Particularly vicious Antivirus Soft infection on PC laptop

marksteinway · **Joined:** Tue Mar 16, 2010 4:32 pm **Posts:** 15

My wife's laptop picked up the dreaded Antivirus Soft infection. She is running Windows Vista Home Premium Service Pack 1. I downloaded hijack this to my computer, put it on a usb stick and ran it on her laptop. Here is the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 7:50:57 AM, on 3/17/2010
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: SearchHelper Class - {91C18ED5-5E1C-4AE5-A148-A861DE8C8E16} - C:\Program Files\SGPSA\mtwb3sh.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: BrowserHelper Class - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - C:\Program Files\SGPSA\SearchAssistant.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Program Files\SGPSA\BHO.dll
O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll (file missing)
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Fast Browser Search Toolbar - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll (file missing)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [cctray] C:\Program Files\CA\CA Internet Security Suite\casc.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [FBSSA] C:\Program Files\SGPSA\ie3sh.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [oocevvsu] C:\Users\Mindy\AppData\Local\hvuvld\ewtqsftav.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: PFW - C:\Windows\SYSTEM32\UmxWnp.Dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

THANK YOU FOR ANY HELP YOU CAN OFFER!
Mark

TeMerc · **Posted:** Wed Mar 17, 2010 2:32 pm

Hello and w^*

to TeMerc Internet Countermeasures Forum and thanks for joining. 1rokon

Because some malware can be easily removed, we recommend Malwarebytes' Anti-Malware be run.

It's important to let me know however, if you experience any trouble getting to the site or downloading it or opening it to run. Some rootkits target MBAM and those indicators are the 'tell', if you will. We have another method of double-checking for this rootkit, which if present, will require another special tool.

Download it from here and save it to your desktop. If you're using IE7 you may get prompted to allow the download, please do so.

Double-click mbam-setup.exe icon: and when the download dialog box appears, please tick the 'Launch Malwarebytes' Anti-Malware when download completes' as displayed:
Select your language when this option is displayed.
Follow default installation instructions
Decide if you would like a 'Start Menu' folder created when this option is displayed
Choose your options of preference on the 'Select Additional Tasks' screen
Review your choices at the 'Ready To Install' screen
At the end, be sure a checkmark is placed next to 'Update Malwarebytes' Anti-Malware' and 'Launch Malwarebytes' Anti-Malware' as displayed here:
Then click the button
Please read the information box when it appears and click the button
Please allow access via your firewall if an alert is presented to you
If an update is found, it will download and install the latest version.
Once the program has loaded, select 'Perform quick scan'
Then click button
When the scan is complete, you will be presented with a message as such, click the button then click the button
Be sure that each item has its box ticked as displayed here: and click .
When completed, a log will open in Notepad. Please save it to your desktop for easy access. Copy the contents of the file and paste it back into your thread for review along with a new HJT log as well. The MBAM log is also default saved to the following location: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt

Then rescan with HijackThis and paste in the log.

marksteinway · **Joined:** Tue Mar 16, 2010 4:32 pm **Posts:** 15

Already tried with malwarebytes and it won't run, no matter what I name the file. This malware is somehow detecting the attempt to run mwb and blocking every attempt.

marksteinway · **Joined:** Tue Mar 16, 2010 4:32 pm **Posts:** 15

Okay, so I apologize.....Malwarebytes did run. Here is the logfile:

Malwarebytes' Anti-Malware 1.43
Database version: 3458
Windows 6.0.6001 Service Pack 1 (Safe Mode)
Internet Explorer 8.0.6001.18882

3/17/2010 7:19:52 PM
mbam-log-2010-03-17 (19-19-52).txt

Scan type: Quick Scan
Objects scanned: 106062
Time elapsed: 4 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

WHAT NOW? By the way.....THANK YOU for what you do!!!

TeMerc · **Posted:** Thu Mar 18, 2010 12:48 am

Thanks, but we need to get you updated, you're one full version behind and almost 400 database versions behind. We're currently at 3879 as of this writing after an update in the last 30 minutes.

Lets collect some more info off the system to see if we can spot the malicious files.

Download RSIT from the link below and save it to your desktop.
http://images.malwareremoval.com/random/RSIT.exe
You may have to change the name, change it to winlogon.exe
Double click on the file to run it.
Click Continue at the disclaimer screen. Please allow the download of Trend Micro's HijackThis to collect additional information not included in the default RSIT output.
Once it has finished, two logs will open.

