# BHO:WormRadar.com Infection



## tbird390 (Feb 3, 2007)

I have been having mozilla firefox and google chrome acting weird, redirection, opening multiple tabs and also all links and buttons go dead unless i minimize and the browser then restore it. 
I ran hijack this and found a wormradar file and a few others i feel are suspect.
i dont want to do anything untill i get expert advice 
Thank you in advance for your help Bob

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:16:57 PM, on 7/20/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Robert\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Robert\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Robert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Epson Stylus NX510(Network)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFIA.EXE /FU "C:\WINDOWS\TEMP\E_SA3.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1259347143904
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7143 bytes


----------



## tbird390 (Feb 3, 2007)

bump


----------



## dvk01 (Dec 14, 2002)

worm radar is part of AVG so legitimate

There is nothing obvious in teh log so

follow advice *here* and post the logs those programs make


----------



## tbird390 (Feb 3, 2007)

DDS (Ver_10-03-17.01) - NTFSx86 
Run by Robert at 18:45:29.09 on Fri 07/23/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.548 [GMT -4:00]

AV: Protector Plus Anti-virus Software *On-access scanning enabled* (Updated) {2BA05D34-0674-49A3-8DDA-DC7C8007484B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Protector Plus\PPAVMon.exe
C:\Protector Plus\PPServ.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\PROTEC~1\PPTbc.EXE
C:\PROTEC~1\PPInupdt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\devldr32.exe
C:\Protector Plus\POPSCAN.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Money\System\msmoney.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Documents and Settings\Robert\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\robert\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MoneyAgent] "c:\program files\microsoft money\system\Money Express.exe"
uRun: [Epson Stylus NX510(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatifia.exe /fu "c:\windows\temp\E_SA3.tmp" /EF "HKCU"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [Protector Plus Taskbar Control] c:\protec~1\PPTbc.EXE
mRun: [Protector Plus InstaUpdate] c:\protec~1\PPInupdt.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYATgBKADMAMgAtAEcAMwBMAEEAQQ"&"inst=NwA3AC0AMQA4ADQAOAA5ADc"&"prod=90"&"ver=9.0.839
StartupFolder: c:\docume~1\robert\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\docume~1\robert\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1259347143904
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robert\applic~1\mozilla\firefox\profiles\aorxy5k1.default\
FF - plugin: c:\documents and settings\robert\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox2\plugins\npnul32.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-27 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 ProtectorPlusAVMonitor;Protector Plus Anti-virus Monitor Service;c:\protector plus\PPAVMON.EXE [2010-7-22 105704]
R2 ProtectorPlusService;Protector Plus Service (UnRegistered);c:\protector plus\PPSERV.EXE [2010-7-22 94896]
R3 PPDrv;Protector Plus Driver (UnRegistered);c:\protector plus\PPDRV.SYS [2010-7-22 703920]
R3 PPEMSCAN;Protector Plus Email Scan Driver;c:\protector plus\PPEMSCAN.SYS [2010-7-22 19272]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
R4 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
S3 XIRLINK;Veo Mobile/Advanced Web Camera;c:\windows\system32\drivers\ucdnt.sys [2004-1-26 728083]

=============== Created Last 30 ================

2010-07-23 01:30:47	12536	------w-	c:\windows\system32\avgrsstx.dll.install_backup
2010-07-23 01:30:31	0	d-----w-	c:\windows\SxsCaPendDel
2010-07-23 01:24:22	45056	----a-w-	c:\windows\system32\_PPCXM_.DLL
2010-07-23 01:24:15	29360	----a-w-	c:\windows\_SETUPD_.EXE
2010-07-22 16:19:06	0	d-----w-	c:\windows\system32\wbem\Repository
2010-07-22 16:18:38	0	d-----w-	c:\program files\Yahoo!(2)
2010-07-22 00:05:38	0	d-----w-	c:\docume~1\robert\applic~1\Uniblue
2010-07-21 21:35:13	0	d-----w-	c:\docume~1\alluse~1\applic~1\PCPitstop
2010-07-21 21:34:24	0	d-----w-	c:\program files\PCPitstop
2010-07-21 20:26:33	0	d-----w-	C:\Protector Plus
2010-07-21 03:15:40	0	d-----w-	c:\program files\Trend Micro
2010-07-20 21:44:50	0	dc----w-	c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-06-25 14:58:46	5632	----a-w-	c:\windows\system32\ptpusb.dll
2010-06-25 14:58:46	15104	-c--a-w-	c:\windows\system32\dllcache\usbscan.sys
2010-06-25 14:58:46	15104	----a-w-	c:\windows\system32\drivers\usbscan.sys
2010-06-25 14:58:45	159232	----a-w-	c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2010-06-04 20:47:42	64288	----a-w-	c:\windows\system32\drivers\Lbd.sys

