
Solved: infection or Internet Explorer problem, can't type in search box

Discussion in 'Malware and Virus Removal Archive' started by mva5493, 2010/01/11.

  1. 2010/01/11
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    [Resolved] infection or Internet Explorer problem, can't type in search box

    The system I am using is a Dell Latitude C610 laptop, 1.0 GHz Pentium III processor, 128 MB RAM (not enough memory, I know), Windows XP Service Pack 3.
    This system was brought to me because about 2 months ago my friend was using the internet with no anti-virus and no firewall, and the computer started giving her problems. She said it got really slow and was giving her "virtual memory too low" errors. Also, when on the internet she could type in the bar no problem, but couldn't type in search boxes or any place that asked for user names, passwords, etc.

    I thought maybe it was a problem with IE, so I installed ZoneAlarm, AVG, and Firefox. I have not had any problems using Firefox. I also installed IE 8.0 and the problem with typing in boxes is no longer there, but the virtual memory error is still coming up (I thought this is because of the 128 MB of RAM but wanted to make sure). Here are the reports from DDS. Thanks in advance for any help and assistance you can give.

    mbam log
    Malwarebytes' Anti-Malware 1.44
    Database version: 3510
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    1/7/2010 8:26:46 PM
    mbam-log-2010-01-07 (20-26-31).txt

    Scan type: Quick Scan
    Objects scanned: 100308
    Time elapsed: 10 minute(s), 40 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 11
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 6
    Files Infected: 9

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\funwebproductsinstaller.start (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\funwebproductsinstaller.start.1 (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{1d4db7d1-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{1d4db7d3-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Typelib\{1d4db7d0-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4a7c84e2-e95c-43c6-8dd3-03abcd0eb60e} (Adware.SmartShopper) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bebf} (Adware.SmartShopper) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bec0} (Adware.SmartShopper) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\FunWebProducts\Installr (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\FunWebProducts\Installr\1.bin (Adware.MyWebSearch) -> No action taken.
    C:\Documents and Settings\All Users\Start Menu\Programs\AlphaAV (Rogue.AlphaAV) -> No action taken.
    C:\Program Files\AlphaAV (Rogue.AlphaAV) -> No action taken.
    C:\Program Files\Common Files\AlphaAVUninstall (Rogue.AlphaAntivirus) -> No action taken.

    Files Infected:
    C:\Documents and Settings\All Users\Start Menu\Programs\AlphaAV\Alpha Antivirus.lnk (Rogue.AlphaAV) -> No action taken.
    C:\Documents and Settings\All Users\Start Menu\Programs\AlphaAV\Computer Scan.lnk (Rogue.AlphaAV) -> No action taken.
    C:\Documents and Settings\All Users\Start Menu\Programs\AlphaAV\Help.lnk (Rogue.AlphaAV) -> No action taken.
    C:\Documents and Settings\All Users\Start Menu\Programs\AlphaAV\Registration.lnk (Rogue.AlphaAV) -> No action taken.
    C:\Documents and Settings\All Users\Start Menu\Programs\AlphaAV\Security Center.lnk (Rogue.AlphaAV) -> No action taken.
    C:\Documents and Settings\All Users\Start Menu\Programs\AlphaAV\Settings.lnk (Rogue.AlphaAV) -> No action taken.
    C:\Documents and Settings\All Users\Start Menu\Programs\AlphaAV\Update.lnk (Rogue.AlphaAV) -> No action taken.
    C:\Program Files\Common Files\AlphaAVUninstall\Uninstall.lnk (Rogue.AlphaAntivirus) -> No action taken.
    C:\Documents and Settings\customer\Application Data\Microsoft\Internet Explorer\Quick Launch\AlphaAV.lnk (Rogue.AlphaAntivirus) -> No action taken.



    dds logfile:
    DDS (Ver_09-12-01.01) - NTFSx86
    Run by customer at 12:08:32.88 on Mon 01/11/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.127.14 [GMT -5:00]

    AV: CyberDefender Internet Security *On-access scanning enabled* (Updated) {5F5D345D-ACD7-4209-8D1D-F5A1D9C587C6}
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: StopSign Firewall FREE TRIAL version *disabled* {06936B90-CB61-4dcb-AABD-C0E25320F6C3}
    FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Documents and Settings\customer\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.msn.com
    uSearch Page =
    uDefault_Page_URL = hxxp://www.msn.com
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=%s
    mSearchAssistant =
    uURLSearchHooks: H - No File
    uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
    mWinlogon: Userinit=c:\windows\system32\Userinit.exe
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
    TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
    TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [CyberDefender Early Detection Center] "c:\program files\cyberdefender\antispyware\cdas2.exe" /minimize
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe "
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    dRun: [Exetender] "c:\program files\free ride games\GPlayer.exe /runonstartup "
    IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
    IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
    IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\customer\start menu\programs\imvu\Run IMVU.lnk
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    LSA: Authentication Packages = msv1_0 nwprovau

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\customer\applic~1\mozilla\firefox\profiles\4a2nudb2.default\
    FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

    ============= SERVICES / DRIVERS ===============

    R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2010-1-7 110360]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-8 335240]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-8 27784]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-8 108552]
    R1 KLIF;Klif;c:\windows\system32\drivers\klif.sys [2010-1-7 119576]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-1-7 394984]
    S3 CDAVFS;CDAVFS;c:\windows\system32\drivers\CDAVFS.sys [2009-3-22 67424]
    S3 rt2870;Belkin 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys --> c:\windows\system32\drivers\rt2870.sys [?]

    =============== Created Last 30 ================

    2010-01-09 05:58:53 0 dc-h--w- c:\windows\ie8
    2010-01-09 01:41:55 0 d--h--w- C:\$AVG8.VAULT$
    2010-01-08 19:50:48 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-01-08 19:50:47 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-01-08 19:50:46 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-01-08 19:50:01 0 d-----w- c:\windows\system32\drivers\Avg
    2010-01-08 19:48:47 0 d-----w- c:\program files\AVG
    2010-01-08 19:48:46 0 d-----w- c:\docume~1\alluse~1\applic~1\avg8
    2010-01-08 05:18:16 1060864 ----a-w- c:\windows\system32\MFC71.dll
    2010-01-08 03:49:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
    2010-01-08 03:12:28 0 d-----w- c:\program files\Panda Security
    2010-01-08 01:05:41 0 d-----w- c:\docume~1\customer\applic~1\Malwarebytes
    2010-01-08 01:04:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-01-08 01:04:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-07 23:05:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Preventon
    2010-01-07 21:54:51 221184 ----a-r- c:\windows\system32\RaCoInst.dll
    2010-01-07 21:54:51 15312 ----a-r- c:\windows\system32\RaCoInst.dat
    2010-01-07 21:46:27 0 d-----w- c:\windows\{87148734-424B-4DD9-89B9-1413C2840D29}
    2010-01-07 20:28:04 0 d-----w- c:\program files\Defender
    2010-01-07 20:28:04 0 d-----w- c:\program files\common files\Kaspersky Lab
    2010-01-07 19:34:51 0 d-----w- c:\program files\common files\Wise Installation Wizard
    2010-01-07 19:27:45 10940 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-01-07 19:27:29 841760 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2010-01-07 19:22:07 4212 ---h--w- c:\windows\system32\zllictbl.dat
    2010-01-07 19:21:45 75248 ----a-w- c:\windows\zllsputility.exe
    2010-01-07 19:21:44 11264 ----a-w- c:\windows\system32\SpOrder.dll
    2010-01-07 19:21:34 75932 ----a-w- c:\windows\system32\drivers\klick.dat
    2010-01-07 19:21:34 74396 ----a-w- c:\windows\system32\drivers\klin.dat
    2010-01-07 19:20:04 0 d-----w- c:\program files\Zone Labs
    2010-01-07 19:17:59 0 d-----w- c:\windows\Internet Logs
    2009-12-13 06:50:06 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2009-12-13 06:16:44 221184 ----a-w- c:\windows\system32\wmpns.dll

    ==================== Find3M ====================

    2009-11-24 08:16:47 352768 ----a-w- c:\windows\system32\AdvancedIEupdate.dll
    2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-10-24 19:15:37 737280 ----a-w- c:\windows\iun6002.exe
    2009-03-28 06:44:37 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009032820090329\index.dat
    2009-04-03 00:58:45 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009040220090403\index.dat

    ============= FINISH: 12:09:58.09 ===============
     
  2. 2010/01/11
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    And the contents of the Attach.txt please.
     


  4. 2010/01/11
    mva5493

    Forgot to mention: someone else worked on this computer before it was brought to me. At that time several antivirus programs were installed, which I can see, but even though there are references to the others, AVG is the only one I see running. But I have noticed that the resident shield and email scanner are not active, and I can't set them that way. Not sure if it's an infection or a conflict with other software???
     
  5. 2010/01/11
    mva5493

    sorry will post in just a minute.
     
  6. 2010/01/11
    mva5493

    attach file:
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2/15/2009 11:58:13 PM
    System Uptime: 1/11/2010 11:14:22 AM (1 hours ago)

    Motherboard: Dell Computer Corporation | | Latitude C610
    Processor: Intel(R) Pentium(R) III Mobile CPU 1000MHz | Microprocessor | 532/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 19 GiB total, 12.548 GiB free.
    D: is CDROM (CDFS)

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Modem
    Device ID: PCI\VEN_8086&DEV_2486&SUBSYS_4C21134D&REV_02\3&61AAA01&0&FE
    Manufacturer:
    Name: PCI Modem
    PNP Device ID: PCI\VEN_8086&DEV_2486&SUBSYS_4C21134D&REV_02\3&61AAA01&0&FE
    Service:

    ==== System Restore Points ===================

    RP66: 10/13/2009 3:32:40 PM - Software Distribution Service 3.0
    RP67: 10/15/2009 10:55:27 PM - Software Distribution Service 3.0
    RP68: 10/19/2009 1:26:57 PM - Software Distribution Service 3.0
    RP69: 10/21/2009 12:46:00 AM - System Checkpoint
    RP70: 10/21/2009 3:02:32 AM - Software Distribution Service 3.0
    RP71: 10/24/2009 6:06:34 PM - System Checkpoint
    RP72: 10/26/2009 9:46:07 PM - System Checkpoint
    RP73: 10/29/2009 1:35:38 PM - Installed Adobe Reader 9.2.
    RP74: 10/30/2009 1:46:44 AM - Removed Acrobat.com
    RP75: 10/30/2009 1:31:38 PM - Software Distribution Service 3.0
    RP76: 11/2/2009 12:54:44 AM - System Checkpoint
    RP77: 11/3/2009 2:47:41 PM - Software Distribution Service 3.0
    RP78: 11/3/2009 9:42:34 PM - Installed VIRUSfighter
    RP79: 11/3/2009 10:11:11 PM - Installed SPYWAREfighter
    RP80: 11/5/2009 2:15:28 AM - Software Distribution Service 3.0
    RP81: 11/12/2009 10:41:47 PM - Removed Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    RP82: 11/12/2009 10:46:34 PM - Removed Microsoft Visual C++ 2005 Redistributable
    RP83: 11/12/2009 10:50:05 PM - Removed Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    RP84: 11/12/2009 10:50:46 PM - Removed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    RP85: 11/14/2009 12:31:48 PM - Software Distribution Service 3.0
    RP86: 11/24/2009 2:10:29 AM - Software Distribution Service 3.0
    RP87: 11/24/2009 2:23:39 AM - Software Distribution Service 3.0
    RP88: 11/24/2009 9:11:43 PM - November 20,2009
    RP89: 11/24/2009 10:38:19 PM - Restore Operation
    RP90: 12/13/2009 1:12:07 AM - Installed Windows Media Player 11
    RP91: 12/13/2009 1:12:58 AM - Installed Windows XP Wudf01000.
    RP92: 12/13/2009 1:17:39 AM - Installed Windows XP MSCompPackV1.
    RP93: 12/13/2009 1:25:18 AM - Installed Windows Media Player 11
    RP94: 12/13/2009 1:29:27 AM - Installed Windows XP MSCompPackV1.
    RP95: 12/13/2009 1:50:34 AM - Software Distribution Service 3.0
    RP96: 12/13/2009 2:07:05 AM - Software Distribution Service 3.0
    RP97: 1/7/2010 3:27:34 PM - Installed Defender Pro Anti-Virus
    RP98: 1/7/2010 4:50:40 PM - Installed Belkin F6D4050 Enhanced Wireless USB Adapter
    RP99: 1/7/2010 5:52:25 PM - Configured Belkin F6D4050 Enhanced Wireless USB Adapter
    RP100: 1/7/2010 5:55:24 PM - Configured Defender Pro Anti-Virus
    RP101: 1/8/2010 12:43:40 PM - Installed AVG 7.5
    RP102: 1/8/2010 2:47:24 PM - Installed AVG Free 8.5
    RP103: 1/8/2010 11:20:37 PM - Software Distribution Service 3.0
    RP104: 1/9/2010 12:56:39 AM - Installed MSN Toolbar
    RP105: 1/9/2010 1:02:55 AM - Installed Windows Internet Explorer 8.
    RP106: 1/9/2010 1:11:36 AM - Software Distribution Service 3.0
    RP107: 1/9/2010 2:03:19 AM - Avg8 Update
    RP108: 1/9/2010 2:11:21 AM - Avg8 Update
    RP109: 1/9/2010 1:27:43 PM - Restore Operation
    RP110: 1/9/2010 4:58:16 PM - Software Distribution Service 3.0

    ==== Installed Programs ======================
     
  7. 2010/01/11
    PeteC

    Thanks :)

    One of our trained malware analysts will take a look at your logs ASAP, but it may be a day or so before you get a response as they are always very busy. All logs are dealt with in the order received.

    Thank you for your patience.
     
  8. 2010/01/11
    mva5493

    No problem, not my first time here, I know how it works. :)
     
  9. 2010/01/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Well, let's state up front: with 128 MB of RAM you'll keep getting issues, and there is no way around that but getting more RAM.

    That said, you should avoid installing/running any resource-heavy programs.
    AVG would be one of them.
    I suggest you uninstall AVG using AVG Remover: http://www.avg.com/us-en/download-tools and go with one of these:
    - Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
    - Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html

    ZoneAlarm would be another heavy program. I suggest you uninstall it and simply turn the Windows firewall on.

    Next, check if StopSign Firewall and CyberDefender Internet Security are listed in Add\Remove. If so, uninstall them. If not, let me know.

    Lastly, there is some infection there, but we'll get to that in a moment.
    I'd also point out to you that the Malwarebytes log says "No action taken" after each line, which means you posted a log from before the fixes, or you didn't apply the fixes.

    Please sort all of the above out and, when you're done, post fresh DDS logs.
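The two checks broni describes above, whether an MBAM log still says "No action taken" on every line and whether the DDS header lists scanners that are disabled, outdated or overlapping, are easy to automate when you triage logs from more than one machine. The script below is an added example; it is not code from this forum, from WindowsBBS, or from the Malwarebytes or DDS authors. The line patterns are inferred from the log formats posted in this thread, the sample text is copied from those logs, and the function names and finding labels are this example's own. It also walks the Pseudo HJT section for the search-redirect and orphaned "No File" entries visible in both DDS runs.

```python
"""Triage helpers for the Malwarebytes (MBAM) and DDS log formats seen in this thread.

Added example; not code from the forum, WindowsBBS, or the DDS/MBAM authors.
The sample text at the bottom is copied from the logs posted above so the checks
run offline; the function and field names are this example's own.
"""
import re
from collections import Counter

# MBAM detection line: "<registry key | folder | file> (<Family>) -> <action>."
MBAM_LINE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>[^.]+)\.?\s*$")

# DDS header line: "AV: <name> *<status>* (<freshness>) {<GUID>}"; FW lines carry no freshness.
DDS_PRODUCT = re.compile(
    r"^(?P<kind>AV|FW): (?P<name>.+?) \*(?P<status>[^*]+)\*"
    r"(?: \((?P<fresh>[^)]+)\))? \{(?P<guid>[0-9A-Fa-f-]+)\}$"
)


def parse_mbam(text):
    """Return one dict (item, family, action) per detection line in an MBAM log."""
    return [m.groupdict() for m in (MBAM_LINE.match(ln.strip()) for ln in text.splitlines()) if m]


def mbam_summary(detections):
    """Count families, items still 'No action taken', and rogue-AV families."""
    pending = [d for d in detections if d["action"].lower().startswith("no action")]
    rogue = sorted({d["family"] for d in detections if d["family"].startswith("Rogue.")})
    return {
        "families": Counter(d["family"] for d in detections),
        "pending": len(pending),  # >0: fixes never applied, or the log predates them
        "rogue": rogue,
    }


def parse_dds_products(text):
    """Return the AV:/FW: product registrations from a DDS log header."""
    return [m.groupdict() for m in (DDS_PRODUCT.match(ln.strip()) for ln in text.splitlines()) if m]


def dds_product_findings(products):
    """Flag overlapping on-access scanners and stale or disabled registrations."""
    findings = []
    enabled_av = [p["name"] for p in products
                  if p["kind"] == "AV" and p["status"].split()[-1] == "enabled"]
    if len(enabled_av) > 1:
        findings.append("multiple on-access AV enabled: " + ", ".join(enabled_av))
    for p in products:
        inactive = p["status"].split()[-1] != "enabled"
        stale = p["fresh"] == "Outdated"
        if inactive or stale:
            findings.append(f"{p['kind']} registered but inactive/outdated: {p['name']}")
    return findings


def dds_hjt_findings(text):
    """Flag search hijack indicators and orphaned entries in the Pseudo HJT section."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("- No File") and line.split(":", 1)[0] in ("BHO", "TB", "uURLSearchHooks"):
            findings.append("orphaned entry: " + line)
        elif line.startswith("uURLSearchHooks:") and line.lower().endswith(".dll"):
            findings.append("active URL search hook: " + line)
        elif line.startswith(("uSearchURL", "uSearch Page", "mSearchAssistant")) and "=" in line:
            value = line.split("=", 1)[1].strip()
            if value:  # a non-default search URL is a redirect worth looking at
                findings.append("search redirect: " + line)
    return findings


def triage(mbam_text, dds_text):
    """Run all checks over raw log text and return one dict of results."""
    return {
        "mbam": mbam_summary(parse_mbam(mbam_text)),
        "products": dds_product_findings(parse_dds_products(dds_text)),
        "hjt": dds_hjt_findings(dds_text),
    }


# Sample input: lines copied from the MBAM and DDS logs posted in this thread,
# with one action edited to 'Quarantined' to show the contrast.
SAMPLE_MBAM = r"""Registry Keys Infected:
HKEY_CLASSES_ROOT\funwebproductsinstaller.start (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\AlphaAV (Rogue.AlphaAV) -> No action taken.
Files Infected:
C:\Program Files\Common Files\AlphaAVUninstall\Uninstall.lnk (Rogue.AlphaAntivirus) -> No action taken.
"""

SAMPLE_DDS = r"""AV: CyberDefender Internet Security *On-access scanning enabled* (Updated) {5F5D345D-ACD7-4209-8D1D-F5A1D9C587C6}
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: StopSign Firewall FREE TRIAL version *disabled* {06936B90-CB61-4dcb-AABD-C0E25320F6C3}

============== Pseudo HJT Report ===============

uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=%s
mSearchAssistant =
uURLSearchHooks: H - No File
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
"""

if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(SAMPLE_MBAM, SAMPLE_DDS))
```

Run it directly to print the triage of the sample; `triage()` takes the raw text of an MBAM log and a DDS.txt. The AV:/FW: lines are DDS's rendering of the products registered with Windows Security Center (WMI `root\SecurityCenter` on XP), which is why CyberDefender and StopSign can still show up after they are gone from Add/Remove: the registration outlived the uninstall. Cleaning that up is a separate step from removing the infection, and a scanner that is registered but disabled or outdated protects nothing.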
     
  10. 2010/01/11
    mva5493

    I have uninstalled AVG and ZoneAlarm, and installed Avira and turned on Windows Firewall. I also ran MBAM again and this time have no infections. There is nothing on CyberDefender or StopSign in the Add/Remove Programs list.


    Here are the dds logfiles:
    DDS (Ver_09-12-01.01) - NTFSx86
    Run by customer at 21:39:38.25 on Mon 01/11/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.127.45 [GMT -5:00]

    AV: CyberDefender Internet Security *On-access scanning enabled* (Updated) {5F5D345D-ACD7-4209-8D1D-F5A1D9C587C6}
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: StopSign Firewall FREE TRIAL version *disabled* {06936B90-CB61-4dcb-AABD-C0E25320F6C3}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\customer\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.msn.com
    uSearch Page =
    uDefault_Page_URL = hxxp://www.msn.com
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=%s
    mSearchAssistant =
    uURLSearchHooks: H - No File
    uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
    mWinlogon: Userinit=c:\windows\system32\Userinit.exe
    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
    BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
    TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
    TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [CyberDefender Early Detection Center] "c:\program files\cyberdefender\antispyware\cdas2.exe" /minimize
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    dRun: [Exetender] "c:\program files\free ride games\GPlayer.exe /runonstartup "
    IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
    IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
    IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\customer\start menu\programs\imvu\Run IMVU.lnk
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    LSA: Authentication Packages = msv1_0 nwprovau

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\customer\applic~1\mozilla\firefox\profiles\4a2nudb2.default\

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-11 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-11 108289]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-11 185089]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-11 55656]
    S3 CDAVFS;CDAVFS;c:\windows\system32\drivers\CDAVFS.sys [2009-3-22 67424]
    S3 rt2870;Belkin 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys --> c:\windows\system32\drivers\rt2870.sys [?]

    =============== Created Last 30 ================

    2010-01-12 01:07:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-12 01:07:38 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-12 00:44:49 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-01-12 00:44:08 0 d-----w- c:\program files\Avira
    2010-01-12 00:44:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2010-01-09 05:58:53 0 dc-h--w- c:\windows\ie8
    2010-01-09 01:41:55 0 d--h--w- C:\$AVG8.VAULT$
    2010-01-08 05:18:16 1060864 ----a-w- c:\windows\system32\MFC71.dll
    2010-01-08 03:49:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
    2010-01-08 03:12:28 0 d-----w- c:\program files\Panda Security
    2010-01-08 01:05:41 0 d-----w- c:\docume~1\customer\applic~1\Malwarebytes
    2010-01-08 01:04:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-01-08 01:04:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-07 23:05:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Preventon
    2010-01-07 21:54:51 221184 ----a-r- c:\windows\system32\RaCoInst.dll
    2010-01-07 21:54:51 15312 ----a-r- c:\windows\system32\RaCoInst.dat
    2010-01-07 21:46:27 0 d-----w- c:\windows\{87148734-424B-4DD9-89B9-1413C2840D29}
    2010-01-07 20:28:04 0 d-----w- c:\program files\common files\Kaspersky Lab
    2010-01-07 19:34:51 0 d-----w- c:\program files\common files\Wise Installation Wizard
    2010-01-07 19:22:07 4212 ---h--w- c:\windows\system32\zllictbl.dat
    2010-01-07 19:21:44 11264 ----a-w- c:\windows\system32\SpOrder.dll
    2010-01-07 19:17:59 0 d-----w- c:\windows\Internet Logs
    2009-12-13 06:50:06 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2009-12-13 06:16:44 221184 ----a-w- c:\windows\system32\wmpns.dll

    ==================== Find3M ====================

    2009-11-24 08:16:47 352768 ----a-w- c:\windows\system32\AdvancedIEupdate.dll
    2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-10-24 19:15:37 737280 ----a-w- c:\windows\iun6002.exe
    2009-03-28 06:44:37 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009032820090329\index.dat
    2009-04-03 00:58:45 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009040220090403\index.dat

    ============= FINISH: 21:40:47.13 ===============

    also the attach file:
    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2/15/2009 11:58:13 PM
    System Uptime: 1/11/2010 9:00:23 PM (0 hours ago)

    Motherboard: Dell Computer Corporation | | Latitude C610
    Processor: Intel(R) Pentium(R) III Mobile CPU 1000MHz | Microprocessor | 727/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 19 GiB total, 12.763 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Modem
    Device ID: PCI\VEN_8086&DEV_2486&SUBSYS_4C21134D&REV_02\3&61AAA01&0&FE
    Manufacturer:
    Name: PCI Modem
    PNP Device ID: PCI\VEN_8086&DEV_2486&SUBSYS_4C21134D&REV_02\3&61AAA01&0&FE
    Service:

    ==== System Restore Points ===================

    RP66: 10/13/2009 3:32:40 PM - Software Distribution Service 3.0
    RP67: 10/15/2009 10:55:27 PM - Software Distribution Service 3.0
    RP68: 10/19/2009 1:26:57 PM - Software Distribution Service 3.0
    RP69: 10/21/2009 12:46:00 AM - System Checkpoint
    RP70: 10/21/2009 3:02:32 AM - Software Distribution Service 3.0
    RP71: 10/24/2009 6:06:34 PM - System Checkpoint
    RP72: 10/26/2009 9:46:07 PM - System Checkpoint
    RP73: 10/29/2009 1:35:38 PM - Installed Adobe Reader 9.2.
    RP74: 10/30/2009 1:46:44 AM - Removed Acrobat.com
    RP75: 10/30/2009 1:31:38 PM - Software Distribution Service 3.0
    RP76: 11/2/2009 12:54:44 AM - System Checkpoint
    RP77: 11/3/2009 2:47:41 PM - Software Distribution Service 3.0
    RP78: 11/3/2009 9:42:34 PM - Installed VIRUSfighter
    RP79: 11/3/2009 10:11:11 PM - Installed SPYWAREfighter
    RP80: 11/5/2009 2:15:28 AM - Software Distribution Service 3.0
    RP81: 11/12/2009 10:41:47 PM - Removed Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    RP82: 11/12/2009 10:46:34 PM - Removed Microsoft Visual C++ 2005 Redistributable
    RP83: 11/12/2009 10:50:05 PM - Removed Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    RP84: 11/12/2009 10:50:46 PM - Removed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    RP85: 11/14/2009 12:31:48 PM - Software Distribution Service 3.0
    RP86: 11/24/2009 2:10:29 AM - Software Distribution Service 3.0
    RP87: 11/24/2009 2:23:39 AM - Software Distribution Service 3.0
    RP88: 11/24/2009 9:11:43 PM - November 20,2009
    RP89: 11/24/2009 10:38:19 PM - Restore Operation
    RP90: 12/13/2009 1:12:07 AM - Installed Windows Media Player 11
    RP91: 12/13/2009 1:12:58 AM - Installed Windows XP Wudf01000.
    RP92: 12/13/2009 1:17:39 AM - Installed Windows XP MSCompPackV1.
    RP93: 12/13/2009 1:25:18 AM - Installed Windows Media Player 11
    RP94: 12/13/2009 1:29:27 AM - Installed Windows XP MSCompPackV1.
    RP95: 12/13/2009 1:50:34 AM - Software Distribution Service 3.0
    RP96: 12/13/2009 2:07:05 AM - Software Distribution Service 3.0
    RP97: 1/7/2010 3:27:34 PM - Installed Defender Pro Anti-Virus
    RP98: 1/7/2010 4:50:40 PM - Installed Belkin F6D4050 Enhanced Wireless USB Adapter
    RP99: 1/7/2010 5:52:25 PM - Configured Belkin F6D4050 Enhanced Wireless USB Adapter
    RP100: 1/7/2010 5:55:24 PM - Configured Defender Pro Anti-Virus
    RP101: 1/8/2010 12:43:40 PM - Installed AVG 7.5
    RP102: 1/8/2010 2:47:24 PM - Installed AVG Free 8.5
    RP103: 1/8/2010 11:20:37 PM - Software Distribution Service 3.0
    RP104: 1/9/2010 12:56:39 AM - Installed MSN Toolbar
    RP105: 1/9/2010 1:02:55 AM - Installed Windows Internet Explorer 8.
    RP106: 1/9/2010 1:11:36 AM - Software Distribution Service 3.0
    RP107: 1/9/2010 2:03:19 AM - Avg8 Update
    RP108: 1/9/2010 2:11:21 AM - Avg8 Update
    RP109: 1/9/2010 1:27:43 PM - Restore Operation
    RP110: 1/9/2010 4:58:16 PM - Software Distribution Service 3.0
    RP111: 1/11/2010 3:05:22 PM - System Checkpoint
    RP112: 1/11/2010 7:40:52 PM - Avira AntiVir Personal - 1/11/2010 19:40

    ==== Installed Programs ======================


    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Avira AntiVir Personal - Free Antivirus
    Critical Update for Windows Media Player 11 (KB959772)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB976098-v2)
    Java(TM) 6 Update 14
    Malwarebytes' Anti-Malware
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Windows OneCare Live AntiSpyware and AntiVirus
    Mozilla Firefox (2.0.0.1)
    MSN Toolbar
    PX Engine
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Update for Windows Internet Explorer 8 (KB969497)
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB973687)
    VC 9.0 Runtime
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3

    ==== Event Viewer Messages From Past Week ========

    1/9/2010 4:16:24 PM, error: Service Control Manager [7031] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    1/9/2010 2:16:37 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AVG Free8 E-mail Scanner service to connect.
    1/9/2010 2:16:37 AM, error: Service Control Manager [7000] - The AVG Free8 E-mail Scanner service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/9/2010 2:14:37 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avg8wd service.
    1/8/2010 5:06:18 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86
    1/8/2010 2:10:35 PM, error: Service Control Manager [7034] - The AVG E-mail Scanner service terminated unexpectedly. It has done this 2 time(s).
    1/8/2010 12:59:09 PM, error: Service Control Manager [7034] - The AVG E-mail Scanner service terminated unexpectedly. It has done this 1 time(s).
    1/8/2010 10:58:30 AM, error: Service Control Manager [7034] - The avast! Web Scanner service terminated unexpectedly. It has done this 1 time(s).
    1/8/2010 10:52:47 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
    1/8/2010 10:52:47 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/8/2010 10:51:24 AM, error: Service Control Manager [7023] - The avast! Mail Scanner service terminated with the following error: Cannot create a file when that file already exists.
    1/8/2010 10:50:25 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the avast! Mail Scanner service to connect.
    1/8/2010 10:50:25 AM, error: Service Control Manager [7000] - The avast! Mail Scanner service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/8/2010 1:05:20 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00022D5C2AE6. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    1/7/2010 9:26:26 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    1/7/2010 5:59:46 PM, error: Service Control Manager [7003] - The StopSign Firewall Security Center Provider service depends on the following nonexistent service: eac_productsvc
    1/7/2010 5:59:45 PM, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: The system cannot find the path specified.
    1/7/2010 5:40:18 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the service.
    1/7/2010 5:40:11 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the vsmon service.
    1/7/2010 3:56:10 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    1/7/2010 2:44:58 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00022D5C2AE6. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    1/7/2010 2:26:50 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/7/2010 1:53:21 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips P3
    1/11/2010 9:06:03 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/11/2010 9:06:02 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.

    ==== End Of File ===========================
     
  11. 2010/01/11
    broni Moderator Malware Analyst
    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE. If Combofix asks you to install Recovery Console, please allow it.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackTHis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
     
  12. 2010/01/11
    mva5493 Well-Known Member Thread Starter
    I am having trouble disabling cyberdefender. I don't see an icon for it in the system tray, or the programs list but windows security center says it is active. Any idea where to go to disable it?
     
  13. 2010/01/11
    broni Moderator Malware Analyst
    Leave it alone and run Combofix anyway.
     
  14. 2010/01/11
    mva5493 Well-Known Member Thread Starter
    OK, it is running now.
     
  15. 2010/01/11
    broni Moderator Malware Analyst
    Ok....
     
  16. 2010/01/11
    mva5493 Well-Known Member Thread Starter
    combofix.txt:
    ComboFix 10-01-11.03 - customer 01/12/2010 0:06.1.1 - x86
    Running from: c:\documents and settings\customer\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: CyberDefender Internet Security *On-access scanning enabled* (Updated) {5F5D345D-ACD7-4209-8D1D-F5A1D9C587C6}
    FW: StopSign Firewall FREE TRIAL version *disabled* {06936B90-CB61-4dcb-AABD-C0E25320F6C3}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\AskSearch\bin\DeFAultsearch.dll
    c:\windows\EventSystem.log
    c:\windows\system32\AdvancedIEupdate.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-12-12 to 2010-01-12 )))))))))))))))))))))))))))))))
    .

    2010-01-12 01:07 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-12 01:07 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-12 00:44 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-01-12 00:44 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-01-12 00:44 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-01-12 00:44 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-01-12 00:44 . 2010-01-12 00:44 -------- d-----w- c:\program files\Avira
    2010-01-12 00:44 . 2010-01-12 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-01-09 05:58 . 2010-01-09 18:22 -------- dc-h--w- c:\windows\ie8
    2010-01-09 05:54 . 2010-01-09 22:33 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-01-09 01:41 . 2010-01-09 01:42 -------- d-----w- C:\$AVG8.VAULT$
    2010-01-08 05:18 . 2003-03-18 21:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
    2010-01-08 05:17 . 2010-01-08 05:17 -------- d-----w- c:\program files\Alwil Software
    2010-01-08 03:49 . 2010-01-08 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2010-01-08 03:12 . 2010-01-08 03:12 -------- d-----w- c:\program files\Panda Security
    2010-01-08 01:05 . 2010-01-08 01:05 -------- d-----w- c:\documents and settings\customer\Application Data\Malwarebytes
    2010-01-08 01:04 . 2010-01-08 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-01-08 01:04 . 2010-01-12 01:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-07 23:05 . 2010-01-07 23:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Preventon
    2010-01-07 21:54 . 2008-10-29 06:28 221184 ----a-r- c:\windows\system32\RaCoInst.dll
    2010-01-07 21:54 . 2008-10-29 06:28 15312 ----a-r- c:\windows\system32\RaCoInst.dat
    2010-01-07 21:46 . 2010-01-07 21:46 -------- d-----w- c:\windows\{87148734-424B-4DD9-89B9-1413C2840D29}
    2010-01-07 20:28 . 2010-01-07 22:55 -------- d-----w- c:\program files\Common Files\Kaspersky Lab
    2010-01-07 19:34 . 2010-01-07 19:34 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-01-07 19:22 . 2010-01-07 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\MailFrontier
    2010-01-07 19:22 . 2010-01-07 19:26 4212 ---h--w- c:\windows\system32\zllictbl.dat
    2010-01-07 19:21 . 2004-04-27 09:40 11264 ----a-w- c:\windows\system32\SpOrder.dll
    2010-01-07 19:17 . 2010-01-12 00:36 -------- d-----w- c:\windows\Internet Logs
    2009-12-13 06:50 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2009-12-13 06:16 . 2004-08-04 10:00 221184 ----a-w- c:\windows\system32\wmpns.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-09 18:10 . 2009-02-20 23:09 16992 -c--a-w- c:\documents and settings\customer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-01-07 22:54 . 2009-02-20 21:28 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-01-07 20:26 . 2009-02-20 21:27 -------- d-----w- c:\program files\Common Files\InstallShield
    2009-12-13 06:16 . 2009-03-16 03:14 -------- d-----w- c:\program files\Windows Media Connect 2
    2009-12-13 05:51 . 2009-11-13 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2009-12-03 17:22 . 2009-11-13 04:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
    2009-11-28 02:48 . 2009-11-26 01:11 -------- d-----w- c:\documents and settings\customer\Application Data\Canon
    2009-11-27 06:02 . 2009-11-26 00:59 -------- d-----w- c:\program files\Canon
    2009-11-26 00:17 . 2009-10-13 02:58 -------- d-----w- c:\program files\ATT-HSI
    2009-11-26 00:17 . 2009-10-13 02:57 -------- d-----w- c:\program files\Common Files\Motive
    2009-11-25 04:14 . 2009-11-04 02:11 -------- d-----w- c:\program files\Fighters
    2009-11-25 03:34 . 2009-11-04 02:11 -------- d-----w- c:\program files\Common Files\Common Toolkit Suite
    2009-11-21 15:51 . 2004-08-04 10:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-11-13 06:17 . 2009-11-13 06:16 -------- d-----w- c:\documents and settings\customer\Application Data\Tific
    2009-10-29 17:10 . 2009-10-29 17:10 86016 -c--a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2009-10-29 15:37 . 2009-11-04 02:12 2928772 -c--a-w- c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\SPYWAREfighter.exe
    2009-10-29 15:37 . 2009-11-04 02:10 463496 -c--a-w- c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\Toolkit\D47A49F0\FC42324E\FighterSuiteClient.dll
    2009-10-29 15:37 . 2009-11-04 02:10 676488 -c--a-w- c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\Toolkit\949F7B9F\FC42324E\FighterSuiteService.exe
    2009-10-29 15:37 . 2009-11-04 02:10 225928 -c--a-w- c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\Toolkit\D0F8318E\FC42324E\FighterLauncher.exe
    2009-10-29 15:37 . 2009-11-04 02:10 750216 -c--a-w- c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\SPYWAREfighter\42D6B627\9971DC59\swpro.dll
    2009-10-29 15:37 . 2009-11-04 02:10 2330248 -c--a-w- c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\SPYWAREfighter\A918483A\9971DC59\sfhtml.dll
    2009-10-29 15:37 . 2009-11-04 02:10 520840 -c--a-w- c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\SPYWAREfighter\D7638211\9971DC59\swproTray.exe
    2009-10-29 07:45 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-10-24 19:15 . 2009-10-24 19:17 737280 ----a-w- c:\windows\iun6002.exe
    2009-10-20 16:54 . 2009-10-20 16:54 59976 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2010 9.0.0.736\English\setup.exe
    2006-12-13 03:12 . 2010-01-07 18:35 66648 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
    2006-12-13 03:12 . 2010-01-07 18:35 54352 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
    2006-12-13 03:12 . 2010-01-07 18:35 34928 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
    2006-12-13 03:12 . 2010-01-07 18:35 46696 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
    2006-12-13 03:12 . 2010-01-07 18:35 172120 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R2 ssfwmonsvc;StopSign Firewall Security Center Provider;c:\progra~1\EACCEL~1\FRAMEW~1\eac_svc.exe [x]
    R3 CDAVFS;CDAVFS;c:\windows\system32\DRIVERS\CDAVFS.sys [2009-03-22 67424]
    R3 rt2870;Belkin 802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys [x]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]

    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.msn.com
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=%s
    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\customer\Start Menu\Programs\IMVU\Run IMVU.lnk
    FF - ProfilePath - c:\documents and settings\customer\Application Data\Mozilla\Firefox\Profiles\4a2nudb2.default\
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    .
    - - - - ORPHANS REMOVED - - - -

    URLSearchHooks-{E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - (no file)
    WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
    WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    HKCU-Run-CyberDefender Early Detection Center - c:\program files\CyberDefender\AntiSpyware\cdas2.exe
    HKU-Default-Run-Exetender - c:\program files\Free Ride Games\GPlayer.exe
    Notify-avgrsstarter - avgrsstx.dll
    SafeBoot-OneCareMP
    AddRemove-{AA63780B-DDB7-417b-8A13-E5AFBE08E807} - c:\program files\CyberDefender\cdinstx.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-12 00:15
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-01-12 00:21:43
    ComboFix-quarantined-files.txt 2010-01-12 05:21

    Pre-Run: 13,613,666,304 bytes free
    Post-Run: 13,651,480,576 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 3D45CBC01DBC48C6BD94CE678028DEC2
     
  17. 2010/01/11
    mva5493 Well-Known Member Thread Starter
    HJT logfile:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:35:17 AM, on 1/12/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=%s
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (file missing)
    O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
    O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\customer\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
    O23 - Service: StopSign Firewall Security Center Provider (ssfwmonsvc) - Unknown owner - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe (file missing)

    --
    End of file - 4006 bytes
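    As an added illustration of how an analyst reads a log like the one above (this is example code, not part of the thread and not a HijackThis or WindowsBBS tool), the Python script below triages a subset of lines copied from the HJT log above. The four rules it applies, the KNOWN_DEFAULT_HOSTS set and the regular expressions are assumptions of the example, not something HijackThis itself defines:

```python
import re
from urllib.parse import urlparse

# Sample lines copied from the HijackThis log posted above (a subset, for illustration).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\customer\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: StopSign Firewall Security Center Provider (ssfwmonsvc) - Unknown owner - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe (file missing)
"""

# Assumption of this example: hosts that IE's stock start/search pages point at.
# Any other host in an R0/R1 line means the setting was changed by something.
KNOWN_DEFAULT_HOSTS = {"go.microsoft.com"}

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<rest>.+)$")
URL_RE = re.compile(r"=\s*(https?://\S+)")
SERVICE_RE = re.compile(r"\((?P<short>[A-Za-z0-9_]+)\) - (?P<owner>.+?) - ")
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|sys|lnk))", re.IGNORECASE)


def parse_entries(text):
    """Yield (code, rest) for every HijackThis item line; header and process lines are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("rest")


def triage(text):
    """Group the log's items into the buckets an analyst looks at first."""
    findings = {
        "orphaned": [],               # registrations whose target file is gone
        "nondefault_urls": [],        # start/search pages pointing away from the stock defaults
        "winsock_lsp": [],            # LSP entries HijackThis could not identify
        "unknown_owner_services": [], # services whose binary carries no known vendor
    }
    for code, rest in parse_entries(text):
        # Leftover registrations (uninstalled products, partially removed software).
        if "(no file)" in rest or "(file missing)" in rest:
            findings["orphaned"].append(f"{code} {rest.split(' - ')[0]}")
        # R0/R1 hold start and search URLs; compare the host against the known defaults.
        if code in ("R0", "R1"):
            um = URL_RE.search(rest)
            if um:
                host = urlparse(um.group(1)).hostname
                if host not in KNOWN_DEFAULT_HOSTS:
                    findings["nondefault_urls"].append(host)
        # O10: flag for review only; removing a Winsock LSP carelessly breaks networking.
        if code == "O10":
            pm = PATH_RE.search(rest)
            findings["winsock_lsp"].append(pm.group(1) if pm else rest)
        # O23: record services HijackThis reports with "Unknown owner".
        if code == "O23":
            sm = SERVICE_RE.search(rest)
            if sm and sm.group("owner") == "Unknown owner":
                findings["unknown_owner_services"].append(sm.group("short"))
    return findings


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print(f"  {item}")
```

    On the sample subset this reports five orphaned entries (the (no file)/(file missing) lines, which are the ones normally cleaned up), one non-default search URL host, one unidentified Winsock LSP, and one service with no recognised owner. The script only sorts the lines; deciding what to remove still belongs to the analyst, as broni does in this thread.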
     
  18. 2010/01/12
    broni Moderator Malware Analyst
    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\zllictbl.dat
    c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\SPYWAREfighter.exe
    c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\Toolkit\D47A49F0\FC42324E\FighterSuiteClient.dll
    c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\Toolkit\949F7B9F\FC42324E\FighterSuiteService.exe
    c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\Toolkit\D0F8318E\FC42324E\FighterLauncher.exe
    c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\SPYWAREfighter\42D6B627\9971DC59\swpro.dll
    c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\SPYWAREfighter\A918483A\9971DC59\sfhtml.dll
    c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\SPYWAREfighter\D7638211\9971DC59\swproTray.exe
    c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2010 9.0.0.736\English\setup.exe
    c:\progra~1\EACCEL~1\FRAMEW~1\eac_svc.exe
    
    
    Folder::
    C:\$AVG8.VAULT$
    c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    c:\program files\Panda Security
    c:\program files\Common Files\Kaspersky Lab
    c:\documents and settings\All Users\Application Data\Norton
    c:\documents and settings\All Users\Application Data\NortonInstaller
    
    
    Driver::
    ssfwmonsvc
    
    
    Registry::
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: dragging CFScript.txt onto ComboFix.exe]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  19. 2010/01/12
    mva5493 Well-Known Member Thread Starter
    Here are the requested log files from ComboFix (CFScript) and HJT.

    combofix log:
    ComboFix 10-01-11.03 - customer 01/12/2010 1:53.2.1 - x86
    Running from: c:\documents and settings\customer\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\customer\Desktop\cfscript.txt
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: CyberDefender Internet Security *On-access scanning enabled* (Updated) {5F5D345D-ACD7-4209-8D1D-F5A1D9C587C6}
    FW: StopSign Firewall FREE TRIAL version *disabled* {06936B90-CB61-4dcb-AABD-C0E25320F6C3}

    FILE ::
    "c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\SPYWAREfighter.exe"
    "c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\SPYWAREfighter\42D6B627\9971DC59\swpro.dll"
    "c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\SPYWAREfighter\A918483A\9971DC59\sfhtml.dll"
    "c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\SPYWAREfighter\D7638211\9971DC59\swproTray.exe"
    "c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\Toolkit\949F7B9F\FC42324E\FighterSuiteService.exe"
    "c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\Toolkit\D0F8318E\FC42324E\FighterLauncher.exe"
    "c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\Toolkit\D47A49F0\FC42324E\FighterSuiteClient.dll"
    "c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2010 9.0.0.736\English\setup.exe"
    "c:\progra~1\EACCEL~1\FRAMEW~1\eac_svc.exe"
    "c:\windows\system32\zllictbl.dat"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\$AVG8.VAULT$
    c:\$avg8.vault$\V_00000001.fil
    c:\$avg8.vault$\V_00000002.fil
    c:\$avg8.vault$\V_00000003.fil
    c:\$avg8.vault$\V_00000004.fil
    c:\$avg8.vault$\vvfolder.idx
    c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\SPYWAREfighter.exe
    c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\SPYWAREfighter\42D6B627\9971DC59\swpro.dll
    c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\SPYWAREfighter\A918483A\9971DC59\sfhtml.dll
    c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\SPYWAREfighter\D7638211\9971DC59\swproTray.exe
    c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\Toolkit\949F7B9F\FC42324E\FighterSuiteService.exe
    c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\Toolkit\D0F8318E\FC42324E\FighterLauncher.exe
    c:\documents and settings\All Users\Application Data\{04813D1D-66B5-41C3-8108-DFE8939C582A}\Toolkit\D47A49F0\FC42324E\FighterSuiteClient.dll
    c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2010 9.0.0.736\English\doc\kav2010_en.pdf
    c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2010 9.0.0.736\English\kav.en.msi
    c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2010 9.0.0.736\English\release_notes_kav9.0cf2_en.html
    c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2010 9.0.0.736\English\setup.exe
    c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2010 9.0.0.736\English\setup.reg
    c:\documents and settings\All Users\Application Data\Norton
    c:\documents and settings\All Users\Application Data\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI
    c:\documents and settings\All Users\Application Data\Norton\00000082\00000107\000003c7\cltLMS1.dat
    c:\documents and settings\All Users\Application Data\Norton\00000082\00000107\000003c7\cltLMS2.dat
    c:\documents and settings\All Users\Application Data\Norton\00000082\00000107\cltupgrade.dat
    c:\documents and settings\All Users\Application Data\Norton\00000082\00000107\key.txt
    c:\documents and settings\All Users\Application Data\NortonInstaller
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-11-12-23h04m38s.7z
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-11-12-23h13m44s.7z
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-11-12-23h14m18s.7z
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-11-13-00h02m18s.7z
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-11-13-00h16m03s.7z
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-11-13-00h19m20s.7z
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-11-13-00h20m05s.7z
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-11-13-00h20m22s.7z
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-12-03-12h21m30s\Install.1.mft
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-12-03-12h21m30s\Install.2.mft
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-12-03-12h21m30s\Log.Lue
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-12-03-12h21m30s\NortonInstall-2009-12-03-12h21m30s.log
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-12-03-12h26m23s\NortonInstall-2009-12-03-12h26m23s.log
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-12-03-12h26m51s\SymNRT 12-3-2009 12h26m28s.log
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-12-03-12h32m56s\NortonInstall-2009-12-03-12h32m56s.log
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-12-03-12h34m44s\NortonInstall-2009-12-03-12h34m44s.log
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-12-03-12h34m59s\Install.1.mft
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-12-03-12h34m59s\Install.2.mft
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-12-03-12h34m59s\NortonInstall-2009-12-03-12h34m59s.log
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-12-03-12h36m52s\BHCA-0x0698.log
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-12-03-12h36m52s\Install.1.mft
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-12-03-12h36m52s\Install.2.mft
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-12-03-12h36m52s\NortonInstall-2009-12-03-12h36m52s.log
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-12-03-12h36m52s\SymIMexe-0x0690.log
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-12-03-12h37m28s\SymNRT 12-3-2009 12h36m59s.log
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-12-13-00h32m12s\BHCA-0x0C2C.log
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-12-13-00h32m12s\Install.1.mft
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-12-13-00h32m12s\NortonInstall-2009-12-13-00h32m12s.log
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-12-13-00h32m12s\SymIMexe-0x0BC8.log
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2009-12-13-00h48m03s\NortonInstall-2009-12-13-00h48m03s.log
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\Url.txt
    c:\documents and settings\All Users\Application Data\NortonInstaller\SymTemp\patch.js
    c:\program files\Common Files\Kaspersky Lab
    c:\program files\Panda Security
    c:\program files\Panda Security\ActiveScan 2.0\as2stubie.dll
    c:\program files\Panda Security\ActiveScan 2.0\libcomm.dll
    c:\program files\Panda Security\ActiveScan 2.0\npwrapper.dll
    c:\windows\system32\zllictbl.dat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_SSFWMONSVC
    -------\Service_ssfwmonsvc


    ((((((((((((((((((((((((( Files Created from 2009-12-12 to 2010-01-12 )))))))))))))))))))))))))))))))
    .

    2010-01-12 05:33 . 2010-01-12 05:33 -------- d-----w- c:\program files\Trend Micro
    2010-01-12 01:07 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-12 01:07 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-12 00:44 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
     
  20. 2010/01/12
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    HJT log after CFScript:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:46:01 AM, on 1/12/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=%s
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (file missing)
    O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
    O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\customer\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)

    --
    End of file - 3714 bytes

    Time to call it quits for tonight; I will be back later this AM to continue. Thanks, Broni, for all your help so far.
     
    Last edited: 2010/01/12
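    The HijackThis log above is the kind of output a helper reads by hand, looking for registrations whose target file no longer exists (stale leftovers of uninstalled software), search or start-page URLs that are not the Windows defaults, and Winsock LSP entries HijackThis could not identify. As an added example (not part of this thread and not code from HijackThis or ComboFix), here is a small Python first-pass triage helper that applies those three checks to HijackThis v2 log lines. The sample lines are copied from the log above; the rule set itself, and the assumption that the log is the classic one-entry-per-line "<section> - <description>" format, are mine. A flagged line is a prompt to verify the file's origin, not a verdict: nwprovau.dll, for instance, is the Windows NetWare provider and is flagged only because HijackThis does not recognise it.

```python
"""First-pass triage of HijackThis v2 log lines (added example, not a HijackThis tool).

Assumption: each entry is one line of the form "<section> - <description>",
e.g. "O2 - BHO: <name> - {CLSID} - <path>", as in the log posted above.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Internet Explorer start/search URLs that ship with Windows XP; any other
# URL in an R0/R1 entry deserves a look (toolbar search redirects are common,
# and not always malicious, but they are not the default either).
MICROSOFT_DEFAULT_PREFIXES = ("http://go.microsoft.com/fwlink/",)

SECTION_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2"
    reason: str    # why the line was flagged
    line: str      # the original log line


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a line worth a second look, or None if it is routine."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None  # headers, process list, blank lines
    sec, body = m.group("sec"), m.group("body")

    # Orphaned registration: the registry still points at a file that is gone.
    if body.endswith("(file missing)") or body.endswith("(no file)"):
        return Finding(sec, "orphaned entry (target file missing)", line)

    # R0/R1: IE start page and search URLs. Flag anything not shipped by Windows.
    if sec in ("R0", "R1") and " = " in body:
        url = body.split(" = ", 1)[1].strip()
        if url and not url.startswith(MICROSOFT_DEFAULT_PREFIXES):
            return Finding(sec, "non-default IE start/search URL", line)

    # O10: Winsock LSP entries HijackThis could not identify; verify the file's origin.
    if sec == "O10":
        return Finding(sec, "unidentified Winsock LSP entry (verify file origin)", line)

    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every line of a log and keep the flagged ones, in order."""
    findings = (classify(l) for l in log_text.splitlines())
    return [f for f in findings if f is not None]


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per reason, e.g. {'orphaned entry (target file missing)': 2}."""
    return dict(Counter(f.reason for f in findings))


# Sample input: lines copied from the HijackThis log posted above in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line.strip()}")
    print(summary(triage(SAMPLE_LOG)))
```

    Run against the seven sample lines it flags four: the Ask.com search URL, the orphaned WormRadar BHO, the unidentified LSP file, and the Java Quick Starter service whose executable is gone. The Avira Run entry and the MSN toolbar BHO pass the first pass because their files exist and the rules have nothing to say about them; a helper still decides what each flagged line means.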
  21. 2010/01/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Combofix log is incomplete, but since there were no malicious items there to remove, just all those security programs leftover, I'm able to see all I need.

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between "Combofix" and "/Uninstall".
    Restart computer.

    ===============================================================

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
