[Solved] TR/DROP.TDss.way detected by Avira

Buzz · Jan 9, 2011

Hi guys...

Started my comp yesterday and Avira popped-up saying a had this trojan TR/DROP.TDss.way ... A0050325.exe

I did as Avira instructed.
Ran Super Anit-Spyware - no probs
Ran Spybot - no probs

My comp seems to running fine.

Here are the logs from the updated 8 step instructions:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5481

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

08-Jan-11 6:08:00 PM
mbam-log-2011-01-08 (18-08-00).txt

Scan type: Quick scan
Objects scanned: 148438
Time elapsed: 2 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
..........................................................

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-01-08 20:48:37
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\nvgts1Port3Path0Target0Lun0 WDC_WD32 rev.01.0
Running: yx3lkee8.exe; Driver: C:\DOCUME~1\Buzzzzz\LOCALS~1\Temp\kgpyikog.sys

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

---- EOF - GMER 1.0.15 ----
............................................................

DDS (Ver_10-12-12.02) - NTFSx86
Run by Buzzzzz at 15:17:08.53 on 09-Jan-11
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2478 [GMT 7:00]

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Hotspot Shield\bin\hsswd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Digiarty\WinX DVD Author 5.5\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Buzzzzz\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = local;*.local
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: FireShot: {6e6e744e-4d20-4ce3-9a7a-26dfffe22f68} - c:\documents and settings\buzzzzz\application data\mozilla\firefox\profiles\jjg4pz97.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\library\fsaddin-0.78.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [Google Update] "c:\documents and settings\buzzzzz\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.vexcast.com/download/vexcast.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\buzzzzz\applic~1\mozilla\firefox\profiles\jjg4pz97.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.gmail.com/ncr
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\buzzzzz\application data\mozilla\firefox\profiles\jjg4pz97.default\extensions\cfxhelper@triton\components\dwmxpcom.dll
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - component: c:\program files\mozilla firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor.dll
FF - plugin: c:\documents and settings\buzzzzz\application data\mozilla\firefox\profiles\jjg4pz97.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\buzzzzz\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: afurladvisor: afurladvisor@anchorfree.com - c:\program files\mozilla firefox\extensions\afurladvisor@anchorfree.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\checkpoint\zaforcefield\TrustChecker
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Aero Fox XL: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
FF - Ext: AvantGarde Skylight: {d62e0de0-401b-11dd-ae16-0800200c9a66} - %profile%\extensions\{d62e0de0-401b-11dd-ae16-0800200c9a66}
FF - Ext: Office Black: Office2007Black@JBBS - %profile%\extensions\Office2007Black@JBBS
FF - Ext: Chromifox Basic: chromifox@altmusictv.com - %profile%\extensions\chromifox@altmusictv.com
FF - Ext: AvantGarde Nightlife: {3fb63340-652a-11dd-ad8b-0800200c9a66} - %profile%\extensions\{3fb63340-652a-11dd-ad8b-0800200c9a66}
FF - Ext: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - %profile%\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: Chromifox Companion: cfxHelper@Triton - %profile%\extensions\cfxHelper@Triton
FF - Ext: Chromifox Extreme: cfxe@Triton - %profile%\extensions\cfxe@Triton
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Virtus Search Opt-in: extension@virtusdesigns.com - %profile%\extensions\extension@virtusdesigns.com

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-16 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-5 532224]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-16 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-11-16 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-16 61960]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2010-5-26 26352]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2010-5-26 493032]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-7-21 133104]
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [2009-2-9 58352]
S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\drivers\cmo_mdfl.sys [2009-2-9 8304]
S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\drivers\cmo_mdm.sys [2009-2-9 93904]
S3 cmo_serd;Data Modem @ CDMA Second DS Port (WDM);c:\windows\system32\drivers\cmo_serd.sys [2009-2-9 73696]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]

=============== Created Last 30 ================

2011-01-08 10:48:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-08 10:48:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-08 10:48:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-25 20:26:38 -------- d-----w- c:\windows\system32\NtmsData
2010-12-19 18:29:15 81920 -c----w- c:\windows\system32\dllcache\isign32.dll
2010-12-19 18:24:44 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-19 18:22:00 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-11 06:14:13 -------- d-----w- c:\docume~1\buzzzzz\applic~1\Avira

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 15:18:47.78 ===============

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 03-Dec-08 1:00:14 AM
System Uptime: 08-Jan-11 5:57:52 PM (22 hours ago)

Motherboard: ACER | | MCP73VE
Processor: Intel Pentium III Xeon processor | SOCKET775 M/B | 2499/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 250 GiB total, 139.562 GiB free.
D: is FIXED (NTFS) - 48 GiB total, 32.444 GiB free.
E: is CDROM (CDFS)
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&1624BDC1&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&1624BDC1&0
Service: i8042prt