============= FINISH: 18:45:52.70 ===============


----------



## tbird390 (Feb 3, 2007)

I uninstalled AVG but it seems some files were not deleted


----------



## dvk01 (Dec 14, 2002)

Download MBR Check to your desktop


Right click *MBRcheck.exe* and select* Run as Administrator* (Vista) or Double click *MBRcheck.exe* to run it (XP)
It will show a Black screen with some data on it 
it will create a log called MBRcheck_time and date.txt on desktop 
Post that resultant log here please
Do NOT fix anything or run any suggested fix before we see the report


----------



## tbird390 (Feb 3, 2007)

MBRCheck, version 1.1.1

(c) 2010, AD



\\.\C: --> \\.\PhysicalDrive0



Size Device Name MBR Status

--------------------------------------------

465 GB \\.\PhysicalDrive0 Windows XP MBR code detected





Done! Press ENTER to exit...


----------



## dvk01 (Dec 14, 2002)

that looks clean so if you are still getting problems & diverts etc then

Delete any existing version of ComboFix you have sitting on your desktop
*Please read and follow all these instructions very carefully*​
Download ComboFix from *Here* or *Here*to your Desktop.

***Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer***
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


*Very Important!* *Temporarily disable* your *anti-virus* and *anti-malware* real-time protection and any *script blocking components of them or your firewall*_* before* _performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results" or stop combofix running at all_
Click on *THIS LINK * to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re enable the protection again after combofix has finished*
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running 
Double click on *combofix.exe* & follow the prompts.​If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this 
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt" * for further review

*****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze *****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read  HERE  why we disable autoruns

*Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version. *

Please tell us if it has cured the problems or if there are any outstanding issues


----------



## tbird390 (Feb 3, 2007)

ComboFix 10-07-23.02 - Robert 07/24/2010 7:05.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.585 [GMT -4:00]
Running from: c:\documents and settings\Robert\My Documents\Downloads\ComboFix.exe
AV: Protector Plus Anti-virus Software *On-access scanning disabled* (Updated) {2BA05D34-0674-49A3-8DDA-DC7C8007484B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PPDRV
-------\Service_PPDrv

