Strange clicking and seizing up of programs

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
• Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

I need to see some additional information about what is happening in your machine.
Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.com
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explanation about the tool.
• When done, DDS will open two (2) logs

• Save both reports to your desktop.
• The instructions here ask you to attach the Attach.txt.

• Instead of attaching, please copy/past both logs into your next reply.

• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE

Please COPY/PASTE your fresh MBAM log and BOTH DDS logs back to this thread.
Thankyou,
K27.

This topic is Inactive.....


The fixes in this topic were written specifically for this user, following them may cause harm to your machine and render it a brick (useless)

If you are the original poster and would like further assistance please post a fresh HJT log and details of the problems you are having.

All other user's, please read THIS and then start a New Topic at the top of the Malware Removal Forum by clicking the button.

Sorry for the delay in responding to yours of 13/4, which is appreciated: I have been away from home. I have done what you suggested, and here are the three logs as requested.  Peter Beale (peter@pjbeale.net)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4073

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

06/05/2010 20:01:33
mbam-log-2010-05-06 (20-01-33).txt

Scan type: Quick scan
Objects scanned: 144280
Time elapsed: 10 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{103l3c30-c3b3-4130-9363-e59e1375perm} (Generic.Bot.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Advance Service Process (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NET Runtime Optimization Service v2.1.41329_X86 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\waittokillservicet (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 20/11/2008 01:34:02
System Uptime: 05/06/2010 20:03:03 (-720 hours ago)

Motherboard: Dell Inc.           |  | 0WJ771
Processor:                 Intel(R) Celeron(R) CPU 3.06GHz | Microprocessor | 3058/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 49.272 GiB free.
D: is FIXED (FAT32) - 149 GiB total, 41.497 GiB free.
E: is Removable
G: is Removable
H: is Removable
J: is CDROM ()
K: is Removable
L: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP500: 05/02/2010 18:30:53 - System Checkpoint
RP501: 06/02/2010 19:26:50 - System Checkpoint
RP502: 07/02/2010 20:20:17 - System Checkpoint
RP503: 08/02/2010 20:24:41 - System Checkpoint
RP504: 09/02/2010 20:49:49 - System Checkpoint
RP505: 11/02/2010 13:59:28 - System Checkpoint
RP506: 12/02/2010 03:00:30 - Software Distribution Service 3.0
RP507: 13/02/2010 08:43:25 - System Checkpoint
RP508: 14/02/2010 09:27:55 - System Checkpoint
RP509: 15/02/2010 09:54:01 - System Checkpoint
RP510: 20/02/2010 13:10:45 - System Checkpoint
RP511: 21/02/2010 14:10:15 - System Checkpoint
RP512: 22/02/2010 15:09:58 - System Checkpoint
RP513: 23/02/2010 15:25:34 - System Checkpoint
RP514: 24/02/2010 03:00:20 - Software Distribution Service 3.0
RP515: 25/02/2010 07:53:04 - System Checkpoint
RP516: 26/02/2010 08:17:13 - System Checkpoint
RP517: 01/03/2010 21:24:06 - System Checkpoint
RP518: 02/03/2010 21:30:16 - System Checkpoint
RP519: 03/03/2010 22:19:11 - System Checkpoint
RP520: 04/03/2010 22:32:14 - System Checkpoint
RP521: 05/03/2010 23:25:04 - System Checkpoint
RP522: 06/03/2010 23:45:52 - System Checkpoint
RP523: 07/03/2010 23:57:53 - System Checkpoint
RP524: 09/03/2010 08:14:29 - System Checkpoint
RP525: 09/03/2010 19:38:11 - Software Distribution Service 3.0
RP526: 10/03/2010 20:26:43 - System Checkpoint
RP527: 11/03/2010 03:00:25 - Software Distribution Service 3.0
RP528: 12/03/2010 07:51:43 - System Checkpoint
RP529: 13/03/2010 19:34:42 - Avg8 Update
RP530: 13/03/2010 19:36:17 - Avg Update
RP531: 14/03/2010 20:43:50 - System Checkpoint
RP532: 17/03/2010 17:25:11 - Avg Update
RP533: 18/03/2010 17:53:50 - System Checkpoint
RP534: 19/03/2010 19:34:04 - System Checkpoint
RP535: 20/03/2010 21:09:26 - System Checkpoint
RP536: 21/03/2010 23:14:20 - System Checkpoint
RP537: 22/03/2010 23:30:50 - System Checkpoint
RP538: 24/03/2010 08:34:25 - System Checkpoint
RP539: 25/03/2010 08:57:22 - System Checkpoint
RP540: 26/03/2010 09:50:10 - System Checkpoint
RP541: 27/03/2010 19:45:50 - System Checkpoint
RP542: 28/03/2010 21:28:41 - System Checkpoint
RP543: 29/03/2010 23:34:57 - System Checkpoint
RP544: 31/03/2010 01:39:10 - System Checkpoint
RP545: 01/04/2010 07:40:54 - System Checkpoint
RP546: 02/04/2010 08:15:17 - Avg Update
RP547: 02/04/2010 08:19:01 - Avg Update
RP548: 03/04/2010 10:45:41 - System Checkpoint
RP549: 04/04/2010 12:50:07 - System Checkpoint
RP550: 04/04/2010 21:43:07 - Unsigned driver install
RP551: 06/04/2010 22:04:35 - System Checkpoint
RP552: 08/04/2010 00:57:41 - System Checkpoint
RP553: 08/04/2010 09:08:06 - Avg Update
RP554: 09/04/2010 10:33:01 - System Checkpoint
RP555: 10/04/2010 11:29:56 - System Checkpoint
RP556: 11/04/2010 11:46:09 - System Checkpoint
RP557: 12/04/2010 13:48:13 - System Checkpoint
RP558: 13/04/2010 19:11:05 - System Checkpoint
RP559: 14/04/2010 19:33:45 - System Checkpoint
RP560: 14/04/2010 21:53:41 - Software Distribution Service 3.0
RP561: 15/04/2010 22:35:32 - System Checkpoint
RP562: 17/04/2010 23:02:19 - System Checkpoint
RP563: 30/04/2010 21:01:12 - Avg Update
RP564: 30/04/2010 21:17:53 - Avg Update
RP565: 30/04/2010 23:28:35 - Removed Java(TM) 6 Update 17
RP566: 30/04/2010 23:29:33 - Installed Java(TM) 6 Update 20
RP567: 01/05/2010 03:01:14 - Software Distribution Service 3.0
RP568: 02/05/2010 07:55:27 - System Checkpoint
RP569: 03/05/2010 08:47:37 - System Checkpoint
RP570: 04/05/2010 10:27:40 - System Checkpoint
RP571: 05/05/2010 10:33:42 - System Checkpoint
RP572: 06/05/2010 09:34:18 - Avg Update

