Help? Please

[Pam H]

Ourcomputer sometime skips space, letters, enter when typed.
An ad will start playing audio without being prompted.
I cannot run security programs.
Our anti virus (AVG) was deleted.




DDS (Ver_09-12-01.01) - NTFSx86 
Run by Alex at 11:44:30.39 on Sat 01/30/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Basic   6.0.6001.1.1252.1.1033.18.2036.1208 [GMT -6:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\LEXBCES.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\LEXPPS.EXE
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Users\Alex\Documents\my Ebooks\dds.pif
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uStart Page = hxxp://www.hbeark.com/
uWindow Title = Internet Explorer provided by Dell
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Jteyakiheva] rundll32.exe "c:\users\alex\appdata\local\mag402.dll",Startup
uRun: [Nmogasaxo] rundll32.exe "c:\users\alex\appdata\local\asiqivoqul.dll",Startup
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150600.exe -Update -1150600 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6.3; SLCC1; .NET CLR 2.0.50727; MDDC; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" -"http://www.postopia.com/Games/gamepage.aspx?sitegameid=47"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\users\alex\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://hslda.webex.com/client/T26L10NSP49EP26/event/ieatgpc1.cab
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\program files\cozi express\CoziProtocolHandler.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-1-14 207792]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-1-17 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-1-17 59664]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-1-14 233136]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-9-23 155648]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-1-14 112592]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-1-14 359624]
S2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-1-14 1141712]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-1-14 70408]
S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2009-6-29 7548]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-1-17 33552]
S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]