==== System Restore Points ===================

RP104: 12-Oct-10 5:18:22 PM - System Checkpoint
RP105: 13-Oct-10 6:34:29 PM - System Checkpoint
RP106: 14-Oct-10 5:34:59 PM - Software Distribution Service 3.0
RP107: 15-Oct-10 7:11:52 PM - System Checkpoint
RP108: 16-Oct-10 8:37:01 PM - System Checkpoint
RP109: 17-Oct-10 4:22:46 PM - Installed Java(TM) 6 Update 22
RP110: 18-Oct-10 4:50:54 PM - System Checkpoint
RP111: 19-Oct-10 4:58:08 PM - System Checkpoint
RP112: 20-Oct-10 6:05:49 PM - System Checkpoint
RP113: 21-Oct-10 6:47:16 PM - System Checkpoint
RP114: 22-Oct-10 7:58:25 PM - System Checkpoint
RP115: 23-Oct-10 8:53:20 PM - System Checkpoint
RP116: 24-Oct-10 8:54:21 PM - System Checkpoint
RP117: 25-Oct-10 9:21:10 PM - System Checkpoint
RP118: 26-Oct-10 10:15:25 PM - System Checkpoint
RP119: 27-Oct-10 10:28:01 PM - System Checkpoint
RP120: 28-Oct-10 10:55:49 PM - System Checkpoint
RP121: 30-Oct-10 7:44:28 PM - System Checkpoint
RP122: 31-Oct-10 5:05:08 AM - Software Distribution Service 3.0
RP123: 01-Nov-10 10:20:41 AM - System Checkpoint
RP124: 04-Nov-10 6:16:06 PM - System Checkpoint
RP125: 05-Nov-10 8:34:20 PM - System Checkpoint
RP126: 06-Nov-10 9:14:03 PM - System Checkpoint
RP127: 07-Nov-10 10:06:55 PM - System Checkpoint
RP128: 08-Nov-10 10:23:45 PM - System Checkpoint
RP129: 09-Nov-10 11:23:23 PM - System Checkpoint
RP130: 11-Nov-10 12:37:33 AM - System Checkpoint
RP131: 12-Nov-10 1:01:39 AM - System Checkpoint
RP132: 13-Nov-10 1:10:51 AM - System Checkpoint
RP133: 13-Nov-10 3:40:52 AM - Software Distribution Service 3.0
RP134: 14-Nov-10 4:12:46 AM - System Checkpoint
RP135: 15-Nov-10 4:41:18 AM - System Checkpoint
RP136: 16-Nov-10 12:22:21 AM - Installed Google SketchUp Pro 7
RP137: 16-Nov-10 12:22:43 AM - Removed Google SketchUp 7
RP138: 17-Nov-10 12:42:09 AM - System Checkpoint
RP139: 18-Nov-10 2:13:57 AM - System Checkpoint
RP140: 19-Nov-10 2:17:26 AM - System Checkpoint
RP141: 20-Nov-10 2:52:32 AM - System Checkpoint
RP142: 21-Nov-10 1:58:16 PM - System Checkpoint
RP143: 22-Nov-10 2:02:31 PM - System Checkpoint
RP144: 23-Nov-10 2:33:54 PM - System Checkpoint
RP145: 24-Nov-10 3:49:45 PM - System Checkpoint
RP146: 25-Nov-10 4:46:00 PM - System Checkpoint
RP147: 26-Nov-10 6:32:32 PM - System Checkpoint
RP148: 27-Nov-10 7:26:33 PM - System Checkpoint
RP149: 28-Nov-10 7:34:12 PM - System Checkpoint
RP150: 29-Nov-10 7:40:57 PM - System Checkpoint
RP151: 30-Nov-10 8:35:03 PM - System Checkpoint
RP152: 01-Dec-10 9:14:57 PM - System Checkpoint
RP153: 02-Dec-10 9:35:08 PM - System Checkpoint
RP154: 03-Dec-10 10:19:23 PM - System Checkpoint
RP155: 04-Dec-10 11:27:27 PM - System Checkpoint
RP156: 06-Dec-10 12:37:47 AM - System Checkpoint
RP157: 07-Dec-10 1:14:07 AM - System Checkpoint
RP158: 08-Dec-10 1:16:35 AM - System Checkpoint
RP159: 09-Dec-10 2:53:39 AM - System Checkpoint
RP160: 10-Dec-10 5:00:17 AM - System Checkpoint
RP161: 11-Dec-10 12:17:08 PM - System Checkpoint
RP162: 12-Dec-10 12:47:34 PM - System Checkpoint
RP163: 13-Dec-10 5:55:46 PM - System Checkpoint
RP164: 14-Dec-10 6:04:04 PM - System Checkpoint
RP165: 15-Dec-10 6:50:50 PM - System Checkpoint
RP166: 16-Dec-10 7:17:16 PM - System Checkpoint
RP167: 17-Dec-10 9:57:23 PM - System Checkpoint
RP168: 18-Dec-10 10:35:06 PM - System Checkpoint
RP169: 19-Dec-10 10:36:11 PM - System Checkpoint
RP170: 20-Dec-10 1:34:25 AM - Software Distribution Service 3.0
RP171: 21-Dec-10 2:53:52 AM - System Checkpoint
RP172: 22-Dec-10 6:24:21 AM - System Checkpoint
RP173: 23-Dec-10 7:14:03 AM - System Checkpoint
RP174: 24-Dec-10 4:24:27 PM - System Checkpoint
RP175: 25-Dec-10 4:28:50 PM - System Checkpoint
RP176: 26-Dec-10 4:29:46 PM - System Checkpoint
RP177: 27-Dec-10 5:10:38 PM - System Checkpoint
RP178: 28-Dec-10 6:24:28 PM - System Checkpoint
RP179: 29-Dec-10 6:40:59 PM - System Checkpoint
RP180: 30-Dec-10 8:29:55 PM - System Checkpoint
RP181: 31-Dec-10 9:30:57 PM - System Checkpoint
RP182: 01-Jan-11 9:55:36 PM - System Checkpoint
RP183: 02-Jan-11 11:00:36 PM - System Checkpoint
RP184: 03-Jan-11 1:32:30 AM - Installed Google SketchUp 8
RP185: 04-Jan-11 1:36:05 AM - System Checkpoint
RP186: 05-Jan-11 2:25:06 AM - System Checkpoint
RP187: 06-Jan-11 2:44:14 AM - System Checkpoint
RP188: 07-Jan-11 2:48:27 AM - System Checkpoint
RP189: 08-Jan-11 4:27:33 PM - System Checkpoint

