jtaylor23

9 Posts

September 5th, 2010 12:00

HiJack This Log. Please Help!

I seem to have malware. I am getting one of those faux security scanners popping up and locking my computer. It seems to solve it to do a system restore, but then after a day it pops right back up. I can't find the root of whatever is causing this.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:32 PM, on 9/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Documents and Settings\Taylor\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer, optimized for Bing and MSN
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ECE056F-E50F-4F9D-B069-EB342D21F26A} (Snapfish Activia3) - http://www1.snapfish.com/SnapfishActivia3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222795635203
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{74EA5138-38F7-41D2-B158-68D506C4DAF9}: NameServer = 93.188.163.185,93.188.166.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.185,93.188.166.185
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.163.185,93.188.166.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.185,93.188.166.185
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7087 bytes

Responses(17)

Bugbatter

20.5K Posts

September 5th, 2010 13:00

Welcome to Dell Community :emotion-1:

Please remove the obsolete version of Hijackthis and download the latest version so that you can post a fresh log. Thanks.

Please Read This Before Posting On the Malware Removal Forum

jtaylor23

9 Posts

September 5th, 2010 18:00

I apologize.

Here is the new log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:30:10 PM, on 9/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer, optimized for Bing and MSN
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ECE056F-E50F-4F9D-B069-EB342D21F26A} (Snapfish Activia3) - http://www1.snapfish.com/SnapfishActivia3.cab
O16 - DPF: {5BCC24A7-7D3F-4CC9-AC86-4380FCD68D1E} (PCInfoOcxEN Control) - http://esupport.trendmicro.com/_layouts/1033/GetPCInfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222795635203
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{74EA5138-38F7-41D2-B158-68D506C4DAF9}: NameServer = 93.188.163.185,93.188.166.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.185,93.188.166.185
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.163.185,93.188.166.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.185,93.188.166.185
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7555 bytes

Bugbatter

20.5K Posts

September 5th, 2010 18:00

Thank you for your reply.

We need to see some additional information about what is happening in your machine.

Download DDS by sUBs from one of the following links. Save it to your desktop.
- DDS.scr
- DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool.
Click Yes at the prompt for Optional Scan.
When done, DDS will open two (2) logs

1. DDS.txt
2. Attach.txt

Save both reports to your desktop.
Copy/paste both logs to your reply on the forum. Do not attach them.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE.

jtaylor23

9 Posts

September 6th, 2010 06:00

Thank you. My computer seems to be unable to connect to Trend Micro to get updates now as well.

Here are the requested logs:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Taylor at 7:10:27.66 on Mon 09/06/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.76 [GMT -5:00]

AV: Trend Micro AntiVirus *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
svchost.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Taylor\Local Settings\Temporary Internet Files\Content.IE5\05WNNA0J\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
uWindow Title = Internet Explorer, optimized for Bing and MSN
uDefault_Page_URL = hxxp://www.msn.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {4ECE056F-E50F-4F9D-B069-EB342D21F26A} - hxxp://www1.snapfish.com/SnapfishActivia3.cab
DPF: {5BCC24A7-7D3F-4CC9-AC86-4380FCD68D1E} - hxxp://esupport.trendmicro.com/_layouts/1033/GetPCInfo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222795635203
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} - hxxp://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: NameServer = 93.188.163.185,93.188.166.185
TCP: {74EA5138-38F7-41D2-B158-68D506C4DAF9} = 93.188.163.185,93.188.166.185

============= SERVICES / DRIVERS ===============

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-4-2 36368]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-4-2 50704]
R3 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2010-4-2 689416]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]

=============== Created Last 30 ================

2010-09-05 17:41:59 0 d-----w- c:\windows\system32\wbem\Repository
2010-09-05 17:39:12 0 d-----w- c:\program files\Smart-Shopper
2010-09-05 17:38:43 0 d-----w- c:\program files\Ulead Systems
2010-09-04 02:10:32 0 d-----w- c:\windows\system32\Service
2010-09-04 00:36:14 0 d-----w- c:\windows\system32\NtmsData
2010-08-30 21:55:02 0 d-----w- c:\windows\SHELLNEW
2010-08-30 21:40:16 0 d-----w- c:\temp\en_office_professional_plus_2007_win32_x16-18875
2010-08-30 21:30:12 0 d-----w- C:\Temp
2010-08-24 00:20:38 0 d-----w- c:\program files\Microsoft Visual Studio 8
2010-08-23 23:02:54 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-08-23 17:57:13 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-08-23 17:57:13 215920 ----a-w- c:\windows\system32\muweb.dll
2010-08-23 17:57:13 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-08-13 22:43:07 47616 ---ha-w- c:\windows\system32\HdASghts.dll

