Help Internet Security 2010 Crashed ME

[Derek]

there is a little bit more to do to finish off this one

Download the attached CFScript.txt  and save it to your  desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press SAVE and choose desktop  in the list of selections in that window & press save)

Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished

Close any open browsers
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

 



 

This will start ComboFix again.  It may ask to reboot.  Post the contents of Combofix.txt in your next reply .


Note: these instructions and script were created specifically for this user.  If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum


then


Please download  free version of Malwarebytes' Anti-Malware to your desktop
from HERE or HERE

Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

Update Malwarebytes' Anti-Malware. Launch Malwarebytes' Anti-Malware. Then click Finish.

If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please include this log in your next reply.

It might ask you to reboot to finish cleaning. Please do so. ( Press YES on the alert) 
If you receive an (Error Loading xxxxxxxxxx .dll) error on reboot please reboot a second time . It is normal for this error to occur once and does not need to be reported unless it continues on every boot 

[Sypalyons]

Derek, how do I disabled AVG?? It won't suspend?

[Derek]

just right click the icon in systray & select disable or turn off resident protection if there

if not just run cf anyway

[Sypalyons]

Nothing there. I did find I could  uncheck the shield in Advanced Settings, so have done that. Thank you.

[Sypalyons]

ComboFix 10-01-26.02 - Puddintaine 01/26/2010  17:04:17.3.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1015.546 [GMT -6:00]
Running from: c:\documents and settings\Puddintaine\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Puddintaine\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\Qketesi.dat"
"c:\windows\Yjuxa.bin"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Qketesi.dat
c:\windows\Yjuxa.bin

.
(((((((((((((((((((((((((   Files Created from 2009-12-26 to 2010-01-26  )))))))))))))))))))))))))))))))
.