((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-23 02:10 . 2010-07-23 02:10	--------	d-----w-	c:\documents and settings\Bobby 2\Application Data\Epson
2010-07-23 02:09 . 2010-07-23 02:09	70360	----a-w-	c:\documents and settings\Bobby 2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-23 01:30 . 2010-07-23 01:30	242896	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-07-23 01:30 . 2010-07-23 01:30	216200	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-07-23 01:30 . 2010-07-23 02:17	--------	d-----w-	c:\windows\SxsCaPendDel
2010-07-23 01:28 . 2010-07-23 01:28	813336	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-07-23 01:28 . 2010-07-23 01:28	624920	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-07-23 01:28 . 2010-07-23 01:28	1690464	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-07-23 01:28 . 2010-07-23 01:28	1038688	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-07-23 01:24 . 2010-07-23 01:24	45056	----a-w-	c:\windows\system32\_PPCXM_.DLL
2010-07-23 01:24 . 2010-07-23 01:24	29360	----a-w-	c:\windows\_SETUPD_.EXE
2010-07-23 01:18 . 2010-07-23 01:18	--------	d-----w-	c:\documents and settings\Bobby 2\Local Settings\Application Data\Mozilla
2010-07-23 01:18 . 2010-07-23 01:18	--------	d-sh--w-	c:\documents and settings\Bobby 2\IETldCache
2010-07-23 01:15 . 2010-07-23 01:15	--------	d-sh--w-	c:\documents and settings\Administrator\IETldCache
2010-07-22 16:19 . 2010-07-22 16:19	--------	d-----w-	c:\windows\system32\wbem\Repository
2010-07-22 16:18 . 2010-07-22 16:18	--------	d-----w-	c:\program files\Yahoo!(2)
2010-07-22 00:05 . 2010-07-22 00:05	--------	d-----w-	c:\documents and settings\Robert\Application Data\Uniblue
2010-07-21 21:35 . 2010-07-21 21:35	--------	d-----w-	c:\documents and settings\All Users\Application Data\PCPitstop
2010-07-21 21:34 . 2010-07-22 16:16	--------	d-----w-	c:\program files\PCPitstop
2010-07-21 20:26 . 2010-07-24 06:20	--------	d-----w-	C:\Protector Plus
2010-07-21 03:15 . 2010-07-21 03:15	--------	d-----w-	c:\program files\Trend Micro
2010-07-20 21:44 . 2010-07-22 16:18	--------	dc----w-	c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-06-25 14:58 . 2008-04-13 17:45	15104	-c--a-w-	c:\windows\system32\dllcache\usbscan.sys
2010-06-25 14:58 . 2008-04-13 17:45	15104	----a-w-	c:\windows\system32\drivers\usbscan.sys
2010-06-25 14:58 . 2001-08-18 02:36	5632	----a-w-	c:\windows\system32\ptpusb.dll
2010-06-25 14:58 . 2008-04-13 23:12	159232	----a-w-	c:\windows\system32\ptpusd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-23 03:57 . 2009-11-27 22:00	--------	d-----w-	c:\documents and settings\All Users\Application Data\avg9
2010-07-22 16:18 . 2009-11-27 20:46	--------	d-----w-	c:\documents and settings\Robert\Application Data\U3
2010-07-01 15:31 . 2009-11-27 22:04	117760	----a-w-	c:\documents and settings\Robert\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-05 21:25 . 2010-06-05 21:24	--------	d-----w-	c:\program files\Microsoft IntelliType Pro
2010-06-04 20:47 . 2009-11-27 21:40	64288	----a-w-	c:\windows\system32\drivers\Lbd.sys
2010-05-31 15:55 . 2010-05-31 15:55	--------	d-----w-	c:\documents and settings\Robert\Application Data\Southwest Airlines
2010-05-31 15:55 . 2010-05-31 15:55	8192	----a-r-	c:\documents and settings\Robert\Application Data\Microsoft\Installer\{84031A18-BA9A-4156-A74F-E05B52DDFCE2}\Icon84031A18.exe
2010-05-31 15:55 . 2010-05-31 15:55	--------	d-----w-	c:\program files\Southwest Airlines
2010-05-31 15:55 . 2009-11-27 22:03	--------	d-----w-	c:\program files\Common Files\Wise Installation Wizard
2010-05-27 16:59 . 2010-05-27 16:59	61440	----a-w-	c:\documents and settings\Robert\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2985d7a4-n\decora-sse.dll
2010-05-27 16:59 . 2010-05-27 16:59	503808	----a-w-	c:\documents and settings\Robert\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6686450b-n\msvcp71.dll
2010-05-27 16:59 . 2010-05-27 16:59	499712	----a-w-	c:\documents and settings\Robert\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6686450b-n\jmc.dll
2010-05-27 16:59 . 2010-05-27 16:59	12800	----a-w-	c:\documents and settings\Robert\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2985d7a4-n\decora-d3d.dll
2010-05-27 16:59 . 2010-05-27 16:59	348160	----a-w-	c:\documents and settings\Robert\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6686450b-n\msvcr71.dll
2010-04-30 16:50 . 2010-03-09 04:10	1	----a-w-	c:\documents and settings\Robert\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Robert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-27 135664]
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2000-07-19 176183]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-07-28 49152]
"NVIEW"="nview.dll" [2003-07-28 852038]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-08-08 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-08-08 311350]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-08 28739]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-01-12 669520]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"Protector Plus Taskbar Control"="c:\protec~1\PPTbc.EXE" [2010-07-23 1303216]
"Protector Plus InstaUpdate"="c:\protec~1\PPInupdt.exe" [2010-07-23 1172144]

c:\documents and settings\Robert\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-8-8 65588]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-8-8 24633]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21	548352	----a-w-	c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool09\\ENEasyApp.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/27/2009 5:40 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 9:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 9:43 AM 74480]
R2 ProtectorPlusAVMonitor;Protector Plus Anti-virus Monitor Service;c:\protector plus\PPAVMON.EXE [7/22/2010 9:24 PM 105704]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 9:43 AM 7408]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S2 ProtectorPlusService;Protector Plus Service (UnRegistered);c:\protector plus\PPSERV.EXE [7/22/2010 9:24 PM 94896]
S3 PPEMSCAN;Protector Plus Email Scan Driver;c:\protector plus\PPEMSCAN.SYS [7/22/2010 9:24 PM 19272]
S3 XIRLINK;Veo Mobile/Advanced Web Camera;c:\windows\system32\drivers\ucdnt.sys [1/26/2004 9:42 PM 728083]
.
Contents of the 'Scheduled Tasks' folder

