BleepingComputer.com: Trojan.Zlob, Adware.007Guard and Combofix

Hello,

I noticed that my laptop connection to the net slowed down considerably and decided to check for infections. Already had Avast installed and decided to check another antispyware software. Macspyware detector (free version) showed that I had Trojan.Zlob and Adware.007guard infections! Adware Alert and Defender failed to pick these up and I then became concerned, am I perhaps deceived into buying more software..?

Another thing i've noticed is 'find girls in my location' with my town name!! adware???

Highlighted files

Freewire.Ink (now deleted!)
c:\windows\system32\autorun.inf
c:\windows\help\plyr_err.chw

Anyway I have Sky broadband and get free Mcafee protection for a year, uninstalled Avast and everything else and now have Mcafee - a scan only revealed that I had prcviewer.exe and not all the components were removed.

My sister run Combofix and has subsequently quarantined files and created logs.

2007-06-05 23:04:20 A------- 505,318 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\autorun.inf.vir
2009-03-10 12:00:25 A------- 3,806 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tmp.reg.vir
2009-03-10 12:34:34 A------- 0 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\MSVolume.dll.vir
2009-03-12 21:40:27 A------- 54 C:\Qoobox\Quarantine\catchme.log
2009-03-12 21:47:30 A------- 8,184 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

I would greatly appreciate any help offered and to get my laptop clean again!

Regards

Pendu


DDS (Ver_09-02-01.01) - NTFSx86
Run by Aujla at 17:00:23.77 on 13/03/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.84 [GMT 0:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Documents and Settings\shree matai\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.skybroadband.com
uInternet Settings,ProxyOverride = <local>
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [PCTVOICE] pctspk.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DadApp] c:\program files\dell\accessdirect\dadapp.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [PcSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154982565248
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shreem~1\applic~1\mozilla\firefox\profiles\43elxhcv.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-9 201320]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-10 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-9 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-3-9 144704]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-3-9 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-9 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-9 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-9 40488]
S1 SDManager;SDManager;\??\c:\program files\spywaredetector\sdmanager.sys --> c:\program files\spywaredetector\SDManager.sys [?]
S2 gupdate1c99d014fe1cea0;Google Update Service (gupdate1c99d014fe1cea0);c:\program files\google\update\GoogleUpdate.exe [2009-3-4 133104]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-9 33832]

=============== Created Last 30 ================

2009-03-12 21:44 <DIR> a-dshr-- C:\cmdcons
2009-03-12 21:40 161,792 a------- c:\windows\SWREG.exe
2009-03-12 21:40 98,816 a------- c:\windows\sed.exe
2009-03-09 18:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2009-03-09 18:50 61,224 a------- c:\documents and settings\shree matai\GoToAssistDownloadHelper.exe
2009-03-09 18:07 10,261 a------- c:\windows\system32\Config.MPF
2009-03-09 18:03 143,360 a------- c:\windows\system32\dunzip32.dll
2009-03-09 18:00 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-03-09 18:00 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-03-09 18:00 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-03-09 18:00 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2009-03-09 18:00 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-09 18:00 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2009-03-09 17:58 <DIR> --d----- c:\program files\McAfee.com
2009-03-09 17:58 <DIR> --d----- c:\program files\common files\McAfee
2009-03-09 17:57 <DIR> --d----- c:\program files\McAfee
2009-03-09 16:37 <DIR> --d----- c:\docume~1\shreem~1\applic~1\McAfee
2009-03-06 20:11 63 a------- c:\windows\system\SysRegC.dll
2009-03-06 20:11 143,360 a------- c:\windows\system32\GetHardDiskNo.dll
2009-03-05 19:37 <DIR> --d----- c:\windows\system32\scripting
2009-03-05 19:37 <DIR> --d----- c:\windows\l2schemas
2009-03-05 19:37 <DIR> --d----- c:\windows\system32\en
2009-03-05 19:37 <DIR> --d----- c:\windows\system32\bits
2009-03-05 02:33 <DIR> --d----- c:\windows\system32\appmgmt
2009-03-04 23:42 <DIR> --d----- c:\program files\common files\iS3
2009-03-04 23:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-03-04 22:42 <DIR> --d----- c:\docume~1\shreem~1\applic~1\AdwareAlert
2009-02-27 16:17 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-27 16:17 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-21 19:25 63 a------- c:\windows\system\SysSD.dll
2009-02-21 18:02 <DIR> --d----- c:\documents and settings\shree matai\.housecall6.6