==================== Find3M ====================

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2009-08-11 23:51:38 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 7:12:30.59 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/30/2008 11:28:36 AM
System Uptime: 9/6/2010 7:02:32 AM (0 hours ago)

Motherboard: First International Computer, Inc. | | KTBC51G
Processor: AMD Athlon(tm) 64 Processor 3700+ | Socket 939 | 2210/201mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 186 GiB total, 152.512 GiB free.
D: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP501: 6/8/2010 11:31:14 AM - System Checkpoint
RP502: 6/9/2010 12:31:16 PM - System Checkpoint
RP503: 6/10/2010 1:31:15 PM - System Checkpoint
RP504: 6/11/2010 3:00:28 AM - Software Distribution Service 3.0
RP505: 6/12/2010 3:42:56 AM - System Checkpoint
RP506: 6/13/2010 3:47:27 AM - System Checkpoint
RP507: 6/14/2010 3:48:57 AM - System Checkpoint
RP508: 6/15/2010 4:48:56 AM - System Checkpoint
RP509: 6/16/2010 5:28:25 AM - System Checkpoint
RP510: 6/17/2010 6:28:27 AM - System Checkpoint
RP511: 6/18/2010 7:27:40 AM - System Checkpoint
RP512: 6/19/2010 7:28:29 AM - System Checkpoint
RP513: 6/20/2010 8:29:37 AM - System Checkpoint
RP514: 6/21/2010 9:28:29 AM - System Checkpoint
RP515: 6/22/2010 10:42:29 AM - System Checkpoint
RP516: 6/23/2010 11:28:31 AM - System Checkpoint
RP517: 6/24/2010 3:00:20 AM - Software Distribution Service 3.0
RP518: 6/25/2010 3:26:14 AM - System Checkpoint
RP519: 6/26/2010 4:26:16 AM - System Checkpoint
RP520: 6/27/2010 5:26:18 AM - System Checkpoint
RP521: 6/28/2010 5:27:18 AM - System Checkpoint
RP522: 6/29/2010 6:27:21 AM - System Checkpoint
RP523: 6/30/2010 8:10:06 AM - System Checkpoint
RP524: 7/1/2010 8:11:02 AM - System Checkpoint
RP525: 7/2/2010 9:10:35 AM - System Checkpoint
RP526: 7/3/2010 9:52:28 AM - System Checkpoint
RP527: 7/4/2010 10:24:02 AM - System Checkpoint
RP528: 7/5/2010 12:07:16 PM - System Checkpoint
RP529: 7/6/2010 12:30:59 PM - System Checkpoint
RP530: 7/7/2010 12:43:49 PM - System Checkpoint
RP531: 7/8/2010 1:43:51 PM - System Checkpoint
RP532: 7/9/2010 2:41:30 PM - System Checkpoint
RP533: 7/10/2010 2:43:56 PM - System Checkpoint
RP534: 7/11/2010 5:26:03 PM - System Checkpoint
RP535: 7/12/2010 6:37:22 PM - System Checkpoint
RP536: 7/13/2010 7:05:27 PM - System Checkpoint
RP537: 7/14/2010 3:00:55 AM - Software Distribution Service 3.0
RP538: 7/15/2010 3:05:29 AM - System Checkpoint
RP539: 7/16/2010 4:05:30 AM - System Checkpoint
RP540: 7/17/2010 5:05:31 AM - System Checkpoint
RP541: 7/18/2010 6:05:34 AM - System Checkpoint
RP542: 7/19/2010 7:16:32 AM - System Checkpoint
RP543: 7/20/2010 7:41:11 AM - System Checkpoint
RP544: 7/21/2010 7:55:39 AM - System Checkpoint
RP545: 7/22/2010 8:41:11 AM - System Checkpoint
RP546: 7/23/2010 9:42:16 AM - System Checkpoint
RP547: 7/24/2010 9:58:08 AM - System Checkpoint
RP548: 7/25/2010 10:40:04 AM - System Checkpoint
RP549: 7/26/2010 10:54:15 AM - System Checkpoint
RP550: 7/27/2010 11:23:58 AM - System Checkpoint
RP551: 7/28/2010 12:23:58 PM - System Checkpoint
RP552: 7/29/2010 1:24:00 PM - System Checkpoint