Please attach the contents of LOG.txt (<<will be maximized-displayed on desktop)

***PLEASE DO NOT SEND INFO.TXT... if I need it I will ask specifically for it.***

marksteinway · **Joined:** Tue Mar 16, 2010 4:32 pm **Posts:** 15

Your link doesn't work. I keep getting a (IE cannot connect) notice. Even tried opening a new window manually and pasting the url and it still says it can't connect. What am I doing wrong? Every other website I try to go to works. This one doesn't.

TeMerc · **Posted:** Fri Mar 19, 2010 12:30 am

marksteinway wrote:

Your link doesn't work. I keep getting a (IE cannot connect) notice. Even tried opening a new window manually and pasting the url and it still says it can't connect. What am I doing wrong? Every other website I try to go to works. This one doesn't.

It works ok for me, try this other tool instead.

Please download DDS from the link below and save it to your desktop:
http://download.bleepingcomputer.com/sUBs/dds.scr
*Disable any security software before running
*Double click dds.scr to run the tool.
*When done, DDS.txt will open.
*Click Yes at the next prompt for Optional Scan
*Save both reports to your desktop using notepad.

Please attach the contents of the following file in your next reply:
DDS.txt

If I need the other log, I'll request it.

marksteinway · **Joined:** Tue Mar 16, 2010 4:32 pm **Posts:** 15

Pardon my ignorance, but some of this puzzles me. I'm in safe mode with networking on her laptop - only way that malware doesn't take over the computer functions and disable everything. I ran the tool the first time and it stated at the top of the log (as it does on the one I'm pasting here) that both CA Antivirus and Windows Defender are enabled. So I shut the window, opened CA and it said it was disabled and manually selected Windows Defender to not scan real time (didn't see a "disable" option).
Ran the utility again and here's what I got:

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Mindy at 10:14:47.50 on Fri 03/19/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3061.2371 [GMT -5:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Users\Mindy\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: SearchHelper Class: {91c18ed5-5e1c-4ae5-a148-a861de8c8e16} - c:\program files\sgpsa\mtwb3sh.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: BrowserHelper Class: {8a9d74f9-560b-4fe7-abeb-3b2e638e5cd6} - c:\program files\sgpsa\SearchAssistant.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Search Assistant: {f0626a63-410b-45e2-99a1-3f2475b2d695} - c:\program files\sgpsa\BHO.dll
BHO: Fast Browser Search Toolbar Helper: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\fast browser search\ie\FBStoolbar.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Fast Browser Search Toolbar: {1bb22d38-a411-4b13-a746-c2a4f4ec7344} - c:\program files\fast browser search\ie\FBStoolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [oocevvsu] c:\users\mindy\appdata\local\hvuvld\ewtqsftav.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [cctray] c:\program files\ca\ca internet security suite\casc.exe
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [FBSSA] c:\program files\sgpsa\ie3sh.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/200 ... oader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/200 ... ader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/s ... wflash.cab
Notify: igfxcui - igfxdev.dll
Notify: PFW - UmxWnp.Dll

============= SERVICES / DRIVERS ===============

S1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2009-1-9 72696]
S1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-5-3 26352]
S1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-5-3 21104]
S1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-5-3 161008]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2009-5-3 73728]
S2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2009-5-3 144696]
S2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2009-5-3 128240]
S2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2009-1-9 1153528]
S2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2009-1-9 797176]
S2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2008-9-2 289272]
S2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2009-5-3 292080]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-5-3 111616]
S3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2009-1-9 205304]
S3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2009-5-3 133520]

=============== Created Last 30 ================

2010-03-17 12:51:45 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-03-17 02:16:09 0 d-----w- c:\users\mindy\appdata\roaming\Malwarebytes
2010-03-17 02:16:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-17 02:16:05 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-17 02:16:05 0 d-----w- c:\programdata\Malwarebytes
2010-03-17 02:16:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-11 09:01:10 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-11 09:01:09 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-11 09:01:09 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-03-11 05:25:55 3597912 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-03-11 05:25:55 3546200 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-03-05 05:50:02 0 d-----w- c:\windows\system32\EventProviders
2010-02-24 18:19:45 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-24 18:19:30 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 18:19:30 511488 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-24 18:19:29 472576 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 18:19:29 472064 ----a-w- c:\windows\system32\secproc.dll
2010-02-24 18:19:29 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-24 18:19:29 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 18:19:29 329216 ----a-w- c:\windows\system32\msdrm.dll
2010-02-24 18:19:29 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 18:19:29 151040 ----a-w- c:\windows\system32\secproc_ssp.dll

