Solved WinPCDefender and Windows Security Center

[Resolved] WinPCDefender and Windows Security Center

I seem to have been bitten by the following two pieces of pesky software - WinPCDefender and Windows Security Center - and am at a loss as to how to get rid of these pests. Spybot S&D found two trojans but their removal seems to have had no effect. Adware found nothing as was also the case with Zone Alarm, and AVG. I have no clue as to where these guys are hiding and a Google search seems to have several fixes but I fear they may be part of the problem.

What can you folks tell me about how to remove these two software items?

Thanks.

 

Hi and welcome


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3





--------------------------------------------------------------------
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

(Click on this link to see a list of programs that should be disabled.)
http://www.bleepingcomputer.com/forums/topic114351.html


Double click on Combo-Fix.exe & follow the prompts.

Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

No Validation is Required.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.



** Please Note:
At times ComboFix may appear to stall, please be patient.

• When finished, it will produce a report for you.
• Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Please only run the tool once, ty.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NEXT**
Please download DDS and save it to your desktop.

• Disable any script blocking protection
• Double click dds.scr to run the tool.
• When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt
• Save both reports to your desktop.

Please include the contents of both logs in your next reply. The scan will instruct you to post the attach log as an attachment.
No need for that though ..... just post it as you would any other log.


In your next reply post:
ComboFix.txt
DDS log



You may need several replies to post the requested logs, otherwise they might get cut off.

 

Thanks Juliet but I remembered I had HiJackThis on my PC and when I ran that there was a line of code ending with winpcdef. I deleted that line and the problem dissapeared.

I posted this last night but apparently it did not go thru.

 

I'm confused which problem disappeared....

Can you continue with the instructions I gave?

 

The problem I described in my original post dissapeared.

I will, however, follow the instructions you gave to the best of my ability.

 

You'll find their actually easy tools to use and if it gives you peace of mind then it was well worth it.

 

Combofix Log

ComboFix 09-03-23.01 - Richard Doenges 2009-03-24 12:27:24.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.202 [GMT -5:00]
Running from: c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Desktop\ComboFixup.exe
AV: AVG Anti-Virus *On-access scanning enabled* (Updated)
FW: ZoneAlarm Pro Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\CrucialSoft Ltd
c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\x.exe
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Downloaded Program Files\Quarantine
c:\windows\ieocx.dll
c:\windows\system32\encapi32.dll
c:\windows\system32\FM20(2).DLL
c:\windows\system32\FM20ENU(2).DLL
c:\windows\system32\MSRECR40(2).DLL
c:\windows\system32\MSSTDFMT(2).DLL
c:\windows\system32\UACbuyfqmgr.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACswwoqxov.dat

.
((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 )))))))))))))))))))))))))))))))
.

2009-03-23 14:28 . 2009-03-23 14:28 1,021,440 --a------ c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\pcdefender.exe
2009-03-20 11:15 . 2009-03-20 11:15 <DIR> d--hs---- C:\FOUND.000
2009-03-12 17:01 . 2009-03-12 17:01 <DIR> d-------- C:\e1d677a1eb5b6d9b465d