RP553: 7/30/2010 2:24:01 PM - System Checkpoint
RP554: 7/31/2010 2:36:05 PM - System Checkpoint
RP555: 8/1/2010 6:40:14 PM - System Checkpoint
RP556: 8/2/2010 6:46:39 PM - System Checkpoint
RP557: 8/3/2010 8:25:55 PM - System Checkpoint
RP558: 8/4/2010 3:00:16 AM - Software Distribution Service 3.0
RP559: 8/5/2010 3:21:37 AM - System Checkpoint
RP560: 8/6/2010 4:21:38 AM - System Checkpoint
RP561: 8/7/2010 5:21:40 AM - System Checkpoint
RP562: 8/8/2010 11:58:35 AM - System Checkpoint
RP563: 8/9/2010 12:48:59 PM - System Checkpoint
RP564: 8/10/2010 1:49:02 PM - System Checkpoint
RP565: 8/11/2010 3:00:22 AM - Software Distribution Service 3.0
RP566: 8/12/2010 3:02:19 AM - System Checkpoint
RP567: 8/13/2010 3:06:49 AM - System Checkpoint
RP568: 8/14/2010 3:27:19 AM - System Checkpoint
RP569: 8/15/2010 4:27:19 AM - System Checkpoint
RP570: 8/16/2010 5:06:39 AM - System Checkpoint
RP571: 8/17/2010 5:41:00 AM - System Checkpoint
RP572: 8/18/2010 7:04:14 AM - System Checkpoint
RP573: 8/19/2010 7:09:08 AM - System Checkpoint
RP574: 8/20/2010 7:42:04 AM - System Checkpoint
RP575: 8/21/2010 10:47:14 AM - System Checkpoint
RP576: 8/22/2010 11:16:21 AM - System Checkpoint
RP577: 8/23/2010 12:16:25 PM - System Checkpoint
RP578: 8/23/2010 5:56:41 PM - Software Distribution Service 3.0
RP579: 8/23/2010 6:36:58 PM - Installed Microsoft Office Professional Plus 2007
RP580: 8/23/2010 6:39:16 PM - Installed Microsoft Office Professional Plus 2007
RP581: 8/23/2010 7:04:44 PM - Installed Microsoft Office Professional Plus 2007
RP582: 8/23/2010 7:31:59 PM - Installed Microsoft Office Professional Plus 2007
RP583: 8/23/2010 7:31:44 PM - Removed Microsoft Office Professional Edition 2003
RP584: 8/23/2010 8:15:20 PM - Installed Microsoft Office Professional Plus 2007
RP585: 8/24/2010 6:19:07 PM - Installed Microsoft Office Professional Edition 2003
RP586: 8/25/2010 3:00:29 AM - Software Distribution Service 3.0
RP587: 8/25/2010 4:29:38 PM - Removed Microsoft Office Professional Edition 2003
RP588: 8/25/2010 8:03:24 PM - Installed Microsoft Office Professional 2007
RP589: 8/26/2010 3:00:35 AM - Software Distribution Service 3.0
RP590: 8/27/2010 3:00:49 AM - Software Distribution Service 3.0
RP591: 8/27/2010 4:00:08 PM - Removed Microsoft Office Professional 2007
RP592: 8/27/2010 5:54:47 PM - Installed Microsoft Office Professional 2007
RP593: 8/28/2010 3:00:25 AM - Software Distribution Service 3.0
RP594: 8/29/2010 3:00:35 AM - Software Distribution Service 3.0
RP595: 8/30/2010 3:56:40 PM - Software Distribution Service 3.0
RP596: 8/30/2010 4:08:45 PM - Removed Microsoft Office Professional 2007
RP597: 8/30/2010 4:51:31 PM - Installed Microsoft Office Professional Plus 2007
RP598: 8/31/2010 3:00:19 AM - Software Distribution Service 3.0
RP599: 9/1/2010 3:00:32 AM - Software Distribution Service 3.0
RP600: 9/2/2010 3:02:49 AM - System Checkpoint
RP601: 9/3/2010 4:02:53 AM - System Checkpoint
RP602: 9/3/2010 7:39:40 PM - Restore Operation
RP603: 9/4/2010 9:46:25 PM - System Checkpoint
RP604: 9/5/2010 12:38:11 PM - Restore Operation
RP605: 9/5/2010 7:28:28 PM - Installed HiJackThis