==================== Find3M ====================

2010-02-24 15:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-28 12:35:50 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-28 12:35:00 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-28 12:32:34 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-28 12:32:32 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-28 12:32:32 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-28 12:32:25 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-28 12:31:22 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-28 12:31:01 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-28 12:28:43 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-28 12:28:43 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-09-17 23:41:59 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-09-17 23:41:59 86016 ----a-w- c:\windows\inf\infstor.dat
2009-09-17 23:41:59 51200 ----a-w- c:\windows\inf\infpub.dat
2009-05-04 01:57:12 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-05-04 01:39:19 76 --sh--r- c:\windows\CT4CET.bin
2009-12-01 06:31:46 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-12-01 06:31:46 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-12-01 06:31:46 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-12-01 06:31:46 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 10:14:54.52 ===============

Am I doing something wrong with attempting to disable the two programs or does this give you what you need?

TeMerc · **Posted:** Sat Mar 20, 2010 12:43 am

Thanks for the log.

Download The Avenger from the link below:
http://swandog46.geekstogo.com/avenger2/download.php

[*]Unzip/extract it to a folder on your desktop.
[*]Double click on avenger.exe to run The Avenger.
[*]Click OK.
[*]Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
[*]Copy all of the text in between the code box:

Code:

Files to delete:
c:\program files\sgpsa\BHO.dll
c:\program files\fast browser search\ie\FBStoolbar.dll
c:\users\mindy\appdata\local\hvuvld\ewtqsftav.exe

Folders to delete:
c:\program files\sgpsa
c:\program files\fast browser search
c:\users\mindy\appdata\local\hvuvld

[*]In the avenger window, click the Paste Script from Clipboard, button.
[*]Click the Execute button.
[*]You will be asked "Are you sure you want to execute the current script"
[*]Click Yes.
[*]You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
[*]Click Yes.
[*]Your PC will now be rebooted.
[*]Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
[*]If that is the case, it will force a BSOD on the first reboot. This is normal & expected behavior.
[*]After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
[*]Please paste this scan log. Even if you experience errors with the program, please check for the log in the above mentioned location.

Then rescan with HijackThis and fix the following lines:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: SearchHelper Class - {91C18ED5-5E1C-4AE5-A148-A861DE8C8E16} - C:\Program Files\SGPSA\mtwb3sh.dll
O2 - BHO: BrowserHelper Class - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - C:\Program Files\SGPSA\SearchAssistant.dll
O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Program Files\SGPSA\BHO.dll
O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll (file missing)
O3 - Toolbar: Fast Browser Search Toolbar - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll (file missing)
O4 - HKCU\..\Run: [oocevvsu] C:\Users\Mindy\AppData\Local\hvuvld\ewtqsftav.exe

Reboot and rescan and paste in the new log

marksteinway · **Joined:** Tue Mar 16, 2010 4:32 pm **Posts:** 15

Near the end of your instructions, you say to rescan with HijackThis and fix the following lines......

When I open HJT, what option do I choose? Am I supposed to do your "fixes" before or after the scan? Sorry for my ignorance, but you need to be a little more detailed because I don't know these programs and I don't want to do the wrong thing.

TeMerc · **Posted:** Sun Mar 21, 2010 12:23 am

Here ya go:
Open HJT and run another scan. Once it's completed the scan, look over the following entries I have listed, place a check in the boxes next to them as displayed(some may not be present due to previous instructions):

and press the

button. When you are doing this, make sure you have no browser windows open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: SearchHelper Class - {91C18ED5-5E1C-4AE5-A148-A861DE8C8E16} - C:\Program Files\SGPSA\mtwb3sh.dll
O2 - BHO: BrowserHelper Class - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - C:\Program Files\SGPSA\SearchAssistant.dll
O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Program Files\SGPSA\BHO.dll
O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll (file missing)
O3 - Toolbar: Fast Browser Search Toolbar - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll (file missing)
O4 - HKCU\..\Run: [oocevvsu] C:\Users\Mindy\AppData\Local\hvuvld\ewtqsftav.exe
Then reboot, rescan with Hijackthis and paste in the log

marksteinway · **Joined:** Tue Mar 16, 2010 4:32 pm **Posts:** 15

Okay, so that didn't go as expected. Did as you instructed, but upon checking those boxes and starting HJT, Got an error message from HJT:

For some reason your system denied write access to the Hosts file.
If any hijacked domains are in this file, HijackThis may NOT be able to fix this.