==== Installed Programs ======================

µTorrent
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.0
Adobe Shockwave Player 11
Altysoft Free Video Converter 2.0
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Applian FLV Player
Avira AntiVir Personal - Free Antivirus
Bonjour
C-motech Connection Manager(CCU650)
Canon MP Navigator EX 3.0
Canon MP250 series MP Drivers
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
CCleaner (remove only)
ClearType Tuning Control Panel Applet
CopyTrans Suite Remove Only
Everything 1.2.1.371
ffdshow [rev 735] [2007-01-02]
Foxit PDF Editor
Foxit Reader
GoodSync
Google Chrome
Google Earth
Google SketchUp 8
Google SketchUp Pro 7
Google Update Helper
GoogleDesktop
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Hotspot Shield 1.56
Image Resizer Powertoy for Windows XP
iTunes
Java Auto Updater
Java(TM) 6 Update 22
K-Lite Mega Codec Pack 4.1.6
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money Plus
Microsoft Money Shared Libraries
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MIKSOFT Mobile Media Converter
MobileMe Control Panel
Mozilla Firefox (3.6.13)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Drivers
Picasa 3
QuickTime
Realtek High Definition Audio Driver
Safari
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Skype™ 4.0
Smart Defrag
Software Update for Web Folders
SopCast 3.2.9
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Switch Sound File Converter
Thai2English
The KMPlayer (remove only)
unikode for Thai
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC 9.0 Runtime
Veetle TV 0.9.18
WebFldrs XP
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
WinX DVD Author 5.5.8
ZoneAlarm
ZoneAlarm Toolbar

==== Event Viewer Messages From Past Week ========

08-Jan-11 5:56:37 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
08-Jan-11 5:56:37 PM, error: Service Control Manager [7034] - The NMSAccessU service terminated unexpectedly. It has done this 1 time(s).
08-Jan-11 5:56:37 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
08-Jan-11 5:56:37 PM, error: Service Control Manager [7034] - The Hotspot Shield Monitoring Service service terminated unexpectedly. It has done this 1 time(s).
08-Jan-11 5:56:37 PM, error: Service Control Manager [7031] - The Hotspot Shield Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
08-Jan-11 5:56:37 PM, error: Service Control Manager [7031] - The Hotspot Shield Routing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
08-Jan-11 5:56:37 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
07-Jan-11 7:47:52 PM, error: Dhcp [1002] - The IP address lease 10.76.16.45 for the Network Card with network address 00FFD9A926A4 has been denied by the DHCP server 10.76.127.254 (The DHCP Server sent a DHCPNACK message).
07-Jan-11 4:40:38 PM, error: Dhcp [1002] - The IP address lease 10.63.16.7 for the Network Card with network address 00FFD9A926A4 has been denied by the DHCP server 10.76.23.254 (The DHCP Server sent a DHCPNACK message).
07-Jan-11 11:08:28 PM, error: Dhcp [1002] - The IP address lease 10.76.120.49 for the Network Card with network address 00FFD9A926A4 has been denied by the DHCP server 10.76.23.254 (The DHCP Server sent a DHCPNACK message).
06-Jan-11 2:47:16 AM, error: Dhcp [1002] - The IP address lease 10.63.8.32 for the Network Card with network address 00FFD9A926A4 has been denied by the DHCP server 10.63.23.254 (The DHCP Server sent a DHCPNACK message).
05-Jan-11 12:54:45 AM, error: Print [6161] - The document KBA_2009_price_list.xls owned by Buzzzzz failed to print on printer Canon MP250 series Printer. Data type: NT EMF 1.008. Size of the spool file in bytes: 1905796. Number of bytes printed: 144152. Total number of pages in the document: 11. Number of pages printed: 0. Client machine: \\W-924BCAF39F124. Win32 error code returned by the print processor: 13 (0xd).
05-Jan-11 11:15:10 PM, error: Dhcp [1002] - The IP address lease 10.42.24.107 for the Network Card with network address 00FFD9A926A4 has been denied by the DHCP server 10.63.15.254 (The DHCP Server sent a DHCPNACK message).
05-Jan-11 1:23:12 AM, error: Dhcp [1002] - The IP address lease 10.42.48.76 for the Network Card with network address 00FFD9A926A4 has been denied by the DHCP server 10.42.31.254 (The DHCP Server sent a DHCPNACK message).
04-Jan-11 8:04:22 PM, error: Dhcp [1002] - The IP address lease 10.42.48.115 for the Network Card with network address 00FFD9A926A4 has been denied by the DHCP server 10.42.55.254 (The DHCP Server sent a DHCPNACK message).
04-Jan-11 4:04:12 PM, error: Dhcp [1002] - The IP address lease 10.25.48.80 for the Network Card with network address 00FFD9A926A4 has been denied by the DHCP server 10.42.55.254 (The DHCP Server sent a DHCPNACK message).
04-Jan-11 2:40:35 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
04-Jan-11 2:34:48 PM, error: Dhcp [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 0021853BFF19 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================

many thanks & kind regards,
Buzz

Bobbye · Jan 9, 2011

Good Morning! I'll help with the malware- although I'm not sure you have any. Antivirus program continue to show malware even if it's not active, so it depends on the location of TDSS shown in Avira. For instance, if it is showing System Volume for the location, that means that it is not active in the system, but is in a restore point.

When we assist with cleaning a system, at the end-not before-we have you set a new, clean restore point, then drop the old one to prevent reinfection. So far, I don't see any indication of avtive malware in these logs. But I will have you run 2 scans to be sure.

First, some housekeeping: You have several outdated versions of Java in the Firefox addons and they need to be removed:
Open Firefox> Tools> Addons> Highlight and delete the following:
Java v6u12, u13, u14, u16, u17, u19, u20, 21, u22 The current version us v6u23, so you might as well bump it up one update:
Check this site .Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs also if they show there as they are vulnerabilities for the system. Unfortunately, the Java updates don't overwrite the old one- someday I hope they fix that.
==========================================
Since you are using the FoxIt PDF reader, you no longer need to Adobe Reader and all it's bloat. FoxIt will do the same thing and it doesn't have the bloat. Uninstall the Adobe Reader in Add/Remove Programs in the Control Panel.
===========================================
The HijackThis program you have is also outdated and can be removed. I will give you a new link to run the current version.
=========================================
Please Run Eset NOD32 Online AntiVirus scan HERE

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the Active X control to install

Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.