==== Installed Programs ======================

32 bit Windows Card Reader Driver
ABBYY FineReader 4.0 Sprint
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
AI RoboForm (All Users)
Amazon MP3 Downloader 1.0.4
AnswerWorks Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG Free 9.0
BBC iPlayer Desktop
Bonjour
Compatibility Pack for the 2007 Office system
Corel Applications
Critical Update for Windows Media Player 11 (KB959772)
Dell Driver Download Manager
EPSON Printer Software
GoodSync
Google Earth
Google Update Helper
Handy Backup 2.1
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Image Zone 4.7
HP Update
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
iPhone Configuration Utility
iTunes
Java Auto Updater
Java(TM) 6 Update 20
Malwarebytes' Anti-Malware
Micrografx Picture Publisher 7
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework Client Profile - PREVIEW
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Word Viewer 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2000 SR-1
Microsoft XML Parser
Mixer
Monopoly Deluxe
Motion Director
Mozilla (1.7.13)
Mozilla Firefox (3.6.3)
Mozilla Thunderbird (2.0.0.24)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Music Rescue
Online Bible 9.31
Orban/Coding Technologies AAC/aacPlus Player Plugin™ 1.0
Pdf995
Philips SPC315NC Webcam
Photosmart 320,370,7400,8100,8400,8700 Series
Picasa 3
PS370
PSPrinters06
QFolder
QuickTime
RealPlayer
RealUpgrade 1.0
Samsung ML-2240 Series
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Serif PagePlus X2
Serif PagePlus X2 Resources
SigmaTel Audio
Skype™ 4.0
SmartBoard 32Bit
SmartStamp
Sound Blaster Audigy ADVANCED MB Demo
Spelling Dictionaries Support For Adobe Reader 9
SUPERAntiSpyware Free Edition
TalkTalk Broadband
TomTom HOME 2.7.3.1894
TomTom HOME Visual Studio Merge Modules
TrayApp
Trust 240TH Direct Webscan Gold v4.0
Ulead DVD MovieFactory 5
Uniblue SpeedUpMyPC 3
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
VideoLAN VLC media player 0.8.5
WebFldrs XP
WebReg
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinZip
WordPerfect Lightning
WordPerfect Lightning - EN
WordPerfect Lightning - IPM
WordPerfect Lightning - Messages
WordPerfect Lightning - MSOM
WordPerfect Office X4
WordPerfect Office X4 - Common
WordPerfect Office X4 - Content
WordPerfect Office X4 - EN
WordPerfect Office X4 - Filters
WordPerfect Office X4 - Graphics
WordPerfect Office X4 - ICA
WordPerfect Office X4 - IPM
WordPerfect Office X4 - IPM HSE EN
WordPerfect Office X4 - Migration Manager
WordPerfect Office X4 - PerfectExperts
WordPerfect Office X4 - PR
WordPerfect Office X4 - QP
WordPerfect Office X4 - Skins
WordPerfect Office X4 - System
WordPerfect Office X4 - WP
WordPerfect OfficeReady

