Completed 2/5 steps - please look over this and tell me what to do

[Ried]

I appreciate the info. In the meantime, keep this PC off the internet--disconnect it. Also, until you hear from me, do not do any further fixing on your end as it will just make my job more difficult.

[Ried]

Hello omgmizzle,

Let's continue. Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Code:

RenV::
----a-w            15,360 2008-01-13 06:34:56  C:\WINDOWS\system32\ctfmon .exe

File::
C:\Documents and Settings\All Users
C:\WINDOWS\system32\ctfmona .exe
C:\WINDOWS\system32\winzoa32.dll_tobedeleted_old

Folder::
C:\VundoFix Backups
C:\Program Files\EasySpywareCleaner
C:\Program Files\Registry Cleaner Trial

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05AB4120-EC20-4DB3-821A-DD83F15C09BE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F8808B0-DAA4-41E3-BD77-EE166B7AA0D9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E2FAB54B-08FC-4214-9F40-83CDB2B410D2}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Registry Cleaner"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

--------------------------------------------------------------------

I see no evidence of an AntiVirus program on your system. This must be resolved. Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware.

Here are 2 very good free Antivirus products which are available:

• Avira AntiVir PersonalEdition Classic.
• AVG

Select one of these, or another of your choice. Download, install, update definitions, and run a full system scan.

------------------------------------------------------

After you've completed the above, please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  
  
  
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------

Run a new scan with HijackThis and save the log.

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
New HijackThis log
Update on system behavior

[omgmizzle]

ComboFix 08-01-14.3 - Owner 2008-01-15 7:54:34.4 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.651 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\All Users
C:\WINDOWS\system32\ctfmona .exe
C:\WINDOWS\system32\winzoa32.dll_tobedeleted_old
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\EasySpywareCleaner
C:\Program Files\Registry Cleaner Trial
C:\Program Files\Registry Cleaner Trial\Regclean.exe
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\avp .exe.bad
C:\VundoFix Backups\avp.exe.bad
C:\VundoFix Backups\ctfmon.exe.bad
C:\VundoFix Backups\egjlm.ini.bad
C:\VundoFix Backups\egjlm.ini2.bad
C:\VundoFix Backups\hggfecb.dll.bad
C:\VundoFix Backups\ihkmp.ini.bad
C:\VundoFix Backups\ihkmp.ini2.bad
C:\VundoFix Backups\kmllm.ini.bad
C:\VundoFix Backups\kmllm.ini2.bad
C:\VundoFix Backups\lsass .exe.bad
C:\VundoFix Backups\lsass .exe.bad
C:\VundoFix Backups\lsass.exe.bad
C:\VundoFix Backups\mljge.dll.bad
C:\VundoFix Backups\mljge.exe.bad
C:\VundoFix Backups\mllmk.dll.bad
C:\VundoFix Backups\mllmk.exe.bad
C:\VundoFix Backups\pmkhi.dll.bad
C:\VundoFix Backups\pmkhi.exe.bad
C:\VundoFix Backups\printer.exe.bad
C:\VundoFix Backups\shell.exe.bad
C:\VundoFix Backups\spoolvs.exe.bad
C:\VundoFix Backups\winzoa32.dll.bad
C:\WINDOWS\system32\ctfmona .exe
C:\WINDOWS\system32\winzoa32.dll_tobedeleted_old

.
((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.

2008-01-13 22:14 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 21:27 . 2008-01-13 21:27 4,022 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-13 21:24 . 2008-01-13 21:24 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-01-13 21:24 . 2008-01-13 21:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-13 21:24 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-13 21:16 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-13 21:16 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-13 21:16 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-13 21:16 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-13 21:16 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-13 21:16 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-13 21:02 . 2008-01-13 21:02 <DIR> d-------- C:\Deckard
2008-01-13 20:57 . 2008-01-13 20:58 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-13 20:57 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-13 14:19 . 2008-01-13 14:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-11 23:06 . 2008-01-11 23:06 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-01-11 23:04 . 2006-11-07 21:01 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2008-01-11 12:41 . 2008-01-11 12:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\EasySpywareCleaner.com
2008-01-08 22:53 . 2008-01-12 22:34 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-08 18:44 . 2008-01-08 18:44 0 --a------ C:\Install
2007-12-24 09:52 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-12-24 09:52 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-12-22 15:04 . 2007-12-28 21:44 520 --a------ C:\WINDOWS\netdet.ini
2007-12-19 17:31 . 2007-12-19 17:31 118,784 --a------ C:\WINDOWS\dsdxirmv.exe
2007-12-15 15:49 . 2007-12-19 17:31 <DIR> d-------- C:\Program Files\Cakewalk
2007-12-15 15:49 . 2007-12-19 17:32 <DIR> d-------- C:\Cakewalk Projects
2007-12-15 15:30 . 2007-12-16 18:32 <DIR> d-------- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2007-12-15 15:28 . 2007-12-15 15:28 <DIR> d-------- C:\Linksys Driver