=============== Created Last 30 ================

2010-01-30 16:14:13   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-30 16:14:12   0   d-----w-   c:\programdata\Malwarebytes
2010-01-30 16:14:11   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-01-30 16:14:11   0   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-01-30 15:40:33   0   d-----w-   c:\programdata\Office Genuine Advantage
2010-01-30 15:22:59   0   d-----w-   c:\program files\Anti-Virus Elite
2010-01-20 01:49:39   8361504   --sha-w-   c:\windows\system32\drivers\fidbox.dat
2010-01-20 01:49:39   112772   --sha-w-   c:\windows\system32\drivers\fidbox.idx
2010-01-19 20:32:16   3958   ----a-w-   C:\rollback.ini
2010-01-19 19:53:54   0   d-----w-   c:\programdata\ParetoLogic Anti-Virus PLUS
2010-01-19 19:53:54   0   d-----w-   c:\programdata\ParetoLogic
2010-01-19 19:53:54   0   d-----w-   c:\program files\common files\ParetoLogic
2010-01-19 19:52:22   10954752   ----a-w-   C:\ParetoLogic Anti-Virus PLUS.msi
2010-01-18 00:39:50   59664   --s---w-   c:\windows\system32\drivers\TfSysMon.sys
2010-01-18 00:39:50   33552   --s---w-   c:\windows\system32\drivers\TfNetMon.sys
2010-01-18 00:39:49   51984   --s---w-   c:\windows\system32\drivers\TfFsMon.sys
2010-01-14 23:06:46   883   ----a-w-   c:\windows\RegSDImport.xml
2010-01-14 23:06:46   880   ----a-w-   c:\windows\RegISSImport.xml
2010-01-14 23:06:46   767952   ----a-w-   c:\windows\BDTSupport.dll
2010-01-14 23:06:46   149456   ----a-w-   c:\windows\SGDetectionTool.dll
2010-01-14 23:06:46   131   ----a-w-   c:\windows\IDB.zip
2010-01-14 23:06:45   165840   ----a-w-   c:\windows\PCTBDRes.dll
2010-01-14 23:06:45   1640400   ----a-w-   c:\windows\PCTBDCore.dll
2010-01-14 23:06:45   1152444   ----a-w-   c:\windows\UDB.zip
2010-01-14 22:48:17   7387   ----a-w-   c:\windows\system32\drivers\pctgntdi.cat
2010-01-14 22:48:17   233136   ----a-w-   c:\windows\system32\drivers\pctgntdi.sys
2010-01-14 22:48:16   98600   ----a-w-   c:\windows\system32\drivers\pctwfpfilter.sys
2010-01-14 22:48:08   87784   ----a-w-   c:\windows\system32\drivers\PCTAppEvent.sys
2010-01-14 22:48:08   7412   ----a-w-   c:\windows\system32\drivers\PCTAppEvent.cat
2010-01-14 22:48:08   7383   ----a-w-   c:\windows\system32\drivers\pctcore.cat
2010-01-14 22:48:08   207792   ----a-w-   c:\windows\system32\drivers\PCTCore.sys
2010-01-14 22:48:03   7383   ----a-w-   c:\windows\system32\drivers\pctplsg.cat
2010-01-14 22:48:03   70408   ----a-w-   c:\windows\system32\drivers\pctplsg.sys
2010-01-14 22:47:58   0   d-----w-   c:\users\alex\appdata\roaming\PC Tools
2010-01-14 22:47:58   0   d-----w-   c:\programdata\PC Tools
2010-01-14 22:47:58   0   d-----w-   c:\program files\Spyware Doctor
2010-01-14 22:47:58   0   d-----w-   c:\program files\common files\PC Tools
2010-01-14 14:29:13   0   d-----w-   c:\programdata\Spybot - Search & Destroy
2010-01-14 14:29:13   0   d-----w-   c:\program files\Spybot - Search & Destroy
2010-01-14 03:51:27   0   d-----w-   c:\programdata\Lavasoft
2010-01-14 03:51:27   0   d-----w-   c:\program files\Lavasoft
2010-01-13 19:02:10   215583256   ----a-w-   c:\windows\MEMORY.DMP
2010-01-13 12:47:26   72704   ----a-w-   c:\windows\system32\fontsub.dll
2010-01-13 12:47:26   156672   ----a-w-   c:\windows\system32\t2embed.dll
2010-01-12 23:32:23   0   d---a-w-   c:\programdata\TEMP
2010-01-09 05:36:39   10752   ----a-w-   c:\windows\DCEBoot.exe
2010-01-09 05:18:14   157712   ----a-w-   c:\windows\system32\drivers\tmcomm.sys
2010-01-09 04:56:54   0   d-sh--w-   c:\users\alex\.COMMgr
2010-01-09 01:09:01   280   ----a-w-   c:\windows\system32\drivers\kgpfr2.cfg
2010-01-09 01:08:29   800   ----a-w-   c:\windows\system32\drivers\kgpcpy.cfg
2010-01-09 01:03:16   0   d-----w-   c:\programdata\SITEguard
2010-01-09 01:02:20   0   d-----w-   c:\program files\STOPzilla!
2010-01-09 01:02:20   0   d-----w-   c:\program files\common files\iS3
2010-01-09 01:02:19   0   d-----w-   c:\programdata\STOPzilla!
2010-01-08 23:50:40   0   d-----w-   c:\program files\Adware Professional
2010-01-04 01:07:54   872   ----a-w-   c:\windows\system32\krl32mainweq.dll
2010-01-04 01:06:33   202   ----a-w-   c:\windows\system32\srcr.dat

==================== Find3M  ====================

2010-01-22 03:02:18   1748   ----a-w-   c:\users\alex\appdata\roaming\wklnhst.dat
2010-01-02 06:38:20   916480   ----a-w-   c:\windows\system32\wininet.dll
2010-01-02 06:32:33   71680   ----a-w-   c:\windows\system32\iesetup.dll
2010-01-02 06:32:33   109056   ----a-w-   c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00   133632   ----a-w-   c:\windows\system32\ieUnatt.exe
2009-12-25 22:37:09   51200   ----a-w-   c:\windows\inf\infpub.dat
2009-12-25 22:37:09   143360   ----a-w-   c:\windows\inf\infstrng.dat
2009-12-25 22:37:01   86016   ----a-w-   c:\windows\inf\infstor.dat
2009-11-03 02:42:06   195456   ------w-   c:\windows\system32\MpSigStub.exe
2009-02-18 23:47:25   665600   ----a-w-   c:\windows\inf\drvindex.dat
2008-01-21 02:57:01   174   --sha-w-   c:\program files\desktop.ini
2006-11-02 12:39:34   30674   ----a-w-   c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34   30674   ----a-w-   c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34   287440   ----a-w-   c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34   287440   ----a-w-   c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21   287440   ----a-w-   c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21   287440   ----a-w-   c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19   30674   ----a-w-   c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19   30674   ----a-w-   c:\windows\inf\perflib\0000\perfc.dat
2009-10-20 17:58:30   245760   --sha-w-   c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-02-18 23:32:04   8192   --sha-w-   c:\windows\users\default\NTUSER.DAT

