Search engine re-direct



JR545
2010-02-28, 19:44
Before I begin, I'd like to thank those who help with these issues.
My wife used this forum some time ago to remedy an infection on her laptop and the folks here were top notch.

I have contracted some sort of virus/malware that re-directs to unrelated pages when I click on the search results. I also get pop ups from time to time which I've never really experienced before. I've run malwarebytes and spybot as well as several machine scans with avg and avast. Nothing comes up besides the usual cookies.

I read the tutorial before posting and have made the asked for back ups.

HJT report:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 10:42:40 AM, on 2/28/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ksl.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.powdervalleyinc.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://kaseya.oscr.net/inc/kaxRemote.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DD5E6739-FDD6-4542-8940-4A4B8AB5276E} (NGVPLaunch Class) - https://office.hjcpafirm.com/NGVPNTunnel.cab
O20 - AppInit_DLLs: c:\program,files\relevantknowledge\rlai.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6874 bytes

km2357
2010-03-02, 21:13
Hello and welcome to Safer Networking.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please post a fresh HiJackThis Log

JR545
2010-03-03, 02:56
I understand it's busy, I appreciate your help.
Fresh HJT:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 5:54:10 PM, on 3/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ksl.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.powdervalleyinc.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://kaseya.oscr.net/inc/kaxRemote.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DD5E6739-FDD6-4542-8940-4A4B8AB5276E} (NGVPLaunch Class) - https://office.hjcpafirm.com/NGVPNTunnel.cab
O20 - AppInit_DLLs: c:\program,files\relevantknowledge\rlai.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6823 bytes

km2357
2010-03-03, 07:11
Step # 1: Remove Hijackthis Entries


Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):


O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)


Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.


Step # 2: Download and run DDS

Download DDS and save it to your desktop from here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.



Step # 3: Download and Run Gmer

Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.

GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.
Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply.


In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post.

JR545
2010-03-04, 02:34
DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 7/18/2007 4:09:06 PM
System Uptime: 3/2/2010 5:01:55 PM (11 hours ago)

Motherboard: Dell Computer Corporation | | 0T1957
Processor: Intel(R) Pentium(R) M processor 1.70GHz | Microprocessor | 594/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 37 GiB total, 23.538 GiB free.
D: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP517: 1/21/2010 5:33:54 AM - Software Distribution Service 3.0
RP518: 1/22/2010 4:15:18 AM - Software Distribution Service 3.0
RP519: 1/24/2010 4:26:49 AM - Software Distribution Service 3.0
RP520: 1/25/2010 3:00:42 AM - Software Distribution Service 3.0
RP521: 1/26/2010 5:48:51 AM - Software Distribution Service 3.0
RP522: 1/27/2010 5:06:56 AM - Software Distribution Service 3.0
RP523: 1/28/2010 5:28:34 AM - Software Distribution Service 3.0
RP524: 1/29/2010 6:03:24 AM - Software Distribution Service 3.0
RP525: 1/30/2010 4:14:26 AM - Software Distribution Service 3.0
RP526: 1/31/2010 6:27:42 AM - Software Distribution Service 3.0
RP527: 2/1/2010 4:11:53 AM - Software Distribution Service 3.0
RP528: 2/2/2010 5:12:58 AM - Software Distribution Service 3.0
RP529: 2/2/2010 6:59:21 PM - Avg8 Update
RP530: 2/3/2010 4:57:10 AM - Software Distribution Service 3.0
RP531: 2/4/2010 5:16:03 AM - Software Distribution Service 3.0
RP532: 2/5/2010 5:07:26 AM - Software Distribution Service 3.0
RP533: 2/6/2010 5:30:16 AM - Software Distribution Service 3.0
RP534: 2/7/2010 6:17:29 AM - Software Distribution Service 3.0
RP535: 2/7/2010 11:53:22 AM - Software Distribution Service 3.0
RP536: 2/8/2010 5:40:22 AM - Software Distribution Service 3.0
RP537: 2/9/2010 5:21:01 AM - Software Distribution Service 3.0
RP538: 2/22/2010 5:23:40 AM - Software Distribution Service 3.0
RP539: 2/22/2010 5:38:58 PM - Installed AVG Free 9.0
RP540: 2/23/2010 5:06:04 AM - Software Distribution Service 3.0
RP541: 2/23/2010 5:59:35 PM - Avg8 Update
RP542: 2/24/2010 5:22:56 AM - Software Distribution Service 3.0
RP543: 2/24/2010 7:28:35 PM - Installed Java(TM) 6 Update 18
RP544: 2/24/2010 8:02:12 PM - Removed Windows Live Favorites for Windows Live Toolbar
RP545: 2/24/2010 8:03:16 PM - Removed Windows Live Toolbar
RP546: 2/24/2010 8:04:46 PM - Removed Picture Package Music Transfer
RP547: 2/24/2010 8:06:39 PM - Removed Microsoft SQL Server 2005 Express Edition
RP548: 2/24/2010 8:08:53 PM - Removed Microsoft SQL Server Setup Support Files (English)
RP549: 2/25/2010 4:51:01 AM - Software Distribution Service 3.0
RP550: 2/25/2010 5:43:35 AM - Installed Windows XP KB978207.
RP551: 2/25/2010 6:34:52 AM - Installed SUPERAntiSpyware Free Edition
RP552: 2/27/2010 5:49:54 AM - Installed HiJackThis
RP553: 2/27/2010 8:27:43 AM - Removed Olympus Digital Wave Player
RP554: 2/27/2010 9:30:32 AM - avast! Free Antivirus Setup
RP555: 2/27/2010 9:35:53 AM - Removed AVG Free 9.0
RP556: 2/27/2010 9:38:13 AM - Installed AVG Free 9.0
RP557: 2/28/2010 9:57:15 AM - System Checkpoint

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Reader 8.2.1
avast! Free Antivirus
Broadcom Gigabit Integrated Controller
C-Major Audio
CardBus
Conexant D480 MDC V.92 Modem
Critical Update for Windows Media Player 11 (KB959772)
EPSON Printer Software
ERUNT 1.1j
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Java Auto Updater
Java(TM) 6 Update 18
Malwarebytes' Anti-Malware
Messenger
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Search Enhancement Pack
Microsoft SQL Server Native Client
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mobile Broadband Drivers
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB954459)
msxml4 sp2
NeatReceipts Professional 3.0 Core Files
NVIDIA Drivers
OGA Notifier 2.0.0048.0
PCI 7510 CardBus Controller with SmartCard and Software
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Sony USB Driver
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
SupportSoft Assisted Service
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

2/28/2010 7:34:41 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
2/28/2010 7:34:40 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 000E35B32924. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
2/27/2010 8:36:21 AM, error: Service Control Manager [7000] - The F-Secure BlackLight Engine Driver service failed to start due to the following error: A device attached to the system is not functioning.
2/27/2010 7:08:32 AM, error: Service Control Manager [7034] - The SQL Server VSS Writer service terminated unexpectedly. It has done this 1 time(s).
2/27/2010 7:08:32 AM, error: Service Control Manager [7022] - The SQL Server VSS Writer service hung on starting.
2/24/2010 5:31:30 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Microsoft SQL Server 2005 Express Edition Service Pack 3 (KB955706).

==== End Of File ===========================
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mobile Broadband Drivers
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB954459)
msxml4 sp2
NeatReceipts Professional 3.0 Core Files
NVIDIA Drivers
OGA Notifier 2.0.0048.0
PCI 7510 CardBus Controller with SmartCard and Software
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Sony USB Driver
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
SupportSoft Assisted Service
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

2/28/2010 7:34:41 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
2/28/2010 7:34:40 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 000E35B32924. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
2/27/2010 8:36:21 AM, error: Service Control Manager [7000] - The F-Secure BlackLight Engine Driver service failed to start due to the following error: A device attached to the system is not functioning.
2/27/2010 7:08:32 AM, error: Service Control Manager [7034] - The SQL Server VSS Writer service terminated unexpectedly. It has done this 1 time(s).
2/27/2010 7:08:32 AM, error: Service Control Manager [7022] - The SQL Server VSS Writer service hung on starting.
2/24/2010 5:31:30 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Microsoft SQL Server 2005 Express Edition Service Pack 3 (KB955706).

==== End Of File ===========================
_________________________________________________________________

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-03 06:20:45
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pwtdqpog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF48E1C5A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF48E1B16]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xF48E20CA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF48E1FF4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF48E16EC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF48E1BF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF48E162C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF48E1690]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF48E1D10]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xF48E2198]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF48E1CD0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF48E1E50]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF49F3320]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xF48EE4FE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xF48EE322]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xF48EE45C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ObInsertObject 8056503A 5 Bytes JMP F48EB972 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!NtCreateSection 805652B3 3 Bytes JMP F48EE326 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!NtCreateSection + 4 805652B7 3 Bytes [74, CC, CC] {JZ 0xffffffffffffffce; INT 3 }
PAGE ntoskrnl.exe!ZwCreateProcessEx 80581030 7 Bytes JMP F48EE502 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 8059F85E 5 Bytes JMP F48EA4BA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwLoadDriver 805A3B01 7 Bytes JMP F48EE460 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF7490780]
init C:\WINDOWS\system32\drivers\tiumflt.sys entry point in "init" section [0xF7A35D00]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6E7C360, 0x1DF4AD, 0xE8000020]
init C:\WINDOWS\system32\DRIVERS\gticard.sys entry point in "init" section [0xF6E40B20]
init C:\WINDOWS\system32\drivers\tiumfwl.sys entry point in "init" section [0xF78534C0]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7483B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort0 [F7483B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [F7483B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F7483B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Fastfat \Fat B596AD20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

km2357
2010-03-04, 05:31
You posted DDS' Attach.txt twice. I need to see the main DDS log (DDS.txt).

Thanks. :)

JR545
2010-03-04, 12:10
Sorry about that, my attention was divided (kids).

DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 4:43:31.73 on Wed 03/03/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.586 [GMT -7:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ksl.com/
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [Dell Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: powdervalleyinc.com\www
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} - hxxp://kaseya.oscr.net/inc/kaxRemote.dll
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DD5E6739-FDD6-4542-8940-4A4B8AB5276E} - hxxps://office.hjcpafirm.com/NGVPNTunnel.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\program,files\relevantknowledge\rlai.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2007-11-7 17792]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-2-27 162512]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-2-27 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-27 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-27 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-27 40384]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2003-10-23 76160]
R3 NGSSLDrv;VPN Tunnel NGSSLDrv Adapter;c:\windows\system32\drivers\NGSSLDrv.sys [2007-5-10 17632]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

=============== Created Last 30 ================

2010-02-27 16:30:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-02-27 12:49:58 0 d-----w- c:\program files\TrendMicro
2010-02-25 13:37:08 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-25 13:34:54 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-25 13:34:54 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-02-25 13:33:58 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-25 02:39:36 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-02-25 02:29:05 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-02-25 02:29:05 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-08 23:00:25 0 d-----w- c:\docume~1\admini~1\applic~1\Office Genuine Advantage

==================== Find3M ====================

2010-03-03 00:51:01 105669 ----a-w- c:\windows\system32\nvModes.dat
2010-01-07 23:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-02-18 00:30:48 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009021720090218\index.dat

============= FINISH: 4:44:29.54 ===============

km2357
2010-03-04, 21:06
Please disable avast! Antivirus as it may interfere with the fixes. Remember to re-enable it before posting the logs.

* Right click on avast! Antivirus icon near the clock and select Stop On-Access Protection.
* Right click on this icon again and select Program Settings.
* On the left, click on Troubleshooting.
* Uncheck (untick) this box - Disable avast! self-defense module.
* Click OK to apply the settings.


Step # 1: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.

JR545
2010-03-06, 04:46
ComboFix 10-03-05.01 - Administrator 03/05/2010 19:01:20.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.544 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\EventSystem.log
c:\windows\system32\twain_32.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-06 to 2010-03-06 )))))))))))))))))))))))))))))))
.

2010-02-27 16:31 . 2010-02-11 18:42 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-27 16:31 . 2010-02-11 18:38 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-27 16:31 . 2010-02-11 18:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-27 16:31 . 2010-02-11 18:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-27 16:31 . 2010-02-11 18:38 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-27 16:31 . 2010-02-11 18:38 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-27 16:31 . 2010-02-11 18:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-27 16:30 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-27 16:30 . 2010-02-11 18:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-27 16:30 . 2010-02-27 16:30 -------- d-----w- c:\program files\Alwil Software
2010-02-27 16:30 . 2010-02-27 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-27 14:38 . 2010-02-27 14:38 -------- d-----w- c:\program files\ERUNT
2010-02-27 12:50 . 2010-02-27 12:50 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-27 12:49 . 2010-02-27 12:49 -------- d-----w- c:\program files\TrendMicro
2010-02-25 13:37 . 2010-02-25 13:37 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-25 13:37 . 2010-03-05 09:52 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-25 13:37 . 2010-02-25 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-25 13:34 . 2010-02-25 13:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-25 13:34 . 2010-02-25 13:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-02-25 13:33 . 2010-02-25 13:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-25 02:39 . 2010-02-25 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-02-25 02:30 . 2010-02-25 02:30 -------- d-----w- c:\windows\Sun
2010-02-25 02:29 . 2010-02-25 02:29 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4e6c859f-n\msvcp71.dll
2010-02-25 02:29 . 2010-02-25 02:29 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4e6c859f-n\msvcr71.dll
2010-02-25 02:29 . 2010-02-25 02:29 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4e6c859f-n\jmc.dll
2010-02-25 02:29 . 2010-02-25 02:29 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6c9959bf-n\decora-sse.dll
2010-02-25 02:29 . 2010-02-25 02:29 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6c9959bf-n\decora-d3d.dll
2010-02-25 02:29 . 2010-02-25 02:29 -------- d-----w- c:\program files\Common Files\Java
2010-02-25 02:29 . 2010-02-25 02:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 02:28 . 2010-02-25 02:28 -------- d-----w- c:\program files\Java
2010-02-19 01:08 . 2010-02-19 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-02-08 23:00 . 2010-02-08 23:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 02:32 . 2007-07-18 23:36 105669 ----a-w- c:\windows\system32\nvModes.dat
2010-02-27 15:28 . 2008-04-06 15:43 -------- d-----w- c:\program files\Olympus
2010-02-27 15:28 . 2007-07-18 23:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-25 03:12 . 2008-02-17 20:20 -------- d-----w- c:\program files\NeatReceipts Professional
2010-02-25 03:12 . 2008-02-17 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\NeatReceipts Professional
2010-02-25 03:11 . 2008-02-17 20:24 -------- d-----w- c:\program files\Common Files\NeatReceipts
2010-02-25 03:07 . 2007-08-02 15:10 -------- d-----w- c:\program files\Microsoft.NET
2010-02-25 03:04 . 2008-02-06 00:10 -------- d-----w- c:\program files\Sony
2010-02-25 03:04 . 2009-01-29 02:00 -------- d-----w- c:\program files\Windows Live Toolbar
2010-02-23 00:39 . 2008-08-02 00:44 -------- d-----w- c:\program files\AVG
2010-02-22 01:37 . 2009-07-21 11:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-19 03:01 . 2007-08-02 15:21 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-07 23:07 . 2009-07-21 11:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07 . 2009-07-21 11:55 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2007-07-18 22:01 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-07 7118848]
"nwiz"="nwiz.exe" [2005-07-07 1519616]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [11/7/2007 12:00 PM 17792]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/27/2010 9:31 AM 162512]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/27/2010 9:31 AM 19024]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [10/23/2003 4:04 PM 76160]
R3 NGSSLDrv;VPN Tunnel NGSSLDrv Adapter;c:\windows\system32\drivers\NGSSLDrv.sys [5/10/2007 1:54 PM 17632]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PWTDQPOG
*Deregistered* - pwtdqpog
.
Contents of the 'Scheduled Tasks' folder

2010-02-28 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ksl.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
Trusted Zone: powdervalleyinc.com\www
DPF: {DD5E6739-FDD6-4542-8940-4A4B8AB5276E} - hxxps://office.hjcpafirm.com/NGVPNTunnel.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
Notify-NavLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-05 19:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x86F028C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7593f28
\Driver\ACPI -> ACPI.sys @ 0xf74e6cb8
\Driver\atapi -> atapi.sys @ 0xf7483b3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel(R) PRO/Wireless 2200BG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf738cbb0
PacketIndicateHandler -> NDIS.sys @ 0xf7399a21
SendHandler -> NDIS.sys @ 0xf737787b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-03-05 19:16:03
ComboFix-quarantined-files.txt 2010-03-06 02:15

Pre-Run: 25,163,649,024 bytes free
Post-Run: 25,227,874,304 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - E64DE850117CAB2E4302E4F353F1559A

km2357
2010-03-06, 19:54
Please run the following:

Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.

Extract TDSSKiller.exe to your Desktop.

Run TDSSKiller.exe. You may be prompted to restart your machine. Type Y at the prompt.

Once complete, a log will be produced at root. It will be named UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_27.1.2010_15.31.43_log.txt.

If TDSSKiller does not reboot your computer, please reboot it.



Once your computer has booted back up, do the following:

Step # 1: Run Batchfile

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the codebox to Notepad. Save it as "All Files" and name it mbrlog.bat. Please save it on your desktop.


@echo off
mbr.exe -t
start mbr.log
del %0

Double click mbrlog.bat. A window will open and close. This is normal.


In your next post/reply, I need to see the following:

1. TDSSKiller Log
2. The results/log from mbrlog.bat

JR545
2010-03-07, 01:50
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys tsk1B.tmp hal.dll intelide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK


------------------------------------------------------------------------

16:34:16:930 2828 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
16:34:16:930 2828 ================================================================================
16:34:16:930 2828 SystemInfo:

16:34:16:930 2828 OS Version: 5.1.2600 ServicePack: 3.0
16:34:16:930 2828 Product type: Workstation
16:34:16:940 2828 ComputerName: BRENDA
16:34:16:940 2828 UserName: Administrator
16:34:16:940 2828 Windows directory: C:\WINDOWS
16:34:16:940 2828 Processor architecture: Intel x86
16:34:16:940 2828 Number of processors: 1
16:34:16:940 2828 Page size: 0x1000
16:34:16:940 2828 Boot type: Normal boot
16:34:16:940 2828 ================================================================================
16:34:16:971 2828 UnloadDriverW: NtUnloadDriver error 2
16:34:16:971 2828 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
16:34:17:121 2828 Initialize success
16:34:17:121 2828
16:34:17:121 2828 Scanning Services ...
16:34:17:131 2828 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
16:34:17:131 2828 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:34:17:131 2828 wfopen_ex: Trying to KLMD file open
16:34:17:131 2828 wfopen_ex: File opened ok (Flags 2)
16:34:17:131 2828 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
16:34:17:131 2828 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:34:17:131 2828 wfopen_ex: Trying to KLMD file open
16:34:17:131 2828 wfopen_ex: File opened ok (Flags 2)
16:34:17:672 2828 GetAdvancedServicesInfo: Raw services enum returned 341 services
16:34:17:682 2828 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
16:34:17:682 2828 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
16:34:17:682 2828
16:34:17:692 2828 Scanning Kernel memory ...
16:34:17:692 2828 Devices to scan: 3
16:34:17:692 2828
16:34:17:692 2828 Driver Name: Disk
16:34:17:692 2828 IRP_MJ_CREATE : F7595BB0
16:34:17:692 2828 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
16:34:17:692 2828 IRP_MJ_CLOSE : F7595BB0
16:34:17:692 2828 IRP_MJ_READ : F758FD1F
16:34:17:692 2828 IRP_MJ_WRITE : F758FD1F
16:34:17:692 2828 IRP_MJ_QUERY_INFORMATION : 804FA87E
16:34:17:692 2828 IRP_MJ_SET_INFORMATION : 804FA87E
16:34:17:692 2828 IRP_MJ_QUERY_EA : 804FA87E
16:34:17:692 2828 IRP_MJ_SET_EA : 804FA87E
16:34:17:692 2828 IRP_MJ_FLUSH_BUFFERS : F75902E2
16:34:17:692 2828 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
16:34:17:692 2828 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
16:34:17:692 2828 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
16:34:17:692 2828 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
16:34:17:692 2828 IRP_MJ_DEVICE_CONTROL : F75903BB
16:34:17:692 2828 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7593F28
16:34:17:692 2828 IRP_MJ_SHUTDOWN : F75902E2
16:34:17:692 2828 IRP_MJ_LOCK_CONTROL : 804FA87E
16:34:17:692 2828 IRP_MJ_CLEANUP : 804FA87E
16:34:17:692 2828 IRP_MJ_CREATE_MAILSLOT : 804FA87E
16:34:17:692 2828 IRP_MJ_QUERY_SECURITY : 804FA87E
16:34:17:692 2828 IRP_MJ_SET_SECURITY : 804FA87E
16:34:17:692 2828 IRP_MJ_POWER : F7591C82
16:34:17:692 2828 IRP_MJ_SYSTEM_CONTROL : F759699E
16:34:17:692 2828 IRP_MJ_DEVICE_CHANGE : 804FA87E
16:34:17:692 2828 IRP_MJ_QUERY_QUOTA : 804FA87E
16:34:17:692 2828 IRP_MJ_SET_QUOTA : 804FA87E
16:34:17:722 2828 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
16:34:17:722 2828 sion
16:34:17:742 2828 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:34:17:742 2828
16:34:17:742 2828 Driver Name: Disk
16:34:17:742 2828 IRP_MJ_CREATE : F7595BB0
16:34:17:742 2828 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
16:34:17:742 2828 IRP_MJ_CLOSE : F7595BB0
16:34:17:742 2828 IRP_MJ_READ : F758FD1F
16:34:17:742 2828 IRP_MJ_WRITE : F758FD1F
16:34:17:742 2828 IRP_MJ_QUERY_INFORMATION : 804FA87E
16:34:17:742 2828 IRP_MJ_SET_INFORMATION : 804FA87E
16:34:17:742 2828 IRP_MJ_QUERY_EA : 804FA87E
16:34:17:742 2828 IRP_MJ_SET_EA : 804FA87E
16:34:17:742 2828 IRP_MJ_FLUSH_BUFFERS : F75902E2
16:34:17:742 2828 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
16:34:17:742 2828 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
16:34:17:742 2828 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
16:34:17:742 2828 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
16:34:17:742 2828 IRP_MJ_DEVICE_CONTROL : F75903BB
16:34:17:742 2828 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7593F28
16:34:17:742 2828 IRP_MJ_SHUTDOWN : F75902E2
16:34:17:742 2828 IRP_MJ_LOCK_CONTROL : 804FA87E
16:34:17:742 2828 IRP_MJ_CLEANUP : 804FA87E
16:34:17:742 2828 IRP_MJ_CREATE_MAILSLOT : 804FA87E
16:34:17:742 2828 IRP_MJ_QUERY_SECURITY : 804FA87E
16:34:17:742 2828 IRP_MJ_SET_SECURITY : 804FA87E
16:34:17:742 2828 IRP_MJ_POWER : F7591C82
16:34:17:742 2828 IRP_MJ_SYSTEM_CONTROL : F759699E
16:34:17:742 2828 IRP_MJ_DEVICE_CHANGE : 804FA87E
16:34:17:742 2828 IRP_MJ_QUERY_QUOTA : 804FA87E
16:34:17:742 2828 IRP_MJ_SET_QUOTA : 804FA87E
16:34:17:752 2828 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
16:34:17:752 2828 sion
16:34:17:752 2828 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:34:17:752 2828
16:34:17:752 2828 Driver Name: atapi
16:34:17:752 2828 IRP_MJ_CREATE : F7483B3A
16:34:17:752 2828 IRP_MJ_CREATE_NAMED_PIPE : F7483B3A
16:34:17:752 2828 IRP_MJ_CLOSE : F7483B3A
16:34:17:752 2828 IRP_MJ_READ : F7483B3A
16:34:17:752 2828 IRP_MJ_WRITE : F7483B3A
16:34:17:752 2828 IRP_MJ_QUERY_INFORMATION : F7483B3A
16:34:17:752 2828 IRP_MJ_SET_INFORMATION : F7483B3A
16:34:17:752 2828 IRP_MJ_QUERY_EA : F7483B3A
16:34:17:752 2828 IRP_MJ_SET_EA : F7483B3A
16:34:17:752 2828 IRP_MJ_FLUSH_BUFFERS : F7483B3A
16:34:17:752 2828 IRP_MJ_QUERY_VOLUME_INFORMATION : F7483B3A
16:34:17:752 2828 IRP_MJ_SET_VOLUME_INFORMATION : F7483B3A
16:34:17:752 2828 IRP_MJ_DIRECTORY_CONTROL : F7483B3A
16:34:17:752 2828 IRP_MJ_FILE_SYSTEM_CONTROL : F7483B3A
16:34:17:752 2828 IRP_MJ_DEVICE_CONTROL : F7483B3A
16:34:17:752 2828 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7483B3A
16:34:17:752 2828 IRP_MJ_SHUTDOWN : F7483B3A
16:34:17:752 2828 IRP_MJ_LOCK_CONTROL : F7483B3A
16:34:17:752 2828 IRP_MJ_CLEANUP : F7483B3A
16:34:17:752 2828 IRP_MJ_CREATE_MAILSLOT : F7483B3A
16:34:17:752 2828 IRP_MJ_QUERY_SECURITY : F7483B3A
16:34:17:752 2828 IRP_MJ_SET_SECURITY : F7483B3A
16:34:17:752 2828 IRP_MJ_POWER : F7483B3A
16:34:17:752 2828 IRP_MJ_SYSTEM_CONTROL : F7483B3A
16:34:17:752 2828 IRP_MJ_DEVICE_CHANGE : F7483B3A
16:34:17:752 2828 IRP_MJ_QUERY_QUOTA : F7483B3A
16:34:17:752 2828 IRP_MJ_SET_QUOTA : F7483B3A
16:34:17:782 2828 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
16:34:17:782 2828 TDL3_IrpHookDetect: New IrpHandler addr: 86F848C8
16:34:17:782 2828 ihd: 10, FFDF0308, 510, 134, 3, 120, 0
16:34:17:782 2828 Driver "atapi" Irp handler infected by TDSS rootkit ... 16:34:17:782 2828 cured
16:34:17:782 2828 siohd: 0
16:34:17:782 2828 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
16:34:17:782 2828 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 16:34:17:782 2828 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
16:34:17:782 2828 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
16:34:18:082 2828 vfvi6
16:34:18:262 2828 !dsvbh1
16:34:20:606 2828 dsvbh2
16:34:20:606 2828 fdfb2
16:34:20:606 2828 Backup copy found, using it..
16:34:20:656 2828 will be cured on next reboot
16:34:20:656 2828 Reboot required for cure complete..
16:34:20:666 2828 Cure on reboot scheduled successfully
16:34:20:666 2828
16:34:20:666 2828 Completed
16:34:20:666 2828
16:34:20:666 2828 Results:
16:34:20:666 2828 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
16:34:20:666 2828 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:34:20:666 2828 File objects infected / cured / cured on reboot: 1 / 0 / 1
16:34:20:666 2828
16:34:20:666 2828 UnloadDriverW: NtUnloadDriver error 1
16:34:20:666 2828 KLMD_Unload: UnloadDriverW(klmd21) error 1
16:34:20:666 2828 KLMD(ARK) unloaded successfully
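
The log above is the kind of output a helper reads by hand: per-driver "Verdict" lines, the IRP-hook detection on atapi, and the infected / cured / cured-on-reboot counters at the end. The script below is an added example, not part of this thread or of TDSSKiller, showing how to pick TDSSKiller logs out of a folder listing by the naming scheme described earlier (UtilityName.Version_Date_Time_log.txt) and summarize one log into a small report that says whether follow-up is still needed. All function and variable names are this example's own, and the sample lines are constructed from the log posted above.

```python
import re

# Added example: a small triage parser for TDSSKiller logs of the kind posted
# above. Function and variable names here are this example's own, not part of
# TDSSKiller. The sample lines are constructed from the log in the thread.

# Every TDSSKiller log line starts with "HH:MM:SS:mmm <pid> " and then the message.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3}) (\d+) (.*)$")
# Per-driver verdict lines: "<path> - Verdict: Clean|Infected"
VERDICT_RE = re.compile(r"^(?P<path>.+?) - Verdict: (?P<verdict>\w+)$")
# Summary counters at the end of the log.
RESULTS_RE = re.compile(
    r"^(?P<kind>Memory|Registry|File) objects infected / cured / cured on reboot: "
    r"(?P<infected>\d+) / (?P<cured>\d+) / (?P<on_reboot>\d+)$"
)
# In-memory hook detections: Driver "atapi" Irp handler infected by TDSS rootkit ...
IRP_HOOK_RE = re.compile(r'^Driver "(?P<name>[^"]+)" Irp handler infected')
# File name pattern from the instructions: UtilityName.Version_Date_Time_log.txt
LOGNAME_RE = re.compile(
    r"^TDSSKiller\.[\d.]+_\d{1,2}\.\d{1,2}\.\d{4}_\d{2}\.\d{2}\.\d{2}_log\.txt$"
)

SAMPLE_LOG = "\n".join([  # constructed from the log posted above
    r"16:34:16:930 2828 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25",
    r"16:34:17:742 2828 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean",
    r"16:34:17:782 2828 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr",
    r'16:34:17:782 2828 Driver "atapi" Irp handler infected by TDSS rootkit ... 16:34:17:782 2828 cured',
    r"16:34:17:782 2828 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected",
    r"16:34:20:656 2828 Reboot required for cure complete..",
    r"16:34:20:666 2828 Memory objects infected / cured / cured on reboot: 1 / 1 / 0",
    r"16:34:20:666 2828 Registry objects infected / cured / cured on reboot: 0 / 0 / 0",
    r"16:34:20:666 2828 File objects infected / cured / cured on reboot: 1 / 0 / 1",
])


def select_tdsskiller_logs(names):
    """Return the file names (from a directory listing) that match TDSSKiller's log naming scheme."""
    return sorted(n for n in names if LOGNAME_RE.match(n))


def parse_tdsskiller_log(text):
    """Extract verdicts, hooked drivers, summary counters and reboot state from one log."""
    report = {
        "verdicts": {},          # driver file path -> "Clean" / "Infected"
        "hooked_drivers": [],    # drivers whose IRP handler table pointed at rootkit code
        "results": {},           # "Memory"/"Registry"/"File" -> (infected, cured, on_reboot)
        "reboot_required": False,
    }
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(3).strip()
        if (v := VERDICT_RE.match(msg)):
            report["verdicts"][v.group("path")] = v.group("verdict")
        elif (r := RESULTS_RE.match(msg)):
            report["results"][r.group("kind")] = (
                int(r.group("infected")), int(r.group("cured")), int(r.group("on_reboot")))
        elif (h := IRP_HOOK_RE.match(msg)):
            report["hooked_drivers"].append(h.group("name"))
        elif msg.startswith("Reboot required"):
            report["reboot_required"] = True
    return report


def needs_followup(report):
    """True when anything was found infected or a cure is still pending a reboot."""
    infected = any(v == "Infected" for v in report["verdicts"].values())
    pending = any(counts[2] > 0 for counts in report["results"].values())
    return infected or pending or report["reboot_required"]


if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    for path, verdict in rep["verdicts"].items():
        print(f"{verdict:8} {path}")
    print("hooked drivers:", rep["hooked_drivers"])
    print("follow-up needed:", needs_followup(rep))
```

The "file cured on next reboot" counter is the part worth automating: a log that reports the atapi.sys file as Infected with the cure scheduled is not a clean result until a second run after the reboot shows zero infected objects, which is exactly why the helper asks for the log before proceeding.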

km2357
2010-03-07, 05:11
Step # 1: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Step # 2: Run Malwarebytes' Anti-Malware

Launch Malwarebytes' Anti-Malware.
Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
Next click the Scanner tab and select Perform Quick Scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
You can also access the log by doing the following:

Click on the Malwarebytes' Anti-Malware icon to launch the program.
Click on the Logs tab.
Click on the log at the bottom of those listed to highlight it.
Click Open.


In your next post/reply, I need to see the following:

1. MalwareBytes' Log
2. A fresh DDS Log

JR545
2010-03-07, 15:57
Malwarebytes' Anti-Malware 1.44
Database version: 3831
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

3/7/2010 6:53:04 AM
mbam-log-2010-03-07 (06-53-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 160358
Time elapsed: 50 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
------------------------------------------------------------

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 7/18/2007 4:09:06 PM
System Uptime: 3/7/2010 1:22:28 AM (4 hours ago)

Motherboard: Dell Computer Corporation | | 0T1957
Processor: Intel(R) Pentium(R) M processor 1.70GHz | Microprocessor | 594/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 37 GiB total, 23.472 GiB free.
D: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP517: 1/21/2010 5:33:54 AM - Software Distribution Service 3.0
RP518: 1/22/2010 4:15:18 AM - Software Distribution Service 3.0
RP519: 1/24/2010 4:26:49 AM - Software Distribution Service 3.0
RP520: 1/25/2010 3:00:42 AM - Software Distribution Service 3.0
RP521: 1/26/2010 5:48:51 AM - Software Distribution Service 3.0
RP522: 1/27/2010 5:06:56 AM - Software Distribution Service 3.0
RP523: 1/28/2010 5:28:34 AM - Software Distribution Service 3.0
RP524: 1/29/2010 6:03:24 AM - Software Distribution Service 3.0
RP525: 1/30/2010 4:14:26 AM - Software Distribution Service 3.0
RP526: 1/31/2010 6:27:42 AM - Software Distribution Service 3.0
RP527: 2/1/2010 4:11:53 AM - Software Distribution Service 3.0
RP528: 2/2/2010 5:12:58 AM - Software Distribution Service 3.0
RP529: 2/2/2010 6:59:21 PM - Avg8 Update
RP530: 2/3/2010 4:57:10 AM - Software Distribution Service 3.0
RP531: 2/4/2010 5:16:03 AM - Software Distribution Service 3.0
RP532: 2/5/2010 5:07:26 AM - Software Distribution Service 3.0
RP533: 2/6/2010 5:30:16 AM - Software Distribution Service 3.0
RP534: 2/7/2010 6:17:29 AM - Software Distribution Service 3.0
RP535: 2/7/2010 11:53:22 AM - Software Distribution Service 3.0
RP536: 2/8/2010 5:40:22 AM - Software Distribution Service 3.0
RP537: 2/9/2010 5:21:01 AM - Software Distribution Service 3.0
RP538: 2/22/2010 5:23:40 AM - Software Distribution Service 3.0
RP539: 2/22/2010 5:38:58 PM - Installed AVG Free 9.0
RP540: 2/23/2010 5:06:04 AM - Software Distribution Service 3.0
RP541: 2/23/2010 5:59:35 PM - Avg8 Update
RP542: 2/24/2010 5:22:56 AM - Software Distribution Service 3.0
RP543: 2/24/2010 7:28:35 PM - Installed Java(TM) 6 Update 18
RP544: 2/24/2010 8:02:12 PM - Removed Windows Live Favorites for Windows Live Toolbar
RP545: 2/24/2010 8:03:16 PM - Removed Windows Live Toolbar
RP546: 2/24/2010 8:04:46 PM - Removed Picture Package Music Transfer
RP547: 2/24/2010 8:06:39 PM - Removed Microsoft SQL Server 2005 Express Edition
RP548: 2/24/2010 8:08:53 PM - Removed Microsoft SQL Server Setup Support Files (English)
RP549: 2/25/2010 4:51:01 AM - Software Distribution Service 3.0
RP550: 2/25/2010 5:43:35 AM - Installed Windows XP KB978207.
RP551: 2/25/2010 6:34:52 AM - Installed SUPERAntiSpyware Free Edition
RP552: 2/27/2010 5:49:54 AM - Installed HiJackThis
RP553: 2/27/2010 8:27:43 AM - Removed Olympus Digital Wave Player
RP554: 2/27/2010 9:30:32 AM - avast! Free Antivirus Setup
RP555: 2/27/2010 9:35:53 AM - Removed AVG Free 9.0
RP556: 2/27/2010 9:38:13 AM - Installed AVG Free 9.0
RP557: 2/28/2010 9:57:15 AM - System Checkpoint
RP558: 3/3/2010 6:11:19 AM - System Checkpoint

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Reader 8.2.1
avast! Free Antivirus
Broadcom Gigabit Integrated Controller
C-Major Audio
CardBus
Conexant D480 MDC V.92 Modem
Critical Update for Windows Media Player 11 (KB959772)
EPSON Printer Software
ERUNT 1.1j
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Java Auto Updater
Java(TM) 6 Update 18
Malwarebytes' Anti-Malware
Messenger
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Search Enhancement Pack
Microsoft SQL Server Native Client
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mobile Broadband Drivers
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB954459)
msxml4 sp2
NeatReceipts Professional 3.0 Core Files
NVIDIA Drivers
OGA Notifier 2.0.0048.0
PCI 7510 CardBus Controller with SmartCard and Software
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Sony USB Driver
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
SupportSoft Assisted Service
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

3/6/2010 4:36:39 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde ppa
3/6/2010 4:36:20 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
2/28/2010 7:34:41 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
2/28/2010 2:29:36 PM, error: Service Control Manager [7034] - The SQL Server VSS Writer service terminated unexpectedly. It has done this 1 time(s).
2/28/2010 2:29:36 PM, error: Service Control Manager [7022] - The SQL Server VSS Writer service hung on starting.
2/28/2010 1:51:50 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 000E35B32924. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

==== End Of File ===========================
--------------------------------------------------------------------------

DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 5:59:02.27 on Sun 03/07/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.570 [GMT -7:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ksl.com/
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [Dell Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: powdervalleyinc.com\www
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} - hxxp://kaseya.oscr.net/inc/kaxRemote.dll
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DD5E6739-FDD6-4542-8940-4A4B8AB5276E} - hxxps://office.hjcpafirm.com/NGVPNTunnel.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-2-27 162512]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-2-27 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-27 40384]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2003-10-23 76160]
R3 NGSSLDrv;VPN Tunnel NGSSLDrv Adapter;c:\windows\system32\drivers\NGSSLDrv.sys [2007-5-10 17632]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2007-11-7 17792]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-27 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-27 40384]

=============== Created Last 30 ================

2010-03-06 01:59:17 0 d-sha-r- C:\cmdcons
2010-03-06 01:57:16 98816 ----a-w- c:\windows\sed.exe
2010-03-06 01:57:16 77312 ----a-w- c:\windows\MBR.exe
2010-03-06 01:57:16 261632 ----a-w- c:\windows\PEV.exe
2010-03-06 01:57:16 161792 ----a-w- c:\windows\SWREG.exe
2010-02-27 16:30:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-02-27 12:49:58 0 d-----w- c:\program files\TrendMicro
2010-02-25 13:37:08 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-25 13:34:54 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-25 13:34:54 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-02-25 13:33:58 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-25 02:39:36 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-02-25 02:29:05 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-02-25 02:29:05 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-08 23:00:25 0 d-----w- c:\docume~1\admini~1\applic~1\Office Genuine Advantage

==================== Find3M ====================

2010-03-07 02:45:04 105669 ----a-w- c:\windows\system32\nvModes.dat
2010-03-06 23:35:50 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-07 23:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00:29 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-02-18 00:30:48 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009021720090218\index.dat

============= FINISH: 5:59:21.31 ===============

km2357
2010-03-07, 19:46
Step # 1: Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available. (See Note below)


First, go to Add/Remove Programs and uninstall Adobe Reader 8.2.1.
Please go to this link Adobe Acrobat Reader Download Link (http://www.adobe.com/products/acrobat/readstep2.html)
On the right untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts

Note: Adobe 9.3.1 is a large program and if you prefer a smaller program you can get Foxit 3.1.4 instead from http://www.foxitsoftware.com/pdf/rd_intro.php

If you decide to install Foxit 3.1.4 instead of Adobe, do the following during Foxit's Setup/Installation process:

Uncheck the following boxes:

I accept the License Terms and want to install Foxit Toolbar

Make Ask.com my default search

Create desktop, quick launch and start menu icon to eBay


Step # 2: Run Kaspersky Online Scan

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.


In your next post/reply, I need to see the following:

1. Kaspersky Log
2. How is your computer doing, any problems?

JR545
2010-03-09, 05:57
The Kaspersky log didn't have anything in it, no infected/suspicious objects.
Computer seems to be running fine and searches are working properly.

km2357
2010-03-09, 07:36
Since there are no more problems, you are good to go. :)

You can delete the following off of your computer:

DDS.scr
The two DDS Logs
GMER.zip
GMER.exe
The GMER Log
TDSSKiller.exe
The TDSSKiller Log
mbrlog.bat
mbrlog.bat log


To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /Uninstall & click OK

Empty your Recycle Bin.


Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point

Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it asks you if you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Set correct settings for files that should be hidden in Windows XP
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
If unchecked please check Hide protected operating system files (Recommended)
If necessary check "Display content of system folders"
If necessary uncheck Hide file extensions for known file types.
Click OK

Use An Antivirus Software and Keep It Updated - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.

Visit Microsoft's Update Site Frequently - It is important that you visit Microsoft Updates (http://update.microsoft.com/) regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line Anti Malware (http://forum.malwareremoval.com/viewtopic.php?p=54#54)

Use the hosts file - Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE (http://www.bleepingcomputer.com/forums/tutorial51.html). If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button on the task bar at the bottom of your screen
Click run
In the dialog box, type services.msc and hit enter, then locate dns client
Highlight it, then double-click it.
On the dropdown box, change the setting from automatic to manual.
Click ok.

Use an alternative instant messenger program - Trillian (http://www.trillian.cc/) and Miranda IM (http://www.miranda-im.com/). These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

Please read Tony Klein's excellent article: How I got Infected in the First Place (http://forums.subratam.org/index.php?showtopic=5931)
Please read Understanding Spyware, Browser Hijackers, and Dialers (http://www.bleepingcomputer.com/forums/tutorial41.html)
Please read Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/tutorial82.html)

If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox (http://www.mozilla.org/products/firefox) or
Opera (http://www.opera.com/download/).
If you decide to use either Firefox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back (http://spyware-free.us/2006/01/time-to-fight-back.html). Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

If your computer is running slow, click here (http://www.malwareremoval.com/tutorials/runningslowly.php) for instructions on how to help speed up your computer.

Good luck!

Please reply one last time so that I know you have read my post and this thread can be closed.
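As an added example (not part of this thread or of the DDS tool), a small Python triage helper for the DDS log format quoted above: it parses the "Created Last 30"/"Find3M" file entries and the SERVICES/DRIVERS lines and lists recently written files under system32 so an analyst knows what to inspect first. The sample lines are copied from the log in this thread; because the FINISH line carries only a time, the scan date is assumed from the newest entry.

```python
import re
from datetime import datetime, timedelta

# File entries look like: 2010-03-06 23:35:50 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+)$")
# Service/driver entries look like: R1 aswSP;aswSP;c:\...\aswSP.sys [2010-2-27 162512]
SVC_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\d{4}-\d{1,2}-\d{1,2})\s+(\d+)\]$")
SENSITIVE_DIR = "c:\\windows\\system32\\"   # covers system32 and system32\drivers

# Sample lines copied from the DDS log earlier in this thread.
SAMPLE_LOG = [
    r"2010-03-07 02:45:04 105669 ----a-w- c:\windows\system32\nvModes.dat",
    r"2010-03-06 23:35:50 96512 ----a-w- c:\windows\system32\drivers\atapi.sys",
    r"2010-03-06 01:57:16 98816 ----a-w- c:\windows\sed.exe",
    r"2010-02-25 02:29:05 73728 ----a-w- c:\windows\system32\javacpl.cpl",
    r"2010-01-05 10:00:29 832512 ------w- c:\windows\system32\wininet.dll",
    r"R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-2-27 162512]",
    r"S0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2007-11-7 17792]",
]
# Assumed scan time: the FINISH line gives 5:59:21 but no date, so the newest entry's date is used.
SCAN_TIME = datetime(2010, 3, 7, 5, 59, 21)

def parse_files(lines):
    """Return (timestamp, size, attrs, lowercased path) for each file entry."""
    out = []
    for line in lines:
        m = FILE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            out.append((ts, int(m.group(2)), m.group(3), m.group(4).lower()))
    return out

def parse_services(lines):
    """Return one dict per R*/S* service or driver line."""
    out = []
    for line in lines:
        m = SVC_RE.match(line.strip())
        if m:
            out.append({"state": m.group(1), "name": m.group(2), "display": m.group(3),
                        "path": m.group(4).lower(), "date": m.group(5), "size": int(m.group(6))})
    return out

def recent_sensitive(files, scan_time, days=7):
    """Files under system32 written within `days` before the scan, newest first."""
    cutoff = scan_time - timedelta(days=days)
    hits = [f for f in files if f[0] >= cutoff and f[3].startswith(SENSITIVE_DIR)]
    return sorted(hits, key=lambda f: f[0], reverse=True)
if __name__ == "__main__":
    for ts, size, attrs, path in recent_sensitive(parse_files(SAMPLE_LOG), SCAN_TIME):
        print(f"{ts:%Y-%m-%d %H:%M} {size:>8} {attrs} {path}")
```

A recently changed file under system32 is only a pointer for the analyst to look at, not a verdict; vendor updates (the Java and Malwarebytes drivers above, for instance) show up the same way.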