Extra "marketing" windows popping up

[The Mad Hatter]

Lately, when I've been doing random google searches, I will get an extra pop-up window, usually with something to the effect of AreaConnect Yellow Pages search results, and then local merchants listed for whatever I have googled.

Attached are my gmer and dds logs, per the New Instructions stickied in this forum...I have also run a HJT log, but won't post it yet per those instructions.

Thanks!


DDS (Version 1.0) - NTFSx86
Run by Owner at 8:54:44.04 on Wed 12/03/2008
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.455 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DSL Extreme X-Dial Accelerator\PropelAC.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page =
uInternet Settings,ProxyOverride = localhost
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg8\avgssie.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {656EC4B7-072B-4698-B504-2A414C1F0037} - c:\program files\dsl extreme x-dial accelerator\prpl_IePopupBlocker.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {9566395F-43D2-4c64-B525-B501FFA276E2} - mscoree.dll
BHO: {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - c:\program files\common\helper.dll
TB: {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
uRun: [RecordNow!]
uRun: [Second Copy 2000] "c:\progra~1\seccopy\SecCopy.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HPHUPD05] c:\program files\hp\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [Propel Accelerator] "c:\program files\dsl extreme x-dial accelerator\trayctl.exe" /STARTUPLAUNCH
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0a\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
mPolicies-explorer: NoActiveDesktopChanges = 0 (0x0)
mPolicies-system: DisableTaskMgr = 0 (0x0)
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Allow pop-ups from this site - c:\program files\dsl extreme x-dial accelerator\pac-addwl.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Refresh Pa&ge with Full Quality - c:\program files\dsl extreme x-dial accelerator\pac-page.html
IE: Refresh Pi&cture with Full Quality - c:\program files\dsl extreme x-dial accelerator\pac-image.html
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
LSP: c:\program files\dsl extreme x-dial accelerator\prplsf.dll
TCP: {9F06EE57-57D1-454D-B697-163DC721F333} = 192.168.2.1,192.168.2.2
Filter: text/html - {61e31874-7e3d-4871-be7b-47af391bcbf6} - c:\windows\system32\mst120.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-30 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-12-16 26824]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-10-14 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-10-14 394952]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-7-7 611664]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-2 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-2 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-30 76040]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service []
S3 nenum13E;nenum13E;\??\c:\docume~1\owner\locals~1\temp\nenum13E.sys []

=============== Created Last 30 ================

2008-12-03 08:02 250 a------- c:\windows\gmer.ini
2008-12-02 16:53 32,256 a------- c:\windows\system32\digeste.dll
2008-11-25 17:35 <DIR> --d----- c:\program files\Common
2008-11-18 18:41 8,216 a------- c:\windows\system32\mst120.dll
2008-11-03 13:34 <DIR> --d----- c:\program files\Firefly Studios

==================== Find3M ====================

2008-12-03 07:34 14,309 a------- c:\windows\system32\tablet.dat
2008-12-02 18:52 <DIR> --d----- c:\program files\gmax
2008-12-02 13:48 <DIR> --d----- c:\docume~1\owner\applic~1\uTorrent
2008-12-02 10:01 <DIR> --d----- c:\program files\SpeedFan
2008-12-02 10:00 <DIR> --d----- c:\program files\SecCopy
2008-12-01 14:35 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-10 14:32 <DIR> --d----- c:\program files\Games
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-14 17:15 4,212 ----h--- c:\windows\system32\zllictbl.dat
2008-10-14 17:13 <DIR> --d----- c:\program files\Zone Labs
2008-10-14 10:10 <DIR> --d----- c:\program files\Trend Micro
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 03:57 1,846,016 a------- c:\windows\system32\win32k.sys
2008-08-11 13:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-05-30 11:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-01-07 10:08 <DIR> --d----- c:\docume~1\owner\applic~1\AdobeAUM
2007-05-01 23:46 <DIR> --d----- c:\docume~1\owner\applic~1\LimeWire
2007-04-26 09:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2007-02-12 22:30 <DIR> --d----- c:\docume~1\owner\applic~1\DSL Extreme
2006-10-30 20:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\espionServerData
2006-10-14 18:28 <DIR> --d----- c:\docume~1\owner\applic~1\Kinko's
2006-10-14 17:22 <DIR> --d----- c:\docume~1\owner\applic~1\Downloaded Installations
2006-06-21 21:01 <DIR> --d----- c:\docume~1\owner\applic~1\Lionhead Studios
2006-06-21 19:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lionhead Studios
2006-06-07 13:41 <DIR> --d----- c:\docume~1\owner\applic~1\msgy
2006-06-07 12:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2005-04-22 15:42 <DIR> --d----- c:\docume~1\owner\applic~1\spweng
2004-01-21 01:48 <DIR> --d----- c:\docume~1\owner\applic~1\Symantec
2004-01-20 17:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI
2004-06-14 20:03 0 a--sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 8:55:27.75 ===============

[The Mad Hatter]

Recent developments - since this last post, I just had AVG pop a window up with a threat detection message, saying that it detected "digeste.dll." I moved it to the Virus Vault, but a quick google search of it brought up mention of a nasty little trojan called Bredolab. I will wait for a response, but thinking this may be the culprit?