2010-01-26 15:37 . 2010-01-26 01:58   3777280   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-01-26 15:37 . 2010-01-26 01:58   1260800   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-01-26 01:58 . 2010-01-26 16:15   --------   d-----w-   C:\$AVG
2010-01-26 01:58 . 2010-01-26 01:58   360584   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2010-01-26 01:58 . 2010-01-26 01:58   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
2010-01-26 01:58 . 2010-01-26 01:58   333192   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
2010-01-26 01:58 . 2010-01-26 01:58   28424   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
2010-01-26 01:58 . 2010-01-26 15:37   --------   d-----w-   c:\windows\system32\drivers\Avg
2010-01-26 01:57 . 2010-01-26 01:57   --------   d-----w-   c:\program files\AVG
2010-01-26 01:57 . 2010-01-26 01:57   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
2010-01-26 01:49 . 2010-01-26 01:49   --------   d-----w-   c:\documents and settings\Puddintaine\Application Data\SUPERAntiSpyware.com
2010-01-26 01:47 . 2010-01-26 01:47   --------   d-----w-   c:\documents and settings\Puddintaine\Application Data\Sammsoft
2010-01-08 00:24 . 2010-01-08 00:24   466944   ----a-w-   c:\windows\Lake Michigan Shoreline.scr
2010-01-08 00:24 . 2010-01-08 00:24   1917116   ----a-w-   c:\windows\Lake Michigan Shoreline.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-26 01:51 . 2008-06-14 01:46   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-01-25 16:58 . 2008-06-14 01:46   --------   d-----w-   c:\program files\SpywareBlaster
2010-01-25 05:17 . 2009-12-26 02:24   --------   d-----w-   c:\documents and settings\All Users\Application Data\Skype
2010-01-24 17:56 . 2007-08-13 09:48   --------   d-----r-   c:\program files\Favorites
2010-01-14 17:12 . 2009-10-19 17:49   181120   ------w-   c:\windows\system32\MpSigStub.exe
2010-01-08 00:29 . 2009-12-06 19:18   28672   ----a-w-   c:\windows\system32\ssconfig.exe
2010-01-08 00:29 . 2009-12-06 19:18   180224   ----a-w-   c:\windows\UninstallWSST.exe
2010-01-05 10:00 . 2003-03-31 12:00   832512   ------w-   c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2007-08-11 19:37   78336   ------w-   c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2003-03-31 12:00   17408   ----a-w-   c:\windows\system32\corpol.dll
2009-12-30 22:00 . 2009-12-26 02:46   --------   d-----w-   c:\documents and settings\Puddintaine\Application Data\skypePM
2009-12-29 02:21 . 2008-06-19 16:28   --------   d-----w-   c:\program files\Opera
2009-12-29 02:15 . 2007-08-15 05:25   --------   d-----w-   c:\program files\Lavasoft
2009-12-29 02:15 . 2007-08-15 05:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-25 17:46 . 2009-08-31 15:30   --------   d-----w-   c:\documents and settings\Puddintaine\Application Data\HPAppData
2009-12-25 14:50 . 2007-08-11 19:45   49368   ----a-w-   c:\documents and settings\Puddintaine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-25 02:21 . 2009-08-04 23:12   --------   d-----w-   c:\documents and settings\Puddintaine\Application Data\mjusbsp
2009-12-20 22:53 . 2009-12-20 22:53   26089140   ----a-w-   c:\windows\Faux Fire Saver.SCR
2009-12-20 22:53 . 2009-12-20 22:53   --------   d-----w-   c:\documents and settings\Puddintaine\Application Data\iScreensaver
2009-12-14 22:56 . 2008-08-26 20:17   --------   d-----w-   c:\program files\Quote-Fix
2009-12-06 19:25 . 2009-12-06 19:25   5879617   ----a-w-   c:\windows\christmas2005.scr
2009-12-06 19:18 . 2009-12-06 19:18   2610006   ----a-w-   c:\windows\Snow People.dat
2009-12-06 19:18 . 2009-12-06 19:18   466944   ----a-w-   c:\windows\Snow People.scr
2009-11-21 15:51 . 2003-03-31 12:00   471552   ----a-w-   c:\windows\AppPatch\aclayers.dll
2009-11-12 03:30 . 2009-11-12 03:30   93360   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
2009-10-10 01:26 . 2009-10-10 01:26   1615732   ----a-w-   c:\program files\ProcessExplorer.zip
2009-10-05 05:59 . 2009-10-05 05:59   4143779   ----a-w-   c:\program files\cdbxp_setup_4.2.6.1706.exe
2009-10-04 01:26 . 2009-10-04 01:26   308160   ----a-w-   c:\program files\avast_home_setup.exe
2009-09-02 00:01 . 2009-09-02 00:01   57182416   ----a-w-   c:\program files\Nero-9.4.12.3d_free.exe
2009-08-01 20:14 . 2009-08-01 20:14   442080   ----a-w-   c:\program files\msgr9us.exe
2009-01-27 13:20 . 2009-01-27 13:20   2874184   ----a-w-   c:\program files\EASetup.exe
2009-01-27 12:34 . 2009-01-27 12:34   0   ----a-w-   c:\program files\install_flash_player.exe
2009-01-27 12:34 . 2009-01-27 12:33   1778425   ----a-w-   c:\program files\install_flash_player.exe.part
2008-12-01 23:29 . 2008-12-01 23:29   2400784   ----a-w-   c:\program files\WLinstaller.exe
2008-07-28 04:43 . 2008-07-28 04:43   23766320   ----a-w-   c:\program files\Common Files\QuickTimeInstaller.exe
2008-06-24 01:23 . 2008-06-24 01:22   922042   ----a-w-   c:\program files\internet-eraser-setup.exe
2008-06-14 01:39 . 2008-06-14 01:39   2869536   ----a-w-   c:\program files\spywareblastersetup41.exe
2008-06-02 02:09 . 2008-06-02 02:09   2092744   ----a-w-   c:\program files\PPnews080215.mp3
2007-09-03 00:43 . 2007-09-03 00:42   1998664   ----a-w-   c:\program files\oeqbfull.zip
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Puddintaine\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-26 2033432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-26 01:58   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages   REG_MULTI_SZ      scecli srfmomdb.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12   15360   ------w-   c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 21:31   80896   ----a-w-   c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-09-20 14:32   77824   ----a-w-   c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-09-20 14:36   114688   ----a-w-   c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-31 20:23   149280   ----a-w-   c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Mail Scanner"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"avg8emc"=2 (0x2)
"SoundMAX Agent Service (default)"=2 (0x2)
"McciCMService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Nero BackItUp Scheduler 4.0"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"aswUpdSv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\freecell.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Kurzweil Educational Systems\\Kurzweil 1000\\Kurzweil 1000.exe"=
"c:\\Documents and Settings\\Puddintaine\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 Ai2sXP;Ai2sXP;c:\windows\system32\drivers\Ai2sXP.sys [8/11/2007 10:01 PM 7168]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/25/2010 7:58 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/25/2010 7:58 PM 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [1/25/2010 7:57 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/25/2010 7:57 PM 285392]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.breastcancer-experience.net/
Trusted Zone: advancial.org\www
Trusted Zone: microsoft.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AROReminder - c:\program files\Advanced Registry Optimizer\aro.exe
AddRemove-Advanced Registry Optimizer_is1 - c:\program files\Advanced Registry Optimizer\unins000.exe
AddRemove-{CD4D567E-44D7-4CDA-977D-C918D88FA3D9}_is1 - c:\program files\MemTurbo 4\unins000.exe