==================== Find3M ====================

2009-03-05 19:49 89,367 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-09 11:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 09:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll

============= FINISH: 17:01:52.97 ===============

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. Please download Trend Micro - HijackThis. Do a new scan with Trend Micro - HijackThis and post it in your next reply. Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:

• Reply to this thread; do not start another!
  
• Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  
• Do not run any other tool until instructed to do so!
  
• Let me know if any of the links do not work or if any of the tools do not work.
  
• Tell me about problems or symptoms that occur during the fix.
  
• Do not run any other programs or open any other windows while doing a fix.
  
• Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.

Thanks.

PM from user. Currently away from computer. Keep topic open.

Hi Suebaby41

Please find a a copy of today's Hijackthis report below;

Regards

Pendu

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:03:03, on 31/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skybroadband.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154982565248
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate1c99d014fe1cea0) (gupdate1c99d014fe1cea0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9564 bytes

Step 1

You may want to print this page. Make sure to work through the fixes in the order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step 2

Ensure that you have the latest version of Adobe® Reader®. If you do not have the latest version, you may want to download the latest version, Adobe® Reader® 9.

Step 3

Let’s run ATF-Cleaner to ensure no malware is hiding in temporary folders and for general computer cleanup to free space on your computer.

• Please download the ATF-Cleaner by Atribune.
  
• Double-click ATF-Cleaner.exe to run the program.
  
• Check the boxes to the left of:
  • Windows Temp
    
  • Current User Temp
    
  • All Users Temp
    
  • Temporary Internet Files
    
  • Prefetch (Windows XP) only
    
  • Java Cache
  
  
• The rest are optional - if you want to remove them all, check Select All.
  
• Click the Empty Selected button.
  
• When you get the Done Cleaning message, click OK.
  
• Follow the same steps for Firefox or Opera. You have the option of checking No if you want to save your passwords.
  
• Click Exit on the Main menu to close the program.

Step 4

In Normal Mode, run an online malware check from at least two and preferably three (one may catch something that another one may not) of the following sites
BitDefender
Kaspersky Online Virus Scanner
McAfee FreeScan
Panda's ActiveScan
Trend Micro™ HouseCall
Windows Live Safety Center Free Online Scan
WindowSecurity.com TrojanScan
When you have completed the scans, if you get a report of files that cannot be cleaned / deleted, make a note of the file location of anything that cannot be cleaned / deleted. Please edit the log(s) and remove:

• items listed as "Object is locked skipped"
  
• items reported that are in a quarantine folder

Please post the edited list in your next reply.

Step 5

Please download Spybot-S&D©® and install Spybot-S&D©® .

• Be sure to UNCHECK TeaTimer when presented with the option to install. You can enable it after you are clean.
  
• Run Spybot-S&D©® , go to the Menu Bar at the top choose Mode and make certain that "Default mode" has a check mark beside it.
  
• Click the button "Search for Updates".
  
• If any updates are found, install them by placing a check mark next to each one and clicking "Download Updates".
  
• If you encounter any error messages while downloading the updates, manually download them from here.
  
• Click on "Immunize". When it detects what has or has not been blocked, block all remaining items by clicking the green plus sign next to immunize at the top.
  
• Click the button "Check for Problems".
  
• When Spybot-S&D©® is complete, it will be showing RED entries, bold BLACK entries and GREEN entries in the window.
  
• Make certain there is a check mark beside all of the RED entries ONLY.
  