Click Start

Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked

Click Scan

Wait for the scan to finish

Re-enable your Antivirus software.

A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

=======================================
Download Combofix to your desktop from one of these locations:
Link 1
Link 2

Double click combofix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Query- Recovery Console image

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

.Click on Yes, to continue scanning for malware

.If Combofix asks you to update the program, allow

.Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

.Close any open browsers.

.Double click combofix.exe & follow the prompts to run.

When the scan completes it will open a text window. Please paste that log in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Once I see these logs, I'll know if the rootkit was removed or if any entries remain.

Edit to add: Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

Buzz · Jan 9, 2011

Hi Bobbye ...

Thanks for all the advice and time taken ...

Java Updates: Done - have updated to version 23.
What about Java Quick Starter 1.0 - leave it or delete it ?
Yes, I knew it was good to get rid of older versions, but I only checked in ADD/REMOVE before, and that only shows the current version - so, now i know how/where to check. tks
........................................................................
Adobe Reader: i so much want to get rid of it, but I can't get my thai bank e-statements without it - I downloaded the update a while ago, but haven't been bothered to install. At least I haven't got it as my default pdf reader. Don't know how else I can get my bank e-statements without it ?

......................................................................
HijackThis: removed
But, I got some typical windows 'Note' saying to delete the file manually as well ?

....................................................................
Ran Eset - said it found 2 x variants of win32/hotspotshield application
Went to C:\Program Files\EsetOnlineScanner\ folder but no log.txt file was to be found ?

...................................................................
Downloaded Combofix and when tried to run got a Note saying: it couldn't run until AVG was uninstalled or use other tool ?
I haven't used AVG for at least a couple of years ?
Deleted Combofix icon and downloaded again but when tried to run - same note.

over to you Bobbye...
Buzz

Buzz · Jan 9, 2011

Just checked windows explorer and my C drive showing a folder - C:\$AVG - is showing nothing in it - but when I checked in properties it says 74 files 2 folders 16mb (Nov10,2009) ?

Buzz · Jan 9, 2011

C:\Program Files\ESET\ESET Online Scanner - just has the active x file and Eset uninstall file, but no log.txt

Bobbye · Jan 13, 2011

What about Java Quick Starter 1.0 - leave it or delete it ?

Click on Start> Run> type in services,msc> enter> double click on JavaQuickStart> Stop the Service> change the Startup type to Disabled. You don't need it to run or use Java.

Adobe Reader: i so much want to get rid of it, but I can't get my thai bank e-statements without it -

o yourself a favor. Download the Fox It PDF Reader and make it the default. Try downloading one of the PDF e-statements> it should open right up in Foxit. Mine does. I just click the PDF symbol.

AVG is giving us a pain with Combofix! Do a search on your system for AVG. Delete everything for AVG. You may have to do this in Safe Mode. Be sure there is no AVG process on the Startup menu.

Then run Combofix

Buzz · Jan 13, 2011

Did a search in the wonderful 'windows explorer' - it actually found over 100 AVG folders/Files ... some wouldn't delete (I forgot how to run in 'safe mode') ... gave ComboFix another try with success ...

ComboFix 11-01-12.04 - Buzzzzz 14-Jan-11 2:57.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2441 [GMT 7:00]
Running from: c:\documents and settings\Buzzzzz\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-12-13 to 2011-01-13 )))))))))))))))))))))))))))))))
.

2011-01-08 10:48 . 2010-12-20 11:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-08 10:48 . 2011-01-08 10:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-08 10:48 . 2010-12-20 11:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-25 20:26 . 2011-01-08 10:07 -------- d-----w- c:\windows\system32\NtmsData
2010-12-19 18:29 . 2010-11-18 18:12 81920 -c----w- c:\windows\system32\dllcache\isign32.dll
2010-12-19 18:24 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-19 18:22 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-24 06:15 . 2009-11-16 09:03 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-12-11 06:23 . 2009-11-16 07:50 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-18 18:12 . 2008-12-02 03:22 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 11:53 . 2010-05-22 13:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 09:34 . 2009-03-11 08:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-06 00:26 . 2004-08-03 17:56 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:26 . 2004-08-03 17:56 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-03 17:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-03 12:25 . 2004-08-03 15:59 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2001-08-23 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-03 17:56 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-03 16:17 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Buzzzzz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-24 8491008]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-05-26 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 08:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 16:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-22 21:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-04-12 19:29 47392 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2009-03-24 02:00 1983816 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2009-03-18 01:40 767312 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2001-08-23 12:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2005-04-07 07:40 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-10 17:40 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-12-20 11:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 04:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 09:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"updateMgr"=c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"RTHDCPL"=RTHDCPL.EXE
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"Alcmtr"=ALCMTR.EXE
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [15-Sep-09 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [15-Sep-09 11:42 AM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [16-Nov-09 4:03 PM 135336]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [26-May-10 8:35 PM 26352]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [26-May-10 8:35 PM 493032]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21-Jul-09 11:48 PM 133104]
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [09-Feb-09 3:51 PM 58352]
S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\drivers\cmo_mdfl.sys [09-Feb-09 3:51 PM 8304]
S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\drivers\cmo_mdm.sys [09-Feb-09 3:51 PM 93904]
S3 cmo_serd;Data Modem @ CDMA Second DS Port (WDM);c:\windows\system32\drivers\cmo_serd.sys [09-Feb-09 3:51 PM 73696]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [04-Aug-04 12:56 AM 14336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [15-Sep-09 11:42 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 16:48]

2011-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 16:48]

2011-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-507921405-725345543-1003Core.job
- c:\documents and settings\Buzzzzz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-26 11:05]

2011-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-507921405-725345543-1003UA.job
- c:\documents and settings\Buzzzzz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-26 11:05]

