# Virus blocks internet access, redirects



## 123qwe123 (Dec 26, 2008)

Think I picked up a virus a few days ago. Using Win XP, IE, ESET Anti-virus, Windows Firewall. An unknown screen popped up while surfing, asking if I wanted a virus scan. While trying to close it I got a message that Win Firewall was disabled, with lots of screens popping up. Had to power down quickly.

Since then I do not have full access to the internet. Cannot get to any "tech" sites; I'm either blocked (in IE: "Internet Explorer cannot display this page"; in Firefox: "connection interrupted - server reset while page was loading") or redirected to random obscure search engines. Cannot access the web to download any anti-virus updates or scans, all blocked.

Ran ESET scan, nothing found. Cleaned files and registry with CCleaner. Sys Restore is off. Ran DR WEB in safe mode, 2 viruses found (Trojan Click 1487 and prunnet), deleted, no effect on system. Hijack This log attached. Please advise.


----------



## eddie5659 (Mar 19, 2001)

Hiya and welcome to Tech Support Guy 

Are you still having this problem? If so, do the following:

Please download Malwarebytes' Anti-Malware from *Here* or *Here*

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.*

*Download and scan with* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._)
Under "*Configuration and Preferences*", click the *Preferences* button.
Click the *Scanning Control* tab.
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._
_Scan for tracking cookies._
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen.
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*.
On the left, make sure you check *C:\Fixed Drive*.
On the right, under "*Complete Scan*", choose *Perform Complete Scan*.
Click "*Next*" to start the scan. Please be patient while it scans your computer.
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*".
Make sure everything has a checkmark next to it and click "*Next*".
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu.
If asked if you want to reboot, click "*Yes*".
To retrieve the removal information after reboot, launch SUPERAntispyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._
_Please copy and paste the Scan Log results in your next reply._

Click *Close* to exit the program.

Please include the *MBAM log, SAS log and a fresh HijackThis log* in your next reply.

Regards

eddie


----------



## 123qwe123 (Dec 26, 2008)

Thanks for the help Eddie. I currently run ESET and AVG along with CCleaner, Dr Web, Spyware Blaster and Spybot Search and Destroy. Before infection it was just ESET. As you can imagine the computer is pretty bogged down. Any recommendations for the future as to what I should run for protection without killing the response time of the computer?

MBAM - nothing found today. I had run this a week ago after posting to your site, it cleaned some items. Last 2 scans were clean. Here's the log from Dec 29 when it found a problem:

Malwarebytes' Anti-Malware 1.31
Database version: 1567
Windows 5.1.2600 Service Pack 3
12/29/2008 9:25:38 AM
mbam-log-2008-12-29 (09-25-38).txt
Scan type: Full Scan (C:\|)
Objects scanned: 114858
Time elapsed: 53 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\utu4odc1 (Worm.Bagel) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\utu4odc1 (Worm.Bagel) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\drivers\utu4odc1.sys (Worm.Bagel) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSrhyp.log (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSxfum.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
SAS Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 01/03/2009 at 10:02 AM
Application Version : 4.24.1004
Core Rules Database Version : 3694
Trace Rules Database Version: 1670
Scan type : Complete Scan
Total Scan Time : 01:07:24
Memory items scanned : 704
Memory threats detected : 0
Registry items scanned : 7144
Registry threats detected : 8
File items scanned : 23467
File threats detected : 32
Browser Hijacker.Internet Explorer Zone Hijack
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\amaena.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\amaena.com#*
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imagesrvr.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imagesrvr.com#*
HKU\S-1-5-21-226849807-1721993001-1925347969-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\amaena.com
HKU\S-1-5-21-226849807-1721993001-1925347969-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\amaena.com#*
HKU\S-1-5-21-226849807-1721993001-1925347969-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imagesrvr.com
HKU\S-1-5-21-226849807-1721993001-1925347969-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imagesrvr.com#*
Adware.Tracking Cookie
Malware.Installer-Pkg/Gen
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{3C48F877-A164-45E9-B9DA-26A049FFC207}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6293BC00-4EB8-4C65-8548-53E2FC3BF937}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{651956B7-1969-42AA-9453-E0B813019D54}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{989E4C3B-B2C9-4486-9A09-D5A8F953837C}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C0A0AA4D-C79B-48CA-8843-2B02B626C9E6}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C2D8F0E2-6978-4409-8351-BA8785DA11EE}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{D1A6F3FD-7B40-443F-8767-BADB25A0D222}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{E0814F95-5380-4892-B8C8-7FA4B349EF46}.EXE
Rootkit.TDSServ-Trace
C:\WINDOWS\SYSTEM32\TDSSMHLT.DAT

HiJackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:37 AM, on 1/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\FLIR Systems\ThermaCAM QuickReport\bin\T3Srv.exe
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\FLIR Systems\ThermaCAM QuickReport\bin\T3Mon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Tom\Start Menu\Programs\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/news?ned=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/&s=JcZU3n5OaBCIXHlUpCc8fI8e3-w
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enumn /alertsn /notificationsn /fln /frn /appDatan
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [FS Camera Monitor] C:\Program Files\FLIR Systems\ThermaCAM QuickReport\bin\T3Mon.exe
O4 - HKLM\..\Run: [T3Mon] "C:\Program Files\FLIR Systems\QuickView\T3Mon.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.antispyexpert.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.spyguardpro.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.antispyexpert.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.spyguardpro.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1196180108183
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: FLIR Systems Camera Monitor (T3Srv) - FLIR Systems - C:\Program Files\FLIR Systems\ThermaCAM QuickReport\bin\T3Srv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 15906 bytes

Thanks again. Let me know what you think. Good news is that I now have internet access.

Best,
Tom


----------



## eddie5659 (Mar 19, 2001)

Well, having two antivirus programs running can cause conflicts, so as you have the paid version of ESET NOD32 Antivirus, I would say keep that one, and uninstall the AVG.

I'll fully go through what else needs to be installed/removed when it's nice and clean, including speeding up your startup list.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. 
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

You're looking for *Windows Defender, ESET NOD32 ANTIVIRUS and Spybot Teatimer* in the list.

When that's done, do this:

Download ComboFix from one of these locations:

*Link 1*
*Link 2*
*Link 3*

*IMPORTANT !!! Save ComboFix.exe to your Desktop*


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

*Please note:* If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the *C:\ComboFix.txt and a fresh HijackThis log* in your next reply.

eddie


----------



## 123qwe123 (Dec 26, 2008)

Thanks Eddie. Logs attached, too long to post....

Best,
Tom


----------



## eddie5659 (Mar 19, 2001)

Re-open HiJackThis and choose *do a system scan only*. Check the boxes of all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/&s=JcZU3n5OaBCIXHlUpCc8fI8e3-w
O15 - Trusted Zone: *.antispyexpert.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.spyguardpro.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.antispyexpert.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.spyguardpro.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)

Now *close all windows other than HiJackThis*, then click Fix Checked. Reboot and post a fresh HijackThis log.

Also, do this:

Please download *Rootkit Revealer* (It should be part of the Top 10 Downloads list)
Unzip it to your desktop.
Open the rootkitrevealer folder and double-click *rootkitrevealer.exe*
Close *ALL* windows and programs and do nothing on the pc while the scan runs. This includes games, browser windows, email clients, etc.
Click the *Scan* button (bottom right)
It may take a while to scan (don't do anything while it's running)
When it's done, go up to *File > Save*. Choose to save it to your desktop.
Open *rootkitrevealer.txt* on your desktop and copy the entire contents and paste them here

eddie
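The O15 entries eddie lists above are Internet Explorer "Trusted Zone" additions, which live in the registry under `...\Internet Settings\ZoneMap\Domains\<domain>` (the same keys SUPERAntiSpyware reported as "Zone Hijack" earlier in this thread). The following is an added example, not code from this thread or from HijackThis: it parses O15 lines out of a HijackThis log, maps each to the hive and registry key it represents, and flags every trusted domain that is not on an allow-list the user deliberately set. The sample log text is constructed from lines posted above.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the HijackThis log posted in this
# thread, plus two benign non-O15 lines to show they are ignored.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O15 - Trusted Zone: *.antispyexpert.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.antispyexpert.com (HKLM)
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
"""

# Registry location of IE zone assignments; a Trusted Sites entry is a
# subkey named after the domain, holding a value per scheme ("*", "http", ...)
# whose data is the zone number (2 = Trusted Sites).
ZONEMAP = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

# HijackThis appends "(HKLM)" for machine-wide entries; otherwise it is HKCU.
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<pattern>\S+)(?: \((?P<hive>HKLM)\))?\s*$")


def parse_o15(log_text):
    """Extract O15 Trusted Zone entries from HijackThis log text.

    Returns a list of dicts with the raw pattern, the bare domain, the hive
    and the registry key the entry corresponds to.
    """
    entries = []
    for line in log_text.splitlines():
        m = O15_RE.match(line.strip())
        if not m:
            continue
        pattern = m.group("pattern")
        hive = m.group("hive") or "HKCU"
        # HijackThis shows the ZoneMap subkey name with a "*." prefix.
        domain = pattern[2:] if pattern.startswith("*.") else pattern
        entries.append({
            "pattern": pattern,
            "domain": domain,
            "hive": hive,
            "reg_key": f"{hive}\\{ZONEMAP}\\{domain}",
        })
    return entries


def triage(entries, expected_trusted=frozenset()):
    """Group entries by domain and flag any domain the user did not add on purpose.

    `expected_trusted` is an allow-list of domains the user knowingly placed in
    Trusted Sites (an assumption of this example; empty means "none expected").
    A domain present in both hives is worth noting: a user adding a site through
    the Internet Options dialog typically writes only HKCU, so HKLM entries point
    to software that wrote them machine-wide.
    """
    by_domain = defaultdict(set)
    for e in entries:
        by_domain[e["domain"]].add(e["hive"])
    report = []
    for domain in sorted(by_domain):
        status = "expected" if domain in expected_trusted else "unexpected"
        report.append({
            "domain": domain,
            "hives": sorted(by_domain[domain]),
            "status": status,
        })
    return report


if __name__ == "__main__":
    found = parse_o15(SAMPLE_HJT_LOG)
    for row in triage(found):
        print(f"{row['status']:10} {row['domain']:28} hives={','.join(row['hives'])}")
    print()
    for e in found:
        print(e["reg_key"])
```

Every domain the script reports as unexpected is one that a rogue-AV installer, not the user, placed in Trusted Sites, which is why the thread's fix list removes all of them.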


----------



## 123qwe123 (Dec 26, 2008)

Hi Eddie,

Here are the logs. ESET and Win Firewall disabled before scanning.
Best,
Tom


----------



## eddie5659 (Mar 19, 2001)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open *notepad* and copy/paste the text in the quotebox below into it:



> File::
> 
> Folder::
> 
> ...


Save this as *CFScript.txt*, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at *C:\ComboFix.txt* which I will require in your next reply.

Also, post a fresh HijackThis log.


----------



## 123qwe123 (Dec 26, 2008)

Thanks Eddie...


----------



## eddie5659 (Mar 19, 2001)

Hmmm, it hasn't appeared to attempt to delete it. Did you copy this exactly:



> File::
> 
> Folder::
> 
> ...


If you select all within the above quote into Notepad, it should work.

If not, we'll try something else 

eddie


----------



## 123qwe123 (Dec 26, 2008)

Hi Eddie,
I disabled ESET and Win Firewall. I copied the text again and ran ComboFix and HiJackThis again. Logs below. FYI - both times ComboFix said there was a new version available and asked if I wanted to download it. The first time I did. This time I skipped it.
Best,
Tom

ComboFix 09-01-05.03 - Tom 2009-01-06 14:54:44.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.504 [GMT -5:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tom\Desktop\cfscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.
2009-01-03 08:51 . 2009-01-03 08:51 d-------- c:\program files\SUPERAntiSpyware
2009-01-03 08:51 . 2009-01-03 08:51 d-------- c:\documents and settings\Tom\Application Data\SUPERAntiSpyware.com
2009-01-03 08:51 . 2009-01-03 08:51 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-03 08:50 . 2009-01-03 08:50 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-29 14:55 . 2008-12-29 14:58 d-------- c:\program files\SpywareBlaster
2008-12-29 14:55 . 2008-12-29 18:41 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-29 08:29 . 2008-12-29 08:29 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-29 08:29 . 2008-12-29 08:29 d-------- c:\documents and settings\Tom\Application Data\Malwarebytes
2008-12-29 08:29 . 2008-12-29 08:29 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-29 08:29 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-29 08:29 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-29 08:25 . 2008-12-29 08:26 d-------- c:\program files\RogueRemover FREE
2008-12-28 20:09 . 2008-12-28 20:09 d--h----- C:\$AVG8.VAULT$
2008-12-28 16:48 . 2009-01-06 08:22 d-------- c:\windows\system32\drivers\Avg
2008-12-28 16:48 . 2008-12-29 08:25 d-------- c:\documents and settings\Tom\Application Data\AVGTOOLBAR
2008-12-28 16:48 . 2008-12-28 16:48 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-28 16:48 . 2008-12-28 16:48 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-28 16:47 . 2008-12-28 16:47 d-------- c:\program files\AVG
2008-12-28 16:47 . 2008-12-28 16:53 d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-26 15:41 . 2008-12-26 15:41 d-------- c:\documents and settings\Tom\DoctorWeb
2008-12-26 11:54 . 2008-12-26 12:50 9,728 --a------ c:\windows\system32\drivers\uju4odc1.sys
2008-12-24 14:00 . 2008-12-24 14:00 d-------- c:\program files\Yahoo!
2008-12-24 14:00 . 2008-12-24 14:00 d-------- c:\program files\CCleaner
2008-12-24 14:00 . 2008-12-24 14:00 d-------- c:\documents and settings\Tom\Application Data\Yahoo!
2008-12-24 14:00 . 2008-12-24 14:00 d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-12-24 01:46 . 2008-12-24 01:46 d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-10 21:17 . 2008-12-10 21:17 d-------- c:\program files\Sitemap Generator
2008-12-10 21:17 . 2008-12-10 21:17 d-------- c:\documents and settings\Tom\Application Data\DevIntelligence.com
2008-12-10 13:59 . 2008-12-10 13:59 d-------- c:\program files\Citrix
2008-12-10 13:59 . 2008-12-10 13:59 60,744 --a------ c:\documents and settings\Tom\g2mdlhlpx.exe
2008-12-09 23:11 . 2008-12-09 23:11 d-------- c:\documents and settings\Tom\Application Data\Canon
2008-12-09 23:09 . 2008-12-12 20:31 d-------- c:\documents and settings\Tom\Application Data\ZoomBrowser EX
2008-12-09 22:24 . 2008-12-12 20:21 d-------- c:\documents and settings\All Users\Application Data\ZoomBrowser
2008-12-09 22:20 . 2008-12-09 22:20 d-------- c:\program files\Common Files\Canon
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 16:13 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-06 14:22 --------- d-----w c:\program files\Java
2008-12-29 23:41 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-29 20:08 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-26 16:56 --------- d-----w c:\program files\Bonjour
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-10 03:26 --------- d-----w c:\program files\Canon
2008-12-05 17:43 --------- d-----w c:\documents and settings\Tom\Application Data\IBP
2008-11-24 23:49 --------- d-----w c:\documents and settings\Tom\Application Data\Apple Computer
2008-11-24 17:18 --------- d-----w c:\program files\iTunes
2008-11-24 17:18 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-24 17:17 --------- d-----w c:\program files\iPod
2008-11-24 17:14 --------- d-----w c:\program files\QuickTime
2008-11-24 17:13 --------- d-----w c:\program files\Common Files\Apple
2008-11-21 03:37 --------- d-----w c:\program files\Link Verify
2008-11-20 21:49 --------- d-----w c:\program files\IBP 10
2008-11-16 19:26 --------- d-----w c:\program files\Datel
2008-11-13 02:46 --------- d-----w c:\program files\Modem Helper
2008-11-10 10:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-11-07 00:43 --------- d-----w c:\program files\Google
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-09-17 00:20 104 --sh--r c:\windows\system32\6C874D6526.sys
2008-09-17 00:20 6,580 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-08-25 14:22 608 --sha-w c:\windows\system32\winzvprt5.sys
2008-09-05 20:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
.
((((((((((((((((((((((((((((( [email protected]3_14.50.03.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-25 16:47:07 144,792 ----a-w c:\windows\system32\java.exe
+ 2008-11-10 10:43:37 144,792 ----a-w c:\windows\system32\java.exe
- 2008-11-25 16:47:08 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2008-11-10 10:43:38 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-11-25 16:47:08 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-11-10 10:43:39 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-01-06 14:22:50 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_bc0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-07-28 05:47 160496 --a------ c:\program files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-27 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-09-01 684032]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-02-21 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 8192]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2007-10-03 53248]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"FS Camera Monitor"="c:\program files\FLIR Systems\ThermaCAM QuickReport\bin\T3Mon.exe" [2007-06-04 276048]
"T3Mon"="c:\program files\FLIR Systems\QuickView\T3Mon.exe" [2004-04-26 266240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-28 1261336]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-02-21 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-10-22 972064]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\HP\\hp laserjet m1522\\Fax Config utility1.exe"=
"c:\\Program Files\\HP\\hp laserjet m1522\\hppfaxnc1.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hppscan6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IBP 10\\IBP.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-28 97928]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-12-21 33800]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-28 231704]
R4 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
R4 T3Srv;FLIR Systems Camera Monitor;c:\program files\FLIR Systems\ThermaCAM QuickReport\bin\T3Srv.exe [2007-06-04 140880]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 uju4odc1;AVZ-SG Kernel Driver;c:\windows\system32\drivers\uju4odc1.sys [2008-12-26 9728]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - JAVAQUICKSTARTERSERVICE
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4d78f91-73de-11dd-b8fa-001422eee0c8}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-01-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/news?ned=us
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: online.musicmatch.com
FF - ProfilePath - c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\04i385e6.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 14:58:14
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ...
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(868)
c:\windows\system32\avgrsstx.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(932)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2009-01-06 14:59:25
ComboFix-quarantined-files.txt 2009-01-06 19:59:16
ComboFix2.txt 2009-01-05 23:51:24
ComboFix3.txt 2009-01-03 19:51:03
Pre-Run: 13,668,085,760 bytes free
Post-Run: 13,633,032,192 bytes free
241 --- E O F --- 2009-01-06 02:07:18
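The step Eddie takes next, picking out a driver that appears in the "Files Created" section and checking which service loads it, can be done mechanically. The following is an added Python triage helper (my example, not ComboFix's code and not from this thread) that parses the three log sections posted above; the sample log is a constructed excerpt of the lines from Tom's post.

```python
"""Triage helper for ComboFix log text (added example, not ComboFix's own code)."""
import re
from dataclasses import dataclass
from typing import Optional

# "Files Created" lines:  created . modified  [size]  attrs  path
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?:(?P<size>[\d,]+)\s+)?(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)
# Service/driver lines:  R1 name;display name;path [date size]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?: \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\])?$"
)
# Registry section headers and "Name"="target" [info] values under them
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<info>[^\]]*)\]$')


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]   # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


@dataclass
class ServiceEntry:
    state: str     # R = running, S = stopped; digit = start type
    name: str
    display: str
    path: str


@dataclass
class RunEntry:
    key: str
    name: str
    target: str
    missing: bool  # ComboFix prints [X] when the target file is not on disk


def parse_files(log: str) -> list:
    out = []
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            size = int(m["size"].replace(",", "")) if m["size"] else None
            out.append(FileEntry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return out


def parse_services(log: str) -> list:
    return [ServiceEntry(m["state"], m["name"], m["display"], m["path"])
            for m in (SERVICE_RE.match(l.strip()) for l in log.splitlines()) if m]


def parse_run_entries(log: str) -> list:
    """Values under any ...\\Run or ...\\RunOnce key (the HijackThis O4 set)."""
    out, key = [], ""
    for line in log.splitlines():
        k = KEY_RE.match(line.strip())
        if k:
            key = k["key"]
            continue
        v = VALUE_RE.match(line.strip())
        if v and key.lower().endswith(("\\run", "\\runonce")):
            out.append(RunEntry(key, v["name"], v["target"], v["info"].strip() == "X"))
    return out


def recent_drivers(log: str, since: str) -> list:
    """Kernel drivers (.sys under \\drivers\\) created on/after `since` (YYYY-MM-DD),
    each joined to the service entry that loads it, if the log lists one."""
    services = {s.path.lower(): s for s in parse_services(log)}
    found = []
    for f in parse_files(log):
        p = f.path.lower()
        if f.is_dir or not p.endswith(".sys") or "\\drivers\\" not in p or f.created < since:
            continue
        svc = services.get(p)
        found.append({"path": f.path, "created": f.created, "size": f.size,
                      "service": svc.name if svc else None,
                      "display": svc.display if svc else None})
    return found


# Constructed excerpt of the log posted above (not a complete ComboFix log).
SAMPLE_LOG = r"""
2008-12-29 08:29 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-28 16:48 . 2008-12-28 16:48 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-26 11:54 . 2008-12-26 12:50 9,728 --a------ c:\windows\system32\drivers\uju4odc1.sys
2008-12-24 14:00 . 2008-12-24 14:00 d-------- c:\program files\CCleaner
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-28 97928]
S3 uju4odc1;AVZ-SG Kernel Driver;c:\windows\system32\drivers\uju4odc1.sys [2008-12-26 9728]
"""

if __name__ == "__main__":
    for d in recent_drivers(SAMPLE_LOG, "2008-12-06"):
        print(d["created"], d["path"], "->", d["service"] or "no service entry")
    for r in parse_run_entries(SAMPLE_LOG):
        print(("MISSING " if r.missing else "") + r.name, "=", r.target)
```

A driver with no matching service entry is not by itself suspicious (the Malwarebytes drivers here are loaded on demand); the point is to make the join explicit rather than scanning the log by eye.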


----------



## eddie5659 (Mar 19, 2001)

Okay, lets do a quick scan on it:


Please go to VirSCAN.org FREE on-line scan service
Copy and paste the following file path into the *"Suspicious files to scan"* box on the top of the page:

*c:\windows\system32\drivers\uju4odc1.sys*

 Click on the *Upload* button
 Once the Scan is completed, click on the "*Copy to Clipboard*" button. This will copy the link of the report into the Clipboard.
 Paste the contents of the Clipboard in your next reply.

Not sure why ComboFix is asking about an update, if it asks again, just leave it for now.

eddie


----------



## 123qwe123 (Dec 26, 2008)

Hi Eddie,
I copied 
*c:\windows\system32\drivers\uju4odc1.sys*
to the box in Virscan, hit upload, nothing happens. Tried it after logging on to page a number of times, does not scan.

Best,
Tom


----------



## eddie5659 (Mar 19, 2001)

Ah, that's because I edited it when I saw the error, I assume you looked at your email reply 

This is the file path:

c:\windows\system32\drivers\uju4odc1.sys


----------



## eddie5659 (Mar 19, 2001)

Okay, replying here instead of editing the above post. Don't worry about the scan, but do this for ComboFix instead:



> File::
> c:\windows\system32\drivers\uju4odc1.sys
> 
> Folder::
> ...


Then post the Combofix.txt it produces


----------



## 123qwe123 (Dec 26, 2008)

Hi Eddie,

VirSCAN turned up nothing. Combofix log attached.

Best,
Tom


----------



## eddie5659 (Mar 19, 2001)

At last, it's gone 

Let's just check for any files that are left to sort now:

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under *Upgrading Java*, to download and install the latest version.


Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure the following is checked. 
*Spyware, Adware, Dialers, and other potentially dangerous programs 
Archives
Mail databases*

Click on *My Computer* under *Scan*.
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As...*.
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Please post this log in your next reply.
*Upgrading Java*:

Download the latest version of *Java Runtime Environment (JRE) 6 Update 7*.
Scroll down to where it says "*The J2SE Runtime Environment (JRE) allows end-users to run Java applications*".
Click the "*Download*" button to the right.
Select your Platform and check the box that says: "*I agree to the Java SE Runtime Environment 6 License Agreement.*".
Click on *Continue*.
Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove *programs and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version. (Vista users, right-click on the *jre-6u7-windows-i586-p.exe* and select "Run as an Administrator.")


----------



## 123qwe123 (Dec 26, 2008)

Hi Eddie,

Old Java removed. New Java installed. Log attached.

Best,
Tom


----------



## eddie5659 (Mar 19, 2001)

Please download *Runscanner* to your desktop and run it.

When the first page comes up select *Beginner Mode*
On the next page select *Save a binary .Run file (Recommended)* then click *Start full scan* at the top.
At this time Runscanner.exe may request *access to the Internet* through your firewall please allow it to do so, it will then run for two or three minutes.
On completion it will ask for a location to save the file and a name. It will do this for both the *.run file* and the *log file*
Call the .run file *"RunScanner"* and save it to your desktop. You will see the *RunScanner.run file* on your desktop. Right-click and rename to a *RunScanner.txt* file and upload that file here. Click on the *Go Advanced* button for the uploading options.

eddie


----------



## 123qwe123 (Dec 26, 2008)

Hi Eddie,

I'm having a problem following your instructions - cannot rename the run file, it remains a .txt file when trying to upload to TSG. RunScanner log file attached.

Best,
Tom


----------



## eddie5659 (Mar 19, 2001)

Hmm, didn't work 

When you tried to rename the Runscanner.run file, was the actual program still running? You're looking at the *Run* file, not the *Log* file. Locate the *RunScanner.run* file, right-click and select Rename, and it should let you call it Runscanner.txt. It will say that changing it will alter the file, just say Yes.


----------



## 123qwe123 (Dec 26, 2008)

Hi Eddie,

When I rename the run file it becomes runscanner.txt.run. TSG will not accept it. I see no way to change the file type....

Best,
Tom


----------



## eddie5659 (Mar 19, 2001)

That's strange, others are okay with it 

Ah, I know, let's see if this helps:

Open up Windows Explorer, and click on Tools | Folder Options. Select the View tab.

Scroll down, and untick the Hide Extensions For Known File Types, apply and ok. Now, see if that works.

If not, can you zip the run file up, and upload it that way?

eddie


----------



## 123qwe123 (Dec 26, 2008)

Hi Eddie,

File attached.

Best,
Tom


----------



## eddie5659 (Mar 19, 2001)

Download the attachment at the end of this post (this will be your runscanner file fixed by me)


Delete the *previous runscanner.txt* on your Desktop before downloading the attached file.
Save it to your desktop, then right-click on it and select Rename. Rename to runscanner.run. Then double click the *runscanner icon* this will run the program.
This time select the *Expert Mode*
click the *Item Fixer* tab
Click the button at the top called *Fix selected items*
Accept the warning(s) and repeat until they are all gone.
Reboot your PC
Post a fresh HijackThis log


----------



## 123qwe123 (Dec 26, 2008)

Hi Eddie,
Log attached.

Best,
Tom


----------



## eddie5659 (Mar 19, 2001)

That looks a lot better, how's the computer running now? If it's okay, I'll trim the startup list for you, and then clean up the programs we've used


----------



## 123qwe123 (Dec 26, 2008)

Hi Eddie,

Thanks again for all the help. Everything seems fine, no problems on this end. Let me know how to clean it up and we'll call this a success.

Best,
Tom


----------



## eddie5659 (Mar 19, 2001)

The following is a list of all that you have running at startup. For those interested, it's the O4 entries. The more you have, the slower your bootup to Windows will be, and you may have problems online, like slowness etc. I've put some explanation on what they are, in case you're curious.

Don't worry, you're not uninstalling these, just preventing them loading at startup

==============

ehTray - Enables the user to access Windows Messenger from within Windows Media Center Edition. Up to you

Apoint - Touchpad software for laptop PC's. For instance it is found on the Panasonic machines and allows part of the touchpad to be used for document or Web-page scrolling. Required for proper functioning of the pointing software but not required for the laptop to work. Up to you

ATIPTA - Control panel for the ATI series of video cards allowing access to such features as display resolution, colour depth, etc. Available via Start -> Settings -> Control Panel -> Display. Some users may need it if they have optimised their settings. Up to you

Dell QuickSet - Dell taskbar icon allowing you to quickly change settings. Not needed

Dell Wireless Manager UI - Related to Dell Wireless WLAN Card. Provides additional configuration options for these devices. Up to you

DVDLauncher - A process belonging to the Cyberlink PowerCinema video viewing software which allows you to play DVDs upon insertion. Non-essential process - and is installed for ease of use. Up to you

RealTray - System Tray icon for RealPlayer. If you subsequently start RealPlayer manually it adds itself back to the start-up list. You can stop this from happening by right-clicking on the tray icon and disabling StartCenter via Preferences. Not needed

dla - Drive letter access to HP's and Veritas' version of DirectCD. Does the same thing as DirectCD. From HP - "This is a needed file as it controls the readability of the Combo drives. Without this file loading the end user will be able to burn CD's but won't be able to read them. The drive itself will be able to read store bought master CD's without the file but not burnt ones" - Keep

ISUSPM Startup - InstallShield Update Service related; Automatically searches for and performs any updates to the software. Not Needed

ISUSScheduler - InstallShield Update Service Scheduler; automatically searches for and performs any updates to the software so you're always working with the most current version. Not Needed.

MimBoot - Starts Musicmatch_Jukebox at bootup - can be started manually. Not needed

dscactivate - Dell Support Agent offers additional support and update features for your Dell computer or laptop. Up to you

egui - ESET_Smart_Security. Keep

DellSupportCenter - Related to the Dell_Support_Center. Keep

ToolBoxFX - Related to HP_LaserJet_3055 from HP. Up to you

HP Software Update - HP software updates. If a shortcut doesn't exist, create your own and run it manually. Not needed

AppleSyncNotifier - Related to Apple_Sync_Notifier Apple Mobile Device Service. You really didn't need it unless you had an iPhone or an iTouch iPod but that didn't stop Apple from including it as a Service for all iTunes users. Not needed

FS Camera Monitor - Not sure, leave

T3Mon - Not sure, leave

QuickTime Task - System Tray access to Apple's "Quick Time" viewer from version 5 onwards. Not needed

iTunesHelper - Related to Apple's iTunes for Windows. Installed with Apple's iTunes for Windows. Note: Uses ~3-4MB of memory and if disabled in MSCONFIG or deleted from the registry it will re-instate itself after running iTunes a few times. Keep

SunJavaUpdateSched - Checks with Sun's Java updates site to see if newer Java versions are available. Visit http://java.sun.com or just run the Java Plug-In Control Panel. Not needed

MSMSGS - Related to Windows Messenger utility. If you don't use Windows Messenger, this can be annoying. Available via Start -> Programs. Go to Windows Messenger > Tools > Options > Preferences and uncheck "Run this program when Windows starts". Up to you

ctfmon.exe - CTFMon is involved with the language/alternative input services in Office XP. CTFMON.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. Not required if you don't need these features. For more info on ctfmon: http://support.microsoft.com/kb/282599/en-us. Up to you

DellSupport - Dell Support Agent offers additional support and update features for your Dell computer or laptop. Up to you

DellSupportCenter - Related to the Dell_Support_Center. Keep

swg - Related to Google's Toolbar Notifier. Up to you

DWQueuedReporting - Related to System_Event_Notification_Services from Microsoft. Required for Efficient Mobile Network Computing. Keep

RunNarrator - Related to Narrator_accessibility feature on Windows XP. It is used to convert text to speech. Should not be disabled, required for essential applications to work properly. Up to you

Adobe Reader Speed Launch - Speeds up the time it takes to load the Adobe_Reader application. Your choice, but not required for Adobe Reader to function properly. Not needed

Digital Line Detect - Detects whether you are plugged into a digital telephone line and displays the information graphically. Installed by Dell (and maybe others) and is included with all Connexant V.92 and Broadcom modems. Not needed

Microsoft Office - Application which launches common MS Office components to help speed up the launch of Office programs. It's somewhat of a resource hog, and some users claim there's no difference with or without it, but it usually isn't required. Note: if you make use of the Microsoft Office Shortcut Bar outside an Office program, this application will need to be enabled for it to show. Not needed

QuickBooks Update Agent - Associated with Intuit's Quickbooks but not required. Possibly to do with the payroll update service but you're prompted to check for updates when appropriate whether this is running or not. Not needed

============

Okay, for the ones that say Not Needed, do this:

Go to Start | Run and type MSCONFIG, and click OK. Startup tab. Untick the ones that are Not Needed, Apply and Restart. When Windows loads back up, you will have a popup box saying that the startup has been changed. Tick the little box to not appear again, and OK.

For the Up To You ones, that's exactly that. It's your choice if you need them. One way to do this, after you've done the above with the Not Needed ones, is to go back to MSCONFIG and untick one of them. Reboot, and see if all your 'normal' programs work okay. If, for instance, your Google Toolbar has a problem after unticking swg, then just go back in, retick it, and restart.

==================

*Follow these steps to uninstall Combofix and tools used in the removal of malware*


Click *START* then *RUN*
Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there

Also, you will see the *Runscanner* program on your Desktop. This, along with the *Runscanner.run* file, can be deleted.

You can delete the *Rootkit revealer* program off your Desktop.

================

We have a couple of last steps to perform and then you're all set.

Please download *ATF Cleaner* by Atribune.

*Caution: This program is for Windows 2000, XP and Vista only*


Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
If you use Firefox browser
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
If you use Opera browser
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
Click *Exit* on the Main menu to close the program.
For *Technical Support*, double-click the e-mail address located at the bottom of each menu.

Secondly, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
* Click *Start*.
* Open *My Computer*.
* Select the *Tools menu* and click *Folder Options*.
* Select the *View* tab.
* Under the *Hidden files and folders* heading *UNSELECT Show hidden files and folders*.
* *CHECK* the *Hide protected operating system files (recommended)* option.
* Click *Yes* to confirm.
* Click *OK*.
Next, let's clean your restore points and set a new one:

*Reset and Re-enable your System Restore* to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
*1. Turn off System Restore.*
On the Desktop, right-click *My Computer*.
Click *Properties*.
Click the *System Restore* tab.
Check *Turn off System Restore*.
Click *Apply*, and then click *OK*.
*2. Restart your computer.*

*3. Turn ON System Restore.*
On the Desktop, right-click *My Computer*.
Click *Properties*.
Click the *System Restore* tab.
UN-Check *Turn off System Restore*.
Click *Apply*, and then click *OK*.

*System Restore will now be active again.*

Now, go to Control Panel and open the *Internet Options*. Click on the *Advanced tab* and do the following:

Untick Enable Install on Demand (may be two of them) under Browsing.
Tick Empty Temporary Internet Files When Browser is Closed under Security. Apply and OK.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs: 
*SpywareBlaster* to help prevent spyware from installing in the first place.
*SpywareGuard* to catch and block spyware before it can execute.
*ZonedOut* to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 2 free ones available for personal use:
*Kerio Personal Firewall*
*ZoneAlarm*
and a good antivirus (these are also free for personal use):
*AVG Anti-Virus*
*Avast Home Edition*
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit 
*Microsoft Windows Update*
monthly. And to keep your system clean run these free malware scanners 

*Malwarebytes' Anti-Malware*

*Spybot Search & Destroy*
weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this about Security online: *General Security Information, How to tighten Security Settings and Warnings *

Have a safe and happy computing day!


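The Folder Options reset and the MSCONFIG startup review above can also be checked from a script. This is an added example, not part of the thread or any tool it mentions; it assumes PowerShell is available on the cleaned machine and is run as the user whose profile was cleaned. The registry paths and value names used are the documented Explorer and Run locations.

```powershell
# Added example, not from the thread: audit and restore the Explorer
# hidden-file view that the post resets through Folder Options, and list the
# Run-key autostart entries that feed MSCONFIG's Startup tab.
# Assumes PowerShell on the cleaned machine, run as the profile's owner.

$Advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-HiddenFileState {
    $p = Get-ItemProperty -Path $Advanced
    # Hidden: 1 = show hidden files and folders, 2 = do not show (default).
    # ShowSuperHidden: 1 = show protected OS files, 0 = hide them (default).
    New-Object PSObject -Property @{
        ShowHiddenFiles      = ($p.Hidden -eq 1)
        ShowProtectedOsFiles = ($p.ShowSuperHidden -eq 1)
    }
}

function Reset-HiddenFileState {
    # Same effect as unticking "Show hidden files and folders" and ticking
    # "Hide protected operating system files" in Folder Options > View.
    Set-ItemProperty -Path $Advanced -Name Hidden -Value 2 -Type DWord
    Set-ItemProperty -Path $Advanced -Name ShowSuperHidden -Value 0 -Type DWord
}

function Get-RunKeyEntries {
    # Machine-wide and per-user Run keys; MSCONFIG's Startup tab shows these
    # (plus the Startup folders, which are not enumerated here).
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    # Get-ItemProperty adds these provider properties; they are not values.
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            New-Object PSObject -Property @{
                Key     = $key
                Name    = $prop.Name
                Command = $prop.Value
            }
        }
    }
}

'Folder Options before reset:'; Get-HiddenFileState | Format-List
Reset-HiddenFileState
'Folder Options after reset:';  Get-HiddenFileState | Format-List
'Autostart entries in the Run keys (compare against the MSCONFIG Startup tab):'
Get-RunKeyEntries | Format-Table Key, Name, Command -AutoSize
```

Explorer windows that are already open keep the old view; reopen them (or log off and on) to see the reset take effect.
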
----------



## 123qwe123 (Dec 26, 2008)

Hi Eddie,

Computer is zipping along, I am much obliged for all your help. I appreciate the 3 weeks worth of time and effort - you are awesome.

Here is what is hopefully my last question: you recommended AVG, which I like. I assume using that will cause a conflict if I continue to use ESET. Do you recommend I ditch ESET? Not exactly thrilled with it at this point because A) the virus got thru it in the first place and B) customer support is non-existent. What do you think?

Wishing you good karma and all the best,
Tom


----------



## eddie5659 (Mar 19, 2001)

Glad to hear it's all okay now, and it's a coincidence, as I can finally give back this old desktop my mate wanted repairing at last 

Yep, it's best to just have the one antivirus program running, as they can conflict with each other. At the moment, I have Kaspersky, but it's a paid version.

AVG is a good program, and easy to use. Was ESET free? If so, I would have a go with AVG and see if you like it or not 

eddie


----------