==== Event Viewer Messages From Past Week ========

30/04/2010 23:22:29, error: Service Control Manager [7000]  - The SASDIFSV service failed to start due to the following error:  Cannot create a file when that file already exists.
03/05/2010 10:24:13, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the avg9wd service.
01/05/2010 11:34:59, error: Service Control Manager [7000]  - The SSPORT service failed to start due to the following error:  The system cannot find the file specified.
01/05/2010 11:34:59, error: Service Control Manager [7000]  - The General Purpose USB Driver (adildr.sys) service failed to start due to the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
01/05/2010 11:34:59, error: Service Control Manager [7000]  - The DgiVecp service failed to start due to the following error:  The system cannot find the file specified.

==== End Of File ===========================

DDS (Ver_10-03-17.01) - NTFSx86 
Run by Peter & Lucy at 20:09:18.35 on 06/05/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1014.384 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)   {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\PROGRA~1\ROYALM~1\SMARTS~1\BINARY\STRAY.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb13.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
svchost.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Novosoft\Handy Backup 2.1\nhbwp.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
C:\Program Files\Oakley\SmartBoard32\Smtbrd32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\Peter & Lucy\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Uniblue SpeedUpMyPC]
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Handy Backup] "c:\program files\novosoft\handy backup 2.1\nhbwp.exe" /s
uRun: [Handy Backup 2.1] "c:\program files\novosoft\handy backup 2.1\nhbwp.exe" /s
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [CTSVolFE] "c:\program files\creative\mixer\CTSVolFE.exe" /r
mRun: [OLP-Tray] c:\progra~1\royalm~1\smarts~1\binary\STRAY.EXE
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb13.exe
mRun: [HPHUPD06] c:\program files\hp\{ba2d9411-dbb4-43e4-9421-780413650a67}\hphupd06.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [QuickFinder Scheduler] "c:\program files\corel\wordperfect office x4\programs\QFSCHD140.EXE"
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [ ]
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\peter&~1\startm~1\programs\startup\corelc~1.lnk - c:\program files\corel\wordperfect office 2000\programs\alarm.exe
StartupFolder: c:\docume~1\peter&~1\startm~1\programs\startup\smartb~1.lnk - c:\program files\oakley\smartboard32\Smtbrd32.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Copy to &Lightning Note - c:\program files\corel\wordperfect lightning\programs\WPLightningCopyToNote.hta
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Open with WordPerfect - c:\program files\corel\wordperfect office x4\programs\WPLauncher.hta
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227135666985
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
SEH: Internet Shortcut: {fbf23b40-e3f0-101b-8488-00aa003e56f8} - shdocvw.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\peter&~1\applic~1\mozilla\firefox\profiles\nok3xfmh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.talktalk.co.uk/news/?lpos=topbar-nav&lid=News
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\all users.windows\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-20 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-20 29512]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-20 242896]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-12-22 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 61440]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-13 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-13 308064]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-8-6 133104]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 12872]