• Choose "Fix Selected Problems" and allow Spybot-S&D©® to fix the RED entries.
  
• REBOOT to complete the scan and clear memory.

Note: After Windows loads, Spybot-S&D©® may run again to clean some files that it could not clean during the prior session. Follow the same procedure.

Step 6

• Please download Ad-Aware Free - Anniversary Edition to your desktop. The Ad-Aware Free - Anniversary Edition installation file will be Ad-AwareAE.exe.
  
• Double-click the file and follow the on-screen instructions in the Installation Wizard to install.
  
• When the Please Enter Your License Information screen appears, click Cancel and Ad-Aware Free - Anniversary Edition will be installed.
  
• When the Ad-Aware Free - Anniversary Edition Has Been Successfully Installed Screen appears, click Finish to complete the installation and to launch Ad-Aware Free - Anniversary Edition.
  
• The Status screen will appear. You will see four sections.
  • System Protection Status section where you will see Real Time Protection with a check in the Off dialog box and Automatic Updates with a check in the On dialog box.
    
  • Update Status section
    
  • System Scan section
    
  • License Status section where you will see that the Type: will be Free Edition and License Expires in: Never.
  
  
• In the list on the left of the screen, click Scan. You will be given a choice of Smart Scan, Full Scan, and Custom Scan. (Scheduler on the right of the screen is only available in Ad-Aware 2008 Plus and Ad-Aware Pro.)
  
• In the list on the left of the screen, click Settings > Scanning tab. Use the default settings unless you see some changes that you want to make.
  
• In the list on the left of the screen, click Status. In the System Scan section, click Scan Now.
  
• When the scan finishes, the Critical Objects tab window appears.
  
• Under Scan Results, you will see the list of Critical Objects that Ad-Aware Free - Anniversary Edition found. You are given three choices, Add to ignore, Quarantine, Remove, and System Restore. You may choose to create a System Restore Point prior to removing any objects that you are unsure of removing or after a scan when you know the system is clean. If Critical Objects are found, select all objects found (right click anywhere in the list of found objects and click "Select All Objects").
  
• Click Remove.
  
• If no Critical Objects are found, click the Privacy Objects tab.
  
• If there are Privacy Objects listed, select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Select Add to ignore or Remove..
  
• Click Remove.
  
• If no Privacy Objects are found, click the Log File tab to see the statistics of the Ad-Aware Free - Anniversary Edition scan.
  
• Click Finish.
  
• The next screen shows you the Scan Summary in the left panel and System Restore in the right panel.
  • You may choose to create a System Restore Point prior to removing any objects that you are unsure of removing or after a scan when you know the system is clean. If you choose to create a System Restore Point, click Set.
    
  • You may want to export the results Click Export and save the log on your computer .
    
  • Click Scan Again to repeat the scan.
  
  
• You will be returned to the Status screen. Click on the X in the upper right corner to exit Ad-Aware Free - Anniversary Edition.

Step 7

I recommend using Spyware Blaster.

• Please download SpywareBlaster and save it to your desktop.
  
• Double click on it to install the program.
  
• Follow the prompts and choose the default locations when installing the program.
  
• When the program is installed, it will place an icon on your desktop.
  
• Double click on the SpywareBlaster icon and you will be presented with a brief tutorial. On the first page of this tutorial, you will see some of the SpywareBlaster features
  
• Click on the Next button to proceed to the second page of the tutorial.
  
• If you want to purchase the software, then you should select Automatic Updating. If you do not plan on purchasing the software, then you should select the option for Manual Updating. Press the Next button.
  
• At the next screen, click Finish.
  
• At the next screen, Protection Status, click Enable All Protection.
  
• Click Download Latest Protection Updates. This will ensure that SpywareBlaster has the latest definitions so that it can protect your browser more efficiently. You should update SpywareBlaster regularly, as much as every few days, in order to provide the best protection. Each time you update, be sure to click Enable All Protection.

