Topic: Got a virus/trojan?? through bad link - PLEASE HELP
cjinca
« on: January 22, 2010, 15:43:16 »

Yesterday morning, while not yet awake, I checked email, saw I had a message from a Facebook friend and clicked on the link without noticing that the email format was a bit different than others (only been on FB 6 months, catching up with old friends).
As soon as I hit the link, I had the 'warning, warning, warning, computer at risk' type message pop up. I downloaded the file after several attempts to ignore it, going back and forth about what to do. But after I downloaded it, I chose not to open/run it. Still, I think the computer is screwed. I emptied the download cache and changed my password on FB. Then I came to Spykiller, ran and saved the first two files you ask for and then started on the third, GMER. It took literally ALL day, and the computer seems to be frozen up with it. I'm writing from a different computer. I'd left last night and when I got home, it seemed to have completed but froze up when I tried to save it. Then again this morning, I noticed that the save file had finally opened, but when I tried to change the location to the desktop, it froze. The screen was going blank and coming back on last night, and since then I can see files and folders on the desktop, but no toolbar at the bottom.
Initially, I was going to ask if I could post without GMER. Unless it 'unfreezes' again, I'll have to attempt a restart, but I hope I'll hear from you guys as to what the next best step is.
Thanks in advance for your help. cj
Derek
Administrator
« Reply #1 on: January 22, 2010, 16:06:43 »

Delete any existing version of ComboFix you have sitting on your desktop.
Please read and follow all these instructions very carefully.

Download ComboFix from Here to your Desktop.

**Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results" or stop ComboFix running at all.
  • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running ComboFix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again after ComboFix has finished.
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running.
Double click on combofix.exe & follow the prompts.
If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" for further review.


****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If ComboFix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.
Derek
Microsoft MVP  Windows - Security
Modern Malware is so involved and difficult to fix that it takes a very long time and a lot of hard work and research to prepare the fixes for you. A large part of my time is spent helping you
Would you do all this for nothing?
 I run this site to raise funds for Hedgehog Rescue
Please donate if I have helped you or you have found this site useful.

cjinca
« Reply #2 on: January 22, 2010, 16:34:29 »

Here is DDS and Attach. I'll now attempt ComboFix.


DDS (Ver_09-12-01.01) - NTFSx86 
Run by Paul Legge at  8:47:47.01 on Thu 01/21/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.438 [GMT -8:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated)   {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Paul Legge\My Documents\Downloads\dds(3).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070119
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Page_URL = hxxp://www.dell.com
mSearch Page =
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [<NO NAME>]
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [%PROVIDERID%] "bin\sprtcmd.exe" /P %PROVIDERID%
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\paulle~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUfox000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://supportapj.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://camconsole.myloadspring.com/CAM/ica_web_client/wficat_9_100.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\paulle~1\applic~1\mozilla\firefox\profiles\0iozpr0t.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://us.mg1.mail.yahoo.com/dc/launch?.rand=0rpc4ocngagen
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\paul legge\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\paul legge\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\paul legge\application data\move networks\plugins\npqmp071505000011.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-4 64288]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-10 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-12-10 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-12-10 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-10 56816]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2009-12-10 93320]
S2 0199001261576088mcinstcleanup;McAfee Application Installer Cleanup (0199001261576088);c:\windows\temp\019900~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\019900~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]

=============== Created Last 30 ================

2010-01-11 19:10:39   22016   ----a-w-   c:\documents and settings\paul legge\I keep adding to this.doc

==================== Find3M  ====================

2009-12-12 22:18:24   56816   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2009-12-08 05:18:53   15880   ----a-w-   c:\windows\system32\lsdelete.exe
2009-11-21 15:51:04   471552   ----a-w-   c:\windows\system32\dllcache\aclayers.dll
2009-11-14 04:39:45   4876   ----a-w-   c:\windows\system32\d3d9caps.dat
2009-10-28 14:36:11   70656   ------w-   c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:36:11   13824   ------w-   c:\windows\system32\dllcache\ieudinit.exe
2009-10-28 06:54:16   634632   ------w-   c:\windows\system32\dllcache\iexplore.exe
2009-10-28 06:52:46   161792   ------w-   c:\windows\system32\dllcache\ieakui.dll
2008-09-21 19:07:53   32768   -csha-w-   c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092120080922\index.dat

============= FINISH:  8:48:21.18 ===============

* Attach.txt (11.02 KB - downloaded 11 times.)
cjinca
« Reply #3 on: January 22, 2010, 17:02:38 »

1. I have Windows XP, Service Pack 3 and Firefox as my browser.
2. I disabled the firewall, Avira Personal, SpywareBlaster and Ad-Aware before downloading ComboFix (then enabled them after ComboFix completed).
3. ComboFix went to the download folder; normally after running from here, I have the program/file on the desktop, but I did NOT on this one. I completed ComboFix, but it is NOT on the desktop. Sorry, please advise.
4. I haven't seen strange behavior on the computer since closing GMER.