If that happens, you need to edit the file yourself. To do this, click Start, Run and type:

notepad "C:Windows\System32\drivers\etc\hosts"

and press Enter. Find the line(s) HijackThis reports and delete them.
Save the file as "hosts." (with quotes), and reboot.

Then when I shut that window, got a 2nd error message:

An unexpected error has occurred at procedure:
modMain_CheckOther1Item()
Error #75 - Path/File access error

When I tried to do as HJT instructed me (opening up the hosts file and manually deleting lines), all I got was an empty file - none of those lines were there to delete, so I didn't save the file - just closed it.

Did I do something wrong? I'm lost now and don't know what to do.

TeMerc · **Posted:** Mon Mar 22, 2010 12:27 am

marksteinway wrote:

Okay, so that didn't go as expected. Did as you instructed, but upon checking those boxes and starting HJT, Got an error message from HJT:

For some reason your system denied write access to the Hosts file.
If any hijacked domains are in this file, HijackThis may NOT be able to fix this.

If that happens, you need to edit the file yourself. To do this, click Start, Run and type:

notepad "C:Windows\System32\drivers\etc\hosts"

and press Enter. Find the line(s) HijackThis reports and delete them.
Save the file as "hosts." (with quotes), and reboot.

Then when I shut that window, got a 2nd error message:

An unexpected error has occurred at procedure:
modMain_CheckOther1Item()
Error #75 - Path/File access error

When I tried to do as HJT instructed me (opening up the hosts file and manually deleting lines), all I got was an empty file - none of those lines were there to delete, so I didn't save the file - just closed it.

Did I do something wrong? I'm lost now and don't know what to do.

Ignore the error and continue on with the fix.

marksteinway · **Joined:** Tue Mar 16, 2010 4:32 pm **Posts:** 15

Here's the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 9:59:00 AM, on 3/22/2010
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: BrowserHelper Class - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - C:\Program Files\SGPSA\SearchAssistant.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Program Files\SGPSA\BHO.dll (file missing)
O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll (file missing)
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Fast Browser Search Toolbar - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll (file missing)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [cctray] C:\Program Files\CA\CA Internet Security Suite\casc.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [FBSSA] C:\Program Files\SGPSA\ie3sh.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: PFW - C:\Windows\SYSTEM32\UmxWnp.Dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

marksteinway · **Joined:** Tue Mar 16, 2010 4:32 pm **Posts:** 15

sorry, forgot to reboot and rescan. Here it is after rebooting and rescanning:

Logfile of HijackThis v1.99.1
Scan saved at 10:12:52 AM, on 3/22/2010
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: BrowserHelper Class - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - C:\Program Files\SGPSA\SearchAssistant.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Program Files\SGPSA\BHO.dll (file missing)
O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll (file missing)
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Fast Browser Search Toolbar - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll (file missing)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [cctray] C:\Program Files\CA\CA Internet Security Suite\casc.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [FBSSA] C:\Program Files\SGPSA\ie3sh.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: PFW - C:\Windows\SYSTEM32\UmxWnp.Dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

TeMerc · **Posted:** Tue Mar 23, 2010 1:07 am

OK, at this time you should have connectivity back and then please rescan with Hijackthis and fix the following lines:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: BrowserHelper Class - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - C:\Program Files\SGPSA\SearchAssistant.dll (file missing)
O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Program Files\SGPSA\BHO.dll (file missing)
O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll (file missing)
O3 - Toolbar: Fast Browser Search Toolbar - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll (file missing)

Reboot, rescan

marksteinway · **Joined:** Tue Mar 16, 2010 4:32 pm **Posts:** 15

Here are the results:

Logfile of HijackThis v1.99.1
Scan saved at 7:42:11 AM, on 3/23/2010
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: BrowserHelper Class - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - C:\Program Files\SGPSA\SearchAssistant.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Program Files\SGPSA\BHO.dll (file missing)
O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll (file missing)
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Fast Browser Search Toolbar - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll (file missing)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [cctray] C:\Program Files\CA\CA Internet Security Suite\casc.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [FBSSA] C:\Program Files\SGPSA\ie3sh.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: PFW - C:\Windows\SYSTEM32\UmxWnp.Dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

marksteinway · **Joined:** Tue Mar 16, 2010 4:32 pm **Posts:** 15

And thank you.....yes, connectivity is back. But are those pesky ones I've been trying to fix ever going away? Is there another utility we need to run?