============= FINISH: 11:45:55.63 ===============

[Derek]

Delete any existing version of ComboFix you have sitting on your desktop

Please read and follow all these instructions very carefully

Download ComboFix from Here to your Desktop.

**Note:  It is important that it is saved directly to your desktop  and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

• Very Important! Temporarily disable your anti-virus and  anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
• Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
  
• Remember to re enable the protection again after combofix has finished
  

--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running

Double click on combofix.exe & follow the prompts.

If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this
When finished, it will produce a report for you. 
Please post the "C:\ComboFix.txt" for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version. 

[Pam H]

I cannot access bleeping computer at all. And this site sometimes won't load either.

[Pam H]

I looked at the cached pages for the bleeping computer instructions for disabling the security programs. I can't launch them to disable them.

[Derek]

see if Combofix downloads from http://www.forospyware.com/sUBs/ComboFix.exe

if they are both blocked try


download the free trial of http://www.prevx.com/freescan.asp 

Double click the file to install it

scan with it

if it finds a  rootkit it will offer to fix it, let it do the fix. if it finds anything else, report what it finds please

It is only free to deal with rootkits and some  adwares but will suggest you buy it to fix anything else

before you do that ( if you decide to ) post its report so we can  advise if it is necessary or whether we can deal with it another way

to get the report

right click the prevx icon in sys tray

select configure monitoring, then select the tools tab & save scan results

attach that file here to your next reply ( it might be too big to attach so zip it first)

[Pam H]

I hope this is right.  winging it.....

[Derek]

you zipped the instructions & not the report prevx made when it ran

[Pam H]

Ha!
Sorry for wasting your time.
Try this....

[Derek]

OK I can see what is wrong from that

I am attaching a  renamed copy of combofix (pamh.exe) because you are blocked from other combofix download sites by this malware

run it as I said to in my previous post

[Pam H]

Derek,
I was able to download and run the combofix from the renamed file.  It took the rest of the day to run it.  I saw the lil black box run and look complete. It froze my whole computer up. Are you fed up with me yet?

[Would you do all this for nothing?]

You have come to The Spykiller for help because your Antivirus or Antispyware hasn't been able to fix your problem.

Modern Malware has become so involved and difficult to fix that it takes a very long time and a lot of hard work to read all the logs posted here and research and prepare the fixes for you. In many cases each part of the fix takes about 30 minutes to prepare, so a large part of my time is spent helping you

Would you do all this for nothing?

The reason I run this site is to raise funds for Hedgehog Rescue

Please donate if I have helped you or you have found this site useful.

You can donate safely and securely by using the paypal service, just click on one of the buttons below.

To donate in UK £

To donate in US$

To donate in Euro €

Any amount no matter how small is gratefully accepted and needed to ensure we keep the Rescue Centre running

To donate via paypal when the button doesn't appear or the link doesn't work: just go to www.paypal.com or your country's paypal log in page and chose send money and use help@thehedgehog.co.uk as recipient email address and select other service as the option. then follow prompts

[Information]

  
  Information
   Security & Protection Blog
   Prevention
   Using Autoruns
     System Restore
  Rss feeds
     Microsoft at Home
     MSRC
     Malware blog

Take the Kaspersky Challenge: See what your current antivirus is missing. Our free online virus scanner is a great way to find out if you have any viruses or spyware on your machine without having to uninstall your current antivirus software or install a new one.

Kaspersky Online Scanner

Most importantly, you can see what viruses your current antivirus software let slip through! Now works with ANY Java enabled browser