Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
Potentially malicious or infected application says Bit Defender (In Progress)

Cjreef (Member with 45 posts, Join Date: Aug 2009), 06-Sep-2009, 12:17 PM, #31
Okay, done. I saved a log just in case you need it later if the problem comes back.

I still have an on and off problem with the delete key and getting screens allocated to shortcut letters when I type. This happens in Microsoft Works and Outlook. If it becomes a big problem I will start a new thread.

Thank you so much for all your help. If I were younger I would really enjoy learning more about computers and programming, it is fascinating.

I'll mark the thread as solved.
Cookiegal (Administrator with 63,642 posts, Join Date: Aug 2003, Location: Quebec, Canada), 07-Sep-2009, 03:07 PM, #32
You're welcome.

Here are some final instructions for you.


Follow these steps to uninstall Combofix and all of its files and components.
  • Click START then RUN
  • Now type ComboFix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on My Computer and click on Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on Start – All Programs – Accessories – System Tools and then select System Restore.

In the System Restore wizard, select Create a restore point and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading SPYWAREBLASTER for added protection.

Read here for info on how to tighten your security.
__________________
Microsoft MVP - Consumer Security
Cjreef (Member with 45 posts, Join Date: Aug 2009), 09-Sep-2009, 10:48 AM, #33
Windows couldn't find ComboFix /u. I did a search and couldn't find it either.
I did create a new restore point and downloaded Spywareblaster.
Cookiegal (Administrator with 63,642 posts, Join Date: Aug 2003, Location: Quebec, Canada), 09-Sep-2009, 06:07 PM, #34
I thought we had run ComboFix but we haven't. I think we should do that now.

Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
__________________
Microsoft MVP - Consumer Security
Cjreef (Member with 45 posts, Join Date: Aug 2009), 10-Sep-2009, 11:49 AM, #35
ComboFix 09-09-09.09 - Claude Poole 09/10/2009 11:23.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3031.2518 [GMT -4:00]
Running from: c:\documents and settings\Claude Poole\Desktop\Combo-Fix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\install.dat
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\documents and settings\Claude Poole\Application Data\install.dat
c:\program files\autorun.inf
c:\program files\BitDefender\BitDefender Online Backup\ntSVc.ocx
c:\windows\Installer\14f5b6f.msp
c:\windows\Installer\18c86d5.msp
c:\windows\Installer\18c86d6.msp
c:\windows\Installer\18c86d7.msp
c:\windows\Installer\18c86d8.msp
c:\windows\Installer\18c86d9.msp
c:\windows\Installer\18c86da.msp
c:\windows\Installer\18c86db.msp
c:\windows\Installer\18c86dc.msp
c:\windows\Installer\18c86dd.msp
c:\windows\Installer\18e1aa7.msp
c:\windows\Installer\18e1aa8.msp
c:\windows\Installer\18e1aa9.msp
c:\windows\Installer\18e1aaa.msp
c:\windows\Installer\18e1aab.msp
c:\windows\Installer\18e1aac.msp
c:\windows\Installer\18e1aad.msp
c:\windows\Installer\18e1aae.msp
c:\windows\Installer\18e1aaf.msp
c:\windows\Installer\18e1ab0.msp
c:\windows\Installer\18ea973.msp
c:\windows\Installer\18ea97d.msp
c:\windows\Installer\18ea988.msp
c:\windows\system32\config\system~1\applic~1\install.dat

.
((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 )))))))))))))))))))))))))))))))
.

2009-09-08 19:19 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 02:13 . 2009-09-08 02:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-08 02:13 . 2009-09-08 02:24 -------- d-----w- c:\program files\SpywareBlaster
2009-08-29 17:32 . 2009-08-29 17:32 -------- d-----w- c:\program files\Sun
2009-08-24 19:21 . 2009-08-24 19:28 -------- d-----w- c:\program files\Mountpoints Diagnostic
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Malwarebytes
2009-08-23 20:27 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-23 20:27 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-23 18:22 . 2009-08-23 18:22 -------- d-----w- c:\program files\Trend Micro
2009-08-23 17:07 . 2009-08-23 17:07 -------- d-----w- c:\program files\Process Explorer
2009-08-21 22:14 . 2009-08-21 22:14 71 ----a-w- c:\documents and settings\Claude Poole\Application DatadMb.dat
2009-08-21 19:46 . 2009-08-21 19:46 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\VSRevoGroup
2009-08-21 19:11 . 2009-08-21 19:12 -------- d-----w- c:\program files\Revouninstaller
2009-08-18 17:27 . 2009-08-18 17:27 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Uniblue
2009-08-16 14:00 . 2009-09-10 02:04 81984 ----a-w- c:\windows\system32\bdod.bin
2009-08-16 13:36 . 2009-08-16 13:36 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\BitDefender
2009-08-16 13:36 . 2009-08-16 13:36 -------- d-----w- C:\Binaries
2009-08-16 13:36 . 2009-08-16 13:42 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2009-08-16 13:36 . 2009-08-16 13:36 -------- d-----w- c:\program files\BitDefender
2009-08-16 13:33 . 2009-08-16 13:36 -------- d-----w- c:\program files\Common Files\BitDefender
2009-08-16 01:49 . 2009-08-16 01:49 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-12 13:17 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-10 13:23 . 2009-05-14 21:23 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-09-09 14:26 . 2009-05-06 13:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-29 17:32 . 2009-05-06 13:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-29 17:31 . 2009-05-06 12:59 -------- d-----w- c:\program files\Java
2009-08-28 16:58 . 2009-05-14 20:44 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\U3
2009-08-26 20:26 . 2009-08-26 20:26 0 ----a-w- c:\windows\system32\bda156.tmp
2009-08-21 14:48 . 2009-02-12 20:52 104456 ------w- c:\windows\system32\drivers\bdfndisf.sys
2009-08-16 13:29 . 2009-05-06 13:01 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-16 00:59 . 2009-07-03 22:08 664 ------w- c:\windows\system32\d3d9caps.dat
2009-08-08 17:35 . 2009-08-08 17:35 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Printer Info Cache
2009-08-07 15:49 . 2009-05-22 00:34 3578 ------w- c:\documents and settings\Claude Poole\Application Data\wklnhst.dat
2009-08-07 02:40 . 2009-05-14 15:47 41520 ------w- c:\documents and settings\Claude Poole\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 23:06 . 2009-08-06 23:06 -------- d-----w- c:\program files\Dell DataSafe Online
2009-08-05 23:03 . 2009-05-06 13:00 -------- d-----w- c:\program files\Dell
2009-08-05 22:40 . 2009-08-05 22:40 -------- d-----w- c:\program files\Intel
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 23:21 . 2009-06-04 23:03 13 ------w- c:\windows\popcinfo.dat
2009-07-25 17:41 . 2009-05-15 04:30 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Marine Aquarium 3
2009-07-20 02:40 . 2009-06-04 22:00 -------- d-----w- c:\program files\Agile Lines
2009-07-18 19:25 . 2009-06-16 18:31 -------- d-----w- c:\program files\HP
2009-07-18 18:19 . 2009-07-18 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-07-17 19:01 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2008-04-25 16:16 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-04 16:46 . 2009-07-04 16:46 61224 ------w- c:\documents and settings\Claude Poole\GoToAssistDownloadHelper.exe
2009-07-03 17:09 . 2008-04-25 16:16 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 19:22 . 2009-06-16 18:23 80537 ------w- c:\windows\HPHins08.dat
2009-06-16 18:39 . 2009-06-16 18:39 135 ------w- c:\documents and settings\Claude Poole\Local Settings\Application Data\fusioncache.dat
2009-06-16 14:36 . 2008-04-25 16:16 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2008-04-25 16:16 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-05-23 02:23 . 2009-05-23 02:23 1878888 ------w- c:\program files\install_flash_player.exe
2001-04-18 08:01 . 2009-05-21 22:15 6758912 ------r- c:\program files\ps601up.exe
2000-12-02 23:38 . 2009-05-21 22:15 2857 ------r- c:\program files\Abcpy.ini
2000-10-23 05:26 . 2009-05-21 22:15 42 ------r- c:\program files\serial.txt
2000-09-29 13:01 . 2009-05-21 22:15 652 ------r- c:\program files\layout.bin
2000-09-29 13:01 . 2009-05-21 22:15 107119545 ------r- c:\program files\data1.cab
2000-09-29 13:01 . 2009-05-21 22:15 204890 ------r- c:\program files\data1.hdr
2000-09-29 13:00 . 2009-05-21 22:15 49 ------r- c:\program files\setup.lid
2000-09-29 13:00 . 2009-05-21 22:15 2389166 ------r- c:\program files\_user1.cab
2000-09-29 13:00 . 2009-05-21 22:15 101 ------r- c:\program files\DATA.TAG
2000-09-29 13:00 . 2009-05-21 22:15 8812 ------r- c:\program files\_user1.hdr
2000-09-29 13:00 . 2009-05-21 22:15 6492 ------r- c:\program files\_sys1.hdr
2000-09-29 13:00 . 2009-05-21 22:15 181565 ------r- c:\program files\_sys1.cab
2000-09-29 13:00 . 2009-05-21 22:15 198033 ------r- c:\program files\setup.ins
2000-09-14 11:22 . 2009-05-21 22:15 27551 ------r- c:\program files\Photoshop 6.0 Readme.wri
2000-08-30 20:15 . 2009-05-21 22:15 27648 ------r- c:\program files\_ISDel.exe
2000-06-16 20:21 . 2009-05-21 22:15 415574 ------r- c:\program files\Setup.bmp
2000-01-04 21:34 . 2009-05-21 22:15 250 ------r- c:\program files\SETUP.INI
1998-10-02 22:15 . 2009-05-21 22:15 297989 ------r- c:\program files\_INST32I.EX_
1998-10-02 22:06 . 2009-05-21 22:15 27648 ------r- c:\program files\_ISDel_old.exe
1998-09-29 20:34 . 2009-05-21 22:15 34816 ------r- c:\program files\_Setup.dll
1998-09-18 18:12 . 2009-05-21 22:15 4679 ------r- c:\program files\lang.dat
1998-07-27 21:41 . 2009-05-21 22:15 450 ------r- c:\program files\os.dat
2009-03-05 22:08 . 2009-08-16 13:42 49664 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2009-05-06 13:08 . 2009-05-06 13:08 75 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-04-23 801904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-20 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-20 737280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-04 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-04 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-04 150040]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-11-14 1708032]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-11-11 442536]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-25 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-04 1422632]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-08-21 782336]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-02-23 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-29 149280]

c:\documents and settings\Claude Poole\Start Menu\Programs\Startup\
wkcalrem.LNK - c:\program files\Microsoft Works\WkCalRem.exe [2007-11-27 46432]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-21 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-07-04 16:46 10536 ------w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Claude Poole^Start Menu^Programs^Startup^Dell Dock.lnk]
path=c:\documents and settings\Claude Poole\Start Menu\Programs\Startup\Dell Dock.lnk
backup=c:\windows\pss\Dell Dock.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [10/6/2008 6:16 PM 82696]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [12/18/2008 2:05 PM 155648]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [5/6/2009 11:46 AM 113024]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [9/18/2008 12:09 PM 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2/12/2009 4:52 PM 104456]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [5/6/2009 9:08 AM 135936]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/6/2009 11:46 AM 110080]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [5/6/2009 11:46 AM 176640]
R3 OA008Afx;Provides a software interface to control audio effects of OA008 camera.;c:\windows\system32\drivers\OA008Afx.sys [5/6/2009 11:46 AM 148056]
R3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\drivers\OA008Ufd.sys [5/6/2009 11:46 AM 133472]
R3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\drivers\OA008Vid.sys [5/6/2009 11:46 AM 271616]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [5/6/2009 11:46 AM 1656960]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [1/20/2009 7:16 PM 172032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-06 c:\windows\Tasks\BitDefender Online Backup - oleyreef@ptd.net.job
- c:\program files\BitDefender\BitDefender Online Backup\sosuploadagent.exe [2009-06-03 18:08]
.
.
------- Supplementary Scan -------
.
TCP: {C653377A-D8AC-4C64-9C39-69762EED141A} = 216.144.187.199,204.186.0.201
FF - ProfilePath - c:\documents and settings\Claude Poole\Application Data\Mozilla\Firefox\Profiles\ehao72fs.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL -
FF - component: c:\documents and settings\Claude Poole\Application Data\Mozilla\Firefox\Profiles\ehao72fs.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-LoJackForLaptops - c:\program files\LFLInstall\InstallManager.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-10 11:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1480)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2009-09-10 11:29
ComboFix-quarantined-files.txt 2009-09-10 15:29

Pre-Run: 207,608,180,736 bytes free
Post-Run: 207,936,655,360 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

242 --- E O F --- 2009-09-10 02:04

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:52 AM, on 9/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Works\WkCalRem.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: wkcalrem.LNK = C:\Program Files\Microsoft Works\WkCalRem.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C653377A-D8AC-4C64-9C39-69762EED141A}: NameServer = 216.144.187.199,204.186.0.201
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\drivers\audio\r214424\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 9090 bytes

I can't believe the amount of work you are doing for me. Thank you again, so much.
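The ComboFix log in this post lists files with an eight-character attribute field (for example `--sh--r-` on c:\windows\CT4CET.bin, where `s` and `h` mark system and hidden) and, under Other Deletions, bare paths with no metadata. The script below is an added example by the editor, not code from this thread, from ComboFix or from any of the tools named here: it parses those two line shapes and applies a few reviewer heuristics (hidden+system files, autorun.inf anywhere but a drive root, a loose file dropped directly into an Application Data folder, a zero-byte .tmp in system32). The sample lines are copied from the log above except the Owner\Application Data entry, which is constructed; the heuristics are the editor's own, and a hit means "look at this", not "this is malware".

```python
import re

# Constructed sample in the two line shapes ComboFix uses: dated file entries
# (created . modified size attrs path) and bare paths from "Other Deletions".
# Lines are copied from the thread's log except the Owner\Application Data one.
SAMPLE_COMBOFIX = r"""
c:\program files\autorun.inf
2009-08-16 14:00 . 2009-09-10 02:04 81984 ----a-w- c:\windows\system32\bdod.bin
2009-08-26 20:26 . 2009-08-26 20:26 0 ----a-w- c:\windows\system32\bda156.tmp
2009-08-03 23:21 . 2009-06-04 23:03 13 ------w- c:\windows\popcinfo.dat
2009-05-06 13:08 . 2009-05-06 13:08 75 --sh--r- c:\windows\CT4CET.bin
2009-08-21 22:14 . 2009-08-21 22:14 71 ----a-w- c:\documents and settings\Owner\Application Data\install.dat
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-03 17:09 . 2008-04-25 16:16 915456 ----a-w- c:\windows\system32\wininet.dll
"""

# created . modified size attrs path ; size is "--------" for directories
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) "
    r"(?P<attrs>[-dcshawr]{8}) "
    r"(?P<path>.+?)\s*$"
)
BARE_PATH = re.compile(r"^[a-z]:\\.+$", re.IGNORECASE)


def parse_entries(text):
    """Yield (path, size, attrs); size and attrs are None for bare deleted paths."""
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            size = int(m["size"]) if m["size"].isdigit() else None
            yield m["path"].lower(), size, m["attrs"]
        elif BARE_PATH.match(line):
            yield line.lower(), None, None


def triage_combofix(text):
    """Return (reason, path) pairs worth a second look.

    The heuristics are the editor's own (assumptions, not ComboFix logic);
    a hit is a prompt to investigate, not a verdict.
    """
    findings = []
    for path, size, attrs in parse_entries(text):
        parent, _, name = path.rpartition("\\")
        is_dir = bool(attrs) and attrs[0] == "d"
        # system+hidden on an ordinary file is how droppers hide from Explorer
        if attrs and "s" in attrs and "h" in attrs and not is_dir:
            findings.append(("hidden+system file", path))
        # autorun.inf belongs on a removable-media root, not under Program Files
        if name == "autorun.inf" and not re.fullmatch(r"[a-z]:", parent):
            findings.append(("autorun.inf outside a drive root", path))
        # legitimate software creates its own subfolder under Application Data
        if parent.endswith(("\\application data", "\\applic~1")) and not is_dir and "." in name:
            findings.append(("loose file in Application Data root", path))
        # a zero-byte .tmp in system32 is often a leftover lock or marker file
        if size == 0 and parent.endswith("\\system32") and name.endswith(".tmp"):
            findings.append(("zero-byte .tmp in system32", path))
    return findings


if __name__ == "__main__":
    for reason, path in triage_combofix(SAMPLE_COMBOFIX):
        print(f"{reason:40} {path}")
```

Paths are lower-cased before comparison because ComboFix prints them in whatever case the file system returned; the parent/name split on the last backslash is what makes the "drive root" and "Application Data root" checks cheap.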
Cookiegal (Administrator with 63,642 posts, Join Date: Aug 2003, Location: Quebec, Canada), 12-Sep-2009, 11:16 AM, #36
It's no problem. I like to be thorough.

Please delete these two files manually:

c:\windows\system32\bda156.tmp
C:\windows\popcinfo.dat

Follow these steps to uninstall Combofix and all of its files and components.
  • Click START then RUN
  • Now type ComboFix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on My Computer and click on Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on Start – All Programs – Accessories – System Tools and then select System Restore.

In the System Restore wizard, select Create a restore point and click the Next button.

Type a name for your new restore point then click on Create.

You should trim down your start-ups (these show as the O4 entries in your HijackThis log) as there are too many running. You can research them at these sites and if they aren’t required at start-up then you can uncheck them in msconfig via Start - Run - type msconfig click OK and then click on the start-up tab.

http://www.systemlookup.com/lists.php?list=2
http://www.bleepingcomputer.com/startups/
http://www.windowsstartup.com/wso/index.php
__________________
Microsoft MVP - Consumer Security
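Two of the checks in the post above can be done from a PowerShell prompt: confirming whether the two files are still present (Windows Explorer hides hidden and system files by default, which is one reason a search may miss them) and listing the Run-key autostart entries that HijackThis reports as O4 lines. This is an added example, not something from the thread; it assumes PowerShell is installed and run as Administrator.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell prompt.
$suspectFiles = @(
    'C:\WINDOWS\system32\bda156.tmp',   # the two paths Cookiegal listed
    'C:\WINDOWS\popcinfo.dat'
)

foreach ($path in $suspectFiles) {
    # -Force makes Get-Item return hidden and system files as well
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "$path : not present (already removed)"
    } else {
        Write-Output ("{0} : present, {1} bytes, attributes {2}, modified {3}" -f
            $path, $item.Length, $item.Attributes, $item.LastWriteTime)
    }
}

# Autostart entries: the same information msconfig's Startup tab and the
# HijackThis O4 lines show, read straight from the registry.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    # Skip the registry provider's own bookkeeping properties (PSPath etc.)
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { Write-Output ("{0} : {1} = {2}" -f $key, $_.Name, $_.Value) }
}
```

Each value printed under a Run key is one start-up item; look it up at the sites listed above before disabling it.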
Cjreef's Avatar
Member with 45 posts.
 
Join Date: Aug 2009
12-Sep-2009, 12:11 PM #37
Since my last post, Dell had an update which changed the BIOS. It said something about changing the registry while updating. Of course, it means nothing to me, but I thought you might want to know in case you want to see a log or something before I go ahead and wipe out the restore points. I assume that's what you mean by "flash out"?
Also, I looked for those two files in Windows Explorer. I can't find them but I see they are listed in the ComboFix log. I'm sorry to bother you some more but I'll need instructions on how to find them and delete them. Thanks.
Cookiegal's Avatar
Administrator with 63,642 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
12-Sep-2009, 07:31 PM #38
No, there's no need for another log and it won't affect flushing the restore points.

Did you try to navigate to those files or did you do a search?
Cjreef's Avatar
Member with 45 posts.
 
Join Date: Aug 2009
12-Sep-2009, 09:26 PM #39
I tried to navigate to the files with Internet Explorer and I also ran searches; no dice.

ComboFix is gone and I have a new restore point.
Cookiegal's Avatar
Administrator with 63,642 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
13-Sep-2009, 04:27 PM #40
Have you already deleted ComboFix? If not we can use it to delete those files, in case they do still exist.
Cjreef's Avatar
Member with 45 posts.
 
Join Date: Aug 2009
13-Sep-2009, 06:53 PM #41
Yes, I have deleted ComboFix. What do those two files do? Can we just leave them? And, shouldn't they be visible in Windows Explorer?

I was working all day with my accounting program and the warning from Bit Defender kept cropping up every few minutes. Each time I told it to block. My program worked like a charm so whatever Windows wanted to do sure wasn't needed. I had not seen that warning in days. So, I guess I should change the thread back to unsolved, grrrr....
Cookiegal's Avatar
Administrator with 63,642 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
15-Sep-2009, 03:32 PM #42
Please post a screen shot of the alert you're getting.
Cjreef's Avatar
Member with 45 posts.
 
Join Date: Aug 2009
16-Sep-2009, 02:34 PM #43
I don't seem to be able to post the screen shot. I have one saved in Microsoft Word. Any idea how I can transfer it? When I try the copy and paste I just get a light colored broken picture in the reply window.

Here is what it says:

Bit Defender Behavioral Scanner
! Bit Defender blocked a potentially malicious or infected Application
Microsoft(r)Windows(r) Operating System
Application:
C:\WINDOWS\System32\svchost.exe

Bit Defender detects applications based on their behavior. If this is a known and trusted application, please click "allow"

You can either click "allow" to allow this action to be performed, or, "OK" to block this action.


I have been clicking OK based on the Dell tech's claim that my computer was probably infected. Not allowing the action doesn't seem to be a problem with any of my programs, but it is really annoying to have that screen pop up all the time.
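The alert above names C:\WINDOWS\System32\svchost.exe, which is a genuine Windows component that hosts many services, so the useful question is whether the file being blocked is the real one and what it is running. The checks below are an added example, not advice from the thread; they assume a PowerShell prompt run as Administrator.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell prompt.
$target = 'C:\WINDOWS\System32\svchost.exe'   # path quoted in the BitDefender alert

# Signature check. On older Windows versions system binaries are catalog-signed,
# so Get-AuthenticodeSignature may report NotSigned for a genuine file: treat
# 'Valid' as confirmation and anything else as 'inspect further', not 'malicious'.
$sig = Get-AuthenticodeSignature -FilePath $target
Write-Output ("{0}: {1} ({2})" -f $target, $sig.Status, $sig.SignerCertificate.Subject)

# Every svchost.exe under the Windows folder. The genuine one is in System32
# (Windows also keeps backup copies in its own service folders); a copy in an
# unexpected folder is what a behavioural alert on 'svchost.exe' most often means.
Get-ChildItem -Path 'C:\WINDOWS' -Filter 'svchost.exe' -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime

# Which services each running svchost.exe instance hosts (tasklist is built into Windows).
tasklist /svc /fi "imagename eq svchost.exe"
```

If the only copies are in the expected Windows folders and the hosted services are familiar Windows services, the alert is about a legitimate component's behaviour rather than a replaced file.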
Cjreef's Avatar
Member with 45 posts.
 
Join Date: Aug 2009
16-Sep-2009, 03:45 PM #44
Cookiegal's Avatar
Administrator with 63,642 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
16-Sep-2009, 08:16 PM #45
You have to save the screenshot in MS Paint and then upload it as an attachment.