[The Mad Hatter]

Second footnote - if this helps, one of the symptoms has been the audio message "Congratulations, you've won a free Nintendo Wii" popping up now and again while I am online...at first I thought, "wow this is a crazy amount of marketing," as I had heard it while visiting a number of sites, but now that I think about it I realize that it started about the same time as these marketing popups.

[sUBs]

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that.

[The Mad Hatter]

Thanks for the reply. I have downloaded and run combofix - however, I had forgotten that long ago I had installed the Windows Recovery Console (since I purchased this computer with XP pre-loaded and don't have the disk), so when I dragged the WRC icon onto the ComboFix icon, it launched the program before I realized to shut down my antivirus and firewall. It scanned fine and with no problems, but if the running AV and firewall will mess up the log, I can rerun and post again.

In the meantime, here is the log...


ComboFix 08-12-06.06 - Owner 2008-12-07 13:09:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.542 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common\helper.sig
c:\windows\Downloaded Program Files\setup.inf
c:\windows\IE4 Error Log.txt
c:\windows\wiaserviv.log
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-05 13:38 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2008-12-03 16:26 . 2008-12-03 16:25 410,976 --a------ c:\windows\system32\deploytk.dll
2008-12-03 08:02 . 2008-12-03 08:02 250 --a------ c:\windows\gmer.ini
2008-11-25 17:35 . 2008-12-07 13:10 <DIR> d-------- c:\program files\Common

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 03:51 --------- d-----w c:\program files\gmax
2008-12-05 00:16 --------- d-----w c:\program files\SpeedFan
2008-12-04 00:25 --------- d-----w c:\program files\Java
2008-12-02 21:48 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2008-12-02 18:00 --------- d-----w c:\program files\SecCopy
2008-12-01 22:35 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-13 19:30 1,411,584 ----a-w c:\windows\Internet Logs\xDB2.tmp
2008-11-10 22:32 --------- d-----w c:\program files\Games
2008-11-06 18:09 1,394,176 ----a-w c:\windows\Internet Logs\xDB1.tmp
2008-11-03 21:34 --------- d-----w c:\program files\Firefly Studios
2008-10-31 23:29 631 ----a-w c:\windows\Fonts\readme.txt
2008-10-31 23:28 422 ----a-w c:\windows\Fonts\DEUTSCH.TXT
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 01:13 --------- d-----w c:\program files\Zone Labs
2008-10-14 18:10 --------- d-----w c:\program files\Trend Micro
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2004-06-15 04:03 0 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Second Copy 2000"="c:\progra~1\SecCopy\SecCopy.exe" [2001-09-17 1134080]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2003-11-03 221184]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2003-10-29 135168]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-12-11 53248]
"regcmdcons"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2002-10-08 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-03-21 180269]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-06 188416]
"HPHUPD05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-22 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-04-08 212992]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-05-22 483328]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 1191936]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"Propel Accelerator"="c:\program files\DSL Extreme X-Dial Accelerator\trayctl.exe" [2005-03-07 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-03 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-29 1261336]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
AutoTBar.exe [2003-11-14 32768]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-06-01 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-06-01 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0a\aoltray.exe [2004-06-11 36953]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2004-03-07 65588]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-10-03 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\MP3POW~1\CLMP3Enc.ACM
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Kinko's\\FPFK\\FPKMain.exe"=
"c:\\Program Files\\Kinko's\\FPFK\\Kinkos.Jupiter.GUI.Queue.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-05-30 97928]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-02 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-02 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-05-30 76040]
S3 nenum13E;nenum13E;\??\c:\docume~1\Owner\LOCALS~1\Temp\nenum13E.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{969B3B70-8765-11D5-9809-0050BACBF861}]
rundll32.exe advpack.dll,LaunchINFSection c:\program files\CyberLink\MP3PowerEncoder\Cyber.inf,PerUserStub
.
Contents of the 'Scheduled Tasks' folder

2008-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-12-01 c:\windows\Tasks\HP DArC Task #Hewlett-Packard#240#CN36F130NG6Q.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-04-08 12:45]