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 06:22 --------- d-----w C:\Program Files\QuickTime
2008-01-14 06:22 --------- d-----w C:\Program Files\iTunes
2008-01-13 23:49 --------- d-----w C:\Program Files\Viewpoint
2008-01-13 23:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-13 23:47 --------- d-----w C:\Program Files\MySpace
2008-01-13 23:45 --------- d-----w C:\Program Files\Yahoo!
2008-01-13 23:43 --------- d-----w C:\Program Files\LimeWire
2008-01-13 23:41 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-13 23:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-13 21:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-01-10 00:50 --------- d-----w C:\Program Files\Yahoo! Games
2007-12-28 21:01 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-28 00:54 --------- d-----w C:\Documents and Settings\Owner\Application Data\PlayFirst
2007-12-24 01:07 --------- d-----w C:\Program Files\Diablo II
2007-12-15 23:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-13 09:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-01 00:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv(2).dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-09-02 20:17 2,273,106 -c--a-w C:\Program Files\SFM2Install.exe
2007-08-08 02:17 17 -c--a-w C:\Program Files\Sims2Pack Clean Installer.ini
2005-05-12 06:36 12,288 -c--a-w C:\WINDOWS\Fonts\RandFont.dll
.

Code:

<pre>
----a-w             9,728 2008-01-13 06:35:29  C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun .exe
</pre>

((((((((((((((((((((((((((((( snapshot@2008-01-14_13.49.54.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-14 06:16:00 1,417,216 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-15 15:54:31 1,417,216 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-14 06:16:00 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-15 15:54:31 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-14 06:16:00 1,417,216 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-15 15:54:31 1,417,216 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-14 06:16:00 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-15 15:54:31 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-14 06:16:00 8,146,944 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-15 15:54:31 7,827,456 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-14 06:16:01 155,648 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-15 15:54:32 155,648 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-15 15:10:20 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_3b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-12 22:34 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-13 10:12 1415824]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB2782"="command /c del C:\Documents and Settings\Owner\Local Settings\Temp\gos1E.tmp_tobedeleted_old" [ ]
"SpybotDeletingD8803"="cmd /c del C:\Documents and Settings\Owner\Local Settings\Temp\gos1E.tmp_tobedeleted_old" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 05:12 577536 C:\WINDOWS\soundman.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2008-01-13 10:12 90112]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2008-01-13 10:12 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2008-01-13 10:12 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2008-01-13 10:12 40960]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [2008-01-13 10:12 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2008-01-13 10:12 851968]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2008-01-13 10:12 57344]
"zzzHPSETUP"="D:\Setup.exe" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2008-01-13 10:12 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-13 10:12 39792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-13 10:12 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-13 10:12 267048]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AOLRebootNeeded"="regsvr32.exe" [2004-08-04 11:00 11776 C:\WINDOWS\system32\regsvr32.exe]
"VundoFix"="C:\Documents and Settings\Owner\Desktop\vundofix.exe" [2008-01-13 14:16 132608]
"SpybotDeletingA7973"="command /c del C:\Documents and Settings\Owner\Local Settings\Temp\gos1E.tmp_tobedeleted_old" [ ]
"SpybotDeletingC5299"="cmd /c del C:\Documents and Settings\Owner\Local Settings\Temp\gos1E.tmp_tobedeleted_old" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
autorun .exe [2008-01-12 22:35:29]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-11 23:49:24]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-07-23 20:22:05]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2007-02-01 07:38:18]

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-13 10:12 267048 C:\Program Files\iTunes\iTunesHelper.exe

S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2003-12-19 21:15]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32f8ce28-469c-11dc-bbbf-0013d3b1bb15}]
\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9a92e7e-5d4e-11dc-bbeb-0013d3b1bb15}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 04:22:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 07:55:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-15 7:55:47
ComboFix-quarantined-files.txt 2008-01-15 15:55:33
ComboFix2.txt 2008-01-15 15:41:49
ComboFix3.txt 2008-01-14 21:50:16
.
2008-01-13 05:23:36 --- E O F ---




New ComboFix log, I am attaching the HijackThis log next, and will download an AntiVirus program listed (:

[omgmizzle]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:30, on 2008-01-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe \RESET
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\RunOnce: [AOLRebootNeeded] regsvr32.exe /s
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Owner\Desktop\vundofix.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7973] command /c del "C:\Documents and Settings\Owner\Local Settings\Temp\gos1E.tmp_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5299] cmd /c del "C:\Documents and Settings\Owner\Local Settings\Temp\gos1E.tmp_tobedeleted_old"
O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB2782] command /c del "C:\Documents and Settings\Owner\Local Settings\Temp\gos1E.tmp_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8803] cmd /c del "C:\Documents and Settings\Owner\Local Settings\Temp\gos1E.tmp_tobedeleted_old"
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/def...x.1.0.0.87.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/def...GameLoader.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/def...s.1.0.0.39.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} - http://zone.msn.com/bingame/rock/def...caploader1.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/amun/def...jolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {C7E002D6-324B-4500-883D-84B620FD8640} (Bridge Installer) - http://cdn2.zone.msn.com/Bingame/BRD.../heartbeat.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/def...rsion=1,0,0,10
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/def...utLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/bingame/swet/def...a.1.0.0.46.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SnoopFree Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8302 bytes