TeMerc · **Posted:** Tue Mar 23, 2010 11:53 pm

marksteinway wrote:

And thank you.....yes, connectivity is back. But are those pesky ones I've been trying to fix ever going away? Is there another utility we need to run?

OK, thanks for the info. Let's run ComboFix.

Download ComboFix from one of the following links.
If ComboFix flashes and disappears and does not run it's possible you may have to rename the file as many malware infections block this tool(do not include 'combofix' as part of the new name). There is also a chance this will still fail. In that event, you may have to download the file from an uninfected computer, install it to a CD or USB stick and rename it before installing it to the infected machine

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

marksteinway · **Joined:** Tue Mar 16, 2010 4:32 pm **Posts:** 15

Everything ran smoothly.
Here's the textlog:

ComboFix 10-03-23.04 - Mindy 03/24/2010 7:44.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3061.1733 [GMT -5:00]
Running from: c:\users\Mindy\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\oem13.inf
C:\zip.exe

.
((((((((((((((((((((((((( Files Created from 2010-02-24 to 2010-03-24 )))))))))))))))))))))))))))))))
.

2010-03-24 12:40 . 2010-03-24 12:42 -------- d-----w- C:\32788R22FWJFW
2010-03-20 13:39 . 2010-03-20 13:39 574 ----a-w- C:\cleanup.bat
2010-03-17 12:51 . 2008-01-02 21:33 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-03-17 02:16 . 2010-03-17 02:16 -------- d-----w- c:\users\Mindy\AppData\Roaming\Malwarebytes
2010-03-17 02:16 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-17 02:16 . 2010-03-17 02:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-17 02:16 . 2010-03-17 02:16 -------- d-----w- c:\programdata\Malwarebytes
2010-03-17 02:16 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 09:01 . 2010-02-20 23:39 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-11 09:01 . 2010-02-20 23:37 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-03-11 09:01 . 2010-02-20 21:18 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-11 05:25 . 2009-12-08 20:52 3597912 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-03-11 05:25 . 2009-12-08 20:52 3546200 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-03-05 05:50 . 2010-03-05 05:50 -------- d-----w- c:\windows\system32\EventProviders
2010-02-24 18:19 . 2010-01-23 09:44 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-24 18:19 . 2010-01-25 08:35 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 18:19 . 2010-01-25 08:34 511488 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-24 18:19 . 2010-01-25 12:48 472576 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 18:19 . 2010-01-25 12:48 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 18:19 . 2010-01-25 12:48 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-24 18:19 . 2010-01-25 12:48 472064 ----a-w- c:\windows\system32\secproc.dll
2010-02-24 18:19 . 2010-01-25 12:45 329216 ----a-w- c:\windows\system32\msdrm.dll
2010-02-24 18:19 . 2010-01-25 08:35 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 18:19 . 2010-01-25 08:34 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-22 22:38 . 2010-02-22 22:38 329536 ----a-w- c:\users\Public\RemoveSGP.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-21 08:00 . 2010-03-21 08:00 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-03-20 22:23 . 2009-11-12 00:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-17 19:33 . 2009-05-04 00:36 1356 ----a-w- c:\users\Mindy\AppData\Local\d3d9caps.dat
2010-03-11 09:19 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-26 00:34 . 2009-05-04 00:37 100432 ----a-w- c:\users\Mindy\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 15:16 . 2009-10-03 19:53 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-16 09:00 . 2010-02-16 09:00 84912 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100216.005\NAVENG.SYS
2010-02-16 09:00 . 2010-02-16 09:00 1324720 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100216.005\NAVEX15.SYS
2010-02-11 06:15 . 2009-05-09 20:02 -------- d-----w- c:\program files\Google
2010-02-11 03:02 . 2010-02-11 03:02 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb316D.tmp.exe
2010-01-31 02:31 . 2010-01-31 02:31 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbE032.tmp.exe
2010-01-29 18:55 . 2010-01-29 18:51 151353216 ----a-w- c:\programdata\CA\Consumer\CCube\tmp\CE2108DDDEEE318E1EF71856A9F08C73.exe
2010-01-18 09:00 . 2010-02-16 21:27 2747440 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100216.005\CCERASER.DLL
2010-01-18 09:00 . 2010-01-18 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\CCERASER.DLL
2010-01-02 06:38 . 2010-01-22 05:26 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 05:26 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 05:26 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 05:26 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-28 12:35 . 2010-02-11 03:07 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-28 12:35 . 2010-02-11 03:07 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-28 12:32 . 2010-02-11 03:07 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-28 12:32 . 2010-02-11 03:07 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-28 12:32 . 2010-02-11 03:07 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-28 12:32 . 2010-02-11 03:07 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-28 12:31 . 2010-02-11 03:07 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-28 12:31 . 2010-02-11 03:07 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-28 12:28 . 2010-02-11 03:07 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-28 12:28 . 2010-02-11 03:07 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-05-04 01:39 . 2009-05-04 01:39 76 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-10 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-13 405504]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-10-25 167936]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-08 3444736]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-24 174616]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 133656]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-04 148888]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"cctray"="c:\program files\CA\CA Internet Security Suite\casc.exe" [2009-11-11 374000]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-11-30 271600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-12-30 1389904]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-06-06 21:46 79368 ----a-w- c:\windows\System32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