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-23 20:45 4,980,736 ------w c:\windows\Internet Logs\xDB256.tmp
2009-03-23 20:45 3,080,192 ------w c:\windows\Internet Logs\xDB257.tmp
2009-03-15 03:45 3,080,192 ------w c:\windows\Internet Logs\xDB255.tmp
2009-03-15 03:45 2,957,312 ------w c:\windows\Internet Logs\xDB254.tmp
2009-03-13 01:59 3,080,192 ------w c:\windows\Internet Logs\xDB253.tmp
2009-03-11 22:03 3,080,192 ------w c:\windows\Internet Logs\xDB252.tmp
2009-03-11 22:03 1,252,352 ------w c:\windows\Internet Logs\xDB251.tmp
2009-03-11 04:16 4,033,024 ------w c:\windows\Internet Logs\xDB24F.tmp
2009-03-11 04:16 3,080,192 ------w c:\windows\Internet Logs\xDB250.tmp
2009-03-07 04:28 3,080,192 ------w c:\windows\Internet Logs\xDB24E.tmp
2009-03-05 21:09 3,080,192 ------w c:\windows\Internet Logs\xDB24D.tmp
2009-03-04 15:41 3,080,192 ------w c:\windows\Internet Logs\xDB24C.tmp
2009-03-03 04:19 4,646,400 ------w c:\windows\Internet Logs\xDB24B.tmp
2009-03-01 05:02 3,080,192 ------w c:\windows\Internet Logs\xDB24A.tmp
2009-02-27 16:18 3,080,192 ------w c:\windows\Internet Logs\xDB249.tmp
2009-02-23 20:23 10,661,376 ------w c:\windows\Internet Logs\xDB248.tmp
2009-02-21 04:14 3,080,192 ------w c:\windows\Internet Logs\xDB247.tmp
2009-02-16 04:10 1,221,512 ----a-w c:\windows\system32\zpeng25.dll
2009-02-15 05:36 3,080,192 ------w c:\windows\Internet Logs\xDB246.tmp
2009-02-14 04:54 3,080,192 ------w c:\windows\Internet Logs\xDB245.tmp
2009-02-13 04:40 3,080,192 ------w c:\windows\Internet Logs\xDB244.tmp
2009-02-12 04:03 3,080,192 ------w c:\windows\Internet Logs\xDB243.tmp
2009-02-11 04:47 3,080,192 ------w c:\windows\Internet Logs\xDB242.tmp
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-05 04:28 3,080,192 ------w c:\windows\Internet Logs\xDB241.tmp
2009-02-04 04:13 3,080,192 ------w c:\windows\Internet Logs\xDB240.tmp
2009-01-24 05:04 3,080,192 ------w c:\windows\Internet Logs\xDB23F.tmp
2009-01-23 20:54 5,064,704 ------w c:\windows\Internet Logs\xDB23D.tmp
2009-01-23 20:54 3,080,192 ------w c:\windows\Internet Logs\xDB23E.tmp
2009-01-22 04:17 3,080,192 ------w c:\windows\Internet Logs\xDB23C.tmp
2009-01-21 04:47 3,080,192 ------w c:\windows\Internet Logs\xDB23B.tmp
2009-01-19 01:38 3,080,192 ------w c:\windows\Internet Logs\xDB23A.tmp
2009-01-18 04:37 3,080,192 ------w c:\windows\Internet Logs\xDB239.tmp
2009-01-17 05:11 3,080,192 ------w c:\windows\Internet Logs\xDB238.tmp
2009-01-14 15:56 21,287,680 ------w c:\windows\Internet Logs\tvDebug.zip
2009-01-14 04:42 2,326,528 ------w c:\windows\Internet Logs\xDB237.tmp
2009-01-13 18:14 2,879,488 ------w c:\windows\Internet Logs\xDB236.tmp
2009-01-13 04:27 3,080,192 ------w c:\windows\Internet Logs\xDB235.tmp
2009-01-11 04:36 3,080,192 ------w c:\windows\Internet Logs\xDB234.tmp
2009-01-10 05:34 2,720,256 ------w c:\windows\Internet Logs\xDB233.tmp
2009-01-08 17:07 2,648,064 ------w c:\windows\Internet Logs\xDB232.tmp
2009-01-07 16:26 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-06 04:30 6,062,080 ------w c:\windows\Internet Logs\xDB22F.tmp
2009-01-06 04:30 3,080,192 ------w c:\windows\Internet Logs\xDB231.tmp
2009-01-05 04:48 3,080,192 ------w c:\windows\Internet Logs\xDB22E.tmp
2009-01-04 04:29 3,080,192 ------w c:\windows\Internet Logs\xDB22D.tmp
2008-12-31 04:46 2,028,032 ------w c:\windows\Internet Logs\xDB22C.tmp
2008-12-26 05:16 2,022,400 ------w c:\windows\Internet Logs\xDB22B.tmp
2008-12-25 05:01 2,019,840 ------w c:\windows\Internet Logs\xDB22A.tmp
2008-12-24 04:41 2,008,576 ------w c:\windows\Internet Logs\xDB229.tmp
2006-08-21 19:26 186 ---h--w c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\hpothb07.dat
2006-08-21 19:26 172 ---h--w c:\documents and settings\All Users.WINDOWS\hpothb07.dat
2006-07-20 20:07 18,801 ------w c:\program files\IE70BlockerHelp.htm
2006-05-17 04:01 0 ---h--w c:\documents and settings\Default User\hpothb07.dat
2006-05-17 04:00 164 ---h--w c:\documents and settings\All Users\hpothb07.dat
2006-05-08 22:07 28,142 ------w c:\program files\IE70BlockerHelp-GPFilteringDialog.jpg
2006-05-08 21:13 3,730 ------w c:\program files\IE70Blocker.adm
2006-05-08 21:13 1,809 ------w c:\program files\IE70Blocker.cmd
2005-05-26 19:35 1,422 ------w c:\program files\ReadMe.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TClockEx "= "c:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088]
"WMPNSCFG "= "c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"Google Update "= "c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-10 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cookie Pal "= "c:\program files\CPal\CPBrWtch.exe" [2002-07-24 20523]
"AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-07 1601304]
"ZoneAlarm Client "= "c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall "= "c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]
"RunNarrator "= "Narrator.exe" [2008-04-14 c:\windows\system32\narrator.exe]