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1123561945-725345543-1004Core.job
- c:\documents and settings\Robert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-27 20:50]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1123561945-725345543-1004UA.job
- c:\documents and settings\Robert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-27 20:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com
FF - ProfilePath - c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\aorxy5k1.default\
FF - plugin: c:\documents and settings\Robert\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-Messenger (Yahoo!) - c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-24 07:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(492)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3256)
c:\windows\system32\WININET.dll
c:\windows\system32\nView.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\devldr32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\windows\system32\rundll32.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\protector plus\POPSCAN.EXE
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2010-07-24 07:14:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-24 11:14

Pre-Run: 126,303,518,720 bytes free
Post-Run: 126,237,442,048 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - F7EC299626AF89C3AFC2A5EFCAB60AEB


----------



## tbird390 (Feb 3, 2007)

another symptom i noticed is that i can not move any desktop icons, when you try to move them they snap back to original position


----------



## dvk01 (Dec 14, 2002)

you need to fully uninstall AVG

use avg remover 32 bit version from http://www.avg.com/us-en/download-tools

to sort out the icons on desktop

right click desktop, select properties or "Arrange Icons By and uncheck auto-arrange & align to grid . that way they stay where you put them ( it might be under the view menu when you right click desktop)

are you still getting diverts ort other starnge behaviour


----------



## tbird390 (Feb 3, 2007)

I ran the AVG remover it only took afew seconds then the box dissapeared.
the webrowsers still acting funny. browser will freeze and can only be released by minimizing and restoring the browser window from the task bar.you cannot minimize it from the rt corner of the browser that will be frozen as will all the links and buttons on the page , after it is minimized and restored by the task bar everything is released and works.after you click on something on the page it will freeze again including the scroll on the side

auto arrange and allign to grid are not checked and you can not drag icons away from their position


----------



## tbird390 (Feb 3, 2007)

also on reboot when the log in screen appears i can move the mouse over the profile but it will not click and log in. I have to use the arrow keys to move between the profiles then use enter key to have it start log in. 
same type of freezeing issue


----------



## dvk01 (Dec 14, 2002)

that sounds like an antivirus or something checking pages

run combofix again & post its new log


----------



## dvk01 (Dec 14, 2002)

tbird390 said:


> also on reboot when the log in screen appears i can move the mouse over the profile but it will not click and log in. I have to use the arrow keys to move between the profiles then use enter key to have it start log in.
> same type of freezeing issue


try a different mouse as that sounds like a mouse problem

what mouse do you have. I have sen that on USB wireless mice before when wireless doesn't get turned on untill logged in

have yopu got as PS2 mouse you can use to try it


----------



## tbird390 (Feb 3, 2007)

should i remove superantispyware ?


----------



## dvk01 (Dec 14, 2002)

tbird390 said:


> should i remove superantispyware ?


that shouldn't casue any conflict, if it is teh free version which is scan only


----------



## tbird390 (Feb 3, 2007)

ComboFix 10-07-23.02 - Robert 07/24/2010 8:08.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.679 [GMT -4:00]
Running from: c:\documents and settings\Robert\My Documents\Downloads\ComboFix.exe
AV: Protector Plus Anti-virus Software *On-access scanning disabled* (Updated) {2BA05D34-0674-49A3-8DDA-DC7C8007484B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PPDRV
-------\Service_PPDrv