2010-10-26 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-08-23 14:25]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {5EA7F988-C77D-4E9F-BD95-4DFB4D060C32} = 203.113.7.130 8.8.8.8
FF - ProfilePath - c:\documents and settings\Buzzzzz\Application Data\Mozilla\Firefox\Profiles\jjg4pz97.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.gmail.com/ncr
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: afurladvisor: afurladvisor@anchorfree.com - c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Aero Fox XL: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
FF - Ext: AvantGarde Skylight: {d62e0de0-401b-11dd-ae16-0800200c9a66} - %profile%\extensions\{d62e0de0-401b-11dd-ae16-0800200c9a66}
FF - Ext: Office Black: Office2007Black@JBBS - %profile%\extensions\Office2007Black@JBBS
FF - Ext: Chromifox Basic: chromifox@altmusictv.com - %profile%\extensions\chromifox@altmusictv.com
FF - Ext: AvantGarde Nightlife: {3fb63340-652a-11dd-ad8b-0800200c9a66} - %profile%\extensions\{3fb63340-652a-11dd-ad8b-0800200c9a66}
FF - Ext: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - %profile%\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: Chromifox Companion: cfxHelper@Triton - %profile%\extensions\cfxHelper@Triton
FF - Ext: Chromifox Extreme: cfxe@Triton - %profile%\extensions\cfxe@Triton
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Virtus Search Opt-in: extension@virtusdesigns.com - %profile%\extensions\extension@virtusdesigns.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-14 03:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

- - - - - - - > 'lsass.exe'(960)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(2372)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-01-14 03:02:26
ComboFix-quarantined-files.txt 2011-01-13 20:02

Pre-Run: 149,782,536,192 bytes free
Post-Run: 149,770,518,528 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - A9787094351135DE26B92DE7A4C9AEE8

**********************************************************************************

When I type in services,msc (in Run) windows says it can not find the file ???

Already have Foxit reader as my default - but this particular thai phone company's on-line program will only let me open my phone account statement .pdf in bloody Adobe !
(maybe they will fix it soon - as Foxit becomes more popular in thailand - or, they've done an exclusive deal with Adobe)

thanx again for all your assistance,
Buzz

Bobbye · Jan 14, 2011

When I type in services,msc (in Run) windows says it can not find the file ???

That's because I accidently put a comma in instead of a period> my apology. It should read:

Click on Start> Run> type in services.msc> enter> double click on JavaQuickStart> Stop the Service> change the Startup type to Disabled. You don't need it to run or use Java.

=============================================

it actually found over 100 AVG folders/Files ... some wouldn't delete (I forgot how to run in 'safe mode')

Boot into Safe Mode

Restart your computer and start pressing the F8 key on your keyboard.

Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Using Windows Explorer (Windows key + E)> My Computer> double click on Local Drive (C)> Programs> find the AVG folder and do a right click> Delete.
Note: The only entry For AVG I saw in all of the logs was for BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
This is also referred to as a link scanner.
It doesn't get any better than WOT, IMO, which you have. Get rid of the AVG.
==========================================
Please run this Custom CFScript: I think I found your malware:

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:
Code:
KillAll::
File::
c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS
DDS::
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
uStart Page = about:blank
Extra::
File::
c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com
Firefox::
Firefox-: - Profile - c:\documents and settings\Buzzzzz\Application Data\Mozilla\Firefox\Profiles\jjg4pz97.default\
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=-
Driver::
HssWd
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
====================
Make sure this addons has been removed from Firefox after running the above:
FF - Ext: afurladvisor: afurladvisor@anchorfree.com - c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com

"Automatically Collected" Information When you use the Hotspot Shield, we automatically record certain information from your web browser by using different types of proprietary technology. The automatically collected information does not identify a User personally, and AnchorFree only uses the automatically collected information in the aggregate to monitor the advertisements displayed on the Hotspot Shield.

It is considered a "Trojan.Adclicker" by Symantec.
===================
I'd like you to try the Eset scan again. If it still won't produce the log, run the following instead: Be sure your security is disabled to run the scan>
Run Kaspersky Online Scanner in Internet Explorer

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click Accept and the web scanner will begin to load

If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control

You will be prompted to install an ActiveX component from Kaspersky, click Install

If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.

The program will launch and then begin downloading the latest definition files:

Once the files have been downloaded click on NEXT and then Scan Settings

In the scan settings make that the following are selected:
[o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
[o] Scan Options: Scan Archives> Scan Mail Bases

Click OK

Now under select a target to scan:
[o] Select My Computer

The program will start to scan your system.

Once the scan is complete, click on the Save as Text button and save the file to your desktop

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
====================================

Buzz · Jan 15, 2011

Hey Bobbye ...

Had a bit of a hic-cup last nite (Jan 14) ... when in 'safe mode' looking for AVG files to delete - I couldn't find any - didn't do anything else - the mouse froze - couldn't bring up task manager (CTL ALT Del) - comp wouldn't switch off - had to 'off' the UPS(cut power) to turn it off - (it was late here, so went to bed and re-tried in the arvo) - switched on again and let run - got stuck with blue Windows screen (as if it was still loading after hearing the windows start-up tune) - froze again - had to shut the power off again - tried the same thing again with same results - turned power on again and restarted in safe mode - ok - shut down comp no probs using (start) 'turn off computer' , just see if it would shut down ok ... restarted again in safe mode, but this time chose the 'restore point' option - restored to a point Jan 13th pm ... computer booted up no probs ...

..................................................................................................
Found c:\program files\avg\avg9\avgssie.dll in Windows Exp and deleted it and all remains of AVG files and folders.

....................................................................................................
Downloaded Combofix again and 'dropped' the CFScript.txt into it and successfully scanned - log pasted below.