New HijackThis log. Currently scanning with Kaspersky and when done with that, will post on the results :)

[omgmizzle]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:30, on 2008-01-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe \RESET
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\RunOnce: [AOLRebootNeeded] regsvr32.exe /s
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Owner\Desktop\vundofix.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7973] command /c del "C:\Documents and Settings\Owner\Local Settings\Temp\gos1E.tmp_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5299] cmd /c del "C:\Documents and Settings\Owner\Local Settings\Temp\gos1E.tmp_tobedeleted_old"
O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB2782] command /c del "C:\Documents and Settings\Owner\Local Settings\Temp\gos1E.tmp_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8803] cmd /c del "C:\Documents and Settings\Owner\Local Settings\Temp\gos1E.tmp_tobedeleted_old"
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/def...x.1.0.0.87.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/def...GameLoader.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/def...s.1.0.0.39.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} - http://zone.msn.com/bingame/rock/def...caploader1.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/amun/def...jolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {C7E002D6-324B-4500-883D-84B620FD8640} (Bridge Installer) - http://cdn2.zone.msn.com/Bingame/BRD.../heartbeat.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/def...rsion=1,0,0,10
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/def...utLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/bingame/swet/def...a.1.0.0.46.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SnoopFree Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8302 bytes


Kaspersky Scan :)

[omgmizzle]

I am downloading and installing Avira antivirus program, and will get a firewall. I have implemented many other things you have suggested, such as SpywareBlaster, Snoopfree, IE Spyad (?), and ZoneOut (?). Can't remember the names of the last two.

Thank you SO MUCH!

[omgmizzle]

System behavior:
-after two combofix scans, the computer clock hasn't reset itself. I'm wondering why, but this isn't a big problem.
-we no longer have popups, but continue to scan with Spybot and Ad-Aware. I had to uninstall Avira because it did not work, but now had downloaded AVG. As soon as that is installed, I will restart out of safe mode and check on the normal mode of our computer. We are still able get to control panel, thank God.

:)

[omgmizzle]

NOTE: We've been using Safe Mode to keep the viruses from running, because we found that Spybot found and deleted many more viruses in Safe Mode, and the viruses stopped running in Safe Mode. Is it safe to be in Safe Mode with Networking on this site? We are not going onto any other sites, but we're wary of going back to normal mode - I don't want the viruses to start back up and prevent us from using Control Panel again.

Please respond to this ASAP Ried. Thank you!

[Ried]

No, do not use Safe Mode with Networking as the AV will not function in Safe Mode.

It's perfectly fine to go into Normal Mode--in fact, I need you to do that.

[omgmizzle]

Okay, thank you. I am heading off to bed for tonight, and will hopefully make some more progress in the morning!

[Ried]

Ok, but please stop scanning with Spybot and any other programs as they are not what's needed right now--we already know what they can 'see' and attempt to remove.

Get the online scan at Kaspersky done first, and post those results so we can see if anything else is lurking about.

[omgmizzle]

I believe I posted the Kaspersy scan already...

EDIT: I realize I didn't, and will attach it as soon as possible

And thank you for the info!

[omgmizzle]

As soon as we start (in Normal Mode), a box shows up in the left corner. The title says "Personal Settings" and it says "Setting up personal settings for: Internet Explorer"

It will not get past that stage, and it doesn't load far enough so that we can click start (ie: as soon as it starts up the box shows, the computer doesn't load anything but the background)

Is this something to worry about?

It is physically disconnected from the internet, so I'm sure nothing else could be happening, but we have to get past this box to do anything else.

[Ried]

Quote:

I also uninstalled IE, as it was popping up with virus pages and had other errors.

You really did, didn't you?

Internet Explorer is more than just a browser--it is core to Windows Operating System. You need to reinstall it. Do you have the Windows XP install disc?

Back up all your important data and try a Repair Install.

Here's a good step by step guide.

Windows XP Home Repair for all service pack versions of XP*

Please let me know how that goes.

[omgmizzle]

My brother studied computers & began a job in whatever field you'd like to call it. He spent five years in college studying Windos & whatnot, and we uninstalled per his advice.

Should I do a windows repair?

We were going to just burn everything important onto disks and clear everything off. I don't remember exactly what that entails, but that's our other option.

[Ried]

This system is just about clean, so yes, try a Repair install first. The missing Internet Explorer is what's causing your current issue.

[omgmizzle]

Well it didn't start having this problem until we reinstalled IE. See how it's so confusing

[Ried]

When did you reinstall IE? In order for me to assist you, you have to keep me abreast of major things you are doing on your end in between replies from me. Actually, you shouldn't be doing anything on your end unless/until directed so by me.

Do the repair install. I'll not continue until you do so.

[omgmizzle]

We uninstalled IE before we started contacting TSF, and reinstalled IE so that we could do the Kaspersky Scan.

[Ried]

And the reinstall of IE did not go well--it rarely does.

Perform the Windows Repair Install, using the guide I linked you to earlier.