**************************************************************************
scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-507921405-1580818891-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-507921405-1580818891-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3EA73A8E-70E3-D08A-A8BE-1BAA36EB0185}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(720)
c:\windows\srfmomdb.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-01-26  17:11:12
ComboFix-quarantined-files.txt  2010-01-26 23:11
ComboFix2.txt  2010-01-25 23:23
ComboFix3.txt  2009-10-05 16:13

Pre-Run: 14,898,671,616 bytes free
Post-Run: 15,098,380,288 bytes free

- - End Of File - - 484133A1AFB909EE9C7F7078C2CAAB28

[Derek]

next

download attached lsa_notificationfix.reg
save it & doubleclick it to enter into registry
Allow any prompts

then

*Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
*  Click START then RUN
*  Now type Combofix /Uninstall in the runbox  and click OK.  Note the space between the X and the /U, it needs to be there.


This will also purge the restore folder and clear any malware that has been put in there. Now Empty Recycle bin on desktop Then reboot.

go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

and scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer and update whatever it suggests

Then pay an urgent visit to windows update & make sure you are fully updated,  that will help to plug the security holes that let these pests on in the first place

remember to r- enable your anti-virus

[Sypalyons]

AV and Firewall back on. This is the log (I hope   ):


ComboFix 10-01-26.02 - Puddintaine 01/26/2010  17:04:17.3.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1015.546 [GMT -6:00]
Running from: c:\documents and settings\Puddintaine\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Puddintaine\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\Qketesi.dat"
"c:\windows\Yjuxa.bin"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Qketesi.dat
c:\windows\Yjuxa.bin

.
(((((((((((((((((((((((((   Files Created from 2009-12-26 to 2010-01-26  )))))))))))))))))))))))))))))))
.