..................................................................................................
Deleted c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com thru WExp

................................................................................................
Noticed another 'Hotspot Shield' Folder - not under program files - just on itself C:\Hotspot Sheild with a sub-folder hsswd, and a hssstate xml doc1kb 15Jan20117.27pm
- did not try to open the hsswd folder

................................................................................................
Ran ESET successfully - log below

(by the way the version ESET i used didn't automatically generate a logfile at C:\Program Files\EsetOnlineScanner\log.txt
- when the scan finishes it gives the option to view a 'list of threats' found - click - 2 options: either copy to clipboard or export text file (see below)

Completely uninstalled ESET

............................................................................................

that's it bro... over to you !

ComboFix 11-01-14.01 - Buzzzzz 15-Jan-11 18:52:23.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2491 [GMT 7:00]
Running from: c:\documents and settings\Buzzzzz\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Buzzzzz\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS"
"c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\hotspot shield\hssie\HssIE.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HSSWD
-------\Service_HssWd

((((((((((((((((((((((((( Files Created from 2010-12-15 to 2011-01-15 )))))))))))))))))))))))))))))))
.

2011-01-15 08:59 . 2010-11-09 14:52 536576 -c----w- c:\windows\system32\dllcache\msado15.dll
2011-01-15 08:59 . 2010-11-09 14:52 249856 -c----w- c:\windows\system32\dllcache\odbc32.dll
2011-01-15 08:59 . 2010-11-09 14:52 200704 -c----w- c:\windows\system32\dllcache\msadox.dll
2011-01-15 08:59 . 2010-11-09 14:52 180224 -c----w- c:\windows\system32\dllcache\msadomd.dll
2011-01-15 08:59 . 2010-11-09 14:52 143360 -c----w- c:\windows\system32\dllcache\msadco.dll
2011-01-15 08:59 . 2010-11-09 14:52 102400 -c----w- c:\windows\system32\dllcache\msjro.dll
2011-01-15 08:12 . 2011-01-15 08:12 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-15 08:12 . 2011-01-15 08:12 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2011-01-15 08:12 . 2011-01-15 08:12 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2011-01-15 08:12 . 2011-01-15 08:12 -------- d-----w- c:\program files\Firefox
2011-01-15 08:12 . 2011-01-15 08:12 -------- d-----w- c:\documents and settings\Buzzzzz\Local Settings\Application Data\AVG Security Toolbar
2011-01-15 08:12 . 2011-01-15 08:12 -------- d-----w- C:\$AVG
2011-01-08 10:48 . 2010-12-20 11:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-08 10:48 . 2011-01-08 10:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-08 10:48 . 2010-12-20 11:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-25 20:26 . 2011-01-08 10:07 -------- d-----w- c:\windows\system32\NtmsData
2010-12-19 18:29 . 2010-11-18 18:12 81920 -c----w- c:\windows\system32\dllcache\isign32.dll
2010-12-19 18:24 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-19 18:22 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-24 06:15 . 2009-11-16 09:03 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-12-11 06:23 . 2009-11-16 07:50 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-18 18:12 . 2008-12-02 03:22 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 11:53 . 2010-05-22 13:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 09:34 . 2009-03-11 08:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-09 14:52 . 2004-08-03 17:56 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-03 17:56 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:26 . 2004-08-03 17:56 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-03 17:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-03 12:25 . 2004-08-03 15:59 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2001-08-23 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-03 17:56 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-03 16:17 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Buzzzzz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-24 8491008]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-05-26 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 08:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 16:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-22 21:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-04-12 19:29 47392 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2009-03-24 02:00 1983816 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2009-03-18 01:40 767312 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2001-08-23 12:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2005-04-07 07:40 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-10 17:40 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-12-20 11:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 04:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 09:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"updateMgr"=c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"RTHDCPL"=RTHDCPL.EXE
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"Alcmtr"=ALCMTR.EXE
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [15-Sep-09 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [15-Sep-09 11:42 AM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [16-Nov-09 4:03 PM 135336]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [26-May-10 8:35 PM 26352]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [26-May-10 8:35 PM 493032]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21-Jul-09 11:48 PM 133104]
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [09-Feb-09 3:51 PM 58352]
S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\drivers\cmo_mdfl.sys [09-Feb-09 3:51 PM 8304]
S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\drivers\cmo_mdm.sys [09-Feb-09 3:51 PM 93904]
S3 cmo_serd;Data Modem @ CDMA Second DS Port (WDM);c:\windows\system32\drivers\cmo_serd.sys [09-Feb-09 3:51 PM 73696]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [04-Aug-04 12:56 AM 14336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [15-Sep-09 11:42 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 16:48]

2011-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 16:48]

2011-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-507921405-725345543-1003Core.job
- c:\documents and settings\Buzzzzz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-26 11:05]

2011-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-507921405-725345543-1003UA.job
- c:\documents and settings\Buzzzzz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-26 11:05]

2010-10-26 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-08-23 14:25]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = local;*.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Buzzzzz\Application Data\Mozilla\Firefox\Profiles\jjg4pz97.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.gmail.com/ncr
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: afurladvisor: afurladvisor@anchorfree.com - c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Aero Fox XL: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
FF - Ext: AvantGarde Skylight: {d62e0de0-401b-11dd-ae16-0800200c9a66} - %profile%\extensions\{d62e0de0-401b-11dd-ae16-0800200c9a66}
FF - Ext: Office Black: Office2007Black@JBBS - %profile%\extensions\Office2007Black@JBBS
FF - Ext: Chromifox Basic: chromifox@altmusictv.com - %profile%\extensions\chromifox@altmusictv.com
FF - Ext: AvantGarde Nightlife: {3fb63340-652a-11dd-ad8b-0800200c9a66} - %profile%\extensions\{3fb63340-652a-11dd-ad8b-0800200c9a66}
FF - Ext: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - %profile%\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: Chromifox Companion: cfxHelper@Triton - %profile%\extensions\cfxHelper@Triton
FF - Ext: Chromifox Extreme: cfxe@Triton - %profile%\extensions\cfxe@Triton
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Virtus Search Opt-in: extension@virtusdesigns.com - %profile%\extensions\extension@virtusdesigns.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-15 18:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

- - - - - - - > 'lsass.exe'(960)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(2188)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Digiarty\WinX DVD Author 5.5\NMSAccessU.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Hotspot Shield\bin\openvpntray.exe
.
**************************************************************************
.
Completion time: 2011-01-15 19:01:40 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-15 12:01
ComboFix2.txt 2011-01-13 20:02

Pre-Run: 149,032,837,120 bytes free
Post-Run: 148,891,992,064 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 710E6DC8C690BD26167148CB7C717640

Eset: 'export to text' file...