2008-12-05 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2003-05-22 05:03]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-RecordNow! - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page =
uInternet Settings,ProxyOverride = localhost
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Allow pop-ups from this site - c:\program files\DSL Extreme X-Dial Accelerator\pac-addwl.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Refresh Pa&ge with Full Quality - c:\program files\DSL Extreme X-Dial Accelerator\pac-page.html
IE: Refresh Pi&cture with Full Quality - c:\program files\DSL Extreme X-Dial Accelerator\pac-image.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycdict.htm
LSP: c:\program files\DSL Extreme X-Dial Accelerator\prplsf.dll
TCP: {9F06EE57-57D1-454D-B697-163DC721F333} = 192.168.2.1,192.168.2.2

c:\windows\Downloaded Program Files\WBEtoolsAX.dll - O16 -: Web-Based Email Tools
hxxp://email.secureserver.net/Download.CAB
c:\windows\Downloaded Program Files\OSD2CBF.OSD

c:\windows\Downloaded Program Files\OneCC.dll - O16 -: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7}
hxxps://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=eb9bd6a79bd90545629244b92d314bf2&url=http%3A%2F%2Fd.69.25.47.79.downloads.estara.com.%2Fas%2FOneCCDM.php&template=62035&sessionid=1387364455_69.25.47.79_42934&=&req=1159550798343OneCC.cab
c:\windows\Downloaded Program Files\OneCC.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 13:22:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(804)
c:\windows\system32\avgrsstx.dll
c:\program files\DSL Extreme X-Dial Accelerator\prplsf.dll
.
Completion time: 2008-12-07 13:24:48
ComboFix-quarantined-files.txt 2008-12-07 21:23:30

Pre-Run: 11,621,236,736 bytes free
Post-Run: 12,178,649,088 bytes free

187 --- E O F --- 2008-11-12 22:53:16

[sUBs]

Your symptoms should be gone. Let me know if that isnt so.


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

[The Mad Hatter]

Ran the Kaspersky scan, and the following is the log file that it generated.

The only symptom I've noticed since the ComboFix instructions followed yesterday, is that sometimes (and this has happened a number of times over the past month and a half) after I have started up the computer, it will completely freeze after five to ten minutes of usage, prompting a hard reboot. I suspect, however, that may be a heat or dust problem, since I haven't opened the case and cleaned it out in at least three or four months...

Let me know what the next step is...thanks!

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, December 8, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, December 08, 2008 06:50:38
Records in database: 1443523
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan statistics:
Files scanned: 259458
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 04:54:20


File name / Threat name / Threats count
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\23\4eacac17-36de7fd2 Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\60\1065a5fc-2e0cad15 Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1

The selected area was scanned.

[sUBs]

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:

@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (
"C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\23\4eacac17-36de7fd2"
"C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\60\1065a5fc-2e0cad15"
"C:\Program Files\Common Files\Real\Toolbar\RealBar.dll"
) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
for %%g in (
"%systemdrive%\VundoFix Backups"
%systemdrive%\Deckard
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
nircmd wait 7000
del %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says

[The Mad Hatter]

Just ran fix.bat, and it popped up a window that said "Deleted successfully." Then the window closed...

[sUBs]

Your system is now clean. Kindly follow these simple steps in order to keep your computer clean and secure:

1. Uninstall ComboFix ... do not skip this step
   This process will perform some post cleanup measures.
   Do this by going to to Start > Run & typing in ComboFix /u
   
   
   
2. ANTIVIRUS SOFTWARE
   It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
   
3. Microsoft Windows Update ? http://www.windowsupdate.com
   Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
4. SPYWAREBLASTER
   SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.
   
   Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here ? http://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.

[sUBs]

Your system is now clean. Kindly follow these simple steps in order to keep your computer clean and secure:

1. Uninstall ComboFix ... do not skip this step
   This process will perform some post cleanup measures.
   Do this by going to to Start > Run & typing in ComboFix /u
   
   
   
2. ANTIVIRUS SOFTWARE
   It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
   
3. Microsoft Windows Update ? http://www.windowsupdate.com
   Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
4. SPYWAREBLASTER
   SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.
   
   Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here ? http://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.

[The Mad Hatter]

Re: your list of stuff...

1. ComboFix has been uninstalled.
2. I'm good on keeping up to date on the AV, it usually updates itself once a day, too.
3. I have it set to tell me when there are Windows updates available, and I'm usually pretty diligent on downloading and updating them as soon as I know.
4. Oooh, I will look into SpywareBlaster, it sounds good...!

I have been toying with the idea of switching to Firefox, and I think this is another good reason to do so. The Erunt stuff sounds sweet, too, especially the NTREGOPT functions...

One quick question re: the Javas - how do I know what Java I have installed and what applications/internet sites use the Sun Java vs. the MS Java? I'd like to avoid as many java exploits as possible...

[sUBs]

MS Java is pretty much defunct. Everyone use Sun Java now.

To find out which version you have installed, go to Control Panel
Click on the applet titled 'Java'.
Under the 'General' tab, click 'About'.
The current latest is Java(TM) 6 Update 11

[The Mad Hatter]

Yep, Sun Java 6 Update 11 is what I have...

Thanks a million, sUBs - you guys can move this to the finished folder... :)