ComboFix 10-01-21.08 - Paul Legge 01/22/2010   8:47.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.389 [GMT -8:00]
Running from: c:\documents and settings\Paul Legge\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\FunWebProducts
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\windows\EventSystem.log

.
(((((((((((((((((((((((((   Files Created from 2009-12-22 to 2010-01-22  )))))))))))))))))))))))))))))))
.

2010-01-22 16:27 . 2010-01-22 16:27   --------   d-----w-   c:\windows\LastGood

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-22 16:36 . 2009-07-07 06:01   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-01-21 15:46 . 2009-07-07 06:01   --------   d-----w-   c:\program files\SpywareBlaster
2010-01-20 18:13 . 2009-07-04 16:07   372280   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-20 18:13 . 2009-10-10 16:09   3803208   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-01-20 18:11 . 2009-07-04 16:07   823928   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-15 05:22 . 2009-07-04 16:08   862040   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-15 05:22 . 2009-07-04 16:07   206944   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-15 05:22 . 2009-07-04 16:07   390288   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-15 05:22 . 2009-12-08 05:18   537576   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-01-15 05:22 . 2009-07-04 16:08   194104   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-15 05:20 . 2009-07-04 16:07   6296864   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-15 05:20 . 2009-07-04 16:07   933120   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-15 05:20 . 2009-07-04 16:07   816272   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-15 05:20 . 2009-07-04 16:07   1643272   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-15 05:20 . 2009-07-04 16:07   788880   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-15 05:20 . 2009-07-04 16:07   1181328   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-14 01:34 . 2007-03-09 18:13   --------   d-----w-   c:\program files\Common Files\Adobe
2009-12-12 22:18 . 2009-12-10 21:08   56816   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2009-12-10 21:48 . 2009-12-10 21:48   --------   d-----w-   c:\documents and settings\LocalService\Application Data\McAfee
2009-12-10 21:43 . 2009-12-10 21:43   --------   d-----w-   c:\program files\Common Files\McAfee
2009-12-10 21:43 . 2009-12-10 21:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
2009-12-10 21:42 . 2007-01-20 00:20   --------   d-----w-   c:\program files\McAfee
2009-12-10 21:08 . 2009-12-10 21:08   --------   d-----w-   c:\program files\Avira
2009-12-10 21:08 . 2009-12-10 21:08   --------   d-----w-   c:\documents and settings\All Users\Application Data\Avira
2009-12-09 04:06 . 2009-12-09 04:06   208948   ----a-w-   c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-12-08 05:18 . 2009-11-10 17:24   15880   ----a-w-   c:\windows\system32\lsdelete.exe
2009-12-08 05:18 . 2009-07-04 16:08   15880   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-12-08 05:18 . 2009-07-04 16:07   163728   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-12-08 05:17 . 2009-07-04 16:07   327000   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-12-08 05:17 . 2009-07-04 16:07   87496   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-12-08 04:56 . 2009-12-08 04:56   --------   dc-h--w-   c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-06 18:30 . 2008-02-10 02:00   --------   d-----w-   c:\program files\QuickTime
2009-12-06 18:28 . 2009-12-06 18:28   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple Computer
2009-12-06 18:27 . 2009-12-06 18:27   --------   d-----w-   c:\program files\Common Files\Apple
2009-12-06 18:27 . 2009-12-06 18:27   --------   d-----w-   c:\program files\Apple Software Update
2009-12-06 18:27 . 2009-12-06 18:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple
2009-11-21 15:51 . 2004-08-11 23:00   471552   ----a-w-   c:\windows\AppPatch\aclayers.dll
2009-11-14 04:39 . 2009-11-14 04:39   4876   ----a-w-   c:\windows\system32\d3d9caps.dat
2009-11-07 17:47 . 2009-07-13 00:08   127325   ----a-w-   c:\documents and settings\Paul Legge\Application Data\Move Networks\uninstall.exe
2009-11-07 17:47 . 2009-08-13 19:21   4187512   ----a-w-   c:\documents and settings\Paul Legge\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-07 17:47 . 2009-11-07 17:47   1408800   ----a-w-   c:\documents and settings\Paul Legge\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe
2009-11-07 15:27 . 2009-08-03 21:48   4187512   ----a-w-   c:\documents and settings\Paul Legge\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-11-07 15:27 . 2009-11-07 15:27   1407680   ----a-w-   c:\documents and settings\Paul Legge\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
2009-11-04 04:22 . 2009-11-04 04:22   152576   ----a-w-   c:\documents and settings\Paul Legge\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-29 07:46 . 2004-08-11 23:00   832512   ----a-w-   c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-11 23:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-11 23:00   17408   ----a-w-   c:\windows\system32\corpol.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-17 36864]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-04-01 155648]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-01-15 788880]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Paul Legge\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-6-24 803176]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-1-19 24576]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ      msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/4/2009 8:08 AM 64288]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/10/2009 1:08 PM 108289]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [12/10/2009 1:43 PM 93320]
S2 0199001261576088mcinstcleanup;McAfee Application Installer Cleanup (0199001261576088);c:\windows\TEMP\019900~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\019900~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 3:17 AM 1181328]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 4:20 AM 12648]
.
Contents of the 'Scheduled Tasks' folder