==== Installed Programs ======================

Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.3
Adobe Shockwave Player 11.5
ArcSoft PhotoStudio 5.5
Canon MP Navigator 2.0
Canon MP150
Canon Utilities Easy-PhotoPrint
EA Download Manager
Easy-WebPrint
Google Toolbar for Internet Explorer
Google Update Helper
High Definition Audio Driver Package - KB888111
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Java(TM) 6 Update 17
LeapFrog Connect
LeapFrog My Pals Plugin
LimeWire 4.18.8
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MSN Toolbar
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MySpaceIM
neroxml
NVIDIA Drivers
OmniPage SE 2.0
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Soft Data Fax Modem with SmartCP
The Movies(TM)
The Sims™ 2 Best of Business Collection
The Sims™ 2 Double Deluxe
The Sims™ 2 Mansion and Garden Stuff
The Sims™ 2 Seasons
The Sims™ 2 Store Edition
The Sims™ 2 University Life Collection
Trend Micro AntiVirus
Ulead Photo Explorer 8.0 Trial
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office Word 2007 (KB974631)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Use the entry named LeapFrog Connect to uninstall (LeapFrog My Pals Plugin)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

9/5/2010 12:47:31 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Software Updater service to connect.
9/5/2010 12:47:31 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service gusvc with arguments "" in order to run the server: {89DAE4CD-9F17-4980-902A-99BA84A8F5C8}
9/5/2010 12:02:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
9/5/2010 11:51:21 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
9/5/2010 11:18:15 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
9/4/2010 7:03:06 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss SASKUTIL Tcpip tmtdi
9/4/2010 7:03:06 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
9/4/2010 7:03:06 AM, error: Service Control Manager [7001] - The Messenger service depends on the NetBIOS Interface service which failed to start because of the following error: A device attached to the system is not functioning.
9/4/2010 7:03:06 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/4/2010 7:03:06 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/4/2010 7:03:06 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
9/4/2010 7:03:01 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
9/4/2010 7:02:58 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/3/2010 7:44:20 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASKUTIL
9/3/2010 7:43:06 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
9/3/2010 7:43:06 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
9/3/2010 7:17:45 PM, error: Service Control Manager [7034] - The Trend Micro Central Control Component service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================

Bugbatter

20.5K Posts

September 6th, 2010 07:00

I am reviewing your logs. In the meantime, you can help me by addressing the following:

* Have you have posted this issue on another forum? If so, please provide a link to the topic.

* If you have disabled System Restore in an attempt to begin cleaning malware, please enable it now. We will flush System Restore when we are finished cleaning and we are sure that everything is running smoothly.

* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE.

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a partial list HERE.

* If this computer belongs to someone else, do you have authority to apply the fixes we will use?

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures. Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. It is understood by the trained analysts that once a helper replies to a log, he continues working with you until the issue is resolved.

* During the course of our cleanup please do not do any additional online work or surfing until we have verified that your system is clean.

* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.

Please let me know after you have removed Limewire and any other P2P programs. Thanks.

I look forward to your reply so we can begin cleaning.

No Reply within 3 days will result in this topic being closed, and I will remove it from my subscriptions. If you require more time, please let me know.

Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a log at the top of this board to start a new forum topic.

jtaylor23

9 Posts

September 6th, 2010 07:00

I have not posted this to any other forums.

I have not disabled system restore (I'm not sure how to do that :emotion-1: )

I am not using any craked software. This is my personal computer.

I have removed Limewire from the computer. That was my only P2P program as far as I know.

Thank you for your help!

Bugbatter

20.5K Posts

September 6th, 2010 11:00

Let's run a scan with MBAM. * If you are unable to download or install MBAM on your computer, see if you can use a friend's or family member's computer to download MBAM. Use the update link mentioned below to manually update. Once downloaded, rename the program installer "mbam-setup.exe" file to something else like "lookinhere.exe". Copy the installer file and the update file to a CD or flash drive. Transfer the files to the infected computer. Install the "lookinhere.exe" file, then run the update so that you will have the current definitions. After that, run a full system scan and select to have the program REMOVE whatever it finds.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link

Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates,

manually download them from here
and just double-click on mbam-rules.exe to install.
Alternatively, you can update through MBAM's interface from a clean computer,
copy the definitions (rules.ref) located in
C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes'
Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

On the Scanner tab:

Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top.

It may take some time to complete so please be patient.

When the scan is finished, a message box will say "The scan completed successfully.

Click 'Show Results' to display all objects found".

Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report into your next reply and exit MBAM. Let me know how things are running at that point.

Note:-- If MBAM encounters a file that is difficult to remove,
you may be asked to reboot your computer so it can proceed with the disinfection process.
Regardless if prompted to restart the computer or not, please do so immediately.
Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

-- MBAM may make changes to your registry as part of its disinfection routine.
If you're using other security programs that detect registry changes (like Spybot's Teatimer),
they may interfere with the fix or alert you after scanning with MBAM.
Please disable such programs until disinfection is complete or permit them to allow the changes.

**If you need to re-install MBAM but encounter issue in re-installing, try using the MBAM Cleanup Utility by downloading it from HERE

jtaylor23

9 Posts

September 6th, 2010 17:00

Is the Malwarebytes a program that I will have to buy? I do not see a way to download it. I don't understand how to get this program.

Bugbatter

20.5K Posts

September 6th, 2010 18:00

Click on the first link and download the FREE version.

Or click on the blue button for the Free Version here: http://www.malwarebytes.org/

jtaylor23

9 Posts

September 7th, 2010 15:00

I'm sorry, I don't think it is going to work. I got it on my computer, but it won't open. It is installed. And I clicked for it to automatically open up, but nothing happens. I double-clicked the program to try and open it, but nothing happens.

Sorry for the trouble. I will try something else.

Bugbatter

20.5K Posts

September 7th, 2010 16:00

Please do not run any other scans unless requested. Please uninstall the MBAM that you installed.

Let's try it this way: Please run RKill first followed by a special version of MBAM:

1. Please download Rkill by Grinler from here Rkill and save it to your desktop. If that does not work try this alternate Link

Double-click on the Rkill desktop icon to run the tool in order to automatically attempt to stop any processes associated with Security Tool and other Rogue programs.
If using Vista, right-click on it and Run As Administrator.

Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, please ignore it, and run rkill.com again. This message is just a fake warning given by the malware when it terminates programs that may potentially remove it.
Therefore, please run rkill quite a few times until the malware is no longer running. You will then be able to proceed with the rest of the instructions below.

*NOTE: A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this only if requested to by the person helping you. Otherwise you can close this log when you wish.
Do not reboot your computer after running rkill as the malware programs will start again.

2. Now you should download Malwarebytes' Anti-Malware, or MBAM, from one of the following locations and save it to your desktop:

Malwarebytes Anti-Malware
alternate download link 1
alternate download link 2

3. Once downloaded, close all programs and Windows on your computer, including this one.

4. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.

5. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing and is at the last screen, make sure you uncheck both of the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware check boxes. Then click on the Finish button. If Malwarebytes' prompts you to reboot, please do not do so.