Step 8

Malwarebytes' Anti-Malware is FREEWARE, however you may upgrade to the PRO version which contains realtime protection, scheduled scanning and updating.

• Please download Malwarebytes Anti-Malware (MBAM). Alternate download link
  
• Double-click on Download_mbam-setup.exe to install the application.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
    
  • Launch Malwarebytes' Anti-Malware
  
  
• Click Finish.
  
• MBAM will automatically start and you will be asked to update the program before performing scan. If an update is found, the program will automatically update itself.
  
• Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from the Malware Bytes Web site. Scroll down the page until you see Latest Database; click Download from GT500.org
  
• Double-click on mbam-rules.exe to install.
  
• On the Scanner tab, make sure the Perform Quick Scan option is selected.
  
• Click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and Scan in progress will show at the top. It may take some time to complete; please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully.
  
• At the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply and exit MBAM.
  
• Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Step 9

• Please download SUPERAntiSpyware (SAS) - SUPERAntiSpyware Free Version For Home Users
  
• Install it and double-click the icon on your desktop to run it.
  
• It will ask if you want to update the program definitions, click Yes.
  
• Under Configuration and Preferences, click the Preferences button.
  
• Click the Scanning Control tab.
  
• Under Scanner Options, make sure the following are checked:
  • Close browsers before scanning.
    
  • Scan for tracking cookies.
    
  • Terminate memory threats before quarantining.
    
  • Please leave the others unchecked.
  
  
• Click the Close button to leave the control center screen.
  
• On the main screen, under Scan for Harmful Software, click Scan your computer.
  
• On the left, check C:\Fixed Drive.
  
• On the right, under Complete Scan, choose Perform Complete Scan.
  
• Click Next to start the scan. Please be patient while it scans your computer.
  
• After the scan is complete, a summary box will appear. Click OK.
  
• Make sure everything in the white box has a check next to it, then click Next.
  
• It will quarantine what it found and if it asks if you want to reboot, click Yes.
  
• To retrieve the removal information, please do the following:
  • After reboot, double-click the SUPERAntispyware icon on your desktop.
    
  • Click Preferences. Click the Statistics/Logs tab.
    
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    
  • It will open in your default text editor (such as Notepad/Wordpad).
    
  • Please highlight everything in the notepad, then right-click and choose Copy.
    
  • Click Close and Close again to exit the program.
  
  
• Please post that information with a new HijackThis log.

Step 10

Check your computer with anti-rootkit applications. I recommend avast! antirootkit or Trend Micro RootkitBuster.

Step 11

Check to see if you have insecure applications with
Secunia Software Inspector. Secunia Software Inspector:

• Detects insecure versions of common/popular programs installed on your computer.
  
• Verifies that all Microsoft patches are applied.
  
• Assists you in updating, patching, and protecting your computer.
  
• Activates additional security features in Sun Java.
  
• Runs through your browser. No installation or download is required.

Step 12

• According to your Internet connection, please disconnect from the Internet. Close ALL browser windows (including this one).We need to disconnect from the Internet. By doing this, it prevents any further Internet activity until the removal of malware is complete. You need to make it impossible for viruses, trojan horses, worms and spyware to call for backup once you start to dismantle them. They will continue to infect your computer with new variants while you are connected to the Internet. We also need to prevent hackers from controlling your system and they will try to prevent you from removing the pests they installed on your computer.
  • Physically remove the cable for your broadband Internet service “Always On” Connection from your computer.
    
  • Turn your modem off.
    
  • Disconnect your modem cable from your computer.
  
  
• Turn the device off for Hand-held wireless connections.
  
• Exit all processes and items in your System tray.

