Hijacked home page

Done. Combofix ran and the computer rebooted. A few error messages and then Superantispyware picked up an attempt to change the home page to go.microsoft.com.fwlink/?linkId=69157

Here's the log:

ComboFix 09-12-18.01 - BryanC 19/12/2009 17:38:17.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.3572.2729 [GMT 11:00]
Running from: c:\documents and settings\bryanc\Desktop\commy.exe
Command switches used :: c:\documents and settings\bryanc\Desktop\CFScript.txt.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\windows\system32\GPhotos.scr"
"c:\windows\system32\oleacc.dll"
"c:\windows\system32\oleaccrc.dll"
"c:\windows\system32\pwrshplugin.dll"
"c:\windows\system32\uiautomationcore.dll"
"c:\windows\system32\wevtfwd.dll"
"c:\windows\system32\winrmprov.dll"
"c:\windows\system32\winrs.exe"
"c:\windows\system32\winrscmd.dll"
"c:\windows\system32\winrshost.exe"
"c:\windows\system32\winrsmgr.dll"
"c:\windows\system32\winrssrv.dll"
"c:\windows\system32\wsmanhttpconfig.exe"
"c:\windows\system32\WsmAuto.dll"
"c:\windows\system32\wsmplpxy.dll"
"c:\windows\system32\wsmprovhost.exe"
"c:\windows\system32\WsmRes.dll"
"c:\windows\system32\WsmSvc.dll"
"c:\windows\system32\WsmWmiPl.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\GPhotos.scr
c:\windows\system32\pwrshplugin.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\wevtfwd.dll
c:\windows\system32\winrmprov.dll
c:\windows\system32\winrs.exe
c:\windows\system32\winrscmd.dll
c:\windows\system32\winrshost.exe
c:\windows\system32\winrsmgr.dll
c:\windows\system32\winrssrv.dll
c:\windows\system32\wsmanhttpconfig.exe
c:\windows\system32\WsmAuto.dll
c:\windows\system32\wsmplpxy.dll
c:\windows\system32\wsmprovhost.exe
c:\windows\system32\WsmRes.dll
c:\windows\system32\WsmSvc.dll
c:\windows\system32\WsmWmiPl.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_WinRM


((((((((((((((((((((((((( Files Created from 2009-11-19 to 2009-12-19 )))))))))))))))))))))))))))))))
.