6. As this infection deletes a core executable of Malwarebytes' we will need to download a new copy of it and put it in the C:\program files\Malwarebytes' Anti-Malware\ folder. To download the file please click on the following link:
Malwarebytes Anti-Malware

When your browser prompts you where to save it to, please save it to the C:\program files\Malwarebytes' Anti-Malware\ folder. When downloading the file, it will have a random filename. Please leave the filename the way it is as it is important that it is not changed. You may want to write down the name of the file as you will need to know the name in the next step.

7. Once the file has been downloaded, open the C:\program files\Malwarebytes' Anti-Malware\ folder and double-click on the file you downloaded. MBAM will now start and you will be at the main program screen.

8. Before you can perform a scan, you must first update the program. To do this click on the Update tab, and that at the new screen click on the Check for Updates button. Malwarebytes' will now check for new updates and download and install them as necessary. When the update is completed, you will be prompted with a message stating either that you already have the latest updates or that they have been updated. Either way, you should now click on the OK button to continue.

9. Now click on the Scanner tab and make sure the the Perform full scan option is selected. Then click on the Scan button to start scanning your computer for Security Tool related files.

10. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan.
When the scan is finished a message box will appear.

11. You should click on the OK button to close the message box and continue with the malware removal removal process.

12. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

13. A screen displaying all the malware that the program found will be shown.

14. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.

15. Please post that log in your next reply here.

16. You can now exit the MBAM program.

* Due to the fact that this infection deletes certain MalwareBytes' files, and we had to work around this, if you wish to continue using MalwareBytes' Anti-Malware, which we suggest you do, then you should uninstall and then install it again so that the files are created properly.

jtaylor23

9 Posts

September 8th, 2010 16:00

MBAM still won't open.

Bugbatter

20.5K Posts

September 8th, 2010 17:00

Make sure all anti-spyware and anti-virus programs are disabled before you do this. <--Important!

Download Combofix from any of the links below. Before saving it, rename it to taylor.exe. You MUST rename it before saving it. Save it to your desktop.

Link 1
Link 2

Double click on your taylor.exe & follow the prompts.

When finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

jtaylor23

9 Posts

September 9th, 2010 17:00

Yay! Something happened! It looks like my Trend Micro is actually updating now, which it wouldn't do before.

Here is the log from the Combofix:

ComboFix 10-09-09.03 - Taylor 09/09/2010 17:25:21.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.157 [GMT -5:00]
Running from: E:\Taylor.exe
AV: Trend Micro AntiVirus *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Taylor\Local Settings\Application Data\ihxpfaxwn
c:\documents and settings\Taylor\Local Settings\Application Data\ihxpfaxwn\ooljgsgshdw.exe
c:\program files\Smart-Shopper
c:\program files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll
c:\windows\system32\HdASghts.dll
c:\windows\system32\service
c:\windows\system32\service\03092010_TIS17_SfFniAU.log
c:\windows\system32\service\04092010_TIS17_SfFniAU.log

Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UACd.sys
-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2010-08-09 to 2010-09-09 )))))))))))))))))))))))))))))))
.