Step 13

During the process of removing malware from your computer, there are times you may need to use specialized fix tools. Certain embedded files that are part of these specialized fix tools may be detected by your antivirus or anti-malware scanner as a RiskTool, Hacking tool, Potentially unwanted tool, a virus or a Trojan when that is not the case.
These tools have been carefully created and tested by security experts so if your antivirus or anti-malware program flags them as malware, then it is a False Positive. Antivirus scanners cannot distinguish between good and malicious use of such programs; therefore, they may alert you or even automatically remove them. In these cases, the removal of these files can have unpredictable results and unintentional results.
To avoid any problems while using a specialized fix tool, it is very important that you temporarily disable your antivirus and/or anti-malware programs before using the specialized fix tool.
When your system has been cleaned, it is important that you enable your security programs to avoid reinfection.
Please disable the following program(s):

SUPERAntiSpyware

We need to disable SUPERAntiSpyware as it may interfere with the fixes that we need to make.

• Right click on the icon in your System Tray.
  
• Click Exit
  
• Make sure that the program, SUPERAntiSpyware itself, is also closed/not running.

Now we will address the HijackThis fixes.

Windows Defender

• Click Start > Programs > Windows Defender or launch from the system tray icon.
  
• Click on Tools
  
• Click on General Settings
  
• Scroll down to Real-time protection options
  
• Uncheck Turn on Real-time protection (recommended)
  
• Click Save
  
• Go to Start > Control Panel > Security > Windows Defender, at the bottom of the Window Defender's page, uncheck under Administrator Options, use Windows Defender and then Save.
  
• Exit the program.

Note: After all of the fixes are complete, it is very important that you enable Real-time Protection again.

Step 14

Please run HijackThis and click Scan. Place checks next to the following entries (make sure not to miss any):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.

Step 15

Optional Fixes is the name that we use for fixes for unnecessary programs that load during startup and run in the background. These programs are not required to start automatically as you can start them manually if you need them. You would be removing the program from your startup but you would not be removing the program itself.

Your computer may be sluggish due to the many programs loading during startup and running in the background that are not necessary. Windows has a facility for starting programs at startup time. Some of these programs are required for your computer and the applications installed on it to run correctly. A good example of such a program is a virus-checking application that must always run, constantly checking for and isolating or removing files with viruses. Other such programs are not strictly required, or are optional. In some cases, you can gain significant performance enhancements by disabling the automatic startup of these programs. In many cases, the functionality offered by the programs is still available by starting the programs manually by, for example, starting the program from the Windows Start->Programs menu. Media players and instant messaging programs often fall into this category. In fact, it is common for many modern software applications, when installed, to add programs at startup that add items to the system tray or shortcut (context) menus in Windows Explorer to provide quick access to the features and functions of these applications. While they may be useful, they do increase boot time and consume system resources. It is advised that you disable these programs so that they do not take up necessary resources or slow the boot time.

Other than ScanRegistry, SystemTray, StateMgr, antivirus program entries, and firewall program entries, very few others need to load and run.

Read the articles below to see if it applies to your computer problem with being slow to respond.
Slow_Computer_Check_here_first_it_may_not_be_malware.
Help! My computer is slow!
50 Tips for a Super Fast PC
4 Ways to Speed Up Your Computer's Performance
It's not always malware: How to fix the top 10 Internet Explorer issues

If you decide that you want to stop the Optional Fixes in your startup, let me know and I will give you a list with instructions. You would be removing the program from your startup but you would not be removing the program itself.

Step 16

Please run HijackThis in Normal Mode and post:

• the list of file names and locations for any files that cannot be cleaned / deleted that were reported after you completed the online scans.
  
• the log from MalwareBytes
  
• the log from SUPERAntiSpyware
  
• a new HijackThis log

Please advise me of any problems you still have.

That's quite a mammoth list. I will need some extra time to work through the lists. I understand that I will need to install several anit malware programs my concern is that will I be able to remove them from my machine after the cleansing procedure?

Regards

Yes. You can remove the programs after your log is clean.

Kaspersky's log highlighted this infection

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, April 6, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, April 06, 2009 11:58:52
Records in database: 2017642
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 61628
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:01:31


File name / Threat name / Threats count
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP152\A0036843.exe Infected: not-a-virus:FraudTool.Win32.SearchAndDestroy.r 1

The selected area was scanned.

