XP Anti virus 2008 keeps showing up

[jobleman]

DDS (Version 1.1.0) - NTFSx86
Run by sandra obleman at 20:08:33.53 on Mon 12/29/2008
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.451 [GMT -5:00]

AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Outdated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\XP Antivirus\xpa.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
svchost.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MUSICM~1\Common\COMPON~1\MMCOMP~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\sandra obleman\My Documents\dds.com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.usadatanet.net
uStart Page = hxxp://www.rr.com/flash/index.cfm?division=43
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: N/A: {00a6faf6-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\srchastt\1.bin\MWSSRCAS.DLL
BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\srchastt\1.bin\MWSSRCAS.DLL
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: mwsBar BHO: {07b18ea1-a523-4961-b6bb-170de4475cca} - blank
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: My Web Search Quick View: {1e0de227-5ce4-4ea3-ab0c-8b03e1aa76bc} - c:\windows\system32\shdocvw.dll
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [44756472218584344388612955221835] c:\program files\xp antivirus\xpa.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 12\pccguide.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /QS
mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: &Search - http://edits.mywebsearch.com/toolbar...4YYUS_ZZzer000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: microsoft.com\v4.windowsupdate
Trusted Zone: pcpitstop.com\www
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [2005-8-30 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-8-30 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2005-8-30 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\Tmpreflt.sys [2005-8-30 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2005-8-30 262215]
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [2008-11-30 37616]

=============== Created Last 30 ================

2008-12-27 11:27 215,040 a------- c:\windows\system32\CNMLM95.DLL
2008-11-30 16:27 37,616 a------- c:\windows\system32\drivers\ulink.sys
2008-11-30 16:27 <DIR> --d----- c:\windows\system32\drivers\USB
2008-11-30 16:27 <DIR> --d----- c:\program files\SuperLink

==================== Find3M ====================

2008-12-12 12:27 3,067,392 -------- c:\windows\system32\dllcache\mshtml.dll
2008-11-23 18:07 7,520 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 08:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-15 11:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 09:18 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2008-10-03 05:15 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 05:15 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2007-11-07 11:49 389,120 a------- c:\documents and settings\sandra obleman\GoToAssist_phone__268_en.exe

============= FINISH: 20:09:00.93 ===============


Windows security center and XP Anti virus 2008 keeps showing up as I use the computer.

Thanks
Jack

[tetonbob]

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

[jobleman]

Thanks for responding, but I may have done something wrong.

When I tried to run the comboFix I got a pop-up that said "CFScript appears to be incorrectly spelt" then I hit OK and it does nothing but goes back to the windows screen. It appears that it did not run.

[tetonbob]

Were you just running ComboFix via double click on the exe file?

Were your AntiVirus and other protection applications disabled at the time?

Delete the existing version of ComboFix, download a fresh copy from here:

Download ComboFix from this link.

Disable your protection applications, and try again. Double click on Combo-Fix.exe to run it, and follow the prompts.

[jobleman]

Well I finally got it to work and attached is the log from Combofix.