S1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys [2009-01-09 72696]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-09-20 73728]
S2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [2009-11-11 128240]
S2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2009-01-09 1153528]
S2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2009-01-09 797176]
S2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2008-09-02 289272]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2007-06-07 111616]
S3 KmxCfg;KmxCfg;c:\windows\system32\DRIVERS\kmxcfg.sys [2009-01-09 205304]

.
Contents of the 'Scheduled Tasks' folder

2010-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 06:15]

2010-03-21 c:\windows\Tasks\Norton Security Scan for Mindy.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2010-01-07 19:12]

2010-03-24 c:\windows\Tasks\User_Feed_Synchronization-{20443DEE-914F-465B-A2CC-29C0CF72467B}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
LSP: c:\windows\system32\VetRedir.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-FBSSA - c:\program files\SGPSA\ie3sh.exe

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
FBSSA = c:\program files\SGPSA\ie3sh.exe?=no,copyhistory=no'); } publish_window.focus();; return false;" hre

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-03-24 07:51:31
ComboFix-quarantined-files.txt 2010-03-24 12:51

Pre-Run: 172,997,185,536 bytes free
Post-Run: 174,720,184,320 bytes free

- - End Of File - - B45961A579C31663D3DAD52F6C6A06FC

TeMerc · **Posted:** Thu Mar 25, 2010 12:27 am

That grabbed a couple of things, how's the system now? Please advise, also update and rescan with Malwarebytes

marksteinway · **Joined:** Tue Mar 16, 2010 4:32 pm **Posts:** 15

It seems to be working well. Thank you! One more thing before I post the logfile: Somewhere going through the various software utilities I forget where I saw it, but one of them mentioned buying a utility that would prevent this type of malware from invading. Since my wife is not as savvy and sometimes falls victim to phony security "warnings", is there such a product I can put on her laptop?

Also, should I regularly scan with one of these utilities? And what should I look for?

Thanks again for your help.

Here's the logfile:

Malwarebytes' Anti-Malware 1.43
Database version: 3458
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18882

3/25/2010 7:03:04 AM
mbam-log-2010-03-25 (07-03-04).txt

Scan type: Quick Scan
Objects scanned: 106786
Time elapsed: 5 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

TeMerc · **Posted:** Thu Mar 25, 2010 8:06 pm

marksteinway wrote:

It seems to be working well. Thank you! One more thing before I post the logfile: Somewhere going through the various software utilities I forget where I saw it, but one of them mentioned buying a utility that would prevent this type of malware from invading. Since my wife is not as savvy and sometimes falls victim to phony security "warnings", is there such a product I can put on her laptop?

Also, should I regularly scan with one of these utilities? And what should I look for?

Thanks again for your help.