((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-23 02:10 . 2010-07-23 02:10	--------	d-----w-	c:\documents and settings\Bobby 2\Application Data\Epson
2010-07-23 02:09 . 2010-07-23 02:09	70360	----a-w-	c:\documents and settings\Bobby 2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-23 01:30 . 2010-07-23 01:30	242896	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-07-23 01:30 . 2010-07-23 01:30	216200	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-07-23 01:30 . 2010-07-23 02:17	--------	d-----w-	c:\windows\SxsCaPendDel
2010-07-23 01:28 . 2010-07-23 01:28	813336	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-07-23 01:28 . 2010-07-23 01:28	624920	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-07-23 01:28 . 2010-07-23 01:28	1690464	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-07-23 01:28 . 2010-07-23 01:28	1038688	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-07-23 01:24 . 2010-07-24 11:31	29360	----a-w-	c:\windows\_SETUPD_.EXE
2010-07-23 01:18 . 2010-07-23 01:18	--------	d-----w-	c:\documents and settings\Bobby 2\Local Settings\Application Data\Mozilla
2010-07-23 01:18 . 2010-07-23 01:18	--------	d-sh--w-	c:\documents and settings\Bobby 2\IETldCache
2010-07-23 01:15 . 2010-07-23 01:15	--------	d-sh--w-	c:\documents and settings\Administrator\IETldCache
2010-07-22 16:19 . 2010-07-22 16:19	--------	d-----w-	c:\windows\system32\wbem\Repository
2010-07-22 16:18 . 2010-07-22 16:18	--------	d-----w-	c:\program files\Yahoo!(2)
2010-07-22 00:05 . 2010-07-22 00:05	--------	d-----w-	c:\documents and settings\Robert\Application Data\Uniblue
2010-07-21 21:35 . 2010-07-21 21:35	--------	d-----w-	c:\documents and settings\All Users\Application Data\PCPitstop
2010-07-21 21:34 . 2010-07-22 16:16	--------	d-----w-	c:\program files\PCPitstop
2010-07-21 20:26 . 2010-07-24 11:35	--------	d-----w-	C:\Protector Plus
2010-07-21 03:15 . 2010-07-21 03:15	--------	d-----w-	c:\program files\Trend Micro
2010-07-20 21:44 . 2010-07-22 16:18	--------	dc----w-	c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-06-25 14:58 . 2008-04-13 17:45	15104	-c--a-w-	c:\windows\system32\dllcache\usbscan.sys
2010-06-25 14:58 . 2008-04-13 17:45	15104	----a-w-	c:\windows\system32\drivers\usbscan.sys
2010-06-25 14:58 . 2001-08-18 02:36	5632 ----a-w-	c:\windows\system32\ptpusb.dll
2010-06-25 14:58 . 2008-04-13 23:12 159232	----a-w-	c:\windows\system32\ptpusd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-24 11:21 . 2009-11-27 18:56	70360	----a-w-	c:\documents and settings\Robert\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-23 03:57 . 2009-11-27 22:00	--------	d-----w-	c:\documents and settings\All Users\Application Data\avg9
2010-07-22 16:18 . 2009-11-27 20:46	--------	d-----w-	c:\documents and settings\Robert\Application Data\U3
2010-07-01 15:31 . 2009-11-27 22:04	117760	----a-w-	c:\documents and settings\Robert\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-05 21:25 . 2010-06-05 21:24	--------	d-----w-	c:\program files\Microsoft IntelliType Pro
2010-06-04 20:47 . 2009-11-27 21:40	64288	----a-w-	c:\windows\system32\drivers\Lbd.sys
2010-05-31 15:55 . 2010-05-31 15:55	--------	d-----w-	c:\documents and settings\Robert\Application Data\Southwest Airlines
2010-05-31 15:55 . 2010-05-31 15:55	8192	----a-r-	c:\documents and settings\Robert\Application Data\Microsoft\Installer\{84031A18-BA9A-4156-A74F-E05B52DDFCE2}\Icon84031A18.exe
2010-05-31 15:55 . 2010-05-31 15:55	--------	d-----w-	c:\program files\Southwest Airlines
2010-05-31 15:55 . 2009-11-27 22:03	--------	d-----w-	c:\program files\Common Files\Wise Installation Wizard
2010-05-27 16:59 . 2010-05-27 16:59	61440	----a-w-	c:\documents and settings\Robert\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2985d7a4-n\decora-sse.dll
2010-05-27 16:59 . 2010-05-27 16:59	503808	----a-w-	c:\documents and settings\Robert\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6686450b-n\msvcp71.dll
2010-05-27 16:59 . 2010-05-27 16:59	499712	----a-w-	c:\documents and settings\Robert\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6686450b-n\jmc.dll
2010-05-27 16:59 . 2010-05-27 16:59	12800	----a-w-	c:\documents and settings\Robert\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2985d7a4-n\decora-d3d.dll
2010-05-27 16:59 . 2010-05-27 16:59	348160	----a-w-	c:\documents and settings\Robert\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6686450b-n\msvcr71.dll
2010-04-30 16:50 . 2010-03-09 04:10	1	----a-w-	c:\documents and settings\Robert\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
.