ComboFix 09-01-05.03 - sandra obleman 2009-01-05 18:56:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.547 [GMT -5:00]
Running from: c:\documents and settings\sandra obleman\My Documents\Combo-Fix.exe
AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Outdated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files\FunWebProducts
c:\program files\FunWebProducts\Installr\2.bin\F3EZSETP.DLL
c:\program files\FunWebProducts\Installr\Cache\200E2B3C.exe
c:\program files\FunWebProducts\Installr\Cache\files.ini
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\MailStampBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\Internet Explorer\msimg32.dll
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\F3BROVLY.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\2.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\2.bin\F3CJPEG.DLL
c:\program files\MyWebSearch\bar\2.bin\F3DTACTL.DLL
c:\program files\MyWebSearch\bar\2.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\2.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\2.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\2.bin\F3IMSTUB.DLL
c:\program files\MyWebSearch\bar\2.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\2.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\2.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\2.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\2.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\2.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\2.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\2.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\2.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\2.bin\FWPBUDDY.PNG
c:\program files\MyWebSearch\bar\2.bin\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\2.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\2.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\2.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\2.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\2.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\2.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\2.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\2.bin\M3NTSTBR.JAR
c:\program files\MyWebSearch\bar\2.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\2.bin\M3OUTLCN.DLL
c:\program files\MyWebSearch\bar\2.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\2.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\2.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\2.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\2.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\2.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSSVC.EXE
c:\program files\MyWebSearch\bar\2.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Cache\0001A65D
c:\program files\MyWebSearch\bar\Cache\001FA409.bin
c:\program files\MyWebSearch\bar\Cache\001FB0CB.bin
c:\program files\MyWebSearch\bar\Cache\001FB157.bin
c:\program files\MyWebSearch\bar\Cache\001FB1E4.bin
c:\program files\MyWebSearch\bar\Cache\07FB4AB3
c:\program files\MyWebSearch\bar\Cache\07FB4D92
c:\program files\MyWebSearch\bar\Cache\07FB4EF9.bin
c:\program files\MyWebSearch\bar\Cache\07FB5BDA.bin
c:\program files\MyWebSearch\bar\Cache\07FB5CF3.bin
c:\program files\MyWebSearch\bar\Cache\07FB5D80.bin
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search2
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\Settings\setting2.htm
c:\program files\MyWebSearch\bar\Settings\setting2.htm.bak
c:\program files\MyWebSearch\bar\Settings\settings.dat
c:\program files\MyWebSearch\bar\Settings\settings.dat.bak
c:\program files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
c:\program files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
c:\program files\XP Antivirus
c:\program files\XP Antivirus\xpa.exe
c:\windows\system32\f3PSSavr.scr

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.

2009-01-04 19:47 . 2009-01-05 18:11 <DIR> d-------- C:\ComboFix
2008-12-29 20:10 . 2008-12-29 20:10 250 --a------ c:\windows\gmer.ini
2008-12-27 11:27 . 2008-12-27 11:27 <DIR> d--h----- c:\documents and settings\All Users\Application Data\CanonBJ
2008-12-27 11:27 . 2007-05-22 00:00 215,040 --a------ c:\windows\system32\CNMLM95.DLL
2008-12-24 12:17 . 2008-12-24 12:18 1,393 --a------ c:\windows\imsins.BAK

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 17:27 3,067,392 ------w c:\windows\system32\dllcache\mshtml.dll
2008-11-30 21:27 --------- d-----w c:\program files\SuperLink
2008-11-25 23:32 --------- d-----w c:\documents and settings\sandra obleman\Application Data\AdobeUM
2008-11-23 23:09 --------- d-----w c:\program files\Common Files\Corel
2008-11-23 23:07 7,520 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-11-23 23:06 --------- d-----w c:\documents and settings\sandra obleman\Application Data\Corel
2008-11-16 18:33 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-07 23:40 --------- d-----w c:\documents and settings\All Users\Application Data\Kodak
2008-11-07 23:39 --------- d-----w c:\program files\Kodak
2008-11-07 23:38 --------- d-----w c:\program files\Common Files\Kodak
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 14:18 18,432 ------w c:\windows\system32\dllcache\iedw.exe
2007-11-07 16:49 389,120 ----a-w c:\documents and settings\sandra obleman\GoToAssist_phone__268_en.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 176201]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-05 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-01-26 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 8192]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-01-26 168448]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 110592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-01-26 24576]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R4 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-08-30 205328]
R4 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005-08-30 290889]
R4 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2005-08-30 585792]
R4 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-08-30 36368]
R4 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2005-08-30 262215]
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [2008-11-30 37616]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-02 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2004-08-10 06:00]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL


.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.rr.com/flash/index.cfm?division=43
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - http://edits.mywebsearch.com/toolbar...p=ZUxdm265QPUS
Trusted Zone: v4.windowsupdate.microsoft.com
Trusted Zone: www.pcpitstop.com
Trusted Zone: *.turbotax.com
Trusted Zone: online.musicmatch.com

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 18:57:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-05 18:58:48
ComboFix-quarantined-files.txt 2009-01-05 23:58:45

Pre-Run: 135,376,392,192 bytes free
Post-Run: 135,322,013,696 bytes free

252 --- E O F --- 2008-12-24 17:18:29

[tetonbob]

Hi, that looks better.