2010-01-26 15:37 . 2010-01-26 01:58   3777280   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-01-26 15:37 . 2010-01-26 01:58   1260800   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-01-26 01:58 . 2010-01-26 16:15   --------   d-----w-   C:\$AVG
2010-01-26 01:58 . 2010-01-26 01:58   360584   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2010-01-26 01:58 . 2010-01-26 01:58   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
2010-01-26 01:58 . 2010-01-26 01:58   333192   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
2010-01-26 01:58 . 2010-01-26 01:58   28424   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
2010-01-26 01:58 . 2010-01-26 15:37   --------   d-----w-   c:\windows\system32\drivers\Avg
2010-01-26 01:57 . 2010-01-26 01:57   --------   d-----w-   c:\program files\AVG
2010-01-26 01:57 . 2010-01-26 01:57   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
2010-01-26 01:49 . 2010-01-26 01:49   --------   d-----w-   c:\documents and settings\Puddintaine\Application Data\SUPERAntiSpyware.com
2010-01-26 01:47 . 2010-01-26 01:47   --------   d-----w-   c:\documents and settings\Puddintaine\Application Data\Sammsoft
2010-01-08 00:24 . 2010-01-08 00:24   466944   ----a-w-   c:\windows\Lake Michigan Shoreline.scr
2010-01-08 00:24 . 2010-01-08 00:24   1917116   ----a-w-   c:\windows\Lake Michigan Shoreline.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-26 01:51 . 2008-06-14 01:46   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-01-25 16:58 . 2008-06-14 01:46   --------   d-----w-   c:\program files\SpywareBlaster
2010-01-25 05:17 . 2009-12-26 02:24   --------   d-----w-   c:\documents and settings\All Users\Application Data\Skype
2010-01-24 17:56 . 2007-08-13 09:48   --------   d-----r-   c:\program files\Favorites
2010-01-14 17:12 . 2009-10-19 17:49   181120   ------w-   c:\windows\system32\MpSigStub.exe
2010-01-08 00:29 . 2009-12-06 19:18   28672   ----a-w-   c:\windows\system32\ssconfig.exe
2010-01-08 00:29 . 2009-12-06 19:18   180224   ----a-w-   c:\windows\UninstallWSST.exe
2010-01-05 10:00 . 2003-03-31 12:00   832512   ------w-   c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2007-08-11 19:37   78336   ------w-   c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2003-03-31 12:00   17408   ----a-w-   c:\windows\system32\corpol.dll
2009-12-30 22:00 . 2009-12-26 02:46   --------   d-----w-   c:\documents and settings\Puddintaine\Application Data\skypePM
2009-12-29 02:21 . 2008-06-19 16:28   --------   d-----w-   c:\program files\Opera
2009-12-29 02:15 . 2007-08-15 05:25   --------   d-----w-   c:\program files\Lavasoft
2009-12-29 02:15 . 2007-08-15 05:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-25 17:46 . 2009-08-31 15:30   --------   d-----w-   c:\documents and settings\Puddintaine\Application Data\HPAppData
2009-12-25 14:50 . 2007-08-11 19:45   49368   ----a-w-   c:\documents and settings\Puddintaine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-25 02:21 . 2009-08-04 23:12   --------   d-----w-   c:\documents and settings\Puddintaine\Application Data\mjusbsp
2009-12-20 22:53 . 2009-12-20 22:53   26089140   ----a-w-   c:\windows\Faux Fire Saver.SCR
2009-12-20 22:53 . 2009-12-20 22:53   --------   d-----w-   c:\documents and settings\Puddintaine\Application Data\iScreensaver
2009-12-14 22:56 . 2008-08-26 20:17   --------   d-----w-   c:\program files\Quote-Fix
2009-12-06 19:25 . 2009-12-06 19:25   5879617   ----a-w-   c:\windows\christmas2005.scr
2009-12-06 19:18 . 2009-12-06 19:18   2610006   ----a-w-   c:\windows\Snow People.dat
2009-12-06 19:18 . 2009-12-06 19:18   466944   ----a-w-   c:\windows\Snow People.scr
2009-11-21 15:51 . 2003-03-31 12:00   471552   ----a-w-   c:\windows\AppPatch\aclayers.dll
2009-11-12 03:30 . 2009-11-12 03:30   93360   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
2009-10-10 01:26 . 2009-10-10 01:26   1615732   ----a-w-   c:\program files\ProcessExplorer.zip
2009-10-05 05:59 . 2009-10-05 05:59   4143779   ----a-w-   c:\program files\cdbxp_setup_4.2.6.1706.exe
2009-10-04 01:26 . 2009-10-04 01:26   308160   ----a-w-   c:\program files\avast_home_setup.exe
2009-09-02 00:01 . 2009-09-02 00:01   57182416   ----a-w-   c:\program files\Nero-9.4.12.3d_free.exe
2009-08-01 20:14 . 2009-08-01 20:14   442080   ----a-w-   c:\program files\msgr9us.exe
2009-01-27 13:20 . 2009-01-27 13:20   2874184   ----a-w-   c:\program files\EASetup.exe
2009-01-27 12:34 . 2009-01-27 12:34   0   ----a-w-   c:\program files\install_flash_player.exe
2009-01-27 12:34 . 2009-01-27 12:33   1778425   ----a-w-   c:\program files\install_flash_player.exe.part
2008-12-01 23:29 . 2008-12-01 23:29   2400784   ----a-w-   c:\program files\WLinstaller.exe
2008-07-28 04:43 . 2008-07-28 04:43   23766320   ----a-w-   c:\program files\Common Files\QuickTimeInstaller.exe
2008-06-24 01:23 . 2008-06-24 01:22   922042   ----a-w-   c:\program files\internet-eraser-setup.exe
2008-06-14 01:39 . 2008-06-14 01:39   2869536   ----a-w-   c:\program files\spywareblastersetup41.exe
2008-06-02 02:09 . 2008-06-02 02:09   2092744   ----a-w-   c:\program files\PPnews080215.mp3
2007-09-03 00:43 . 2007-09-03 00:42   1998664   ----a-w-   c:\program files\oeqbfull.zip
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Puddintaine\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-26 2033432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-26 01:58   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages   REG_MULTI_SZ      scecli srfmomdb.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12   15360   ------w-   c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 21:31   80896   ----a-w-   c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-09-20 14:32   77824   ----a-w-   c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-09-20 14:36   114688   ----a-w-   c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-31 20:23   149280   ----a-w-   c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Mail Scanner"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"avg8emc"=2 (0x2)
"SoundMAX Agent Service (default)"=2 (0x2)
"McciCMService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Nero BackItUp Scheduler 4.0"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"aswUpdSv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\freecell.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Kurzweil Educational Systems\\Kurzweil 1000\\Kurzweil 1000.exe"=
"c:\\Documents and Settings\\Puddintaine\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 Ai2sXP;Ai2sXP;c:\windows\system32\drivers\Ai2sXP.sys [8/11/2007 10:01 PM 7168]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/25/2010 7:58 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/25/2010 7:58 PM 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [1/25/2010 7:57 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/25/2010 7:57 PM 285392]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.breastcancer-experience.net/
Trusted Zone: advancial.org\www
Trusted Zone: microsoft.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AROReminder - c:\program files\Advanced Registry Optimizer\aro.exe
AddRemove-Advanced Registry Optimizer_is1 - c:\program files\Advanced Registry Optimizer\unins000.exe
AddRemove-{CD4D567E-44D7-4CDA-977D-C918D88FA3D9}_is1 - c:\program files\MemTurbo 4\unins000.exe