c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Start Menu\Programs\Startup\
MailWasherPro.lnk - c:\program files\FireTrust\MailWasher Pro\MailWasher.exe [2006-01-06 5183488]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-07 11:26 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hp psc 1000 series.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hpoddt01.exe.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2008-03-28 23:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
--------- 2002-06-26 17:36 90112 c:\program files\Analog Devices\SoundMAX\SMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2009-01-26 15:31 2144088 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pctspk "=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify "=dword:00000001
"UpdatesDisableNotify "=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe "=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe "=
"%windir%\\Network Diagnostic\\xpnetdiag.exe "=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-04-16 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-04-16 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-04-16 107272]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-07 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-07 298264]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
.
Contents of the 'Scheduled Tasks' folder

2009-03-24 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2009-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-527237240-725345543-1003.job
- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-10 23:00]

2007-01-21 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1137559368.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} - hxxp://images.fotki.com/activex/FotkiUploader.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-24 12:29:29
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-527237240-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-03-24 12:31:43
ComboFix-quarantined-files.txt 2009-03-24 17:31:40

Pre-Run: 15,135,047,680 bytes free
Post-Run: 15,399,354,368 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
C:\= "Microsoft Windows "
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=2 Default=2 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5
191 --- E O F --- 2009-03-23 16:31:20


HiJackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:23 PM, on 3/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\CPal\CPBrWtch.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Richard Doenges.HOME-KVJPCI4PIU\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Cookie Pal] "C:\Program Files\CPal\CPBrWtch.exe "
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137359645578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144791536968
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 8408 bytes


DDS Log file

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/24/2007 3:04:08 PM
System Uptime: 3/24/2009 12:48:37 PM (1 hours ago)

Motherboard: Intel Corporation | | D845GERG2
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | J2E1 | 2800/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (FAT32) - 38 GiB total, 14.367 GiB free.
E: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP639: 3/3/2009 2:30:08 PM - System Checkpoint
RP640: 3/4/2009 6:50:25 PM - System Checkpoint
RP641: 3/5/2009 3:23:06 PM - Software Distribution Service 3.0
RP642: 3/6/2009 7:10:26 PM - System Checkpoint
RP643: 3/7/2009 10:43:44 PM - System Checkpoint
RP644: 3/9/2009 9:46:04 AM - Software Distribution Service 3.0
RP645: 3/10/2009 10:35:14 AM - Software Distribution Service 3.0
RP646: 3/11/2009 2:39:28 PM - System Checkpoint
RP647: 3/11/2009 4:00:25 PM - Software Distribution Service 3.0
RP648: 3/12/2009 4:01:51 PM - Software Distribution Service 3.0
RP649: 3/13/2009 10:56:06 AM - Software Distribution Service 3.0
RP650: 3/13/2009 4:00:20 PM - Software Distribution Service 3.0
RP651: 3/14/2009 5:22:15 PM - System Checkpoint
RP652: 3/16/2009 9:24:28 AM - Software Distribution Service 3.0
RP653: 3/17/2009 4:52:52 PM - Avg8 Update
RP654: 3/18/2009 9:38:24 PM - System Checkpoint
RP655: 3/19/2009 2:22:09 PM - Software Distribution Service 3.0
RP656: 3/20/2009 4:59:49 PM - System Checkpoint
RP657: 3/21/2009 6:31:31 PM - System Checkpoint
RP658: 3/22/2009 6:36:14 PM - System Checkpoint
RP659: 3/23/2009 11:16:25 AM - Software Distribution Service 3.0
RP660: 3/24/2009 12:24:58 PM - ComboFix created restore point