Quote:

Trend Micro PC-cillin Internet Security 12

AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Outdated)

The subscription to your AntiVirus would appear to be outdated. Do you know if that's the case, and if so, do you intend to renew immediately? An outdated antivirus is only slightly better than none. I can provide free alternatives if need be.

[jobleman]

Well I can update my the PC-cillan if that is a good anti virus, or I can get a better one if I need.

[tetonbob]

What you choose is up to you, but please make the decision in short order. PC-Cillin is liked by some, and not so much by others. If you are comfortable using it, and like it's user interface, then the most efficient thing might be to simply renew the subscription or upgrade.

Personally, I prefer NOD32 by Eset for paid, and Avira AntiVir for free.

http://www.eset.com/download/registered_software.php

http://www.free-av.com/

Be sure to have only one AntiVirus installed at one time.


Once you've either updated PC-Cillin, or uninstalled it and installed your new AntiVirus, be sure to update the definitions and run a full system scan.

Next...

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

• Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
• Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 11. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
• Click the "Download" button to the right.
• Select the Windows platform from the dropdown menu.
• Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
• Click on the link to download Windows Offline Installation and save the file to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.

• After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on Settings. Uncheck Mail databases.
• Next, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

Run DDS once again, and post it's logs.


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds to run the tool.

• When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt
• Save both reports to your desktop.

-----------------------------------------------------

Please include the following logs in your thread:

• Contents of the DDS.txt posted as text in your reply
• Attach the Attach.txt to your post by clicking the Manage Attachments button under Additonal Options>Attach Files on the composition page. Browse to where you saved the file, and click Upload.

How is the machine behaving?

[jobleman]

Well I went through all the steps a I loaded up an anti-virus and the pop-up are not coming up any more. See attached for theresults of the scans.


Thanks

[tetonbob]

Looks good.

Open NOTEPAD.exe and copy/paste the text in the codebox below into it:

Code:

@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\Documents and Settings\All Users\Application Data\services\services.dll"

) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)

if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
del %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says

I noticed this in your log:

RP759: 1/7/2009 7:55:29 PM - ADVANCED REGISTRY OPTIMIZER - FIRST RUN
RP760: 1/7/2009 7:57:11 PM - Advanced Registry Optimizer Wed, Jan 07, 09 19:57

I'd like to point this out:

We do not recommend the use of registry cleaners/optimizers. Our colleague miekiemoes has an excellent writeup here

Another excellent article by Bill Castner is located here.

[jobleman]

I ran that and it stated "Deleted Successfully"

[jobleman]

As for the advance Regestry Optimizer I down loaded that by acident thinking it was the AntiVir, I have removed this program. --- I think

[tetonbob]

Quote:

Originally Posted by jobleman

As for the advance Regestry Optimizer I down loaded that by acident thinking it was the AntiVir, I have removed this program. --- I think

Ok, that's good.

The other items Kaspersky found are in ComboFix quarantine, and will be addressed by uninstalling ComboFix as instructed below

Other than that....

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

• Microsoft Windows Update - http://www.windowsupdate.com
  Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.
  
• Winpatrol
  
  Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.
  
  You can get a free copy of Winpatrol or use the Plus version for more features.
  
  You can read Winpatrol's FAQ if you run into problems.
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    
  • Once updated you should see another prompt that the task was completed.
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
  
  Do not install more than one AntiVirus program because they will conflict with each other.
  
  
• Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer
  
  
• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• How did I get infected in the first place?
• PC Safety and Security--What Do I Need?

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[tetonbob]

Since this issue appears to be resolved, this topic will now be archived. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help