2009-12-19 00:04 . 2009-12-19 00:12 -------- d-----w- C:\commy
2009-12-16 09:54 . 2009-12-16 09:54 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-12-10 00:23 . 2009-10-21 05:38 75776 -c----w- c:\windows\system32\dllcache\strmfilt.dll
2009-12-10 00:23 . 2009-10-21 05:38 25088 -c----w- c:\windows\system32\dllcache\httpapi.dll
2009-12-10 00:23 . 2009-10-20 16:20 265728 -c----w- c:\windows\system32\dllcache\http.sys
2009-12-10 00:23 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-10 00:23 . 2009-10-12 13:38 149504 -c----w- c:\windows\system32\dllcache\rastls.dll
2009-12-10 00:23 . 2009-10-12 13:38 79872 -c----w- c:\windows\system32\dllcache\raschap.dll
2009-12-10 00:23 . 2009-10-13 10:30 270336 -c----w- c:\windows\system32\dllcache\oakley.dll
2009-12-04 19:27 . 2009-12-04 19:27 -------- d-----w- c:\program files\Trend Micro
2009-12-04 14:56 . 2009-12-04 14:56 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2009-12-04 09:50 . 2009-12-04 09:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-04 09:49 . 2009-12-04 09:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-03 10:29 . 2009-12-03 10:29 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-02 20:18 . 2009-12-03 05:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-02 20:18 . 2009-12-03 05:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-02 12:00 . 2009-12-02 12:00 -------- d-----w- c:\documents and settings\bryanc\Application Data\Malwarebytes
2009-12-02 12:00 . 2009-12-15 11:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-02 12:00 . 2009-12-02 12:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-02 08:59 . 2009-12-04 20:36 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-02 08:59 . 2009-12-02 08:59 -------- d-----w- c:\documents and settings\bryanc\Application Data\SUPERAntiSpyware.com
2009-11-27 19:28 . 2009-11-27 19:28 -------- d-----w- c:\program files\Common Files\DivX Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-19 06:53 . 2009-09-02 23:31 0 ----a-w- c:\documents and settings\bryanc\Local Settings\Application Data\WavXMapDrive.bat
2009-12-19 06:37 . 2009-09-05 23:41 -------- d-----w- c:\documents and settings\bryanc\Application Data\Skype
2009-12-19 05:01 . 2009-09-05 23:44 -------- d-----w- c:\documents and settings\bryanc\Application Data\skypePM
2009-12-19 00:31 . 2009-09-04 11:15 -------- d-----w- c:\documents and settings\bryanc\Application Data\uTorrent
2009-12-19 00:03 . 2009-09-07 10:03 -------- d-----w- c:\documents and settings\bryanc\Application Data\U3
2009-12-18 06:36 . 2009-10-07 07:48 708928 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-18 05:57 . 2009-09-03 02:30 -------- d-----w- c:\program files\Paint Shop Pro 5
2009-12-16 21:40 . 2009-08-26 09:53 42206 ----a-w- c:\windows\system32\nvModes.dat
2009-12-10 07:06 . 2009-08-26 10:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-10 01:47 . 2009-08-26 10:38 -------- d-----w- c:\program files\Microsoft SQL Server
2009-12-10 01:42 . 2009-08-26 10:33 -------- d-----w- c:\program files\Microsoft.NET
2009-12-10 01:40 . 2009-08-26 10:40 -------- d-----w- c:\program files\Microsoft Small Business
2009-12-04 20:36 . 2009-12-04 09:50 117760 ----a-w- c:\documents and settings\bryanc\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-04 14:56 . 2009-09-03 07:40 -------- d-----w- c:\program files\Google
2009-12-02 20:19 . 2009-12-02 20:19 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-29 04:41 . 2009-09-03 12:37 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-11-29 04:41 . 2009-08-26 10:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-27 19:29 . 2009-11-26 22:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-27 19:29 . 2009-11-26 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-27 19:29 . 2009-11-20 11:39 -------- d-----w- c:\documents and settings\bryanc\Application Data\DivX
2009-11-27 19:29 . 2009-11-23 12:28 -------- d-----w- c:\program files\Optus Wireless Broadband
2009-11-27 19:28 . 2009-11-20 11:37 -------- d-----w- c:\program files\DivX
2009-11-23 20:13 . 2009-11-23 20:13 4150 ----a-r- c:\documents and settings\bryanc\Application Data\Microsoft\Installer\{1F9ED934-AD0F-4879-BDFB-ED02BA2BB14F}\ARPPRODUCTICON.exe
2009-11-23 20:12 . 2009-11-23 20:12 -------- d-----w- c:\program files\Microsoft Voice Command
2009-11-21 15:51 . 2008-04-25 16:16 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-18 12:28 . 2009-09-04 09:18 -------- d-----w- c:\program files\Photomatix
2009-11-14 02:07 . 2009-11-14 02:06 -------- d-----w- c:\program files\iTunes
2009-11-14 02:06 . 2009-11-14 02:06 -------- d-----w- c:\program files\iPod
2009-11-14 02:06 . 2009-09-03 06:39 -------- d-----w- c:\program files\Common Files\Apple
2009-11-14 01:58 . 2009-11-14 01:58 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-14 00:47 . 2009-11-14 00:47 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
2009-11-13 22:57 . 2009-11-13 22:57 922112 ------w- c:\windows\system32\imapi2fs.dll
2009-11-13 22:57 . 2009-11-13 22:57 426496 ------w- c:\windows\system32\imapi2.dll
2009-10-29 07:45 . 2008-04-25 16:16 916480 ------w- c:\windows\system32\wininet.dll
2009-10-27 07:04 . 2009-09-03 04:24 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-21 05:38 . 2008-04-25 16:16 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-04-25 16:16 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 00:23 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-19 02:06 . 2009-10-19 02:06 223232 ------w- c:\windows\system32\wksprt.exe
2009-10-19 02:06 . 2009-10-19 02:06 46080 ------w- c:\windows\system32\TSWbPrxy.exe
2009-10-19 02:06 . 2009-10-19 02:06 12800 ------w- c:\windows\system32\wksprtPS.dll
2009-10-19 02:06 . 2008-04-25 21:26 36864 ----a-w- c:\windows\system32\tsgQec.dll
2009-10-19 02:06 . 2008-04-25 21:26 1033728 ----a-w- c:\windows\system32\mstsc.exe
2009-10-19 02:06 . 2008-04-25 21:26 2689024 ----a-w- c:\windows\system32\mstscax.dll
2009-10-19 02:06 . 2009-10-19 02:06 44544 ------w- c:\windows\system32\MsRdpWebAccess.dll
2009-10-19 02:06 . 2008-04-25 21:26 130560 ----a-w- c:\windows\system32\aaclient.dll