**************************************************************************
scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-507921405-1580818891-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-507921405-1580818891-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3EA73A8E-70E3-D08A-A8BE-1BAA36EB0185}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(720)
c:\windows\srfmomdb.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-01-26  17:11:12
ComboFix-quarantined-files.txt  2010-01-26 23:11
ComboFix2.txt  2010-01-25 23:23
ComboFix3.txt  2009-10-05 16:13

Pre-Run: 14,898,671,616 bytes free
Post-Run: 15,098,380,288 bytes free

- - End Of File - - 484133A1AFB909EE9C7F7078C2CAAB28

[Sypalyons]

"Caught" my AV in time, Derek. But "This will also purge the restore folder and clear any malware that has been put in there. Now Empty Recycle bin on desktop Then reboot." Nothing in the recycle bin - I'm rebooting, though. TTFN.

[Would you do all this for nothing?]

You have come to The Spykiller for help because your Antivirus or Antispyware hasn't been able to fix your problem.

Modern Malware has become so involved and difficult to fix that it takes a very long time and a lot of hard work to read all the logs posted here and research and prepare the fixes for you. In many cases each part of the fix takes about 30 minutes to prepare, so a large part of my time is spent helping you

Would you do all this for nothing?

The reason I run this site is to raise funds for Hedgehog Rescue

Please donate if I have helped you or you have found this site useful.

You can donate safely and securely by using the paypal service, just click on one of the buttons below.

To donate in UK £

To donate in US$

To donate in Euro €

Any amount no matter how small is gratefully accepted and needed to ensure we keep the Rescue Centre running

To donate via paypal when the button doesn't appear or the link doesn't work: just go to www.paypal.com or your country's paypal log in page and chose send money and use help@thehedgehog.co.uk as recipient email address and select other service as the option. then follow prompts

[Information]

  
  Information
   Security & Protection Blog
   Prevention
   Using Autoruns
     System Restore
  Rss feeds
     Microsoft at Home
     MSRC
     Malware blog

Take the Kaspersky Challenge: See what your current antivirus is missing. Our free online virus scanner is a great way to find out if you have any viruses or spyware on your machine without having to uninstall your current antivirus software or install a new one.

Kaspersky Online Scanner

Most importantly, you can see what viruses your current antivirus software let slip through! Now works with ANY Java enabled browser