2010-01-22 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 18:11]

2010-01-22 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 18:11]

2010-01-22 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 18:11]

2010-01-22 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 18:11]

2010-01-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 18:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUfox000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Paul Legge\Application Data\Mozilla\Firefox\Profiles\0iozpr0t.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://us.mg1.mail.yahoo.com/dc/launch?.rand=0rpc4ocngagen
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Paul Legge\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Paul Legge\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
HKLM-Run-%PROVIDERID% - bin\sprtcmd.exe
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-22 08:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-01-22  08:54:08
ComboFix-quarantined-files.txt  2010-01-22 16:53

Pre-Run: 39,520,591,872 bytes free
Post-Run: 39,494,463,488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - DB0A7C9DFFC21138F9F9FB6DEBA092F7
Derek
Administrator
« Reply #4 on: January 22, 2010, 17:46:44 »

nothing showing anything obviously bad

* Run Kaspersky online virus scan: Kaspersky Online Scanner.

After the updates have downloaded, click on the "Scan Settings" button.
Select "Spyware, Adware, Dialers and other potentially dangerous programs" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, save the results from the scan!

Note: Kavscan is a scanner only & won't fix anything, but it will normally find the most infected files, so its report gives us a good place to work from.

If that won't run, then run an online antivirus check from one of the following sites:
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.bitdefender.com/scan8/ie.html

Derek
Microsoft MVP Windows - Security
Modern Malware is so involved and difficult to fix that it takes a very long time and a lot of hard work and research to prepare the fixes for you. A large part of my time is spent helping you.
Would you do all this for nothing?
I run this site to raise funds for Hedgehog Rescue.
Please donate if I have helped you or you have found this site useful.

cjinca
« Reply #5 on: January 22, 2010, 20:22:37 »

Kaspersky shows that program and database are both 100% uploaded.
Left side of window looks like:

System Information

Update

Scan
  Critical areas
  My Computer

  Folder...
  File...

Report

Support

Help

Settings
When I select Settings:

Scan computer for the presence of these threats:
  Viruses, worms, Trojans, rootkits CHECKED
  Spyware, adware, dialers, and other riskware CHECKED
Scan compound objects (not applicable for single files selected individually):
  Archives CHECKED
  E-mail databases CHECKED
Do I leave the above as is? Then select My Computer?
Or do I need to make changes to what is checked above?
Derek
Administrator
« Reply #6 on: January 22, 2010, 20:43:17 »

that is fine

just press scan
cjinca
« Reply #7 on: January 22, 2010, 23:49:34 »

I saved the report on the desktop but it's a web page. It shows one infection. Can you read this?

file:///C:/Documents%20and%20Settings/Paul%20Legge/Desktop/kaspersky.html

EDIT to this post - adding the following from the Kaspersky report:

C:\Documents and Settings\Paul Legge\My Documents\Downloads\MyFunCardsSetup2.3.50.56.ZUfox000.exe

  Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.a.ay

Also, I still have the facebook email with the bad link and it's in my facebook messages as well. I didn't want to delete it till you said to. Do you want to investigate the link?
Derek
Administrator
« Reply #8 on: January 23, 2010, 08:51:56 »

Please download Malwarebytes' Anti-Malware to your desktop
from HERE or HERE

Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

Update Malwarebytes' Anti-Malware. Launch Malwarebytes' Anti-Malware. Then click Finish.

If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please include this log in your next reply.

It might ask you to reboot to finish cleaning. Please do so. (Press YES on the alert.)
If you receive an (Error Loading xxxxxxxxxx .dll) error on reboot, please reboot a second time. It is normal for this error to occur once and it does not need to be reported unless it continues on every boot.

Please send me a personal message with the link.
Don't post it in public on the forum (in case anyone else clicks on it & infects themselves).
cjinca
« Reply #9 on: January 23, 2010, 15:57:07 »

After starting Malwarebytes, Avira prompted this warning: TR/FakeXPA.A.256 trojan

In C:\Documents and Settings\Paul Legge\My Documents\...\Setup_430(2).exe
Should I quarantine, delete, or??? I have to leave the house in 20 minutes for the entire day. I guess I'll either prompt quarantine or leave everything running if I don't hear. Not sure which is safest. Thinking Avira is keying off the other program that is running. Hopefully, that's it.