=============== Created Last 30 ================


==================== Find3M  ====================

2010-05-04 08:26:06    1682    --sha-w-    c:\docume~1\alluse~1.win\applic~1\KGyGaAvL.sys
2010-04-30 20:15:52    242896    ----a-w-    c:\windows\system32\drivers\avgtdix.sys
2010-04-05 17:38:02    499712    ----a-w-    c:\windows\system32\msvcp71.dll
2010-04-05 17:38:02    348160    ----a-w-    c:\windows\system32\msvcr71.dll
2010-03-13 19:36:05    12464    ----a-w-    c:\windows\system32\avgrsstx.dll
2010-03-13 19:35:55    216200    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2010-03-09 11:09:18    430080    ----a-w-    c:\windows\system32\vbscript.dll
2010-02-19 23:47:50    3604480    ----a-w-    c:\windows\system32\GPhotos.scr
2010-02-17 08:10:28    2189952    ----a-w-    c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04    2066816    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11    100864    ----a-w-    c:\windows\system32\6to4svc.dll

============= FINISH: 20:10:25.26 ===============

Sorry for the delay, I didn't receive an E-mail to say you had replied,

Your logs are showing a very nasty infection called a "Backdoor.bot", this basically means that someone has total access to your machine, so much access infact that they would of been able to see what you was doing on it as if they were sitting in front of it themselfs,
If they had wanted, they had enough control to have even programed your disc drive to pop out every time you pushed it in for say 3 hours, thats how bad it is.

In situations like this it is considered by most if not all security experts including me that the best form of cleanup now is a reformat and reinstall, as this machine can never really be trusted again.

If you would like to go ahead with a clean up then that is fine, but the full extent of the damage can never really be found, and I nor no-one else can ever guarantee that this machine can ever be trusted again.

You need to DISCONNECT THE INFECTED MACHINE FROM THE INTERNET and by this I mean pull the ethernet cable out or if you are wireless then KILL THE WIRELESS CONNECTION and DO NOT USE THIS MACHINE FOR ANYTHING TO DO WITH CHANGINE YOUR PASSWORDS OR VIA THE INTERNET.

The first thing I advise you to do is to call ALL finacial instatutions whos sites you have used on this machine and get a watch put on EVERY bank card, credit card, and any other card whather they be yours, friends or family,

It they were used on this machine then phone the relevent bank and tell them that you may be the victim of identiy fraud

Then you need to get to a machine that is 100% clean and change every password you have,
I would start with changing you email password as If the hacker has your email details then every password you change he will then have access to,
After that you must change every other password you have and this includes:

• Banks
• Paypal
• Social networking sites,(facebook, twitter, ect...
• ebay
• Forums

And every thing else that you have ever entered a password for.

Please read THIS very good artical on how to play safe passwords,
But I cant stress enough that this MUST be done from a clean computer.

After that please read these links:

What Is A Backdoor Trojan?

Danger: Remote Access Trojans

Consumers � Identity Theft

When should I re-format? How should I reinstall?

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Rootkits: The Obscure Hacker Attack

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

Microsoft Says Recovery from Malware Becoming Impossible

However, if you do not have the resources to reformat your computer and reinstall your operating system and programs and would like me to attempt to clean it, I will be happy to do so.

Should you have any questions, please feel free to ask.

K27

Many thanks for the bad news? Do you have any idea how this virus would have gained access - I have AVG  and SuperAntispyware constantly running and updated.

I will do what you advise, reformat and reinstall, then send you a further log to check if all is well. I have disconnected the machine from the internet, changed access to my bank account, and am sending this on another machine (running Windows ME!).

Many thanks again for your help.

Peter Beale

There are many way's for an infection to gain access to a system, the most common are through Peer2Peer file Sharing, there are no signs of it in your logs so unless it was removed before you posted I think you can rule that out, other very common ways for infections to spread are through malicious sites on the internet where you will download a legit looking file that will be bundled with an infection , infections can gain access through attachments in E-mails as well as attachments and add-on's in Instant messanger programs like MSN, AIM and others, Social networking sites are also full of links to malicious sites that are ready to infect you at the click of a button.

In fact, the whole Internet is full of places that are just waiting for someone to come along so they can infect them, 99% of the time an infection can be found and removed from a system without having to reinstall everything, but I'm sorry to say that you were one of the unlucky ones who's system has been compromised in such a way that if can never fully be trusted again until it has been wiped clean and started afresh.

There is a very good tutorial HERE for reformatting and reinstalling your system,

If you have any problems feel free to post back.

Thanks

K27

This topic is Resolved.....

The fixes in this topic were written specifically for this user, following them may cause harm to your machine and render it a brick (useless)

If you are the original poster and would like further assistance please send me a personal message to reopen this thread.

All other user's, please read THIS and then start a New Topic at the top of the Malware Removal Forum by clicking the button.

Regards
K27