((((((((((((((((((((((((((((( [email protected]_11.11.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-24 12:15 . 2010-07-24 12:15	16384 c:\windows\Temp\Perflib_Perfdata_5b0.dat
+ 2001-08-18 12:00 . 2010-07-24 11:15	52764 c:\windows\system32\perfc009.dat
- 2001-08-18 12:00 . 2010-07-23 02:21	52764 c:\windows\system32\perfc009.dat
+ 2010-07-23 01:24 . 2010-07-24 11:31	29360 c:\windows\_SETUPD_.EXE
- 2010-07-23 01:24 . 2010-07-23 01:24	29360 c:\windows\_SETUPD_.EXE
+ 2001-08-18 12:00 . 2010-07-24 11:15	380350 c:\windows\system32\perfh009.dat
- 2001-08-18 12:00 . 2010-07-23 02:21	380350 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Robert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-27 135664]
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2000-07-19 176183]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-07-28 49152]
"NVIEW"="nview.dll" [2003-07-28 852038]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-08-08 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-08-08 311350]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-08 28739]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-01-12 669520]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"Protector Plus Taskbar Control"="c:\protec~1\PPTbc.EXE" [2010-07-24 1303216]
"Protector Plus InstaUpdate"="c:\protec~1\PPInupdt.exe" [2010-07-24 1172144]

c:\documents and settings\Robert\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-8-8 65588]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-8-8 24633]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21	548352	----a-w-	c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool09\\ENEasyApp.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/27/2009 5:40 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 9:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 9:43 AM 74480]
R2 ProtectorPlusAVMonitor;Protector Plus Anti-virus Monitor Service;c:\protector plus\PPAVMON.EXE [7/24/2010 7:31 AM 105704]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 9:43 AM 7408]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S2 ProtectorPlusService;Protector Plus Service (UnRegistered);c:\protector plus\PPSERV.EXE [7/24/2010 7:31 AM 94896]
S3 PPEMSCAN;Protector Plus Email Scan Driver;c:\protector plus\PPEMSCAN.SYS [7/24/2010 7:31 AM 19272]
S3 XIRLINK;Veo Mobile/Advanced Web Camera;c:\windows\system32\drivers\ucdnt.sys [1/26/2004 9:42 PM 728083]
.
Contents of the 'Scheduled Tasks' folder

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1123561945-725345543-1004Core.job
- c:\documents and settings\Robert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-27 20:50]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1123561945-725345543-1004UA.job
- c:\documents and settings\Robert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-27 20:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com
FF - ProfilePath - c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\aorxy5k1.default\
FF - plugin: c:\documents and settings\Robert\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-24 08:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(496)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2720)
c:\windows\system32\WININET.dll
c:\windows\system32\nView.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\system32\devldr32.exe
c:\protector plus\POPSCAN.EXE
.
**************************************************************************
.
Completion time: 2010-07-24 08:18:12 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-24 12:18
ComboFix2.txt 2010-07-24 11:14

Pre-Run: 126,218,051,584 bytes free
Post-Run: 126,217,474,048 bytes free

- - End Of File - - AFFAB7A9C6B2BBBCE05487577296F4FE


----------



## tbird390 (Feb 3, 2007)

it looks like avg still has files there after i ran the uninstall for 32bit


----------



## tbird390 (Feb 3, 2007)

when i go to my computer , program files there is still a folder that says avg, you click on that there is a sub folder that says avg9, you open the folder there is a icon that says avgxpl(2).dll and an icon that says versions


----------



## dvk01 (Dec 14, 2002)

just delete the avg folders, they don't contain any active files 

please run gmer again and get iots new log as I want to check soemthing now AVG appears to be fully gone


----------



## tbird390 (Feb 3, 2007)

here is the log from gmer


----------



## dvk01 (Dec 14, 2002)

I can't see any obvious casue for any problems

can you expolain again exactly what problems youa re havinmg & which browsers it happens in


----------



## tbird390 (Feb 3, 2007)

I was running microsoft 6000v2 wireless mouse and keyboard, I just went to the store and bought a new microsoft ps2 optical mouse and plugged in my old ps2 keyboard and all issues appear to be resolved
I guess the wireless mouse and keyboard went bad even though they were only 18 months old


----------



## dvk01 (Dec 14, 2002)

*Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
* Click *START* then * RUN*
* Now type *Combofix /Uninstall * in the runbox and click *OK*. Note the *space *between the *X* and the */U*, it needs to be there.









This will also purge the restore folder and clear any malware that has been put in there. Now Empty Recycle bin on desktop Then reboot.

go here* http://www.thespykiller.co.uk/index.php?page=3 *for info on how to tighten your security settings and how to help prevent future attacks.

and scan here* http://secunia.com/software_inspector/ * for out of date & vulnerable common applications on your computer and update whatever it suggests

Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug any security holes


----------