I take it that this is only a log and the infection is still present and not removed?

It's been a long day! I ran a few online scanners and once I got to Spybot, it found 19 entries of Adwarealert files, fixewd them and restarted windows when at that point several dos windows openend and couldnt find cmd and nvt files? I promptly closed them down and eventually my desktop appeared.

At this point I'm reluctant to install and run more software and I apologise but I went on and ran the highjackthis scan and fixed the followinf file.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

All my microsoft patches are up to date.

I will restart windows and see if the same dos windows appear and will continue with the other scans and I would appreciate your optional fixes.

Do I need to do anything regardsing the Kaspersky log?

Regards
Pendu

Quote

The System Volume Information folder is a hidden system folder that the System Restore tool uses to store its information and restore points. There is a System Volume Information folder on every partition on your computer. When we get your computer cleaned, we will disable and enable System Restore which will delete all files in the System Volume Information folder.

Please complete the steps. Nothing we are doing would cause the problem you are describing. As soon as your log is clean, I will give you instructions on the Optional Fixes.

Adware and spyware blaster didn't find anything. Please find MBAM log below. Now proceeding with SAS and avast and hope to complete tonight.

Regards

Malwarebytes' Anti-Malware 1.36
Database version: 1949
Windows 5.1.2600 Service Pack 3

07/04/2009 21:14:47
mbam-log-2009-04-07 (21-14-47).txt

Scan type: Quick Scan
Objects scanned: 79907
Time elapsed: 8 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Good job. Let me know if you have any questions.

Steps 9 SAS log with highjackthis log

Regards

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/08/2009 at 00:15 AM

Application Version : 4.26.1000

Core Rules Database Version : 3833
Trace Rules Database Version: 1789

Scan type : Complete Scan
Total Scan Time : 02:30:01

Memory items scanned : 576
Memory threats detected : 0
Registry items scanned : 5649
Registry threats detected : 0
File items scanned : 60529
File threats detected : 0

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:30:56, on 08/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skybroadband.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154982565248
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate1c99d014fe1cea0) (gupdate1c99d014fe1cea0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9732 bytes

Quote

I cannot find much information on the Macspyware detector program which reported the Trojan.Zlob on your computer so I wanted to do some checking to see if perhaps it was a false positive. I did not see anything in your HijackThis log to confirm the finding; however, your statement about "find girls in my location" sounds suspicious. I decided that I needed to warn you about backdoor trojans like Trojan.Zlob.

Your computer may be infected with backdoor trojans. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. These trojans leave a backdoor open on the system that can allow hacker total and complete access to your computer. Backdoor trojans send your identity information to a third party who may use that information for their own purposes such as identity theft, stolen bank funds, stealing credit card information etc. Hackers can operate your computer just as if he were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

There are so many changes that could have been done if that backdoor was used. Even if we cleaned the infections, it would not help to recover the information that has been compromised and it is doubtful that you could trust your computer. Some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is another hidden piece of malware which has not been detected by your security tools that protects malicious files and registry keys (which have been detected) so they cannot be permanently deleted.

I advise you to do the following:

• Disconnect the computer from the Internet and from any networked computers.
  
• Back up all your important data except programs. The programs can be reinstalled from the original disc or from the Net.
  
• Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you do not mind the hassle, change all your account numbers.
  
• From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).
  
• Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Most experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS).

I recommend backing up your important files and reinstalling everything from scratch.

Here are some informative links to use to help you make a decision:

Danger: Remote Access Trojans

Consumers – Identity Theft

When should I re-format? How should I reinstall?

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Rootkits: The Obscure Hacker Attack

Help: I Got Hacked. Now What Do I Do?

Microsoft Says Recovery from Malware Becoming Impossible

How to report ID theft, fraud, drive-by installs, hijacking and malware? (#10451)

Should you have any questions, please feel free to ask.

Please let me know what you have decided to do in your next post.