==== Installed Programs ======================


Acrobat.com
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Media Player
Adobe Reader 8.1.3
Avery® Wizard 2.1 forMicrosoft® Word 2000
AVG 8.0
Belarc Advisor 7.2
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities File Viewer Utility 1.2
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
CCleaner (remove only)
Cookie Pal
Critical Update for Windows Media Player 11 (KB959772)
Diskeeper Home Edition
DivX Codec
DYMO Label Software
File Viewer Utility 1.2
Fotki XP Publishing Wizard
Free YouTube to Mp3 Converter version 2.5
Gadwin PrintScreen
Google Earth
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
hp psc 1200 series
Image Resizer Powertoy for Windows XP
Intel(R) PRO Ethernet Adapter and Software
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 6
MailWasher Pro
Malwarebytes' RogueRemover
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft PowerPoint Viewer 97
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2000
Microsoft Works 4.5
Microsoft Works Setup Launcher
Move Networks Media Player for Internet Explorer
NTI CD-Maker 2000 Standard
PCPitstop Panda AntiVirus Scan (remove only)
QuickTime
Registry Mechanic 5.2
RemoteCapture 2.7.0
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
SoundMAX
Spybot - Search & Destroy
Uniblue RegistryBooster 2
Uninstall 1.0.0.0
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
USB CF
VC 9.0 Runtime
Viewpoint Media Player
WebFldrs XP
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinZip 11.2
Yahoo! Toolbar
ZoneAlarm Pro

==== End Of File ===========================

 

Welcome back


We do not recommend the use of registry cleaners. No registry cleaner is completely safe since most do not even create a backup the potential is ever present to cause more problems than they claim to fix.
If you do not have knowledge of the registry, then you would probably be better off leaving it alone, and definitely not placing blind trust in a program to do the job for you.
Our colleague miekiemoes has an excellent writeup here
http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html



Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad ".
This will change from what we know in 2006 read this article:
http://www.clickz.com/news/article.php/3561546
Additional info: http://vil.nai.com/vil/content/v_137262.htm
A side note about AIM Messenger, AOL user's and Viewpoint Manager. Viewpoint is one of the graphic engines that AOL uses and it is bundled with the application.
If you continue to use AIM Messenger, it would likely be reinstalled. Or if you recieve some of the AOL E-cards it may ask you to download and run this program to view and run the graphics in E-cards.
Your call
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the
following programs if present:

Viewpoint
Viewpoint Manager
Viewpoint Media Player



J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 6
The above two Java applets are old and outdated, for now please uninstall. I will give instructions to the latest in the fix.



Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.




While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.


# Open Spybot Search & Destroy.
# In the Mode menu click "Advanced mode" if not already selected.
# Choose "Yes" at the Warning prompt.
# Expand the "Tools" menu.
# Click "Resident ".
# Uncheck the "Resident "TeaTimer" (Protection of overall system settings)
active." box.
# In the File menu click "Exit" to exit Spybot Search & Destroy.

* See this link for a tutorial http://russelltexas.com/malware/teatimer.htm



We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

After all of the fixes are complete it is very important that you enable Real-time Protection again



Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)





Go to My Computer->Tools->Folder Options->View tab:

• Under the Hidden files and folders heading:
  
• Select - Show hidden files and folders.
  
• Uncheck- Hide protected operating system files (recommended) option.
  
• Also, make sure there is no checkmark beside Hide file extensions for known file types.
  
• Click OK. (Remember to Hide files and folders once done)

Using Windows Explorer (right-click your "Start" button and select "Explore "), please navigate to and delete the following files/folders in bold

c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\pcdefender.exe <--delete this file

Now please reboot your computer to set the registry.



NEXT**
Please download JavaRa to your desktop and unzip it to its own folder

Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.




NEXT**
Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
Follow the instructions for the browser you use.
Read the instructions about the cookies. Delete what you do not need.

Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Java Cache
The rest are optional - if you want to remove the lot, check "Select All ".
Finally click Empty Selected. When you get the "Done Cleaning " message, click OK.
If you use the Firefox or Opera browsers, you can use this program
as a quick way to tidy those up as well.
When you have finished, click on the Exit button in the Main menu.
========================



NEXT**
I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, please be patient.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Other available links
Kaspersky Online Scanner or from here
http://www.kaspersky.com/virusscanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

• The program will install and then begin downloading the latest definition
  files.
• After the files have been downloaded on the left side of the page in the Scan section select My Computer.
• This will start the program and scan your system.
• The scan will take a while, so be patient and let it run. (At times it may appear to stall)
  * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  
• Once the scan is complete, click on View scan report To obtain the report:

Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select:
Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in
your reply.

