Spybot SD won't open



objectivebrianc
2008-07-18, 06:04
I hope I have it right this time; there was a suspicious entry in a previous scan I did. I am curious as to why it didn't show up here.

Log below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:02 PM, on 7/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\SYSTEM32\spider.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Danger Keep Out
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: CallingID LinkAdvisor - {F67BEA7B-70D4-4417-9227-480B35DDD500} - C:\Program Files\CallingID\LinkAdvisor\CIDLinkAdvisor.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://security.norton.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207535090996
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1207536344859
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 8453 bytes

katana
2008-07-22, 17:44
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear".
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe.

----------------------------------------------------------------------------------------


If you still require help, please post a fresh HJT log.




Installed Programs

Please could you give me a list of the programs that are installed.
Start HijackThis.
Click on the Misc Tools button.
Click on the Open Uninstall Manager button.

You will see a list of the programs installed on your computer.
Click on the Save list button and specify where you would like to save this file.
When you press the Save button, a Notepad window will open with the contents of that file.
Simply copy and paste the contents of that Notepad window into your next post.

objectivebrianc
2008-07-23, 04:29
Acrobat.com
Acrobat.com
Active@ KillDisk FREE Suite
Adobe AIR
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 9
Apple Mobile Device Support
Apple Software Update
a-squared Free 3.5
a-squared HiJackFree 3.0
avast! Antivirus
Belarc Advisor 7.2
Bonjour
CA Yahoo! Anti-Spy (remove only)
CallingID Link Advisor
CCleaner (remove only)
CleanUp!
COMODO Firewall Pro
Defraggler (remove only)
Gecko Runtime Environment (1.8.1.13_2008031312)
Google Talk (remove only)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
hp deskjet 640c series
HP Driver Diagnostics
HP Photosmart Essential
ICQ6
ieSpell
Java(TM) 6 Update 7
McAfee SiteAdvisor
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Baseline Security Analyzer 2.1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.1)
MSXML 6.0 Parser (KB933579)
MWSnap 3
MySpaceIM
OpenOffice.org Installer 1.0
QuickTime
Recuva (remove only)
RegAlyzer
Revo Uninstaller 1.71
SeaMonkey (1.1.11)
Secunia PSI (RC3)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Spelling Dictionaries Support For Adobe Reader 9
SpywareBlaster 4.1
SUPERAntiSpyware Free Edition
Update for Windows XP (KB951978)
USB Driver
Windows Defender
Windows Imaging Component
Windows Installer Clean Up
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar

katana
2008-07-23, 11:33
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
Update Malwarebytes' Anti-Malware
and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Please post a fresh HJT log along with the MBAM log in your reply

objectivebrianc
2008-07-23, 20:39
Malwarebytes' Anti-Malware 1.22
Database version: 984
Windows 5.1.2600 Service Pack 3

1:21:43 PM 7/23/2008
mbam-log-7-23-2008 (13-21-43).txt

Scan type: Full Scan (C:\|)
Objects scanned: 93662
Time elapsed: 38 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

katana
2008-07-23, 23:52
Nothing showing there; what problems are you having now?

objectivebrianc
2008-07-26, 00:29
I was led to believe I had problems when I couldn't use Spybot Search and Destroy for over a month, despite the fact I was walked through every procedure.

The link to the location is found here (http://forums.spybot.info/showthread.php?t=29261).

When I ran a previous HijackThis scan, the line below showed up:

"O23 - Service: KXBXSWDLFL - Unknown owner - C:\DOCUME~1\Traveler\LOCALS~1\Temp\KXBXSWDLFL.exe (file missing)".

While subsequent logs did not show that entry, I still find the strange looking service when I open Services.msc, and there is no description of what the service is being used for.

Also, in Internet Explorer, I check "Internet Options", then press the Security tab; when I press the "Restricted zone" it is set at a custom setting and I repeatedly have to set it to default.

Also, in the Control Panel when I press User Accounts, I see a user name of "ASP.NET Machine A".

I am also wondering if it is normal that I cannot turn the Remote Procedure Call service off.

katana
2008-07-26, 08:27
Hmmmm.....

Let's have a deeper look then :)



Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
Please go to this site: ActiveScan (http://www.pandasecurity.com/activescan/index/)

Click the Scan Now button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
When the scan is finished, a report will be generated
Next to Scan Details click the small Save button and save the report to your desktop.
Please post the report in your reply.

objectivebrianc
2008-07-27, 05:37
I was wondering if RootkitRevealer is giving accurate results; the last time I downloaded it was this week, version 1.71.0.0. It shows 2 discrepancies; I took no action. When I attempted to save a log, I could not find the log.

I will post the Active Scan either later tonight or tomorrow.

ComboFix text posted below:

ComboFix 08-07-26.1 - Traveler 2008-07-26 21:29:25.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.114 [GMT -5:00]
Running from: C:\Documents and Settings\Traveler\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf

.
((((((((((((((((((((((((( Files Created from 2008-06-27 to 2008-07-27 )))))))))))))))))))))))))))))))
.

2008-07-24 23:40 . 2008-07-24 23:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData
2008-07-23 19:21 . 2008-07-23 19:21 <DIR> d-------- C:\Documents and Settings\Administrator.CD107036803-1\Application Data\CallingID
2008-07-23 18:55 . 2008-07-23 18:55 <DIR> d-------- C:\Documents and Settings\Administrator.CD107036803-1\Application Data\Malwarebytes
2008-07-23 12:35 . 2008-07-23 12:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-23 12:35 . 2008-07-20 20:21 38,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-07-23 12:35 . 2008-07-20 20:21 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-07-22 21:04 . 2002-04-11 20:21 13,335 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbcm.sys
2008-07-16 13:22 . 2008-07-16 13:22 118,784 --a------ C:\WINDOWS\SeaMonkeyUninstall.exe
2008-07-14 17:34 . 2008-07-14 17:34 <DIR> d-------- C:\Documents and Settings\Pickle\Application Data\Yahoo!
2008-07-14 17:31 . 2008-07-14 17:31 <DIR> d-------- C:\Documents and Settings\Pickle\Application Data\Comodo
2008-07-14 13:06 . 2008-07-14 13:06 <DIR> d-------- C:\Documents and Settings\Traveler\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-07-11 20:45 . 2008-07-11 20:45 <DIR> d-------- C:\Documents and Settings\Janitor\Application Data\Comodo
2008-07-11 20:14 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-07-11 20:04 . 2008-07-11 20:04 <DIR> d-------- C:\Program Files\Recuva
2008-07-11 17:06 . 2008-07-11 17:06 <DIR> d-------- C:\Program Files\COMODO
2008-07-11 17:06 . 2008-07-11 17:06 <DIR> d-------- C:\Documents and Settings\Traveler\Application Data\Comodo
2008-07-11 17:06 . 2008-07-11 17:06 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\comodo
2008-07-11 17:06 . 2008-07-11 17:06 143,104 --a------ C:\WINDOWS\SYSTEM32\guard32.dll
2008-07-11 17:06 . 2008-07-11 17:06 87,056 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cmdguard.sys
2008-07-11 17:06 . 2008-07-11 17:06 24,208 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cmdhlp.sys
2008-07-11 14:43 . 2008-07-11 14:43 <DIR> d-------- C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\SiteAdvisor
2008-06-27 13:34 . 2008-06-27 13:34 <DIR> d-------- C:\Program Files\Safer Networking
2008-06-27 10:46 . 2008-06-27 10:46 <DIR> d-------- C:\Program Files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-16 18:21 118,784 ----a-w C:\WINDOWS\GREUninstall.exe
2008-06-27 00:54 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2008-06-20 22:15 --------- d-----w C:\Program Files\Defraggler
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\SYSTEM32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:51 361,600 ------w C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\SYSTEM32\dllcache\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\SYSTEM32\dllcache\tcpip6.sys
2008-06-19 02:39 --------- d-----w C:\Program Files\Secunia
2008-06-16 08:31 7,808 ----a-w C:\WINDOWS\system32\drivers\psi_mf.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\SYSTEM32\dllcache\bthport.sys
2008-06-13 00:21 --------- d-----w C:\Program Files\SpywareBlaster
2008-05-29 20:10 --------- d-----w C:\Program Files\CA Yahoo! Anti-Spy
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\SYSTEM32\wshext.dll
2008-05-09 10:53 90,112 ------w C:\WINDOWS\SYSTEM32\dllcache\wshext.dll
2008-05-09 10:53 512,000 ------w C:\WINDOWS\SYSTEM32\dllcache\jscript.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\SYSTEM32\vbscript.dll
2008-05-09 10:53 430,080 ------w C:\WINDOWS\SYSTEM32\dllcache\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\SYSTEM32\scrobj.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\SYSTEM32\dllcache\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\SYSTEM32\scrrun.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\SYSTEM32\dllcache\scrrun.dll
2008-05-08 14:02 203,136 ------w C:\WINDOWS\SYSTEM32\dllcache\rmcast.sys
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\SYSTEM32\wscript.exe
2008-05-08 11:24 155,648 ------w C:\WINDOWS\SYSTEM32\dllcache\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\SYSTEM32\cscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\SYSTEM32\dllcache\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\SYSTEM32\dllcache\quartz.dll
2008-04-29 21:07 25,068 ----a-w C:\MGlogs.zip
2000-06-16 17:26 271 --sh--w C:\Program Files\desktop.ini
2000-06-16 17:26 23,357 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-12-04 14:03 36640]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 09:38 78008]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-07-11 17:06 1655552]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"LTMSG"="LTMSG.exe" [2003-07-14 10:52 40960 C:\WINDOWS\ltmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 13:32 8699904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= "C:\Program Files\CallingID\LinkAdvisor\CIDLinkAdvisor.dll" [2007-12-14 20:07 562616]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 09:35]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-07-11 17:06]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-07-11 17:06]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 09:37]
S3 PSI;PSI;C:\WINDOWS\system32\DRIVERS\psi_mf.sys [2008-06-16 03:31]
S4 KXBXSWDLFL;KXBXSWDLFL;C:\DOCUME~1\Traveler\LOCALS~1\Temp\KXBXSWDLFL.exe []

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2008-07-27 C:\WINDOWS\Tasks\MP Scheduled Scan.job - s@!/C:\Program Files\Windows Defender\MpCmdRun.exeScan -RestrictPrivilegesSYSTEMScheduled Scan0 []
2008-06-27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - s!3:C:\Program Files\Apple Software Update\SoftwareUpdate.exe-taskSYSTEM03 []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-CTFMON - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: &ieSpell Options - C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 -: Check &Spelling - C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 -: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 -: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O16 -: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://prerelease.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
C:\WINDOWS\Downloaded Program Files\hcImpl.inf


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-26 21:36:23
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-07-26 21:39:40
ComboFix2.txt 2008-03-13 02:21:28
ComboFix-quarantined-files.txt 2008-07-27 02:39:28

Pre-Run: 31,578,390,528 bytes free
Post-Run: 31,568,822,272 bytes free

156 --- E O F --- 2008-07-25 03:35:03
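
Reading the two service entries for KXBXSWDLFL above (the HijackThis O23 line quoted earlier and the ComboFix S4 line in this log) the way a helper does can be mechanised. The following is an added Python example, not part of this thread or of either tool; the sample lines are constructed from entries quoted in the thread, and the ComboFix line layout `<R|S><start> name;display;path [timestamp]` and the random-name heuristic are assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input. Lines 1 and 4 are the KXBXSWDLFL entries quoted in
# this thread (HijackThis O23 and ComboFix service line); the rest are benign
# entries from the same logs, included for contrast.
SAMPLE_LINES = [
    r"O23 - Service: KXBXSWDLFL - Unknown owner - C:\DOCUME~1\Traveler\LOCALS~1\Temp\KXBXSWDLFL.exe (file missing)",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe",
    r"S4 KXBXSWDLFL;KXBXSWDLFL;C:\DOCUME~1\Traveler\LOCALS~1\Temp\KXBXSWDLFL.exe []",
    r"R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 09:35]",
]

# HijackThis O23 line: "O23 - Service: <display name> - <owner> - <path> [(file missing)]"
HJT_O23 = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# ComboFix driver/service line (layout assumed here): "<R|S><start> name;display;path [timestamp]".
# R = running, S = stopped; the digit is the Windows service Start value (4 = disabled).
# An empty "[]" is read as ComboFix having found no file to timestamp.
CF_SVC = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$"
)


@dataclass
class Finding:
    source: str            # "hjt" or "combofix"
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)


def in_temp_dir(path: str) -> bool:
    """True if any directory component of a Windows path is a Temp/Tmp folder
    (covers both 'Local Settings\\Temp' and its 8.3 alias 'LOCALS~1\\Temp')."""
    parts = [p.lower() for p in path.split("\\")[:-1]]
    return any(p in ("temp", "tmp") for p in parts)


def looks_random(name: str) -> bool:
    """Heuristic (assumption): 8+ letters with almost no vowels reads as
    machine-generated (KXBXSWDLFL has none); product names are pronounceable."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 8:
        return False
    vowels = sum(c.lower() in "aeiouy" for c in letters)
    return vowels / len(letters) < 0.15


def triage_line(line: str) -> Optional[Finding]:
    """Parse one HJT O23 or ComboFix service line and attach the reasons a
    helper would flag it for. Returns None for lines of any other kind."""
    m = HJT_O23.match(line)
    if m:
        f = Finding("hjt", m["name"], m["path"])
        if m["missing"]:
            f.reasons.append("binary missing on disk")
        if m["owner"] == "Unknown owner":
            f.reasons.append("no vendor/owner recorded")
    else:
        m = CF_SVC.match(line)
        if not m:
            return None
        f = Finding("combofix", m["name"], m["path"])
        if m["stamp"] == "":
            f.reasons.append("binary missing on disk (no timestamp)")
    if in_temp_dir(f.path):
        f.reasons.append("binary located in a Temp directory")
    if looks_random(f.name):
        f.reasons.append("random-looking service name")
    return f


def suspicious(lines, min_reasons: int = 2) -> List[Finding]:
    """Keep only entries with at least min_reasons indicators; a single weak
    indicator such as 'Unknown owner' (SiteAdvisor above) is not enough."""
    out = []
    for line in lines:
        f = triage_line(line.strip())
        if f and len(f.reasons) >= min_reasons:
            out.append(f)
    return out


if __name__ == "__main__":
    for f in suspicious(SAMPLE_LINES):
        print(f"[{f.source}] {f.name}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against a full HijackThis or ComboFix log, the script surfaces exactly the two KXBXSWDLFL entries and stays quiet on vendor-signed services, which is why the helper's "(file missing)" entry in a Temp folder stood out while the rest of the log did not.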

objectivebrianc
2008-07-27, 08:27
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-07-27 01:14:00
PROTECTIONS: 1
MALWARE: 2
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Windows Defender 1.1.3704.0 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00099295 Application/KillApp.C HackTools No 0 Yes No C:\HP\bin\KillWind.exe
00099297 HackTool/ProcLog.A HackTools No 0 Yes No C:\HP\bin\ProcessLogger.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location *X
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description *X
;===================================================================================================================================================================================
;===================================================================================================================================================================================

katana
2008-07-27, 10:59
There is nothing showing there that would cause problems :sad:


PLEASE NOTE:
These tools may produce very big logs; if they are too long to post, then please do the following:
Create a folder on your desktop and put all the logs into it.
Right-click the folder and select Send to >> Compressed folder, then attach the compressed (.zip) folder to your reply.

Please Download GMER to your desktop

Please create a folder in the Program Files folder called GMER.

Download GMER (http://www.majorgeeks.com/GMER_d5198.html) and extract it to the C:\program files\GMER folder you have just made.

Run GMER by double-clicking the executable file gmer.exe.
You may be prompted to scan immediately if GMER detects rootkit activity.

If you are prompted to scan your system click "yes" to begin the scan.
If you are not prompted, Click the "Rootkit" tab, then click "Scan".


DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

At the end of the scan, click "Copy" to copy the scan results to the clipboard. Save the log as Gmer.txt on your desktop.


GetSystemInfo

Please download GetSystemInfo from HERE (ftp://ftp.kaspersky.ru/utils/getsysteminfo/GetSystemInfo.exe)
Double-click GetSystemInfo.exe.
It will ask you where to save the report; please save it to your desktop or somewhere that you can find it easily.
It will display its progress on your screen; when the box disappears it has finished.


Logs/Information to Post in Reply
Please post the following logs/Information in your reply

GMER Log
GetSystemInfo Log

objectivebrianc
2008-07-27, 22:23
I received a message that said what is posted below when I tried to upload the files.

Safer Networking.zip:
Your file of 290.6 KB bytes exceeds the forum's limit of 97.7 KB for this filetype.

katana
2008-07-28, 09:12
Did you get my PM?

objectivebrianc
2008-07-29, 00:57
Yes got PM, will take care of it within an hour. Thank you.

katana
2008-07-29, 09:20
Thanks, I've got them now.

There is nothing showing in the GMER log, but please be patient while I look at the GSI log.

Buster
2008-07-30, 16:19
What exactly happens if you try to start Spybot? Do you get any sign of Spybot starting up? Does it appear in the process list of Task Manager? There is a hidden copy of the Spybotsd.exe located in the Spybot program folder (should be a random name with the same size as the spybotsd.exe, something like ABCDEFGHI.scr). Just set Windows to display hidden and system files via the folder options and please try to run this "screensaver".

objectivebrianc
2008-07-31, 03:14
The error said:

Spybot - Search & Destroy has encountered a problem and needs to close. We are sorry for the inconvenience. If you were in the middle of something, the information you were working on has been lost. Please tell Microsoft about this problem. We have created an error report that you can send to us. We will treat this report as confidential and anonymous.



What exactly happens if you try to start Spybot? Do you get any sign of Spybot starting up? Does it appear in the process list of Task Manager? There is a hidden copy of the Spybotsd.exe located in the Spybot program folder (should be a random name with the same size as the spybotsd.exe, something like ABCDEFGHI.scr). Just set Windows to display hidden and system files via the folder options and please try to run this "screensaver".

I don't recall checking if Spybot appeared in the process list. At this time Spybot SD is uninstalled. To proceed with instructions I would need to install it. Would that be advisable?

katana
2008-07-31, 10:06
To proceed with instructions I would need to install it. Would that be advisable?

There is no malware that would be causing this problem, so the Spybot team will need as much info as they can get to try and find the reason.
The only way to do this would be by reinstalling.

objectivebrianc
2008-08-02, 07:04
What exactly happens if you try to start Spybot? Do you get any sign of Spybot starting up? Does it appear in the process list of Task Manager? There is a hidden copy of the Spybotsd.exe located in the Spybot program folder (should be a random name with the same size as the spybotsd.exe, something like ABCDEFGHI.scr). Just set Windows to display hidden and system files via the folder options and please try to run this "screensaver".

When opening Spybot, a small object appears momentarily, then disappears; in the process list, too, Spybot appears, then disappears. When I run the screensaver I get the same crash message I got when attempting to open Spybot.