You don't really need to spend a dime to surf and stay safe. I'll post some stuff once we're done you can add to keep the system more secure.

Quote:

Here's the logfile:

Malwarebytes' Anti-Malware 1.43
Database version: 3458

You need to update, you're one version behind and like 500 database updates behind.

Please uninstall Malwarebytes via Add or Remove Programs applet.

Reboot the system.

Then run this clean up tool and allow a reboot when prompted. If this tool displays an error, continue on with reinstall please.
http://www.malwarebytes.org/mbam-clean.exe

Then reinstall Malwarebytes Anti-Malware from the link below (downloads do not differ, registration with your ID & key activate the Pro features)
http://mbam.malwarebytes.org/program/mbam-setup.exe

Save the file to your desktop then double-click it to begin installation.

marksteinway · **Joined:** Tue Mar 16, 2010 4:32 pm **Posts:** 15

Don't know if you need to see this, but here it is:

Malwarebytes' Anti-Malware 1.44
Database version: 3915
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18882

3/25/2010 11:14:56 PM
mbam-log-2010-03-25 (23-14-56).txt

Scan type: Quick Scan
Objects scanned: 118744
Time elapsed: 6 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

What now?

TeMerc · **Posted:** Fri Mar 26, 2010 11:59 pm

Ok, that's good, all clean.

Guess it's time we cleaned up some of the tools we used and then our recommendations to remain malware free.

Any specialty tools which were downloaded may be deleted and all pertaining folders as well. These tools constantly have their databases updated and\or have the method of how they work altered and in all likelihood you would need to download new ones.

Be sure your Java is up to date, many infections use exploits of unpatched systems.

Go to Start > Control Panel double-click on the Software icon > add/remove programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
Select it and click Remove.
Then Download and install the newest version from here

Now that you have regained control of your machine, lets keep it clean. The apps listed below are the ones we recommend. They will help prevent further infections and can be trusted to work well on all systems

SpywareBlaster will prevent known ActiveX installs, by setting killbits into the registry.
With Spyware Blaster, just DL, check for updates, enable all protection and you're done.

And either of the two following hosts file databases will keep an even stronger layer of defense:

The latter contains more sites as they tend to include domains\IPs which are involved in even the slightest way with malware distribution or sites involved in any other sort of salacious activities. Basically, lay with dogs, get fleas type of thing.

To manage your hosts file we recommend using HostsXpert. With this tool, you can download the latest updates, merge them with another hosts file, edit entries and much more. It's freeware and works very well on all systems

And to prevent unknown applications from being installed on your machine install WinPatrol 2008 v15. WinPatrol is also great at controlling which applications start with Windows. It's even got a nifty 'delay' feature.

Another thing I would suggest, is to install SiteAdvisor or SiteHound. Each provide similar protection, tho SiteAdvisor also rates sites on business practices and spam. SiteHound will offer some content advice as well as security alerts on known rogue sites.

Confused about which apps are good or not? Read about anti-spyware apps pretending to be just that, but are in fact apps which will infect you. For the latest software rated as such check out the this page.

And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
Calendar of Updates

Happy surfing!!
Tom

As your infection removal here in this forum has been completed, we hope you take the time to look around and get involved in some of the other forums. The forums grow and become even more helpful with input from all of our members. We can all help everyone together as a community.

And if we've helped you out and you'd like to contribute to the costs maintaining the site please use the PayPal button as displayed at the top of the page.

This is 100% optional as all our help to you has always been free and will continue be free forever.

marksteinway · **Joined:** Tue Mar 16, 2010 4:32 pm **Posts:** 15

Thank you for all of your help. You guys rock!

TeMerc · **Posted:** Sat Mar 27, 2010 8:26 pm

You're quite welcome, happy to have helped.

****This topic has been successfully resolved and is now locked. If the original user needs to have this thread re-opened please PM me

Any other users with similar problems please use the 'New Topic' button to begin a new thread.****
Tom\TeMerc

***Due to lack of reply, this topic is now locked. If the original user requires it re-opened, please PM me.

Forum rules

Particularly vicious Antivirus Soft infection on PC laptop

Who is online

Who is online

Who is online
	In total there is 1 user online :: 0 registered, 0 hidden and 1 guest (based on users active over the past 5 minutes) Most users ever online was 282 on Tue Sep 25, 2012 11:30 am Users browsing this forum: No registered users and 1 guest