Animated tutorial
http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

(Note.. for Internet Explorer 7 users:
If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozilla.org/en-US/firefox/addon/1419


In your next reply post:
Kaspersky log
New HJT log taken after the above scans have run


You may need several replies to post the requested logs, otherwise they might get cut off.



How's your computer now?

 

Right now it is running just great. No unwanted pop-ups.

I'm running Win XP Pro and IE 6. Accordingly certain of the things you suggest wil be unnecessary.

 

I do not find this option on my version of Windows Defender

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

 

Good deal!

OK

Ok, see if you can temporarily disable the version you have.

 

I could not get JavaRa to unzip so manually downloaded Java and Control Panel now shows Java (TM) 6 update 13. Is this OK?

 

Yes, should be.

 

Kapersky Logfile
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, March 24, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, March 24, 2009 22:09:12
Records in database: 1964224
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
E:\
F:\

Scan statistics:
Files scanned: 76328
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 02:46:49


File name / Threat name / Threats count
C:\System Volume Information\_restore{811750AF-FE49-43C7-B874-5B243D424E77}\RP660\A0160149.dll Infected: Trojan-Downloader.Win32.FraudLoad.dxa 1
C:\Qoobox\Quarantine\C\WINDOWS\ieocx.dll.vir Infected: Trojan-Downloader.Win32.FraudLoad.dxa 1

The selected area was scanned.

HiJack This Log file
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:03 PM, on 3/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\CPal\CPBrWtch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Richard Doenges.HOME-KVJPCI4PIU\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O4 - HKLM\..\Run: [Cookie Pal] "C:\Program Files\CPal\CPBrWtch.exe "
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137359645578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144791536968
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 8801 bytes

 

Good deal things look good.

Follow the command below and this will take care of what Kaspersky found.


Don't miss or skip this next step, this will remove malicious files from quarantine and set a clean restore point.

• Click START then RUN
• Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.

Example below







Your good to go, good job!


Please take the time to read over a few of my preventive tips.


Please navigate to Microsoft Windows Updates and download all the "Critical Updates " for Windows.


Firefox 3
The award-winning Web browser is now faster, more secure, and fully customizable to your online life. With Firefox 2, added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
*NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

How to prevent Malware: Created by Miekiemoes

Here are some additional utilities that will further enhance your safety.
# http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


Read this article 'Safe Computing Practices'.
So how did I get infected in the first place.

Secure My Computer: A Layered Approach

Strong passwords: How to create and use them

Free Antivirus-AntiSpyware-Firewall Software
Slow Computer May Not Be Malware Related, Help! My computer is slow!
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html


PC Safety and Security--What Do I Need?
http://www.techsupportforum.com/sec...115548-pc-safety-security-what-do-i-need.html

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
This site offers people who have been (or are) victims of malware the opportunity to document their story.

Extra note:
Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/

 

Computer will not recognize ComboFix when using start/run. I deleted it and re-downloaded it and it was saved as ComboFix.exe but still would not work with start/run.

The entry was Combofix /u.

 

Don't worry, we can do it manually.


Go to Start >> Run - type control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click OK




C:\Qoobox <--delete this folder

c:\Combofix <--If found delete this folder

c:\Combofix\combofix.txt <--delete this file

Then empty your recycle bin, reboot the computer to complete the process.

 

Did not find

C:\Qoobox <--delete this folder

c:\Combofix <--found & deleted this folder = it was txt file

c:\Combofix\combofix.txt <--delete this file

Used search function in looking for the above as well as checking C file

Did do this

Go to Start >> Run - type control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click OK

Where will I be if System Restore, for whatever reason, is needed before tomorrow?

Did empty recycle bin and restart.

 

Well, for right now let's try to be as safe as possible.
In a few days a new restore point will be created.

We needed to flush system restore because an infection had been found in one of your Restore points.
If you had used SR to the one that was infected the machine would be back in an infected state.

 

My most heartfelt thanks, Juliet. You are a genius.