What the Tech? It's as easy as 1,2,3!

[Resolved] Please Help - Firefox and IE - HJT log attached, HijackThis log
AndrewHo
post Jul 5 2009, 07:36 AM
Post #1
Authentic Member
Group: Authentic Member
Posts: 25
Joined: 5-July 09
Member No.: 86,555
Operating System: XP

I have suddenly started getting redirected when I hit hyperlinks in Firefox and IE, and pop-ups are coming up for no particular reason. Any help to remove whatever is doing this would be appreciated; a HJT log is attached:

Things have gotten substantially worse since I switched the computer off and on; most applications, including the HJT installer, do not run.

It was a substantial challenge to get this log. Please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:27, on 7/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\ld12.exe
C:\windows\freddy49.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\sysguard.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\ANDREW\Application Data\Mozilla\Profiles\default\ujwkzwy6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\ANDREW\Application Data\Mozilla\Profiles\default\ujwkzwy6.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: BHO - {8567EDFA-408C-43e9-B929-4C25C04F5003} - C:\WINDOWS\system32\iehelper.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy49.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [LowRiskFileTypes] C:\WINDOWS\sysguard.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Registration-Studio 8.lnk = C:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6743 bytes

CatByte
post Jul 5 2009, 07:44 AM
Post #2
Classroom Administrator Assistant
Group: Classroom Teacher
Posts: 6,927
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3

Hi,

Please do the following:

Note: It is very important that you rename ComboFix before you save it.

Download Combofix from any of the links below. You must rename it before saving it.
Save it to your desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

Link 1
Link 2
Link 3

During the download, rename Combofix to Combo-Fix as follows:

--------------------------------------------------------------------
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
--------------------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" for further review.

    **Note: Do not mouse-click combo-fix's window while it's running. That may cause it to stall**

--------------------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


AndrewHo
post Jul 5 2009, 08:07 AM
Post #3
Authentic Member
Group: Authentic Member
Posts: 25
Joined: 5-July 09
Member No.: 86,555
Operating System: XP

I had to use a 2nd computer to download Combo fix. Nothing happens in the infected computer when I click on the provided link. Unfortunately, when I try to run the (re-named) Combo-Fix program, I just get a message that reads:

Windows Security Alert - Application cannot be executed. The file combo-fix.exe is infected. Please activate your antivirus software
AndrewHo
post Jul 5 2009, 08:08 AM
Post #4
Authentic Member
Group: Authentic Member
Posts: 25
Joined: 5-July 09
Member No.: 86,555
Operating System: XP

I should add that the message appears when I try to run the program on the computer that is infected.
CatByte
post Jul 5 2009, 08:38 AM
Post #5
Classroom Administrator Assistant
Group: Classroom Teacher
Posts: 6,927
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3

Hi,

Please do the following:

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    c:\windows\explorer.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


Do the same for the following files:

c:\windows\system32\userinit.exe
c:\windows\system32\svchost.exe
c:\windows\system32\ctfmon.exe
c:\windows\system32\spoolsv.exe

AndrewHo
post Jul 5 2009, 10:18 AM
Post #6
Authentic Member
Group: Authentic Member
Posts: 25
Joined: 5-July 09
Member No.: 86,555
Operating System: XP

Thank you for your help. I've done as you suggested. Clipboard contents for each file are attached:

Result for Explorer:

VirSCAN.org Scanned Report :
Scanned time : 2009/07/06 01:15:13 (EST)
Scanner results: All Scanners reported not find malware!
File Name : explorer.exe
File Size : 1033216 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 97bd6515465659ff8f3b7be375b2ea87
SHA1 : 972307a3ef93680afdd03603df20f2241047a934
Online report : http://virscan.org/report/e7027680cfafcd13...3df5f09984.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.1 20090705150128 2009-07-05 2.82 -
AhnLab V3 2009.07.05.01 2009.07.05 2009-07-05 0.77 -
AntiVir 8.2.0.204 7.1.4.180 2009-07-03 0.36 -
Antiy 2.0.18 20090705.2596636 2009-07-05 0.12 -
Arcavir 2009 200907041246 2009-07-04 0.07 -
Authentium 5.1.1 200907041615 2009-07-04 2.17 -
AVAST! 4.7.4 090704-0 2009-07-04 0.05 -
AVG 8.5.286 270.13.5/2219 2009-07-05 3.54 -
BitDefender 7.81008.3654120 7.26384 2009-07-05 3.24 -
CA (VET) 9.0.0.143 31.6.6595 2009-07-03 7.80 -
ClamAV 0.95.2 9537 2009-07-03 0.16 -
Comodo 3.9 1538 2009-07-02 0.80 -
CP Secure 1.1.0.715 2009.07.03 2009-07-03 11.03 -
Dr.Web 4.44.0.9170 2009.07.05 2009-07-05 5.12 -
F-Prot 4.4.4.56 20090704 2009-07-04 2.17 -
F-Secure 5.51.6100 2009.07.05.01 2009-07-05 6.09 -
Fortinet 2.81-3.117 10.569 2009-07-05 0.17 -
GData 19.6281/19.385 20090705 2009-07-05 4.40 -
ViRobot 20090703 2009.07.03 2009-07-03 0.41 -
Ikarus T3.1.01.64 2009.07.05.72980 2009-07-05 2.97 -
JiangMin 11.0.800 2009.07.05 2009-07-05 3.47 -
Kaspersky 5.5.10 2009.07.05 2009-07-05 0.06 -
KingSoft 2009.2.5.15 2009.7.5.15 2009-07-05 0.47 -
McAfee 5.3.00 5666 2009-07-04 2.97 -
Microsoft 1.4803 2009.07.05 2009-07-05 4.87 -
mks_vir 2.01 2009.07.05 2009-07-05 3.29 -
Norman 6.01.09 6.01.00 2009-07-04 4.01 -
Panda 9.05.01 2009.07.04 2009-07-04 1.93 -
Trend Micro 8.700-1004 6.246.09 2009-07-05 0.03 -
Quick Heal 10.00 2009.07.03 2009-07-03 1.30 -
Rising 20.0 21.36.62.00 2009-07-05 0.93 -
Sophos 2.88.0 4.43 2009-07-05 2.66 -
Sunbelt 5225 5225 2009-07-04 0.82 -
Symantec 1.3.0.24 20090704.006 2009-07-04 0.06 -
nProtect 20090705.01 4827290 2009-07-05 6.15 -
The Hacker 6.3.4.3 v00362 2009-07-04 0.65 -
VBA32 3.12.10.7 20090704.1432 2009-07-04 2.16 -
VirusBuster 4.5.11.10 10.107.36/1760558 2009-07-05 2.41 -


Result for Userinit

VirSCAN.org Scanned Report :
Scanned time : 2009/07/06 01:30:56 (EST)
Scanner results: 3% Scanner(1/38) found malware!
File Name : userinit.exe
File Size : 24576 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 39b1ffb03c2296323832acbae50d2aff
SHA1 : e5aedcbe25a97c89101f1f3860ff846e94d70445
Online report : http://virscan.org/report/d6ca43d48749e80d...1807484d46.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.1 20090705150128 2009-07-05 2.61 -
AhnLab V3 2009.07.05.01 2009.07.05 2009-07-05 0.75 -
AntiVir 8.2.0.204 7.1.4.180 2009-07-03 0.30 -
Antiy 2.0.18 20090705.2596636 2009-07-05 0.12 -
Arcavir 2009 200907041246 2009-07-04 0.04 -
Authentium 5.1.1 200907041615 2009-07-04 1.18 -
AVAST! 4.7.4 090704-0 2009-07-04 0.01 -
AVG 8.5.286 270.13.5/2219 2009-07-05 3.46 -
BitDefender 7.81008.3654120 7.26384 2009-07-05 3.27 -
CA (VET) 9.0.0.143 31.6.6595 2009-07-03 8.11 -
ClamAV 0.95.2 9537 2009-07-03 0.01 -
Comodo 3.9 1538 2009-07-02 0.85 -
CP Secure 1.1.0.715 2009.07.03 2009-07-03 10.98 -
Dr.Web 4.44.0.9170 2009.07.05 2009-07-05 4.89 -
F-Prot 4.4.4.56 20090704 2009-07-04 1.24 -
F-Secure 5.51.6100 2009.07.05.01 2009-07-05 6.76 -
Fortinet 2.81-3.117 10.569 2009-07-05 0.14 -
GData 19.6281/19.385 20090705 2009-07-05 4.33 -
ViRobot 20090703 2009.07.03 2009-07-03 0.41 -
Ikarus T3.1.01.64 2009.07.05.72980 2009-07-05 2.97 -
JiangMin 11.0.800 2009.07.05 2009-07-05 4.34 -
Kaspersky 5.5.10 2009.07.05 2009-07-05 0.10 -
KingSoft 2009.2.5.15 2009.7.5.22 2009-07-05 0.48 -
McAfee 5.3.00 5666 2009-07-04 2.99 -
Microsoft 1.4803 2009.07.05 2009-07-05 5.38 -
mks_vir 2.01 2009.07.05 2009-07-05 3.14 Worm.Ixbot_F
Norman 6.01.09 6.01.00 2009-07-04 4.01 -
Panda 9.05.01 2009.07.04 2009-07-04 1.61 -
Trend Micro 8.700-1004 6.246.09 2009-07-05 0.03 -
Quick Heal 10.00 2009.07.03 2009-07-03 1.05 -
Rising 20.0 21.36.62.00 2009-07-05 0.79 -
Sophos 2.88.0 4.43 2009-07-05 2.66 -
Sunbelt 5225 5225 2009-07-04 0.83 -
Symantec 1.3.0.24 20090704.006 2009-07-04 0.05 -
nProtect 20090705.01 4827290 2009-07-05 6.37 -
The Hacker 6.3.4.3 v00362 2009-07-04 0.68 -
VBA32 3.12.10.7 20090704.1432 2009-07-04 2.15 -
VirusBuster 4.5.11.10 10.107.36/1760558 2009-07-05 2.16 -


For svchost.exe

VirSCAN.org Scanned Report :
Scanned time : 2009/07/06 01:38:02 (EST)
Scanner results: All Scanners reported not find malware!
File Name : svchost.exe
File Size : 14336 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 8f078ae4ed187aaabc0a305146de6716
SHA1 : da0ff4006859a7580aba81f486f692dead2014fe
Online report : http://virscan.org/report/8268bdbd104fe88c...80514f9080.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.1 20090705150128 2009-07-05 40.13 -
AhnLab V3 2009.07.05.01 2009.07.05 2009-07-05 0.81 -
AntiVir 8.2.0.204 7.1.4.180 2009-07-03 0.05 -
Antiy 2.0.18 20090705.2596636 2009-07-05 0.12 -
Arcavir 2009 200907041246 2009-07-04 0.03 -
Authentium 5.1.1 200907041615 2009-07-04 1.16 -
AVAST! 4.7.4 090704-0 2009-07-04 0.00 -
AVG 8.5.286 270.13.5/2219 2009-07-05 3.47 -
BitDefender 7.81008.3654120 7.26384 2009-07-05 3.26 -
CA (VET) 9.0.0.143 31.6.6595 2009-07-03 7.70 -
ClamAV 0.95.2 9537 2009-07-03 0.01 -
Comodo 3.9 1538 2009-07-02 0.85 -
CP Secure 1.1.0.715 2009.07.03 2009-07-03 10.98 -
Dr.Web 4.44.0.9170 2009.07.05 2009-07-05 5.03 -
F-Prot 4.4.4.56 20090704 2009-07-04 1.17 -
F-Secure 5.51.6100 2009.07.05.01 2009-07-05 0.08 -
Fortinet 2.81-3.117 10.569 2009-07-05 0.15 -
GData 19.6281/19.385 20090705 2009-07-05 4.82 -
ViRobot 20090703 2009.07.03 2009-07-03 0.53 -
Ikarus T3.1.01.64 2009.07.05.72980 2009-07-05 2.95 -
JiangMin 11.0.800 2009.07.05 2009-07-05 4.61 -
Kaspersky 5.5.10 2009.07.05 2009-07-05 0.06 -
KingSoft 2009.2.5.15 2009.7.5.22 2009-07-05 0.49 -
McAfee 5.3.00 5666 2009-07-04 2.98 -
Microsoft 1.4803 2009.07.05 2009-07-05 4.96 -
mks_vir 2.01 2009.07.05 2009-07-05 3.21 -
Norman 6.01.09 6.01.00 2009-07-04 4.01 -
Panda 9.05.01 2009.07.04 2009-07-04 3.79 -
Trend Micro 8.700-1004 6.246.09 2009-07-05 0.03 -
Quick Heal 10.00 2009.07.03 2009-07-03 1.44 -
Rising 20.0 21.36.62.00 2009-07-05 0.81 -
Sophos 2.88.0 4.43 2009-07-05 2.71 -
Sunbelt 5225 5225 2009-07-04 0.84 -
Symantec 1.3.0.24 20090704.006 2009-07-04 0.06 -
nProtect 20090705.01 4827290 2009-07-05 6.25 -
The Hacker 6.3.4.3 v00362 2009-07-04 0.66 -
VBA32 3.12.10.7 20090704.1432 2009-07-04 2.03 -
VirusBuster 4.5.11.10 10.107.36/1760558 2009-07-05 2.15 -

And ctfmon.exe

VirSCAN.org Scanned Report :
Scanned time : 2009/07/06 01:46:04 (EST)
Scanner results: All Scanners reported not find malware!
File Name : ctfmon.exe
File Size : 15360 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 24232996a38c0b0cf151c2140ae29fc8
SHA1 : b36d03b56a30187ffc6257459d632a4faac48af2
Online report : http://virscan.org/report/ee55121f8026a5c8...32022a81d3.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.1 20090705150128 2009-07-05 2.18 -
AhnLab V3 2009.07.05.01 2009.07.05 2009-07-05 0.85 -
AntiVir 8.2.0.204 7.1.4.180 2009-07-03 0.20 -
Antiy 2.0.18 20090705.2596636 2009-07-05 0.12 -
Arcavir 2009 200907041246 2009-07-04 0.03 -
Authentium 5.1.1 200907041615 2009-07-04 1.18 -
AVAST! 4.7.4 090704-0 2009-07-04 0.00 -
AVG 8.5.286 270.13.5/2219 2009-07-05 3.54 -
BitDefender 7.81008.3654120 7.26384 2009-07-05 3.60 -
CA (VET) 9.0.0.143 31.6.6595 2009-07-03 5.58 -
ClamAV 0.95.2 9537 2009-07-03 0.01 -
Comodo 3.9 1538 2009-07-02 0.75 -
CP Secure 1.1.0.715 2009.07.03 2009-07-03 10.86 -
Dr.Web 4.44.0.9170 2009.07.05 2009-07-05 4.81 -
F-Prot 4.4.4.56 20090704 2009-07-04 1.14 -
F-Secure 5.51.6100 2009.07.05.01 2009-07-05 0.10 -
Fortinet 2.81-3.117 10.569 2009-07-05 0.14 -
GData 19.6281/19.385 20090705 2009-07-05 4.28 -
ViRobot 20090703 2009.07.03 2009-07-03 0.41 -
Ikarus T3.1.01.64 2009.07.05.72980 2009-07-05 2.94 -
JiangMin 11.0.800 2009.07.05 2009-07-05 3.27 -
Kaspersky 5.5.10 2009.07.05 2009-07-05 0.09 -
KingSoft 2009.2.5.15 2009.7.5.22 2009-07-05 0.47 -
McAfee 5.3.00 5667 2009-07-05 2.96 -
Microsoft 1.4803 2009.07.05 2009-07-05 4.92 -
mks_vir 2.01 2009.07.05 2009-07-05 3.20 -
Norman 6.01.09 6.01.00 2009-07-04 4.01 -
Panda 9.05.01 2009.07.04 2009-07-04 1.67 -
Trend Micro 8.700-1004 6.246.09 2009-07-05 0.03 -
Quick Heal 10.00 2009.07.03 2009-07-03 0.99 -
Rising 20.0 21.36.62.00 2009-07-05 0.80 -
Sophos 2.88.0 4.43 2009-07-05 2.66 -
Sunbelt 5225 5225 2009-07-04 0.82 -
Symantec 1.3.0.24 20090704.006 2009-07-04 0.05 -
nProtect 20090705.01 4827290 2009-07-05 6.18 -
The Hacker 6.3.4.3 v00362 2009-07-04 0.75 -
VBA32 3.12.10.7 20090704.1432 2009-07-04 2.12 -
VirusBuster 4.5.11.10 10.107.36/1760558 2009-07-05 2.16 -


and finally spoolsv.exe

VirSCAN.org Scanned Report :
Scanned time : 2009/07/06 02:10:46 (EST)
Scanner results: All Scanners reported not find malware!
File Name : spoolsv.exe
File Size : 57856 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : da81ec57acd4cdc3d4c51cf3d409af9f
SHA1 : 7047ed8bd91f3e57972483feaa56e3499cd8c668
Online report : http://virscan.org/report/088eacae0872374f...2772fbac66.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.1 20090705150128 2009-07-05 2.17 -
AhnLab V3 2009.07.05.01 2009.07.05 2009-07-05 0.73 -
AntiVir 8.2.0.204 7.1.4.181 2009-07-05 0.55 -
Antiy 2.0.18 20090705.2596636 2009-07-05 0.12 -
Arcavir 2009 200907041246 2009-07-04 0.05 -
Authentium 5.1.1 200907041615 2009-07-04 1.25 -
AVAST! 4.7.4 090704-0 2009-07-04 0.01 -
AVG 8.5.286 270.13.5/2219 2009-07-05 121.59 -
BitDefender 7.81008.3654124 7.26386 2009-07-05 3.24 -
CA (VET) 9.0.0.143 31.6.6595 2009-07-03 9.65 -
ClamAV 0.95.2 9537 2009-07-03 0.02 -
Comodo 3.9 1538 2009-07-02 0.73 -
CP Secure 1.1.0.715 2009.07.03 2009-07-03 10.99 -
Dr.Web 4.44.0.9170 2009.07.05 2009-07-05 4.92 -
F-Prot 4.4.4.56 20090704 2009-07-04 1.23 -
F-Secure 5.51.6100 2009.07.05.01 2009-07-05 6.26 -
Fortinet 2.81-3.117 10.569 2009-07-05 0.60 -
GData 19.6281/19.385 20090705 2009-07-05 4.91 -
ViRobot 20090703 2009.07.03 2009-07-03 0.43 -
Ikarus T3.1.01.64 2009.07.05.72980 2009-07-05 2.99 -
JiangMin 11.0.800 2009.07.05 2009-07-05 3.33 -
Kaspersky 5.5.10 2009.07.05 2009-07-05 0.05 -
KingSoft 2009.2.5.15 2009.7.5.22 2009-07-05 0.50 -
McAfee 5.3.00 5667 2009-07-05 2.97 -
Microsoft 1.4803 2009.07.05 2009-07-05 4.92 -
mks_vir 2.01 2009.07.05 2009-07-05 3.20 -
Norman 6.01.09 6.01.00 2009-07-04 4.00 -
Panda 9.05.01 2009.07.04 2009-07-04 1.68 -
Trend Micro 8.700-1004 6.246.09 2009-07-05 0.03 -
Quick Heal 10.00 2009.07.03 2009-07-03 1.10 -
Rising 20.0 21.36.62.00 2009-07-05 0.83 -
Sophos 2.88.0 4.43 2009-07-05 2.70 -
Sunbelt 5225 5225 2009-07-04 1.06 -
Symantec 1.3.0.24 20090704.006 2009-07-04 0.05 -
nProtect 20090705.01 4827290 2009-07-05 6.31 -
The Hacker 6.3.4.3 v00362 2009-07-04 0.65 -
VBA32 3.12.10.7 20090704.1432 2009-07-04 2.12 -
VirusBuster 4.5.11.10 10.107.36/1760558 2009-07-05 2.17 -
CatByte
post Jul 5 2009, 10:27 AM
Post #7
Classroom Administrator Assistant
Group: Classroom Teacher
Posts: 6,927
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3

Hi,

Ok, that's good.

Let's see if we can get rid of a few things so we can get ComboFix to run.

Please do the following:

  • Open HiJackThis
  • Click on Do a system scan only
  • Check the boxes next to ONLY the entries listed below (if still present):

O2 - BHO: BHO - {8567EDFA-408C-43e9-B929-4C25C04F5003} - C:\WINDOWS\system32\iehelper.dll
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy49.exe
O4 - HKCU\..\Run: [LowRiskFileTypes] C:\WINDOWS\sysguard.exe

  • Close all windows except HijackThis and click Fix Checked
  • Click Yes when prompted
  • Close HijackThis.

Now delete the copy of ComboFix that you have on your desktop.

Download a fresh copy, naming it Combafix this time, and re-run it.

Try it in safe mode if it will not run in normal mode.

Post the resulting log.
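An added example, not part of the original thread and not HijackThis or ComboFix logic: a small Python checker that applies two heuristics of my own to HijackThis O2/O4 lines, and that, run over lines copied from the HJT log in post #1, picks out exactly the four entries CatByte lists above and none of their neighbours. Signal one is a Run value or Startup shortcut whose executable sits directly in the Windows directory rather than in a subfolder or Program Files; signal two is a BHO registered with no descriptive name. A bare file name such as SOUNDMAN.EXE is not resolved against the PATH, so it is never flagged; the function names and the sample are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: nine lines copied from the HijackThis log earlier in this
# thread (the four entries CatByte singled out plus benign neighbours).
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BHO - {8567EDFA-408C-43e9-B929-4C25C04F5003} - C:\WINDOWS\system32\iehelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy49.exe
O4 - HKCU\..\Run: [LowRiskFileTypes] C:\WINDOWS\sysguard.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
"""

# HijackThis line shapes handled here (O2 = BHO, O4 = Run key / Startup folder).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - Startup: (?P<lnk>.+?) = (?P<path>.+)$")
# A file placed directly under <drive>:\windows\, not in any subfolder.
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)

# Display names that say nothing about what the BHO is (heuristic, my own).
GENERIC_BHO_NAMES = {"", "bho", "(no name)"}


@dataclass
class Finding:
    line: str
    reason: str


def executable_of(cmd: str) -> str:
    """Return the program a Run-key command line launches: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def in_windows_root(path: str) -> bool:
    """True only for a full path directly under the Windows directory (bare names stay False)."""
    return WINDOWS_ROOT_RE.match(path) is not None


def value_name_matches(value_name: str, exe: str) -> bool:
    """Does the Run value name share its spelling with the file it launches (SoundMan / SOUNDMAN.EXE)?"""
    stem = exe.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0].lower()
    name = re.sub(r"[^a-z0-9]", "", value_name.lower())
    return bool(stem) and (stem in name or name in stem)


def analyze_hjt(log_text: str) -> list[Finding]:
    """Flag O2/O4 lines showing either signal; everything else passes silently."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            if m["name"].strip().lower() in GENERIC_BHO_NAMES:
                findings.append(Finding(line, f"BHO registered without a descriptive name: {m['path']}"))
        elif m := O4_RUN_RE.match(line):
            exe = executable_of(m["cmd"])
            if in_windows_root(exe):
                reason = f"{m['hive']} Run entry launches {exe} from the Windows directory itself"
                if not value_name_matches(m["value"], exe):
                    reason += f"; value name '{m['value']}' does not match the file name"
                findings.append(Finding(line, reason))
        elif m := O4_STARTUP_RE.match(line):
            if in_windows_root(m["path"].strip()):
                findings.append(Finding(line, f"Startup shortcut points into the Windows directory: {m['path']}"))
    return findings


if __name__ == "__main__":
    for f in analyze_hjt(SAMPLE_HJT_LOG):
        print(f"{f.reason}\n    {f.line}")
```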
AndrewHo
post Jul 5 2009, 10:53 AM
Post #8
Authentic Member
Group: Authentic Member
Posts: 25
Joined: 5-July 09
Member No.: 86,555
Operating System: XP

ComboFix log is attached.

ComboFix 09-07-04.09 - Andrew 07/06/2009 2:45.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1535.1096 [GMT 10:00]
Running from: c:\documents and settings\Andrew\Desktop\CombaFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\system volume information\_restore{F5F025B4-9CED-4D69-8BE5-19683F6CD5F5}\RP221\A0013986.exe

.
((((((((((((((((((((((((( Files Created from 2009-06-05 to 2009-07-05 )))))))))))))))))))))))))))))))
.

2009-07-05 16:50 . 2004-08-04 12:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-05 16:45 . 2004-08-04 12:00 60416 ----a-w- c:\windows\system32\cryptsvc.dll
2009-07-05 14:43 . 2009-07-05 16:40 -------- d-s---w- C:\Combo-Fix
2009-07-05 14:42 . 2009-07-05 14:43 -------- d-----w- C:\32788R22FWJFW.0.tmp
2009-07-05 12:25 . 2009-07-05 12:25 -------- d-----w- c:\program files\Trend Micro
2009-07-04 17:16 . 2009-07-04 17:16 1 ---h--w- c:\windows\jmmark2.dat
2009-07-04 17:16 . 2009-07-04 17:16 1 ---h--w- c:\windows\bf23567.dat
2009-07-04 16:16 . 2009-07-04 16:16 -------- d-----w- c:\program files\drv
2009-06-17 15:14 . 2009-07-04 15:03 -------- d-----w- c:\documents and settings\Andrew\Local Settings\Application Data\SecondLife

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 13:58 . 2007-08-16 12:15 -------- d-----w- c:\documents and settings\Andrew\Application Data\SecondLife
2009-05-30 14:59 . 2009-05-30 14:40 -------- d-----w- c:\documents and settings\Andrew\Application Data\vlc
2009-05-30 14:33 . 2009-05-30 14:33 -------- d-----w- c:\program files\VideoLAN
2009-05-30 14:10 . 2009-05-30 14:10 -------- d-----w- c:\program files\Haali
2009-05-22 13:44 . 2009-05-22 13:43 -------- d-----w- c:\program files\SecondLife
2009-05-09 12:04 . 2009-05-09 12:04 -------- d-----w- c:\program files\hjsplit
2009-05-09 12:04 . 2009-05-09 12:04 -------- d-----w- c:\program files\hjspli
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2007-03-01 43008]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-03 149040]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-11 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-13 83608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"BCWipeTM Startup"="c:\program files\Jetico\BCWipe\BCWipeTM.exe" [2002-09-03 253952]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-05-03 161328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-08-15 57344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-06-28 1626112]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2008-08-01 364544]

c:\documents and settings\Andrew\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-21 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-21 51984]
Registration-Studio 8.lnk - c:\program files\Pinnacle\Studio 8\Register\RegTool.exe [2008-12-30 245760]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Laplink\\PCsync\\SFTHost.exe"=
"c:\\Program Files\\SecondLife\\SecondLife.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:drv

R1 drvdrv;drvdrv;c:\program files\drv\drv.sys [7/5/2009 2:16 AM 9344]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [8/11/2007 3:24 AM 16512]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [8/2/2008 12:21 AM 10112]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSwap.sys [8/16/2002 3:09 PM 98452]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
drv REG_MULTI_SZ drv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-06-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 02:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\pjocjidi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 02:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2384)
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO800u.dll
.
Completion time: 2009-07-05 2:51
ComboFix-quarantined-files.txt 2009-07-05 16:51
ComboFix2.txt 2009-07-05 16:40

Pre-Run: 24,498,655,232 bytes free
Post-Run: 24,478,470,144 bytes free

123 --- E O F --- 2008-12-18 16:00
CatByte
post Jul 5 2009, 11:16 AM
Post #9
Classroom Administrator Assistant
Group: Classroom Teacher
Posts: 6,927
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

CODE
http://forums.whatthetech.com/Please_Help_Firefox_IE_HJT_log_attached_t104824.html&view=findpost&p=574867#entry574867

Collect::
c:\windows\jmmark2.dat
c:\windows\bf23567.dat
c:\program files\drv\drv.sys

KillAll::

Folder::
C:\32788R22FWJFW.0.tmp
c:\program files\drv

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"drv"=-

Driver::
drvdrv


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**
When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

AndrewHo
post Jul 5 2009, 08:26 PM
Post #10


Authentic Member

Group: Authentic Member
Posts: 25
Joined: 5-July 09
Member No.: 86,555
Operating System: XP



Thanks again. I have done as you suggested, log is below.

Please note I had to rename 'combafix.exe' back to 'combofix.exe' to get this to run.



ComboFix 09-07-04.09 - Andrew 07/06/2009 12:14.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1535.1080 [GMT 10:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andrew\Desktop\CFScript.txt

file zipped: c:\program files\drv\drv.sys
file zipped: c:\windows\bf23567.dat
file zipped: c:\windows\jmmark2.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\32788R22FWJFW.0.tmp
c:\32788r22fwjfw.0.tmp\DirName00
c:\program files\drv
c:\program files\drv\drv.dll
c:\program files\drv\drv.sys
c:\windows\bf23567.dat
c:\windows\jmmark2.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRVDRV
-------\Service_drvdrv


((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.

2009-07-06 02:10 . 2009-07-06 02:11 -------- d-s---w- C:\CombaFix
2009-07-05 16:50 . 2004-08-04 12:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-05 16:45 . 2004-08-04 12:00 60416 ----a-w- c:\windows\system32\cryptsvc.dll
2009-07-05 14:43 . 2009-07-05 16:40 -------- d-s---w- C:\Combo-Fix
2009-07-05 12:25 . 2009-07-05 12:25 -------- d-----w- c:\program files\Trend Micro
2009-06-17 15:14 . 2009-07-04 15:03 -------- d-----w- c:\documents and settings\Andrew\Local Settings\Application Data\SecondLife

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 13:58 . 2007-08-16 12:15 -------- d-----w- c:\documents and settings\Andrew\Application Data\SecondLife
2009-05-30 14:59 . 2009-05-30 14:40 -------- d-----w- c:\documents and settings\Andrew\Application Data\vlc
2009-05-30 14:33 . 2009-05-30 14:33 -------- d-----w- c:\program files\VideoLAN
2009-05-30 14:10 . 2009-05-30 14:10 -------- d-----w- c:\program files\Haali
2009-05-22 13:44 . 2009-05-22 13:43 -------- d-----w- c:\program files\SecondLife
2009-05-09 12:04 . 2009-05-09 12:04 -------- d-----w- c:\program files\hjsplit
2009-05-09 12:04 . 2009-05-09 12:04 -------- d-----w- c:\program files\hjspli
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2007-03-01 43008]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-03 149040]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-11 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-13 83608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"BCWipeTM Startup"="c:\program files\Jetico\BCWipe\BCWipeTM.exe" [2002-09-03 253952]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-05-03 161328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-08-15 57344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-06-28 1626112]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2008-08-01 364544]

c:\documents and settings\Andrew\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-21 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-21 51984]
Registration-Studio 8.lnk - c:\program files\Pinnacle\Studio 8\Register\RegTool.exe [2008-12-30 245760]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Laplink\\PCsync\\SFTHost.exe"=
"c:\\Program Files\\SecondLife\\SecondLife.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [8/11/2007 3:24 AM 16512]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [8/2/2008 12:21 AM 10112]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSwap.sys [8/16/2002 3:09 PM 98452]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CRYPTSVC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-07-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 02:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\pjocjidi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 12:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3232)
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO800u.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\rundll32.exe
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2009-07-06 12:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-06 02:22
ComboFix2.txt 2009-07-05 16:51
ComboFix3.txt 2009-07-05 16:40

Pre-Run: 24,492,752,896 bytes free
Post-Run: 24,476,422,144 bytes free

148 --- E O F --- 2008-12-18 16:00
CatByte
post Jul 5 2009, 08:33 PM
Post #11


Classroom Administrator Assistant

Group: Classroom Teacher
Posts: 6,927
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Hi,

Please do the following:

**NOTE**
=================
  • Combofix failed to upload the files I had requested - please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[4]-Submit_Date_Time.zip" (Date_Time will be today's date and the time of the most recent ComboFix run)
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file. Please advise if you were successful in uploading them.


Thank-you.

Next

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean

It's normal after running TFC cleaner that the PC will be slower to boot the first time.

NEXT

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.


Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT

**Vista users - right click on the IE icon and run as administrator

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.


  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply



In your next reply please include
  • MBAM Log
  • Kaspersky report



Also, Please advise how your computer is running now and if there are any outstanding issues
AndrewHo
post Jul 7 2009, 04:39 AM
Post #12


Authentic Member

Group: Authentic Member
Posts: 25
Joined: 5-July 09
Member No.: 86,555
Operating System: XP



Sorry about the delay, all of the last set of instructions took a little while.

You should find that the submit file has been uploaded as instructed.

Malwarebytes' Anti-Malware log follows:

Malwarebytes' Anti-Malware 1.38
Database version: 2378
Windows 5.1.2600 Service Pack 2

7/6/2009 1:07:52 PM
mbam-log-2009-07-06 (13-07-52).txt

Scan type: Quick Scan
Objects scanned: 80380
Time elapsed: 2 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Next is the Kaspersky log:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, July 7, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, July 06, 2009 13:09:31
Records in database: 2432254
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
J:\
K:\

Scan statistics:
Files scanned: 149638
Threat name: 9
Infected objects: 20
Suspicious objects: 4
Duration of the scan: 04:01:28


File name / Threat name / Threats count
C:\Documents and Settings\Andrew\Local Settings\Application Data\Identities\{1C4046A8-5CD9-494A-893F-DB4DA99F5A4F}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\Andrew\Local Settings\Application Data\Identities\{1C4046A8-5CD9-494A-893F-DB4DA99F5A4F}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Andrew\Local Settings\Application Data\Identities\{1C4046A8-5CD9-494A-893F-DB4DA99F5A4F}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Andrew\Local Settings\Application Data\Identities\{1C4046A8-5CD9-494A-893F-DB4DA99F5A4F}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Bankfraud.c 1
C:\Documents and Settings\Andrew\Local Settings\Application Data\Identities\{1C4046A8-5CD9-494A-893F-DB4DA99F5A4F}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Bankfraud.d 1
C:\Qoobox\Quarantine\C\Program Files\drv\drv.dll.vir Infected: Trojan-Downloader.Win32.Agent.chpc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ppkfqimx.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fys 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\soqdjkea.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.gdc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\uzkmza.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.gdc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yaprwx.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fys 1
C:\System Volume Information\_restore{F5F025B4-9CED-4D69-8BE5-19683F6CD5F5}\RP221\A0014012.exe Infected: Trojan-Downloader.Win32.Agent.chps 1
C:\System Volume Information\_restore{F5F025B4-9CED-4D69-8BE5-19683F6CD5F5}\RP222\A0015235.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.fys 1
C:\System Volume Information\_restore{F5F025B4-9CED-4D69-8BE5-19683F6CD5F5}\RP222\A0015237.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.gdc 1
C:\System Volume Information\_restore{F5F025B4-9CED-4D69-8BE5-19683F6CD5F5}\RP222\A0015238.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.gdc 1
C:\System Volume Information\_restore{F5F025B4-9CED-4D69-8BE5-19683F6CD5F5}\RP222\A0015240.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.fys 1
C:\System Volume Information\_restore{F5F025B4-9CED-4D69-8BE5-19683F6CD5F5}\RP222\A0015471.dll Infected: Trojan-Downloader.Win32.Agent.chpc 1
C:\WINDOWS\system32\bgnricav.dll Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\system32\gvbvxkbq.dll Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\system32\lbhshsma.dll Infected: Trojan.Win32.Monder.gen 1
F:\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.Swen 1
F:\Outlook Express\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
F:\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
F:\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Bankfraud.c 1
F:\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Bankfraud.d 1

The selected area was scanned.



The computer seems to be running well now. The only odd thing is a red shield with a white x on it in the taskbar which keeps popping up messages relating to anti-viral software. If I place the mouse over it, a textbox pops up with the words "Windows Security Alerts". I don't know whether or not that is normal.

Thanks for your help

CatByte
post Jul 7 2009, 05:44 AM
Post #13


Classroom Administrator Assistant

Group: Classroom Teacher
Posts: 6,927
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Hi,

Note: Kaspersky alerted to a number of items in your email; unfortunately it cannot pinpoint which particular emails are infected. You will have to use your best judgment as to which emails are suspicious. Delete anything from anyone you don't know, or any that have attachments. Unless it's extremely important from a very trusted source, delete it, then empty the trash can.

NEXT


Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

CODE
File::
C:\WINDOWS\system32\bgnricav.dll
C:\WINDOWS\system32\gvbvxkbq.dll
C:\WINDOWS\system32\lbhshsma.dll

SkipFix::


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


As for the alert box:

Does it look like this?

If so, that is Windows alerting you that you need to install security updates.

You should have that set to update automatically

Turn on Automatic Updates. To do this, follow these steps:

Click Start, click Run,
type sysdm.cpl into the open run box then press OK
Click the Automatic Updates tab
click the "Automatic (recommended): Automatically download recommended updates for my computer and install them" option
(you can then choose the frequency and time this occurs)
Click OK

Please advise if there are any outstanding issues.

Post a fresh HJT log so I can ensure you are clean, then we can clean up the tools.
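As an added defender-side example (not CatByte's code and not a tool from this thread), the Python script below parses lines in the format of the Kaspersky report posted above, separates detections that sit in ComboFix's Qoobox quarantine, in System Restore snapshots or inside Outlook Express mail stores from those still live on the system, and builds the File:: block of a CFScript for the live ones, which is what the script in this post does by hand. The sample lines are copied from the report above; the classification rules are assumptions drawn from the paths seen in this thread.

```python
"""Triage a Kaspersky Online Scanner report and draft a ComboFix File:: block."""
import re
from collections import defaultdict

# Detection lines copied from the Kaspersky report in this thread (abridged),
# plus the header and footer lines the parser must skip.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\Andrew\Local Settings\Application Data\Identities\{1C4046A8-5CD9-494A-893F-DB4DA99F5A4F}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Bankfraud.c 1
C:\Qoobox\Quarantine\C\Program Files\drv\drv.dll.vir Infected: Trojan-Downloader.Win32.Agent.chpc 1
C:\System Volume Information\_restore{F5F025B4-9CED-4D69-8BE5-19683F6CD5F5}\RP222\A0015471.dll Infected: Trojan-Downloader.Win32.Agent.chpc 1
C:\WINDOWS\system32\bgnricav.dll Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\system32\gvbvxkbq.dll Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\system32\lbhshsma.dll Infected: Trojan.Win32.Monder.gen 1
F:\Outlook Express\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1

The selected area was scanned.
"""

# One detection per line: "<path> Infected|Suspicious: <threat> <count>".
# The path may contain spaces, so it is matched non-greedily up to the verdict.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)


def classify(path):
    """Assumed buckets, based on where the hits in this thread were found."""
    p = path.lower()
    if p.startswith(r"c:\qoobox\quarantine"):
        return "quarantined"      # already moved aside by ComboFix, inert
    if r"\system volume information\_restore" in p:
        return "restore_point"    # copy inside a System Restore snapshot
    if p.endswith(".dbx"):
        return "mail_store"       # Outlook Express mailbox; scanner cannot name the message
    return "live"                 # still in place on the running system


def parse_report(text):
    """Return (path, verdict, threat, bucket) for every detection line."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # header, footer or blank line
        hits.append((m["path"], m["verdict"], m["threat"], classify(m["path"])))
    return hits


def triage(text):
    """Group detections by bucket; keys are only present for buckets with hits."""
    groups = defaultdict(list)
    for path, verdict, threat, bucket in parse_report(text):
        groups[bucket].append((path, verdict, threat))
    return dict(groups)


def cfscript_file_section(text):
    """Draft the File:: block (format used in this thread) for live detections only."""
    live = [path for path, _, _ in triage(text).get("live", [])]
    if not live:
        return ""
    return "File::\n" + "\n".join(live) + "\n"


if __name__ == "__main__":
    for bucket, items in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{bucket}: {len(items)}")
        for path, verdict, threat in items:
            print(f"  {verdict:<10} {threat:<40} {path}")
    print()
    print(cfscript_file_section(SAMPLE_REPORT))
```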


AndrewHo
post Jul 7 2009, 06:04 AM
Post #14


Authentic Member

Group: Authentic Member
Posts: 25
Joined: 5-July 09
Member No.: 86,555
Operating System: XP



Hello,

ComboFix log follows:

ComboFix 09-07-04.09 - Andrew 07/07/2009 21:51.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1535.1156 [GMT 10:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andrew\Desktop\CFScript.txt
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
"c:\windows\system32\bgnricav.dll"
"c:\windows\system32\gvbvxkbq.dll"
"c:\windows\system32\lbhshsma.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bgnricav.dll
c:\windows\system32\gvbvxkbq.dll
c:\windows\system32\lbhshsma.dll

.
((((((((((((((((((((((((( Files Created from 2009-06-07 to 2009-07-07 )))))))))))))))))))))))))))))))
.

2009-07-06 11:39 . 2009-07-06 11:38 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-06 11:38 . 2009-07-06 11:38 152576 ----a-w- c:\documents and settings\Andrew\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-06 02:43 . 2009-07-06 02:43 -------- d-----w- c:\windows\LastGood
2009-07-06 02:10 . 2009-07-06 02:11 -------- d-s---w- C:\CombaFix
2009-07-05 16:50 . 2004-08-04 12:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-05 16:45 . 2004-08-04 12:00 60416 ----a-w- c:\windows\system32\cryptsvc.dll
2009-07-05 14:43 . 2009-07-05 16:40 -------- d-s---w- C:\Combo-Fix
2009-07-05 12:25 . 2009-07-05 12:25 -------- d-----w- c:\program files\Trend Micro
2009-06-17 15:14 . 2009-07-06 15:53 -------- d-----w- c:\documents and settings\Andrew\Local Settings\Application Data\SecondLife

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 11:38 . 2007-06-25 11:45 -------- d-----w- c:\program files\Java
2009-07-06 03:00 . 2008-10-04 15:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-04 13:58 . 2007-08-16 12:15 -------- d-----w- c:\documents and settings\Andrew\Application Data\SecondLife
2009-06-17 01:27 . 2008-10-04 15:16 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 01:27 . 2008-10-04 15:16 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-30 14:59 . 2009-05-30 14:40 -------- d-----w- c:\documents and settings\Andrew\Application Data\vlc
2009-05-30 14:33 . 2009-05-30 14:33 -------- d-----w- c:\program files\VideoLAN
2009-05-30 14:10 . 2009-05-30 14:10 -------- d-----w- c:\program files\Haali
2009-05-22 13:44 . 2009-05-22 13:43 -------- d-----w- c:\program files\SecondLife
2009-05-09 12:04 . 2009-05-09 12:04 -------- d-----w- c:\program files\hjsplit
2009-05-09 12:04 . 2009-05-09 12:04 -------- d-----w- c:\program files\hjspli
.

((((((((((((((((((((((((((((( SnapShot@2009-07-05_14.50.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-06 11:39 . 2009-07-06 11:39 16384 c:\windows\temp\Perflib_Perfdata_ce8.dat
+ 2009-07-06 11:39 . 2009-07-06 11:38 148888 c:\windows\system32\javaws.exe
+ 2009-07-06 11:39 . 2009-07-06 11:38 144792 c:\windows\system32\javaw.exe
+ 2009-07-06 11:39 . 2009-07-06 11:38 144792 c:\windows\system32\java.exe
+ 2009-07-06 11:38 . 2009-07-06 11:38 536576 c:\windows\Installer\1ec74a1.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2007-03-01 43008]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-03 149040]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-11 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-06 148888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"BCWipeTM Startup"="c:\program files\Jetico\BCWipe\BCWipeTM.exe" [2002-09-03 253952]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-05-03 161328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-08-15 57344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-06-28 1626112]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2008-08-01 364544]

c:\documents and settings\Andrew\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-21 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-21 51984]
Registration-Studio 8.lnk - c:\program files\Pinnacle\Studio 8\Register\RegTool.exe [2008-12-30 245760]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Laplink\\PCsync\\SFTHost.exe"=
"c:\\Program Files\\SecondLife\\SecondLife.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [8/11/2007 3:24 AM 16512]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [8/2/2008 12:21 AM 10112]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSwap.sys [8/16/2002 3:09 PM 98452]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-07-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 02:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\pjocjidi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 21:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-07-07 21:53
ComboFix-quarantined-files.txt 2009-07-07 11:52
ComboFix2.txt 2009-07-06 02:22
ComboFix3.txt 2009-07-05 16:51
ComboFix4.txt 2009-07-05 16:40

Pre-Run: 24,221,138,944 bytes free
Post-Run: 24,285,663,232 bytes free

137 --- E O F --- 2009-07-06 17:00


And HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:58, on 7/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\ANDREW\Application Data\Mozilla\Profiles\default\ujwkzwy6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\ANDREW\Application Data\Mozilla\Profiles\default\ujwkzwy6.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Registration-Studio 8.lnk = C:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6605 bytes

There are no obvious outstanding issues.

Interestingly when I went to turn on the automatic updates (the symbol is exactly as you described) it seemed to already be at the settings you described.

Thank you again for your help.
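As an added example that is not part of this thread or of HijackThis itself, the script below shows how a reviewer can pre-sort the O4 (autorun) and O23 (service) lines of a log like the one posted above. It parses each entry, works out which file is really launched (stripping quotes and arguments, and following rundll32 through to the DLL it loads), and flags the entries that deserve a closer look first: executables listed without a directory, files that sit directly in the Windows folder, and services with no publisher. The sample lines are copied from the log above except the `example49.exe` entry, which is a constructed placeholder so the Windows-root rule has something to fire on; the heuristics are this example's own, and a flag means "check this file", not "this is malware".

```python
"""Triage helper for HijackThis O4 (autorun) and O23 (service) lines.
Added example, not part of the thread or of HijackThis itself. It flags the
entries a reviewer should look at first; a flag is a prompt to check the file,
not a verdict that it is malicious."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: entries copied from the HijackThis log posted above, plus one
# synthetic HKCU entry ("example49.exe", a placeholder) so the Windows-root rule fires.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [example] C:\WINDOWS\example49.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
# first path-like token ending in an executable extension, followed by a boundary
EXT_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=[\s,]|$)(?P<rest>.*)$",
                    re.IGNORECASE)


@dataclass
class Finding:
    kind: str          # "autorun" or "service"
    name: str          # entry name as shown in the log
    executable: str    # file that is really launched
    reasons: List[str] = field(default_factory=list)


def target_executable(cmd: str) -> str:
    """Return the file a command line really launches: strips quotes and
    arguments, and for rundll32 follows through to the DLL it is told to load."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe, rest = (cmd[1:end], cmd[end + 1:]) if end > 0 else (cmd[1:], "")
    else:
        m = EXT_RE.match(cmd)
        exe, rest = (m.group("exe"), m.group("rest")) if m else (cmd.partition(" ")[0], cmd.partition(" ")[2])
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe" and rest.strip():
        return target_executable(rest)   # the DLL argument is the real payload
    return exe


def review_executable(exe: str) -> List[str]:
    """Heuristics a log reviewer applies before looking anything up."""
    reasons = []
    if "\\" not in exe:
        reasons.append("no directory given, so it is resolved through the search path; "
                       "confirm where the file really lives")
    elif exe.rsplit("\\", 1)[0].lower() in ("c:\\windows", "c:\\winnt"):
        reasons.append("file sits directly in the Windows folder rather than in System32 or Program Files")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Parse O4/O23 lines and return only the entries that carry a reason."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            exe = target_executable(m.group("cmd"))
            reasons = review_executable(exe)
            if reasons:
                findings.append(Finding("autorun", m.group("name"), exe, reasons))
            continue
        m = SERVICE_RE.match(line)
        if m:
            exe = target_executable(m.group("cmd"))
            reasons = review_executable(exe)
            if m.group("owner").lower() == "unknown owner":
                reasons.append("service reports no publisher; check the file's signature and version information")
            if reasons:
                findings.append(Finding("service", m.group("name"), exe, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:8} {f.name!r:50} {f.executable}")
        for r in f.reasons:
            print(f"         - {r}")
```

On the sample above this lists `SoundMan`, `nwiz`, the placeholder `example` entry and the "Unknown owner" Adobe service, and leaves the fully qualified Program Files and System32 entries alone. Bare names such as `SOUNDMAN.EXE` are not wrong in themselves (many OEM installers write them that way), which is why the output asks where the file lives instead of calling it bad.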

CatByte
post Jul 7 2009, 06:30 AM
Post #15


Classroom Administrator Assistant

Group: Classroom Teacher
Posts: 6,927
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Hi,

You are clean; time to do some housekeeping:

Go to Start> Control Panel > Add/Remove programs
a list of your installed programs will populate
remove all your old Java programs
Leave the Java version 6 update 14 in place as that is the most recent


NEXT


Visit ADOBE and download the latest version of Acrobat Reader (version 9.1)
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Follow these steps to uninstall Combofix

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.





NEXT

Now to remove the rest of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.

  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest security updates installed.

  • SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.

  • SpywareGuard offers real-time protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program (e.g. TeaTimer, Windows Defender) or there will be a conflict.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • For Firefox, I highly recommend this add-on to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.



**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.
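The Internet Explorer steps in the post above (Inetcpl.cpl, Security tab, Custom level) change three per-user registry values for the Internet zone. As an added example that is not part of CatByte's post, the script below audits those three values and can set them to the recommended state. The value names 1001, 1004 and 1201, zone number 3 for the Internet zone, and the encoding 0 = Enable, 1 = Prompt, 3 = Disable follow Microsoft's documented layout of the Internet Settings zone keys; the `--fix` switch, the report format and the constructed `SAMPLE_WEAK` values are this example's own.

```python
"""Check of the three Internet-zone ActiveX settings recommended above.
Added example, not part of CatByte's post. The value names 1001, 1004 and 1201
and the encoding 0 = Enable, 1 = Prompt, 3 = Disable follow Microsoft's documented
layout of the Internet Settings zone keys; the rest is this example's own."""
import sys
from typing import Dict, List, Optional, Tuple

# Zone 3 is the Internet zone; the per-user settings live under HKCU.
ZONE_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# value name -> (setting as shown in the Custom Level dialog, recommended value)
RECOMMENDED: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", 1),                           # Prompt
    "1004": ("Download unsigned ActiveX controls", 1),                         # Prompt
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),  # Disable
}
MEANING = {0: "Enable", 1: "Prompt", 3: "Disable"}

Row = Tuple[str, str, str, bool]  # value name, label, current state, compliant


def describe(value: Optional[int]) -> str:
    """Human-readable state of one zone value."""
    if value is None:
        return "not set"
    return MEANING.get(value, f"unknown ({value})")


def evaluate(current: Dict[str, Optional[int]]) -> List[Row]:
    """Compare values read from the zone key against the recommendation.
    A missing value is reported as non-compliant rather than assumed safe."""
    return [(name, label, describe(current.get(name)), current.get(name) == want)
            for name, (label, want) in RECOMMENDED.items()]


def read_zone_values() -> Dict[str, Optional[int]]:
    """Read the three values from HKCU. Windows only (needs winreg)."""
    import winreg
    found: Dict[str, Optional[int]] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_SUBKEY) as key:
        for name in RECOMMENDED:
            try:
                value, kind = winreg.QueryValueEx(key, name)
                found[name] = int(value) if kind == winreg.REG_DWORD else None
            except FileNotFoundError:
                found[name] = None
    return found


def apply_recommendation() -> None:
    """Write the recommended values (the same change the Custom Level dialog makes)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_SUBKEY, 0, winreg.KEY_SET_VALUE) as key:
        for name, (_, want) in RECOMMENDED.items():
            winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, want)


def report(rows: List[Row]) -> str:
    """One line per setting: value name, label, current state, OK or CHANGE."""
    return "\n".join(f"{name} {label:<62} {state:<14} {'OK' if ok else 'CHANGE'}"
                     for name, label, state, ok in rows)


# Constructed sample standing in for a machine left at "Enable" for all three.
SAMPLE_WEAK: Dict[str, Optional[int]] = {"1001": 0, "1004": 0, "1201": 0}

if __name__ == "__main__":
    if sys.platform == "win32":
        values = read_zone_values()
        if "--fix" in sys.argv:
            apply_recommendation()
            values = read_zone_values()
    else:
        values = SAMPLE_WEAK   # off Windows, show the report against the constructed sample
    print(report(evaluate(values)))
```

Run it without arguments to see which of the three settings differ from the recommendation, and with `--fix` to apply them; on a non-Windows machine it reports against the constructed sample. One caveat: when the `Security_HKLM_only` value under the Internet Settings key is set, Internet Explorer uses the HKLM zone keys instead of HKCU, so read and change the corresponding key under HKEY_LOCAL_MACHINE in that case.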