2010-09-07 23:10 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-07 23:10 . 2010-09-07 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-07 23:10 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-07 23:10 . 2010-09-08 22:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-05 17:41 . 2010-09-05 17:41 -------- d-----w- c:\windows\system32\wbem\Repository
2010-09-05 17:38 . 2010-09-05 17:38 -------- d-----w- c:\program files\Ulead Systems
2010-09-04 00:36 . 2010-09-04 00:37 -------- d-----w- c:\windows\system32\NtmsData
2010-08-30 21:59 . 2010-08-30 21:59 -------- d-----w- c:\program files\Microsoft Works
2010-08-30 21:57 . 2010-08-30 21:57 -------- d-----w- c:\program files\Microsoft.NET
2010-08-30 21:55 . 2010-08-30 21:58 -------- d-----w- c:\windows\SHELLNEW
2010-08-30 21:51 . 2010-08-30 21:51 -------- d-----r- C:\MSOCache
2010-08-30 21:40 . 2010-08-30 21:40 -------- d-----w- c:\temp\en_office_professional_plus_2007_win32_x16-18875
2010-08-30 21:30 . 2010-08-30 21:41 -------- d-----w- C:\Temp
2010-08-26 08:06 . 2010-08-26 08:06 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2010-08-24 00:20 . 2010-08-24 00:20 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-08-24 00:11 . 2010-08-24 00:11 -------- d-----w- c:\documents and settings\Taylor\Local Settings\Application Data\Microsoft Help
2010-08-24 00:11 . 2010-09-07 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-23 23:02 . 2010-08-23 23:02 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-08-23 17:57 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-08-23 17:57 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-08-19 00:47 . 2010-08-19 00:47 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-08-19 00:46 . 2010-08-19 00:46 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-08-16 00:44 . 2010-08-16 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-08-16 00:06 . 2010-08-16 00:09 -------- d-----w- c:\program files\Common Files\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-06 00:28 . 2008-10-03 23:41 -------- d-----w- c:\program files\Trend Micro
2010-09-05 15:23 . 2008-10-03 19:37 -------- d-----w- c:\documents and settings\Taylor\Application Data\LimeWire
2010-08-31 00:59 . 2008-10-10 14:43 71984 ----a-w- c:\documents and settings\Taylor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-30 21:59 . 2009-08-20 22:06 -------- d-----w- c:\program files\MSBuild
2010-08-23 22:45 . 2009-04-08 01:00 -------- d-----w- c:\program files\Microsoft Silverlight
2010-08-16 21:37 . 2009-09-13 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-29 21:40 . 2008-10-03 20:03 -------- d-----w- c:\program files\Google
2010-06-30 12:31 . 2006-03-15 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2006-03-15 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2006-03-15 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2006-03-15 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2006-03-15 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-09-30 16:23 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2006-03-15 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-29 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-14 14820864]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-01-26 1020248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [4/2/2010 2:56 PM 36368]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [4/2/2010 3:09 PM 50704]
R3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [4/2/2010 3:10 PM 689416]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 9:25 AM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 14:24]

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 14:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: {4ECE056F-E50F-4F9D-B069-EB342D21F26A} - hxxp://www1.snapfish.com/SnapfishActivia3.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-09 18:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1064)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\dllhost.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
.
**************************************************************************
.
Completion time: 2010-09-09 18:24:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-09 23:24

Pre-Run: 163,936,256,000 bytes free
Post-Run: 163,784,413,184 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 98BCACC4B2F2BD1FE921C9B64248675D

And from Hijack This:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:27:08 PM, on 9/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\Internet Security\UfUpdUi.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ECE056F-E50F-4F9D-B069-EB342D21F26A} (Snapfish Activia3) - http://www1.snapfish.com/SnapfishActivia3.cab
O16 - DPF: {5BCC24A7-7D3F-4CC9-AC86-4380FCD68D1E} (PCInfoOcxEN Control) - http://esupport.trendmicro.com/_layouts/1033/GetPCInfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222795635203
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 6859 bytes

Bugbatter

20.5K Posts

September 9th, 2010 19:00

Did you set restrictions in the Control Panel? If not, please run HijackThis and place a checkmark next to these:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close all other windows and click "Fix Checked". Close HijackThis.

Run Disk Cleanup in each user's profile: Click "Start > Programs > Accessories > System Tools > Disk Cleanup" Please make sure only the following are checked:

-- Downloaded Program Files

-- Temporary Internet Files

-- Recycle Bin

-- Temporary Files

Click "OK" and Disk Cleanup will delete those files for you.

REBOOT.

Please follow these steps to remove older version Java components and update.

Download the latest version of Java SE Runtime Environment (JRE) 6 Update 21 to your Desktop.
You will find it here: http://majorgeeks.com/download.php?det=4648
Click the "Download" button. Make sure you do not by accident download any of the other programs advertised on that page.
Do not install it yet.
Close any programs you may have running - especially your web browser.
Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version. NOTE: As always during installations, beware of any pre-checked option to install a toolbar. If you do not want it, UNcheck it.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications.

To disable the JQS service if you don't want to use it:

* Go to Start-->Control Panel-->Java-->Advanced-->Miscellaneous and uncheck the box for Java Quick Starter.

* Click Ok and reboot your computer.

Let me know how things are running after that. If everything is back to normal, we'll remove our tools and reset System Restore.

View All

No Events found!

Virus & Spyware

HiJack This Log. Please Help!