C:\Program Files\Hotspot Shield\bin\openvpnas.exe a variant of Win32/HotSpotShield application
C:\System Volume Information\_restore{2680BA70-0047-4768-B84A-436EC72BC6AF}\RP125\A0036618.exe a variant of Win32/HotSpotShield application
C:\System Volume Information\_restore{2680BA70-0047-4768-B84A-436EC72BC6AF}\RP143\A0039869.exe a variant of Win32/HotSpotShield application
C:\System Volume Information\_restore{2680BA70-0047-4768-B84A-436EC72BC6AF}\RP168\A0046593.exe a variant of Win32/HotSpotShield application
C:\System Volume Information\_restore{2680BA70-0047-4768-B84A-436EC72BC6AF}\RP189\A0050366.exe a variant of Win32/HotSpotShield application
Operating memory a variant of Win32/HotSpotShield application

Buzz · Jan 15, 2011

Hi Bobbye ...

Am writing this from my laptop as my PC crashed bad.
Was watching something on YouTube and the screen just froze ... only way to shutdown was power-off ... started up again and whilst I was hitting F8 - the windows blackscreen crash message came up "This computer closed un-expectically ....." which way would you like to re-start ... I went for safe mode but it just froze again ...

any help muchly appreciated, cheers,
Buzz

Buzz · Jan 15, 2011

I forgot to mention - PC was running fine - right before watching about 10 mins of YouTube - I bumped the 'on/off' button on the PC case - ZAlone prompt came up & wanted to shut down or cancel ... I chose cancel, same as with the Firefox prompt when it popped-up ... maybe this could've caused the crash ?

Bobbye · Jan 15, 2011

Okay- the restore got the AVG back. You shouldn't do a SR while we're cleaning-except-unless it's the only way back into a system. And that is the reason we don't remove the restore points at the beginning! If you look at the Eset entries, you'll see this location for some of the HotSpotShield:
C:\System Volume Information\_restore>> these are the restore points. So when you restored, you may also have 'reinfected' the system.

But I need to make you awre of what you agreed to when you installed the HotSpotShield. There is a heated discussion on some forums about whether the is actually a False Positive:
The is part of the AnchorFree EULA for the HotSpotShield:

"9.1 Advertisements. AnchorFree may deliver third-party advertisements (“Advertisements”) within the content of any web page accessed. Advertisements may be injected into the top of the page, inserted directly into the page content, or even displayed to overlay the page. You hereby acknowledge and consent that AnchorFree may alter the content of any web page accessed for the purpose of displaying Advertisements. Additionally from time to time, AnchorFree may prevent any user’s access to the product or continued use thereof until such user has successfully participated in applicable advertising programs, surveys, or other activities that collect and monetize users’ personal information. AnchorFree does not endorse any information, materials, products, or services contained in or accessible through Advertisements.

If you read this and knowingly accepted the terms, including the ads themselves, the HotSpotShield is not considered malware. But it will show in any security scans that include adware. If using it means enough that you don't mind or care about the ads-even if they are specific for you, then keep it.

Please make this decision so I will know whether to continue to try and remove it. What you see in C:\Hotspot Sheild is the Directory. It's a folder and will have sub-folders relted to the app or program itself.

I have script for you to run through Combofix, but we need to decide whether to continue to try and remove HotSpotShield, or whether you want to keep it. If you keep it: You have 2 options:
1. disable detection of adware
2. exclude the file from scanning
============================================
About the BSOD: We need to find what's causing it:

Please download VEW and save it to your Desktop:

Setting up the program

Double-click VEW.exe to run.

Select log to query, select

Application

System

Under Select type to list, select:

Critical (Vista only)

Error

Click the radio button for Number of events

Type 10 in the 1 to 20 box

Then click the Run button.

Notepad will open with the output log.

Load the log

In Notepad, click Edit> Select all

Then press Edit > Copy

Press Ctrl+V on your keyboard to paste the log to your next reply.

Try to run this after thr time of the BSOD. Events are time coded.
(Courtesy rev-Olie)

Buzz · Jan 16, 2011

Hi Bobbye ...

No probs - I do want to get rid of Hotspot Shield completely ... I only used occasionally anyway.

Turned on my PC today and got the BSOD -
"problem detected and windows etc....
WIN32K.sys
Page-Fault-in-nonpaged-area

Had to turn off power to shut down ... then on subsequent attempts to start-up - not getting anything - not even the BSOD - the ACER intro page shows for a nano second.
Normally when start-up the ACER page loads with 2 options:
Delete: to go into BIOS settings
F12: to go to boot menu

But, not even getting that come up now ... just a blank screen.

I don't think I have a boot-up disk. When I purchased this PC it came with Linux - but, I never used Linux - I had a local techo here convert it over from Linux to Windows XP Pro (copied version) which was a bit of a tricky job... I have the install disk he used to do that, that's all ...

So, what's the next move - how can I get a windows screen back so I can download VEW etc...?
(I've got no idea - have not done a back-up for ages either)

cheers and many thanks,
Buzz
(writing this from my laptop)
(I'm on Koh Samui - a small island in the tropical south of Thailand - not much tech assistance avbl here)

Bobbye · Jan 17, 2011

Boot into Safe Mode

Restart your computer and start pressing the F8 key on your keyboard.

Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Once you're in:
All Programs> Accessories> System Tools> System Restore> Restore the system to this date:
RP189: 08-Jan-11 4:27:33 PM - System Checkpoint

NOTE: If there is a later date, between 08-Jan and now, use that instead.

We may have to clean again but hopefully this will get you back in. This is a good example of why we don't drop the restore points at the beginning of cleaning!

Buzz · Jan 17, 2011

Hi Bobbye
,
It won't start even hitting F8 ... have tried a few times ... not even getting the Acer opening menu.now... sometimes just the Acer logo flashes up briefly ... that's it ... just a black empty screen after power 'on'

See my post#9 - PC was freezing in both safe and normal mode - only way to get windows back was to shoot for a restore point - I really don't know what else I could've done ?

any more suggestions muchly appreciated ...

Bobbye · Jan 18, 2011

PC was running fine - right before watching about 10 mins of YouTube - I bumped the 'on/off' button on the PC case - ZAlone prompt came up & wanted to shut down or cancel ... I chose cancel, same as with the Firefox prompt when it popped-up ... maybe this could've caused the crash ?

Oh my goodness! Sounds like the "bump" may have caused a start of the shutdown. But that was interrupted. So the system is half up and half down and it won't work like that. (But you already found that out!

There is also a possibility that the system got some kind of malware from the youtube video.

Please bring me up to date on the status:
Can you press the on/off button and Start up in either Safe Mode by toggling the F8 button or boot into Normal Mode? Or more simply said: can you get into the system at all, to a work place, not just a screen flash?

Buzz · Jan 18, 2011

on/off button just stays on - only way I can shut down is to un-plug ... soon as I plug-in the power cord again - the computer is 'on' - I get a quick flash of the Acer logo and then nothing it doesn't even seem to want to boot at all (even if constantly tapping F8) ... I'm worried ...

It's my work PC (I work from Home) and as I mentioned, I haven't done a data back-up for a long long while - had been advised of a great piece of free back-up software and even bought some flash memory 8GB sticks to do it as soon as I got this little bit of malware out of the way (yeah, I know...) - was going to do a clean-up and ditch a lot of un-used programs - refrag etc...

I'm stuck mate, as I don't want to do anything without yr advice now !

If it's look like we have to format the c drive, then I hope I can save all my data on the d drive (partioned)....

hope you can get back to me soon as possible,
cheers & thanks,
Buzz

Bobbye · Jan 19, 2011

Buzz, I don't have any miracles in my pocket today! You have a computer that won't shut down or start up. Possible electrical problem with power button or cable and you can't get into the system!

If you're going to do anything at all, you need a machine that works. I would have a tech check out the power button and cable. If that's faulty, it would explain a lot. Once that's done-if it restores the ability to get into the machine and work, we'll go on.

'Course, there's the matter of the "I'll back up later syndrome!"

If it's look like we have to format the c drive, then I hope I can save all my data on the d drive (partioned)....

If you get into the machine, have a look at the following for both Windows XP Repair or Reinstall.
You will find excellent reformat/reinstall instructions here:
http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html

Buzz · Jan 19, 2011

No probs, Bobbye I understand the situation ...

'As it just happened' - my little puppy unfortunately 're-broke' her leg yesterday - had to take her back to the pet hospital, which just happens to be near the 'stall' in the mall, where I found the Thai tech-head who installed Windows XP over Linux when I bought the machine. (most Thai tech heads have never done any sort of course or apprenticeship, and finding a good one on an island is like finding needles in haystacks. One that speaks good english, almost impossible !

They were not there anymore (as is the case quite often in Thailand).
But asked around, and found where they moved to ... they remembered me, said no probs, they reckon they can re-format my 'c' drive and save data on my 'd' drive - just bring it back !!!

So, with fingers crossed, I'll hand over a big part of my 'source of income' to them, and hope like hell they'll get Windows XP running again for me without any lost data (heaps of lost, good free software is inevitable though, I know).

But, don't worry, as soon as they do ~ I'll probably be in contact with you again !

cheers & thanks for your time taken,
Buzz

PS: What should I do as soon as XP is happening again ?
Would i have the option to run Windows 7 (with all my data on the 'd' drive on XP) - I don't think so....

Bobbye · Jan 20, 2011

I am very sorry to hear about the puppy. That will come before the computer, of course.

Although I can find malware and remove entries that are bad, I can't check the cables or on/off switch- and I think that is a big part of the problem, so make the tech earn what you have to pay him and have him check it.

As for you 2 questions:

What should I do as soon as XP is happening again ?

I am not sure I know what you mean here. I don't know what files will remain, if any, so if you have any signs of malware, start a new thread, to my attention with this URL for reference, http://www.techspot.com/vb/topic159399.html, and run the scans again.

Would i have the option to run Windows 7 (with all my data on the 'd' drive on XP) - I don't think so...

Linix to Windows XP then XP reinstall to Windows 7? I wouldn't recommend it.You would need to check your system specs to see what you'd need for a dual-boot.

I'm going to close this thread now. When you're up again, if you have malware problems, you know where to find us.

My best to the puppy.

TechSpot

[Solved] TR/DROP.TDss.way detected by Avira

Buzz Newcomer, in training

Bobbye Helper on the Fringe

Buzz Newcomer, in training

Buzz Newcomer, in training

Buzz Newcomer, in training

Bobbye Helper on the Fringe

Buzz Newcomer, in training

Bobbye Helper on the Fringe

Buzz Newcomer, in training

Buzz Newcomer, in training

Buzz Newcomer, in training

Bobbye Helper on the Fringe

Buzz Newcomer, in training

Bobbye Helper on the Fringe

Buzz Newcomer, in training

Bobbye Helper on the Fringe

Buzz Newcomer, in training

Bobbye Helper on the Fringe

Buzz Newcomer, in training

Bobbye Helper on the Fringe