password always fails, but it works the second time. Then, when he goes into his Inbox, he can't read or delete his mail. I'm not sure if this is a Hotmail problem, or if it has to do with a repeat spyware/malware issue.

    We recently changed internet providers and have a new "security" system and I'm wondering if that may have led to some of these new problems. He also seems to be having trouble on other websites where new windows need to pop up. These problems do not seem to be affecting my user profile.

    The logs from the 8-step process are below:

    MALWAREBYTES:
    Malwarebytes' Anti-Malware 1.44
    Database version: 3928
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    3/29/2010 2:50:32 PM
    mbam-log-2010-03-29 (14-50-32).txt

    Scan type: Quick Scan
    Objects scanned: 236386
    Time elapsed: 22 minute(s), 57 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 10
    Registry Values Infected: 3
    Registry Data Items Infected: 1
    Folders Infected: 1
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Documents and Settings\All Users\Application Data\gwr (Rogue.GreenAV) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\HelpAssistant.AREBRO\Local Settings\Temp\agsbgi.dll (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
    C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\gwr\Viruses.dat (Rogue.GreenAV) -> Quarantined and deleted successfully.


    DDS.TXT
    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Emily at 21:31:15.64 on Sun 12/19/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.160 [GMT -5:00]

    AV: CA Anti-Virus Plus *Enabled/Updated* {6B98D35F-BB76-41C0-876B-A50645ED099A}
    FW: CA Personal Firewall *Enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\Program Files\CA\CA Internet Security Suite\ccEvtMgr.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\caamsvc.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe
    C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\mdmcls32.exe
    C:\WINDOWS\system32\svcprs32.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\CA\CA Internet Security Suite\casc.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Emily\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://att.yahoo.com
    mSearch Bar = hxxp://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = 127.0.0.1;*.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://search.yahoo.com
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
    mWinlogon: Userinit=userinit.exe,
    BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
    BHO: CA Anti-Phishing Toolbar Helper: {45011cf5-e4a9-4f13-9093-f30a784eb9b2} - c:\program files\ca\ca internet security suite\rrr anti-phishing\toolbar\caIEToolbar.dll
    BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
    BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\progra~1\yahoo!\common\YIeTagBm.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
    TB: CA Anti-Phishing Toolbar: {0123b506-0ad9-43aa-b0cf-916c122ad4c5} - c:\program files\ca\ca internet security suite\rrr anti-phishing\toolbar\caIEToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [Yahoo! Pager] 1
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
    mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
    mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
    mRun: [TkBellExe] "realsched.exe" -osboot
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [cctray] "c:\program files\ca\ca internet security suite\casc.exe"
    mRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sbcsel~1.lnk - c:\program files\sbc self support tool\bin\matcli.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    LSP: c:\windows\system32\winsflt.dll
    LSP: c:\windows\system32\VetRedir.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - hxxp://www.trueswitch.com/sbcyahoo/TrueInstallSBC.exe
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: igfxcui - igfxdev.dll
    Notify: PFW - UmxWnp.Dll
    AppInit_DLLs: UmxSbxExw.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\emily\applic~1\mozilla\firefox\profiles\smny8jtr.default\
    FF - component: c:\program files\ca\ca internet security suite\rrr anti-phishing\toolbar\firefox\components\CAFxToolBar.dll
    FF - plugin: c:\documents and settings\emily\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: CA Anti-Phishing Toolbar: caaphishtoolbar@ca.com - c:\program files\ca\ca internet security suite\rrr anti-phishing\toolbar\Firefox

    ============= SERVICES / DRIVERS ===============

    R0 KmxAMRT;KmxAMRT;c:\windows\system32\drivers\KmxAMRT.sys [2010-9-17 135248]
    R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2010-5-3 108112]
    R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2010-3-22 79864]
    R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2010-9-24 61008]
    R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2010-9-24 115792]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
    R2 CAAMSvc;CAAMSvc;c:\program files\ca\ca internet security suite\ca anti-virus plus\CAAMSvc.exe [2010-11-29 206152]
    R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus plus\isafe.exe [2010-11-29 212992]
    R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2010-11-29 206160]
    R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2010-9-24 146000]
    R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2010-9-24 61008]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2009-8-4 887288]
    R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2010-8-24 740160]
    R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2010-9-17 301648]
    R2 WinExtManager;WinSock Extention Manager;c:\windows\system32\mdmcls32.exe [2010-11-29 2347760]
    R2 WinSvchostManager;WinSock Svchost Manager;c:\windows\system32\svcprs32.exe [2010-11-29 1377008]
    R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2010-6-9 244304]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]
    S3 KmxAMVet;KmxAMVet;c:\windows\system32\drivers\KmxAMVet.sys [2009-3-27 598656]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

    =============== Created Last 30 ================

    2010-12-19 21:04:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-19 21:04:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-19 21:04:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-18 21:24:08 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2010-12-18 21:24:08 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-12-18 21:21:55 -------- d-----w- c:\program files\ISSThirdParty
    2010-12-18 21:18:14 -------- d-----w- c:\docume~1\emily\applic~1\VirtualStore
    2010-12-15 20:01:35 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-15 20:01:02 45568 ------w- c:\windows\system32\dllcache\wab.exe
    2010-11-30 01:52:20 7 ----a-w- c:\windows\system32\mkghj.dll
    2010-11-30 01:50:01 -------- d-----w- c:\program files\CA
    2010-11-21 00:21:00 -------- d-----w- c:\program files\iPod
    2010-11-21 00:20:39 -------- d-----w- c:\program files\iTunes

    ==================== Find3M ====================

    2010-12-19 16:48:16 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-11-30 02:26:31 1054032 ----a-w- c:\windows\system32\cfgmig32.dll
    2010-11-30 02:26:25 95568 ----a-w- c:\windows\system32\vetredir.dll
    2010-11-30 02:26:25 128336 ----a-w- c:\windows\system32\isafeif.dll
    2010-11-30 01:51:34 5845744 ----a-w- c:\windows\system32\win32cpr.dll
    2010-11-30 01:51:34 1872624 ----a-w- c:\windows\system32\winsflt.dll
    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    2010-09-28 20:44:52 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
    2010-09-24 16:16:18 272976 ----a-w- c:\windows\system32\UmxSbxw.dll
    2010-09-24 16:16:18 113232 ----a-w- c:\windows\system32\UmxSbxExw.dll

    ============= FINISH: 21:38:49.01 ===============

    ATTACH.TXT
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 2/4/2006 5:01:11 PM
    System Uptime: 12/19/2010 9:17:38 PM (0 hours ago)

    Motherboard: Dell Inc. | | 0JC474
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 144 GiB total, 115.772 GiB free.
    D: is CDROM ()
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP159: 9/21/2010 7:27:28 AM - System Checkpoint
    RP160: 9/22/2010 8:27:28 AM - System Checkpoint
    RP161: 9/23/2010 9:11:14 AM - System Checkpoint
    RP162: 9/24/2010 9:28:50 AM - System Checkpoint
    RP163: 9/25/2010 10:50:58 AM - System Checkpoint
    RP164: 9/26/2010 12:40:49 PM - System Checkpoint
    RP165: 9/27/2010 1:25:52 PM - System Checkpoint
    RP166: 9/28/2010 1:28:49 PM - System Checkpoint
    RP167: 9/29/2010 3:00:19 AM - Software Distribution Service 3.0
    RP168: 9/30/2010 4:28:48 AM - System Checkpoint
    RP169: 10/1/2010 3:00:22 AM - Software Distribution Service 3.0
    RP170: 10/2/2010 3:22:03 AM - System Checkpoint
    RP171: 10/3/2010 3:34:01 AM - System Checkpoint
    RP172: 10/4/2010 4:34:01 AM - System Checkpoint
    RP173: 10/5/2010 5:02:32 AM - System Checkpoint
    RP174: 10/6/2010 5:21:59 AM - System Checkpoint
    RP175: 10/7/2010 6:34:22 AM - System Checkpoint
    RP176: 10/8/2010 7:51:51 AM - System Checkpoint
    RP177: 10/9/2010 8:39:49 AM - System Checkpoint
    RP178: 10/10/2010 9:03:48 AM - System Checkpoint
    RP179: 10/11/2010 11:11:23 AM - System Checkpoint
    RP180: 10/12/2010 11:58:15 AM - System Checkpoint
    RP181: 10/13/2010 3:00:24 AM - Software Distribution Service 3.0
    RP182: 10/14/2010 3:28:45 AM - System Checkpoint
    RP183: 10/15/2010 4:29:00 AM - System Checkpoint
    RP184: 10/16/2010 5:40:40 AM - System Checkpoint
    RP185: 10/17/2010 6:28:40 AM - System Checkpoint
    RP186: 10/18/2010 7:16:38 AM - System Checkpoint
    RP187: 10/19/2010 8:04:38 AM - System Checkpoint
    RP188: 10/20/2010 9:04:35 AM - System Checkpoint
    RP189: 10/21/2010 10:40:33 AM - System Checkpoint
    RP190: 10/22/2010 11:52:34 AM - System Checkpoint
    RP191: 10/23/2010 12:29:34 PM - System Checkpoint
    RP192: 10/24/2010 1:04:29 PM - System Checkpoint
    RP193: 10/25/2010 1:28:29 PM - System Checkpoint
    RP194: 10/26/2010 2:16:26 PM - System Checkpoint
    RP195: 10/27/2010 3:40:25 PM - System Checkpoint
    RP196: 10/28/2010 4:10:15 PM - System Checkpoint
    RP197: 10/29/2010 4:28:24 PM - System Checkpoint
    RP198: 10/30/2010 5:04:19 PM - System Checkpoint
    RP199: 10/31/2010 6:52:19 PM - System Checkpoint
    RP200: 11/1/2010 7:10:44 PM - System Checkpoint
    RP201: 11/2/2010 10:02:51 PM - System Checkpoint
    RP202: 11/3/2010 10:46:46 PM - System Checkpoint
    RP203: 11/4/2010 11:44:37 PM - System Checkpoint
    RP204: 11/6/2010 12:35:59 AM - System Checkpoint
    RP205: 11/7/2010 1:26:17 AM - System Checkpoint
    RP206: 11/8/2010 2:22:36 AM - System Checkpoint
    RP207: 11/9/2010 3:28:32 AM - System Checkpoint
    RP208: 11/10/2010 4:46:32 AM - System Checkpoint
    RP209: 11/11/2010 3:00:34 AM - Software Distribution Service 3.0
    RP210: 11/11/2010 8:27:50 PM - Software Distribution Service 3.0
    RP211: 11/12/2010 8:55:05 PM - System Checkpoint
    RP212: 11/13/2010 10:10:32 PM - System Checkpoint
    RP213: 11/14/2010 10:38:24 PM - System Checkpoint
    RP214: 11/15/2010 10:47:57 PM - System Checkpoint
    RP215: 11/16/2010 11:34:00 PM - System Checkpoint
    RP216: 11/18/2010 12:10:23 AM - System Checkpoint
    RP217: 11/19/2010 1:10:23 AM - System Checkpoint
    RP218: 11/20/2010 2:10:23 AM - System Checkpoint
    RP219: 11/21/2010 2:54:56 AM - System Checkpoint
    RP220: 11/22/2010 3:54:56 AM - System Checkpoint
    RP221: 11/23/2010 4:54:53 AM - System Checkpoint
    RP222: 11/24/2010 5:54:51 AM - System Checkpoint
    RP223: 11/25/2010 6:54:50 AM - System Checkpoint
    RP224: 11/26/2010 2:27:33 PM - System Checkpoint
    RP225: 11/27/2010 2:55:55 PM - System Checkpoint
    RP226: 11/28/2010 3:10:30 PM - System Checkpoint
    RP227: 11/29/2010 3:21:22 PM - System Checkpoint
    RP228: 11/29/2010 8:50:00 PM - CA Internet Security Suite
    RP229: 11/29/2010 9:42:04 PM - Software Distribution Service 3.0
    RP230: 11/30/2010 9:51:58 PM - System Checkpoint
    RP231: 12/1/2010 10:36:44 PM - System Checkpoint
    RP232: 12/2/2010 11:04:15 PM - System Checkpoint
    RP233: 12/4/2010 12:32:47 AM - System Checkpoint
    RP234: 12/5/2010 12:37:03 AM - System Checkpoint
    RP235: 12/6/2010 1:15:56 AM - System Checkpoint
    RP236: 12/7/2010 1:50:20 AM - System Checkpoint
    RP237: 12/7/2010 9:26:08 PM - Software Distribution Service 3.0
    RP238: 12/8/2010 10:48:26 PM - System Checkpoint
    RP239: 12/9/2010 10:54:18 PM - System Checkpoint
    RP240: 12/10/2010 11:51:21 PM - System Checkpoint
    RP241: 12/12/2010 1:14:38 AM - System Checkpoint
    RP242: 12/13/2010 1:50:09 AM - System Checkpoint
    RP243: 12/14/2010 2:50:09 AM - System Checkpoint
    RP244: 12/15/2010 5:02:08 AM - System Checkpoint
    RP245: 12/16/2010 3:00:20 AM - Software Distribution Service 3.0
    RP246: 12/17/2010 3:16:39 AM - System Checkpoint
    RP247: 12/17/2010 11:02:23 PM - Software Distribution Service 3.0
    RP248: 12/18/2010 3:56:51 PM - Restore Operation
    RP249: 12/18/2010 4:16:45 PM - Restore Operation
    RP250: 12/19/2010 7:02:52 PM - System Checkpoint

    ==== Installed Programs ======================


    Adobe Acrobat - Reader 6.0.2 Update
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 6.0.1
    Adobe Shockwave Player
    AIM 6
    AMRT
    AntiPhishing
    AOL Uninstaller (Choose which Products to Remove)
    AOLIcon
    APH placeholder
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft PhotoBase 3
    ArcSoft PhotoStudio 5
    AT&T Yahoo! Applications
    Audacity 1.2.6
    Bonjour
    BroadJump Client Foundation
    CA Anti-Virus Plus
    CA Backup and Migration
    CA Internet Security Suite
    CA Parental Controls
    CA Personal Firewall
    Canon CanoScan Toolbox 4.0
    CCleaner
    Corel Photo Album 6
    Critical Update for Windows Media Player 11 (KB959772)
    Dell Digital Jukebox Driver
    Dell Driver Reset Tool
    Dell Game Console
    Dell System Restore
    DellSupport
    Digital Content Portal
    Digital Photo Navigator 1.5
    DNAMigrator
    Easy CD & DVD Creator 6
    EducateU
    ESET Online Scanner v3
    ESPNMotion
    Evil Dead Regeneration
    Facebook Plug-In
    FUJIFILM USB Driver
    Google AFE
    Google Desktop
    Google Toolbar for Internet Explorer
    Google Update Helper
    High Definition Audio Driver Package - KB835221
    HijackThis 2.0.2
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Intel(R) 537EP V9x DF PCI Modem
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections Drivers
    Intel(R) PROSet for Wired Connections
    iTunes
    Java 2 Runtime Environment, SE v1.4.2_03
    Java Auto Updater
    Java(TM) 6 Update 18
    Learn2 Player (Uninstall Only)
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.0 Hotfix (KB953295)
    Microsoft .NET Framework 1.0 Hotfix (KB979904)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office XP Professional with FrontPage
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    MicroStaff WINASPI
    Modem Event Monitor
    Modem Helper
    Modem On Hold
    Mozilla Firefox (3.6.13)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Musicmatch for Windows Media Player
    NetZeroInstallers
    OmniPage SE
    Otto
    Pinball Panic
    PowerCinema NE for Everio
    PowerDirector Express
    PowerDVD 5.5
    PowerProducer
    QuickTime
    Qurb
    RAW FILE CONVERTER LE
    RealPlayer
    SBC Self Support Tool
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Sonic Encoders
    SUPERAntiSpyware Free Edition
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows Media Player 10 (KB910393)
    Update for Windows Media Player 10 (KB913800)
    Update for Windows Media Player 10 (KB926251)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player
    WebFldrs XP
    WildTangent Web Driver
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 10
    Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
    Windows Media Player 11
    Windows XP Media Center Edition 2005 KB908246
    Windows XP Media Center Edition 2005 KB973768
    Windows XP Service Pack 3
    Yahoo! Photos Easy Upload Tool
    Yahoo! Photos Print-at-Home Tool
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    12/19/2010 9:12:36 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    12/19/2010 9:12:35 PM, error: Service Control Manager [7034] - The WinSock Svchost Manager service terminated unexpectedly. It has done this 1 time(s).
    12/19/2010 9:12:35 PM, error: Service Control Manager [7034] - The WinSock Extention Manager service terminated unexpectedly. It has done this 1 time(s).
    12/19/2010 9:12:35 PM, error: Service Control Manager [7034] - The CaCCProvSP service terminated unexpectedly. It has done this 1 time(s).
    12/19/2010 9:12:34 PM, error: Service Control Manager [7034] - The Cyberlink RichVideo Service(CRVS) service terminated unexpectedly. It has done this 1 time(s).
    12/19/2010 9:12:34 PM, error: Service Control Manager [7034] - The CA Common Scheduler Service service terminated unexpectedly. It has done this 1 time(s).
    12/19/2010 9:12:33 PM, error: Service Control Manager [7034] - The CAISafe service terminated unexpectedly. It has done this 1 time(s).
    12/19/2010 9:12:33 PM, error: Service Control Manager [7034] - The CAAMSvc service terminated unexpectedly. It has done this 1 time(s).
    12/19/2010 9:12:32 PM, error: Service Control Manager [7034] - The HIPS Policy Manager service terminated unexpectedly. It has done this 1 time(s).
    12/19/2010 9:12:32 PM, error: Service Control Manager [7034] - The HIPS Firewall Helper service terminated unexpectedly. It has done this 1 time(s).
    12/19/2010 9:12:32 PM, error: Service Control Manager [7034] - The HIPS Event Manager service terminated unexpectedly. It has done this 1 time(s).
    12/19/2010 9:12:32 PM, error: Service Control Manager [7034] - The HIPS Configuration Interpreter service terminated unexpectedly. It has done this 1 time(s).
    12/19/2010 9:12:32 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    12/19/2010 9:12:32 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/17/2010 11:06:46 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8024002d: Office XP Service Pack 3.
    12/17/2010 11:02:32 AM, error: Dhcp [1002] - The IP address lease 192.168.0.100 for the Network Card with network address 001320B469C1 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    12/16/2010 5:13:08 PM, error: Print [23] - Printer Lexmark 640 Series,0 failed to initialize because a suitable Lexmark 640 Series driver could not be found.

    ==== End Of File ===========================
     
  2. Bobbye


    Welcome back! I see you've been using popcaploader games! That always leaves unwanted malware. There is also a rogue program named Rogue.Green.AV adding data. If you installed this, please remove it.

    It appears that you did 2 System Restores:
    RP248: 12/18/2010 3:56:51 PM - Restore Operation
    RP249: 12/18/2010 4:16:45 PM - Restore Operation

    Please don't do any more restores while we're cleaning, because if restore points are infected and you use one of them, you could reinfect the system. We'll remove those at the end of cleaning.
    ===================================
    There are some outdated programs on the system. They should be uninstalled, as they are vulnerabilities; the program folder should then be removed and the current version installed. They are:
    Adobe Reader 6.0.1
    Adobe Acrobat - Reader 6.0.2 Update
    (Replace with current version v9.xx. Visit this Adobe Reader site.)
    HijackThis 2.0.2
    (Will give link to current v2.0.4 to run later.)
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 18
    (Current Java is v6u22. Check this site: Java Updates.)
    Windows Media Player 10
    (You have the current v11.)
    Remove the following in Add/Remove Programs (no updates):
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player
    WildTangent Web Driver


    As I explained to you, Hotmail is a web-based email and going by what I see here, hacking into it can't be much of a challenge! Change password, close old account and open new one.
    ========================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ====================================
    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
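The point about outdated programs being vulnerabilities is worth turning into a repeatable check, because a system like this one carries several copies of the same product side by side (two Adobe Reader entries, two Java runtimes), and an old JRE left installed next to a newer one stays usable by web content. The script below is an added example, not part of this thread and not a tool Bobbye refers to: it takes Add/Remove Programs entry names as they appear in the listing above, extracts versions from the Java, Adobe Reader and HijackThis naming patterns, and flags anything below the minimums stated in the post (Reader 9.x, Java 6 Update 22, HijackThis 2.0.4) or superseded by a newer installed copy. The minimums, the name regexes and the sample list are assumptions fitted to the names on this page; the sample adds one current Java entry (6u22) so that a passing case is shown.

```python
import re

# Minimum acceptable versions, taken from the post above (Reader v9.xx, Java 6u22,
# HijackThis 2.0.4). Java is kept in JRE form: "6 Update 22" == 1.6.0_22.
# Assumption: these are the only products the audit knows about.
MINIMUM = {
    "adobe reader": (9, 0),
    "java": (1, 6, 0, 22),
    "hijackthis": (2, 0, 4),
}

# Entry-name patterns as they appear in Add/Remove Programs on this system.
# Assumption: other vendors' naming schemes are not covered and fall through to None.
PATTERNS = (
    ("java", re.compile(r"^Java\(TM\)\s+(\d+)\s+Update\s+(\d+)", re.I),
     lambda m: (1, int(m.group(1)), 0, int(m.group(2)))),
    ("java", re.compile(r"^Java 2 Runtime Environment.*?v(\d+)\.(\d+)\.(\d+)_(\d+)", re.I),
     lambda m: tuple(int(g) for g in m.groups())),
    ("adobe reader", re.compile(r"^Adobe (?:Acrobat - )?Reader\s+(\d+)\.(\d+)", re.I),
     lambda m: (int(m.group(1)), int(m.group(2)))),
    ("hijackthis", re.compile(r"^HijackThis\s+(\d+)\.(\d+)\.(\d+)", re.I),
     lambda m: tuple(int(g) for g in m.groups())),
)


def parse_entry(name):
    """Map an Add/Remove Programs entry to (product, version tuple), or None if unknown."""
    for product, pattern, to_version in PATTERNS:
        m = pattern.search(name.strip())
        if m:
            return product, to_version(m)
    return None


def audit(installed):
    """Return (name, product, version, reason) for every entry that should be removed.

    An entry is flagged when it is below the minimum for its product, or when a newer
    copy of the same product is also installed (the older copy is then dead weight
    that is still reachable, e.g. an old JRE beside a current one)."""
    by_product = {}
    for name in installed:
        parsed = parse_entry(name)
        if parsed:
            product, version = parsed
            by_product.setdefault(product, []).append((name, version))
    findings = []
    for product, entries in by_product.items():
        newest = max(v for _, v in entries)
        for name, version in entries:
            if version < MINIMUM[product]:
                findings.append((name, product, version, "below minimum %s" % (MINIMUM[product],)))
            elif version < newest:
                findings.append((name, product, version, "superseded by %s" % (newest,)))
    return findings


# Constructed sample: the outdated entries named in the post above, plus one
# current Java entry (6u22) and one entry the audit deliberately ignores.
SAMPLE = [
    "Adobe Reader 6.0.1",
    "Adobe Acrobat - Reader 6.0.2 Update",
    "HijackThis 2.0.2",
    "Java 2 Runtime Environment, SE v1.4.2_03",
    "Java(TM) 6 Update 18",
    "Java(TM) 6 Update 22",
    "Windows Media Player 10",
]

if __name__ == "__main__":
    for name, product, version, reason in audit(SAMPLE):
        print("REMOVE %-42s %-12s %-10s %s" % (name, product, ".".join(map(str, version)), reason))
```

Feeding it the DDS "Installed Programs" block from a log is a matter of passing the lines; anything the regexes do not recognise is skipped rather than guessed at, so a silent None is the signal to extend PATTERNS, not a clean bill of health.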
     
  3. Squidget1031


    Hello again.

    I haven't used popcaploader games in a while ... But no more "Hedgehog Launch" for me from here on out! And I don't know what Rogue.Green.AV is? I did try System Restore as a feeble attempt to solve our problems before contacting you here. It obviously did not work. :)

    Anyway ...

    I've gone through and deleted the outdated programs you listed ... Although I'm having trouble locating Windows Media Player 10 to get rid of it! I ran ESET with no problem, but when I went to run Combofix, my Internet Security System (CA Internet Security) would not temporarily disable. I tried to uninstall it, and it only partially went away (the firewall component is still on my machine because of an error that keeps popping up during the uninstall) ... I even tried to get rid of it via Add/Remove programs with no luck and it is preventing the Combofix from running. Any suggestions for moving forward?

    I will attach the ESET log as that is all I have right now:

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=fd0ae9bab32f3c499074bc55cd960bec
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-03-31 10:12:33
    # local_time=2010-03-31 06:12:33 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=5121 16776613 100 96 0 22077800 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=146343
    # found=3
    # cleaned=0
    # scan_time=4478
    C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\JYX8AEM2\index[1].htm probably a variant of Win32/TrojanDownloader.Agent trojan 00000000000000000000000000000000 I
    C:\Documents and Settings\HelpAssistant.AREBRO\Local Settings\Temp\CSM22.tmp a variant of Win32/Adware.Mongoose.A application 00000000000000000000000000000000 I
    C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe Win32/Spy.Ursnif.A virus 00000000000000000000000000000000 I
    ESETSmartInstaller@High as downloader log:
    all ok
    esets_scanner_update returned -1 esets_gle=53251
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=fd0ae9bab32f3c499074bc55cd960bec
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-03-31 11:32:27
    # local_time=2010-03-31 07:32:27 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=5121 16776613 100 96 0 22082553 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=146431
    # found=3
    # cleaned=0
    # scan_time=4520
    C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\JYX8AEM2\index[1].htm probably a variant of Win32/TrojanDownloader.Agent trojan 00000000000000000000000000000000 I
    C:\Documents and Settings\HelpAssistant.AREBRO\Local Settings\Temp\CSM22.tmp a variant of Win32/Adware.Mongoose.A application 00000000000000000000000000000000 I
    C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe Win32/Spy.Ursnif.A virus 00000000000000000000000000000000 I
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=fd0ae9bab32f3c499074bc55cd960bec
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-04-05 04:25:37
    # local_time=2010-04-05 12:25:37 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=5121 16776869 100 96 0 22443559 0 0
    # compatibility_mode=8192 67108863 100 0 279612 279612 0 0
    # scanned=175016
    # found=8
    # cleaned=0
    # scan_time=6704
    C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.ARE\Local Settings\Temp\CSM22.tmp a variant of Win32/Adware.Mongoose.A application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1275\A0107071.dll a variant of Win32/TrojanDownloader.Mebload.Z trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1276\A0110434.dll a variant of Win32/TrojanDownloader.Mebload.Z trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1277\A0111118.dll a variant of Win32/TrojanDownloader.Mebload.Z trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1277\A0111591.dll a variant of Win32/TrojanDownloader.Mebload.Z trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1278\A0112750.dll a variant of Win32/TrojanDownloader.Mebload.Z trojan 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\04022010_124959\C_Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\JYX8AEM2\index[1].htm probably a variant of Win32/TrojanDownloader.Agent trojan 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\04022010_124959\C_WINDOWS\$NtServicePackUninstall$\winlogon.exe Win32/Spy.Ursnif.A virus 00000000000000000000000000000000 I
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=fd0ae9bab32f3c499074bc55cd960bec
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-04-07 10:40:58
    # local_time=2010-04-07 06:40:58 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=5121 16776533 100 96 0 22680248 0 0
    # compatibility_mode=8192 67108863 100 0 516301 516301 0 0
    # scanned=172602
    # found=8
    # cleaned=0
    # scan_time=8535
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1275\A0107071.dll a variant of Win32/TrojanDownloader.Mebload.Z trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1276\A0110434.dll a variant of Win32/TrojanDownloader.Mebload.Z trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1277\A0111118.dll a variant of Win32/TrojanDownloader.Mebload.Z trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1277\A0111591.dll a variant of Win32/TrojanDownloader.Mebload.Z trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1278\A0112750.dll a variant of Win32/TrojanDownloader.Mebload.Z trojan 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\04022010_124959\C_Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\JYX8AEM2\index[1].htm probably a variant of Win32/TrojanDownloader.Agent trojan 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\04022010_124959\C_WINDOWS\$NtServicePackUninstall$\winlogon.exe Win32/Spy.Ursnif.A virus 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\04072010_160710\C_HelpAsst_backup\C\DOCUME~1\HELPAS~1.ARE\Local Settings\Temp\CSM22.tmp a variant of Win32/Adware.Mongoose.A application 00000000000000000000000000000000 I
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6419
    # api_version=3.0.2
    # EOSSerial=fd0ae9bab32f3c499074bc55cd960bec
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-12-21 04:52:33
    # local_time=2010-12-20 11:52:33 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=4864 16777191 100 0 903997 903997 0 0
    # compatibility_mode=5121 16777214 0 3 113791 113791 0 0
    # compatibility_mode=8192 67108863 100 0 22748706 22748706 0 0
    # scanned=95831
    # found=2
    # cleaned=0
    # scan_time=3226
    C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4144.0.4\setup.exe probably a variant of Win32/Agent.HZHBURL trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent.HZHBURL trojan (unable to clean) 00000000000000000000000000000000 I
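Reading the ESET logs above takes some care. Every run was made with "Remove found threats" unchecked (remove_checked=false), so cleaned=0 on each is expected rather than a failure, and several hits sit in System Restore points or in folders that an earlier cleanup moved files into (judging by the MovedFiles and HelpAsst_backup names in the paths; that reading is an assumption), which is not the same as a live infection. The Python script below is an added example, not part of this thread and not an ESET tool: it parses the log format as pasted above (assumed layout of a detection line: path, description, 32-hex hash, flag, with the description anchored on the first token containing a "/" such as Win32/Spy.Ursnif.A, so paths are assumed to contain no "/"), checks that the header's found= count matches the lines it parsed, and separates live hits from inert ones by location. The location categories are mine. The embedded sample is an excerpt of three of the runs posted above with found= set to the number of lines kept.

```python
import re
from collections import defaultdict

# Detection line as it appears in the ESET Online Scanner logs on this page:
#   <path> <description> <32-hex hash> <flag>
# The path may contain spaces, so the description is anchored on the first token
# that contains a '/' (e.g. Win32/Spy.Ursnif.A). Assumption: paths contain no '/'.
DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<desc>(?:probably\s+)?(?:a variant of\s+)?\S+/\S+.*?)\s+"
    r"(?P<hash>[0-9a-fA-F]{32})\s+(?P<flag>\S+)$"
)
HEADER = re.compile(r"^#\s*(?P<key>[^=]+)=(?P<value>.*)$")

# Where a hit sits decides what it means for the running system. Order matters:
# a moved copy of a system file is classified as moved, not as a system file.
# These labels are the example's own, not ESET's.
LOCATIONS = (
    ("restore point", re.compile(r"\\System Volume Information\\_restore", re.I)),
    ("already moved/quarantined", re.compile(r"\\_OTM\\MovedFiles\\|\\HelpAsst_backup\\", re.I)),
    ("system directory", re.compile(r"\\WINDOWS\\", re.I)),
    ("browser cache/temp", re.compile(r"\\Temporary Internet Files\\|\\Local Settings\\Temp\\", re.I)),
)
INERT = ("restore point", "already moved/quarantined")


def classify(path):
    """Return the location label for a detection path ('other' if none applies)."""
    for label, pattern in LOCATIONS:
        if pattern.search(path):
            return label
    return "other"


def parse_runs(text):
    """Split a pasted log into scan runs; each run is {'header': {...}, 'detections': [...]}.
    A run starts at a '# version=' line; installer chatter before it is ignored."""
    runs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# version="):
            current = {"header": {}, "detections": []}
            runs.append(current)
        if current is None:
            continue
        m = HEADER.match(line)
        if m:
            current["header"][m.group("key").strip()] = m.group("value").strip()
            continue
        m = DETECTION.match(line)
        if m:
            d = m.groupdict()
            d["location"] = classify(d["path"])
            current["detections"].append(d)
    return runs


def triage(runs):
    """Per run: timestamp, found-vs-parsed sanity check, whether removal was on,
    counts per location, and the hits that are live on the running system."""
    report = []
    for run in runs:
        h = run["header"]
        by_loc = defaultdict(int)
        for d in run["detections"]:
            by_loc[d["location"]] += 1
        report.append({
            "when": h.get("utc_time", "?"),
            "found": int(h.get("found", 0)),
            "parsed": len(run["detections"]),
            "remove_enabled": h.get("remove_checked") == "true",
            "by_location": dict(by_loc),
            "live": [d for d in run["detections"] if d["location"] not in INERT],
        })
    return report


# Constructed sample: excerpts of three runs pasted above, found= adjusted to the lines kept.
SAMPLE_LOG = r"""
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# remove_checked=false
# utc_time=2010-03-31 10:12:33
# found=3
# cleaned=0
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\JYX8AEM2\index[1].htm probably a variant of Win32/TrojanDownloader.Agent trojan 00000000000000000000000000000000 I
C:\Documents and Settings\HelpAssistant.AREBRO\Local Settings\Temp\CSM22.tmp a variant of Win32/Adware.Mongoose.A application 00000000000000000000000000000000 I
C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe Win32/Spy.Ursnif.A virus 00000000000000000000000000000000 I
# version=7
# remove_checked=false
# utc_time=2010-04-07 10:40:58
# found=3
# cleaned=0
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1275\A0107071.dll a variant of Win32/TrojanDownloader.Mebload.Z trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1276\A0110434.dll a variant of Win32/TrojanDownloader.Mebload.Z trojan 00000000000000000000000000000000 I
C:\_OTM\MovedFiles\04022010_124959\C_WINDOWS\$NtServicePackUninstall$\winlogon.exe Win32/Spy.Ursnif.A virus 00000000000000000000000000000000 I
# version=7
# remove_checked=false
# utc_time=2010-12-21 04:52:33
# found=2
# cleaned=0
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4144.0.4\setup.exe probably a variant of Win32/Agent.HZHBURL trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent.HZHBURL trojan (unable to clean) 00000000000000000000000000000000 I
"""

if __name__ == "__main__":
    for r in triage(parse_runs(SAMPLE_LOG)):
        print(r["when"], "found=%d parsed=%d remove=%s" % (r["found"], r["parsed"], r["remove_enabled"]), r["by_location"])
        for d in r["live"]:
            print("   LIVE:", d["location"], "|", d["desc"], "|", d["path"])
```

Two readings follow from the output that the raw paste does not give at a glance: the restore-point hits are the concrete reason behind the advice not to use System Restore mid-cleanup and to purge the old points afterwards, and the only hits still live on the December run are the two AOL setup.exe files, which ESET itself marked "unable to clean". A found= count that differs from the parsed count means the regex missed a line and the summary should not be trusted until that line is looked at by hand.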
     
  4. Squidget1031


    I was able to get rid of the rest of CA Internet Security and run Combofix without any problems. I wasn't very happy with CA anyway (I didn't find it to be very user friendly). Can you recommend a good anti-virus/internet protection program that I could/should use from here on out?

    Here is the Combofix log:

    ComboFix 10-12-21.01 - Emily 12/21/2010 21:09:07.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.238 [GMT -5:00]
    Running from: c:\documents and settings\Emily\My Documents\Downloads\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\mkghj.dll
    c:\windows\system32\Oeminfo.ini

    .
    ((((((((((((((((((((((((( Files Created from 2010-11-22 to 2010-12-22 )))))))))))))))))))))))))))))))
    .

    2010-12-22 02:01 . 2010-12-22 02:01 -------- d-----w- c:\windows\system32\winsflte.dl1
    2010-12-22 02:01 . 2010-12-22 02:01 -------- d-----w- c:\windows\system32\winsflt.dl1
    2010-12-22 01:59 . 2010-12-22 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\CA-SupportBridge
    2010-12-21 03:50 . 2010-12-21 03:50 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-12-21 03:27 . 2010-12-21 03:27 -------- d-----w- c:\program files\Common Files\Java
    2010-12-21 03:26 . 2010-12-21 03:25 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-12-21 03:26 . 2010-12-21 03:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-12-21 03:26 . 2010-12-21 03:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-12-19 21:04 . 2010-12-19 21:04 -------- d-----w- c:\documents and settings\Anthony\Application Data\Malwarebytes
    2010-12-19 21:04 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-19 21:04 . 2010-12-19 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-19 21:04 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-18 21:24 . 2010-12-18 21:24 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-12-18 21:20 . 2010-12-18 21:20 -------- d-----w- c:\documents and settings\Anthony\Application Data\dvdcss
    2010-12-18 21:18 . 2010-12-18 21:18 -------- d-----w- c:\documents and settings\Emily\Application Data\VirtualStore
    2010-12-18 21:18 . 2010-12-18 21:18 -------- d-----w- c:\documents and settings\Anthony\Application Data\VirtualStore
    2010-12-15 20:01 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-15 20:01 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
    2010-11-30 01:50 . 2010-12-22 02:04 -------- d-----w- c:\program files\CA
    2010-11-23 02:38 . 2010-11-23 02:38 -------- d-----w- c:\documents and settings\Anthony\Application Data\ArcSoft

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-18 18:12 . 2005-08-16 10:40 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:26 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2005-08-16 10:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26 . 2005-08-16 10:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25 . 2005-08-16 10:18 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2005-08-16 10:18 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2005-08-16 10:18 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2005-08-16 10:18 1853312 ----a-w- c:\windows\system32\win32k.sys
    2010-09-28 20:44 . 2010-08-08 03:13 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
    2010-09-28 20:44 . 2008-06-17 19:45 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"="1" [X]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="realsched.exe -osboot" [X]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
    "IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
    "REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-01-05 168448]
    "Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    SBC Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2006-3-23 217088]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 18:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    2005-02-23 22:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EverioService]
    2007-11-01 21:13 151552 ------w- c:\program files\CyberLink\PCM4Everio\EverioService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    2006-05-10 00:24 50760 ----a-w- c:\program files\Common Files\AOL\1143160613\ee\aolsoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
    2006-02-17 16:59 124520 ----a-w- c:\program files\Common Files\AOL\IPHSend\IPHSend.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-11-18 01:59 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage]
    2002-02-21 01:01 49152 ----a-w- c:\program files\ScanSoft\OmniPageSE\opware32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    2004-01-09 20:01 868352 ----a-w- c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
    2003-05-01 22:44 65536 ----a-w- c:\program files\Common Files\Roxio Shared\System\EngUtil.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2010-02-18 20:40 2012912 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2006-04-15 05:41 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1143160613\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1143160613\\ee\\aim6.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 9:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 9:15 AM 66632]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 2:51 PM 135664]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 9:15 AM 12872]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

    2010-12-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 19:51]

    2010-12-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 19:51]

    2010-12-22 c:\windows\Tasks\User_Feed_Synchronization-{2D1E7F2F-E2A0-478C-B3E5-9B3AEC900A94}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://att.yahoo.com
    mSearch Bar = hxxp://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = 127.0.0.1;*.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://search.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Emily\Application Data\Mozilla\Firefox\Profiles\smny8jtr.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{0123B506-0AD9-43AA-B0CF-916C122AD4C5} - (no file)
    HKLM-Run-cctray - c:\program files\CA\CA Internet Security Suite\casc.exe
    HKLM-Run-capfupgrade - c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
    SafeBoot-mcmscsvc
    SafeBoot-MCODS
    AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-21 21:17
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(720)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    .
    Completion time: 2010-12-21 21:19:56
    ComboFix-quarantined-files.txt 2010-12-22 02:19

    Pre-Run: 122,568,638,464 bytes free
    Post-Run: 122,580,180,992 bytes free

    - - End Of File - - C61B3BB6EE34529533547B203AA4ED48
     
  5. Squidget1031

    Squidget1031 TS Rookie Topic Starter Posts: 19

    I got Combofix to work. Here is the log:

     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, not too much going on here.

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      
      :Files 
      C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4144.0.4\setup.exe 
      C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =========================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: [Be sure to scroll down to include ALL lines.]
    Code:
    File::
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    Referring to the picture above, drag CFScript into ComboFix.exe
    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    These 2 LSP entries are described as part of Computer Associates or Zone Alarm Security Suite:
    LSP: c:\windows\system32\winsflt.dll
    LSP: c:\windows\system32\VetRedir.dll


    Otherwise this looks pretty good.

    Let's do a HijackThis scan to be sure:
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
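    The CFScript in the post above deletes the three DisableMonitoring values that the ComboFix log showed under the Security Center Monitoring key; the same log also showed the Windows Firewall standard profile switched off ("EnableFirewall"= 0). The Python script below is an added example written for this thread, not part of ComboFix, OTMoveIt or the helper's instructions. It parses the "Reg Loading Points" block of a ComboFix log (a constructed sample, copied from the relevant lines of the log posted earlier in the thread, is embedded), lists every Monitoring key whose DisableMonitoring is set to 1, reports whether the firewall profile is disabled, and drafts the matching Registry:: section of a CFScript in the same "Name"=- (delete value) syntax the helper used. The function names and the log-layout assumptions (key headers in square brackets, dword values, the "0 (0x0)" form for the firewall value) are this example's own.

```python
"""Flag Security Center / firewall tampering in a ComboFix log and draft a CFScript.

Added example for this thread; it is not part of ComboFix or the helper's
procedure. It assumes the log layout seen above: key headers in square
brackets, values as "Name"=dword:XXXXXXXX, and the firewall policy value
printed as "EnableFirewall"= 0 (0x0).
"""
import re

# Constructed sample: the relevant lines copied from the ComboFix log posted
# earlier in this thread.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
DECIMAL_HEX_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")   # e.g. 0 (0x0)


def decode_value(raw):
    """Turn the text ComboFix prints for a value into an int or a str."""
    raw = raw.strip()
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = DECIMAL_HEX_RE.match(raw)
    if m:
        return int(m.group(1))
    return raw.strip('"')


def parse_reg_points(text):
    """Map each [key] header to a dict of the "Name"=value lines under it."""
    entries = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            entries.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries[key][m.group(1)] = decode_value(m.group(2))
    return entries


def find_disabled_monitoring(entries):
    """Keys under Security Center\\Monitoring whose DisableMonitoring is 1."""
    return [
        key for key, values in entries.items()
        if "security center\\monitoring" in key.lower()
        and values.get("DisableMonitoring") == 1
    ]


def firewall_disabled(entries):
    """True when the standard-profile firewall policy has EnableFirewall = 0."""
    for key, values in entries.items():
        if key.lower().endswith("firewallpolicy\\standardprofile"):
            return values.get("EnableFirewall") == 0
    return False


def build_cfscript(monitoring_keys):
    """Registry:: section that deletes each DisableMonitoring value ("Name"=-)."""
    lines = ["Registry::"]
    for key in monitoring_keys:
        lines.append("[%s]" % key)
        lines.append('"DisableMonitoring"=-')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_reg_points(SAMPLE_LOG)
    hits = find_disabled_monitoring(found)
    for key in hits:
        print("Security Center alerts suppressed under:", key)
    if firewall_disabled(found):
        print("Windows Firewall standard profile is OFF (check for a third-party firewall)")
    if hits:
        print("\nCFScript fragment to re-enable monitoring:\n" + build_cfscript(hits))
```

    One caveat before acting on a hit: third-party suites such as Norton/Symantec write these DisableMonitoring values themselves so that Security Center does not double-report, and a third-party firewall (CA Personal Firewall in this thread) legitimately turns the Windows Firewall profile off while it is installed. A hit is therefore something to check against the software actually on the machine, not proof of malware; deleting the values only restores Security Center's own alerts.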
  7. Squidget1031

    Squidget1031 TS Rookie Topic Starter Posts: 19

    Sorry for the double post ... I submitted and didn't notice that it had to be cleared by a moderator, panicked, and posted again! :)

    I have run the programs you specified and the logs are below:

    OTM:
    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    File/Folder C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4144.0.4\setup.exe not found.
    File/Folder C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Administrator(2)

    User: All Users

    User: Anthony
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Emily
    ->Temp folder emptied: 1076 bytes
    ->Temporary Internet Files folder emptied: 65850 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 27609063 bytes
    ->Flash cache emptied: 733 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 17048 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 26.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 12242010_230401

    Files moved on Reboot...

    Registry entries deleted on Reboot...

    CFScript:
    ComboFix 10-12-24.01 - Emily 12/24/2010 23:12:13.6.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.233 [GMT -5:00]
    Running from: c:\documents and settings\Emily\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Emily\My Documents\Downloads\CFScript.txt
    .

    ((((((((((((((((((((((((( Files Created from 2010-11-25 to 2010-12-25 )))))))))))))))))))))))))))))))
    .

    2010-12-23 08:00 . 2010-12-23 08:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
    2010-12-22 02:01 . 2010-12-22 02:01 -------- d-----w- c:\windows\system32\winsflte.dl1
    2010-12-22 02:01 . 2010-12-22 02:01 -------- d-----w- c:\windows\system32\winsflt.dl1
    2010-12-22 01:59 . 2010-12-22 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\CA-SupportBridge
    2010-12-21 03:50 . 2010-12-21 03:50 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-12-21 03:27 . 2010-12-21 03:27 -------- d-----w- c:\program files\Common Files\Java
    2010-12-21 03:26 . 2010-12-21 03:25 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-12-21 03:26 . 2010-12-21 03:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-12-21 03:26 . 2010-12-21 03:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-12-19 21:04 . 2010-12-19 21:04 -------- d-----w- c:\documents and settings\Anthony\Application Data\Malwarebytes
    2010-12-19 21:04 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-19 21:04 . 2010-12-19 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-19 21:04 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-18 21:24 . 2010-12-18 21:24 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-12-18 21:20 . 2010-12-18 21:20 -------- d-----w- c:\documents and settings\Anthony\Application Data\dvdcss
    2010-12-18 21:18 . 2010-12-18 21:18 -------- d-----w- c:\documents and settings\Emily\Application Data\VirtualStore
    2010-12-18 21:18 . 2010-12-18 21:18 -------- d-----w- c:\documents and settings\Anthony\Application Data\VirtualStore
    2010-12-15 20:01 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-15 20:01 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
    2010-11-30 01:50 . 2010-12-22 02:04 -------- d-----w- c:\program files\CA

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-18 18:12 . 2005-08-16 10:40 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:26 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2005-08-16 10:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26 . 2005-08-16 10:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25 . 2005-08-16 10:18 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2005-08-16 10:18 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2005-08-16 10:18 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2005-08-16 10:18 1853312 ----a-w- c:\windows\system32\win32k.sys
    2010-09-28 20:44 . 2010-08-08 03:13 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
    2010-09-28 20:44 . 2008-06-17 19:45 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-12-22_02.17.12 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-12-25 04:05 . 2010-12-25 04:05 16384 c:\windows\Temp\Perflib_Perfdata_11c.dat
    + 2010-12-23 08:00 . 2010-12-23 08:00 470528 c:\windows\Installer\66d15ec.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"="1" [X]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="realsched.exe -osboot" [X]

    Hijack This:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:26:02 PM, on 12/24/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\Emily\My Documents\Downloads\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] 1
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbcyahoo/TrueInstallSBC.exe
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

    --
    End of file - 8745 bytes

    Thanks again for all of your help!
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    We had a glitch on the site that was sending posts to moderation and members didn't think the posts showed. I think it's fixed now- but there was a lot of deleting duplicate logs. Were you the one I had the AOL Suds problem with? We had a hard time finding out what it was and getting rid of it.

    Part of the Combofix log is missing. In the Regedit section, there are 2 entries: one for Yahoo pager and one for TkBellExe which is the updater for Real Player. Both entries are followed by an [X] indicating these aren't being used. But there are other sections below that.

    The same 2 processes show in the HIJT log as:
    O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
    O4 - HKCU\..\Run: [Yahoo! Pager] 1


    We can remove these entries easily, then remove the cleaning tools- so let me know. This is just a bit of housekeeping, not malware. Otherwise both logs are okay.

    Did your hubby close the Hotmail account and change his password? It doesn't appear that the problem he had was due to any malware on the system, but rather, as I told you, the account was hacked on the site.

    I hope your holiday has been nice. I'm taking a small break between festivities.
    Have a Happy and Peaceful Holiday!
     
  9. Squidget1031

    Squidget1031 TS Rookie Topic Starter Posts: 19

    I'm not sure if it was AOL Suds, but last time you helped me, my logs were REALLY long and it took a while to get rid of whatever was there.

    Would you like me to run Combofix again and resubmit it? I actually ended up running both OTM and Combofix twice last time, as my machine froze up when Combofix was preparing its log (and I hadn't saved the OTM log prior to running Combofix). That may have screwed something up.

    I'm fine with housekeeping ... I know we don't use Yahoo pager or Real Player ... Anything to keep this computer running smoothly.

    Yes, the old Hotmail account has been deleted. It was so full of spam that it was probably best to just start over fresh!

    Thanks again for all your help ... And on Christmas, too! :)
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    We'll remove the entries I mentioned:

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    DDS::
    uRun: [Yahoo! Pager] 1
    mRun: [TkBellExe] "realsched.exe" -osboot
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"=-
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe
    When finished, it will produce a log for you at C:\ComboFix.txt . No log needed.
    ====================
    Use Windows Explorer (Windows key + E) and follow My Computer> Double click on Local Drive> Programs> Right click on Real Player> Delete. Then find folder for Yahoo Pager and do the right click> Delete.
    Exit Explorer.

    Since we have handled any malware previously, you can Remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if you need more help.
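An added example, not part of the posts above: Python that parses the O4 Run entries out of a HijackThis log, flags entries whose command is not an absolute path (the two leftovers above, "realsched.exe" with no directory and the bare value 1, are exactly this kind), and writes the same CFScript layout Bobbye posted (DDS:: lines plus a Registry:: section) for a chosen set of value names. The sample log lines are constructed from the log in this thread; the function names are mine.

```python
import re
from typing import NamedTuple

class RunEntry(NamedTuple):
    hive: str     # "HKLM" (all users) or "HKCU" (current user)
    name: str     # value name under ...\CurrentVersion\Run
    command: str  # command line stored in that value

# One HijackThis O4 line, e.g.  O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
RUN_KEY = {  # full key path behind each HijackThis hive abbreviation
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
DDS_PREFIX = {"HKCU": "uRun", "HKLM": "mRun"}  # DDS/ComboFix notation for the same keys

def parse_o4(log_text):
    """Extract the O4 Run entries from a HijackThis log."""
    found = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            found.append(RunEntry(*m.groups()))
    return found

def needs_path_check(e):
    """True when the command is not an absolute path: the name is resolved via
    PATH at logon, or the value is not a program at all (e.g. the bare '1')."""
    return re.match(r'^"?[A-Za-z]:\\', e.command) is None

def build_cfscript(entries, remove):
    """Write a CFScript that deletes the named Run values, in the layout used
    in the post above: DDS:: lines plus a Registry:: section ("=-" deletes)."""
    chosen = sorted((e for e in entries if e.name in remove), key=lambda e: e.hive != "HKCU")
    lines = ["KillAll::", "File::", "DDS::"]
    lines += [f"{DDS_PREFIX[e.hive]}: [{e.name}] {e.command}" for e in chosen]
    lines += ["", "Registry::"]
    for hive in ("HKCU", "HKLM"):
        names = [e.name for e in chosen if e.hive == hive]
        if names:
            lines.append(f"[{RUN_KEY[hive]}]")
            lines += [f'"{n}"=-' for n in names]
    return "\n".join(lines)

# Constructed sample: four O4 lines as they appear in the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
"""
```

Calling build_cfscript(parse_o4(SAMPLE_LOG), {"Yahoo! Pager", "TkBellExe"}) reproduces the script in the post above, and needs_path_check is the quick triage that singles out those two entries from the rest of the O4 list.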
     
  11. Squidget1031

    Squidget1031 TS Rookie Topic Starter Posts: 19

    Thanks again for everything. Things seem to be running smoothly on this end!
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. Stay clean!
     
Topic Status:
Not open for further replies.