2009-10-18 21:32 . 2009-10-18 21:32 152576 ----a-w- c:\documents and settings\bryanc\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-15 21:53 . 2009-09-02 23:40 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-10-15 21:53 . 2009-09-02 23:40 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-13 10:30 . 2008-04-25 16:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2008-04-25 16:16 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2008-04-25 16:16 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-08 03:57 . 2008-04-25 16:16 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 03:56 . 2008-04-25 16:16 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-01 22:36 . 2009-10-01 22:36 45056 ----a-r- c:\documents and settings\bryanc\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
2009-10-01 22:36 . 2009-10-01 22:36 10134 ----a-r- c:\documents and settings\bryanc\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\ARPPRODUCTICON.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-12-14_11.38.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-25 16:16 . 2009-12-19 06:54 84372 c:\windows\system32\perfc009.dat
- 2008-04-25 16:16 . 2009-12-14 11:30 84372 c:\windows\system32\perfc009.dat
- 2009-09-01 07:29 . 2009-12-13 23:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-09-01 07:29 . 2009-12-19 00:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-25 16:16 . 2009-12-19 06:54 474570 c:\windows\system32\perfh009.dat
- 2008-04-25 16:16 . 2009-12-14 11:30 474570 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2009-04-22 02:03 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2009-04-22 02:03 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SRS Premium Sound"="c:\program files\SRS Labs\SRS Premium Sound\SRSPremiumSoundBig_Small.exe" [2009-03-25 3261688]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-12-10 289584]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-09-02 25623336]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-04 2001648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-22 200704]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-17 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-17 729088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-28 13537280]
"nwiz"="nwiz.exe" [2008-08-28 1630208]
"NVHotkey"="nvHotkey.dll" [2008-08-28 90112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-28 86016]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2009-02-26 184320]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-12-22 145408]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2009-04-22 656696]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2009-04-22 95544]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-04 128232]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-09-11 115560]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-04 417792]
"Ext2 Volume Manager"="c:\program files\Ext2Fsd\Ext2Mgr.exe" [2009-07-30 1216648]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-04-22 15360]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-03-19 667648]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-02 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-10-02 640376]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-02 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-8-15 604776]
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-4-9 1106720]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-10-2 50688]
Telstra Turbo Modem Manager.lnk - c:\program files\Telstra\Telstra Turbo Modem Manager\Service\MdmMgr.exe [2009-9-23 454656]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-12 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-12-04 20:36 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R1 Ext2Fsd;Linux ext2 file system driver;c:\windows\system32\drivers\ext2fsd.sys [10/10/2009 12:10 PM 651264]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 2:22 PM 74480]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [19/04/2007 8:56 AM 133968]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [29/12/2008 2:07 PM 320800]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [22/01/2009 1:19 PM 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [22/01/2009 1:19 PM 20840]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [9/04/2009 5:02 PM 447264]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [27/08/2009 12:42 PM 112512]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [27/08/2009 12:43 PM 32808]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [27/08/2009 12:42 PM 244368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/12/2009 6:56 AM 102448]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 2:22 PM 7408]
R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [26/08/2009 9:31 PM 232744]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/10/2009 5:43 PM 133104]
S3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\system32\drivers\cmusbnet.sys [23/09/2009 6:57 AM 81152]
S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [23/09/2009 6:57 AM 87040]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
------- Supplementary Scan -------
.
uStart Page = hxxp://nexus.northrop.com.au/Canberra/default.aspx
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-19 17:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\NetProvCredMan.dll

- - - - - - - > 'lsass.exe'(972)
c:\windows\system32\wvauth.dll

- - - - - - - > 'explorer.exe'(2864)
c:\windows\system32\WININET.dll
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\btmmhook.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\drivers\audio\r213367\stacsv.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\windows\system32\msiexec.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2009-12-19 17:58:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-19 06:58
ComboFix2.txt 2009-12-19 00:12
ComboFix3.txt 2009-12-14 11:41
ComboFix4.txt 2009-12-04 19:47

Pre-Run: 2,556,612,608 bytes free
Post-Run: 2,444,931,072 bytes free

- - End Of File - - 30DF3AEE82F1AA0434B498716E6C3C62


see ya

Now time to clean up.

To uninstall ComboFix

• Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  
• In the field, type in ComboFix /uninstall

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

• Then, press Enter, or click OK.
  
• This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.

==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

this is the security check log

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Symantec Endpoint Protection
Antivirus up to date! (On Access scanning disabled!)
``````````````````````````````
Anti-malware/Other Utilities Check:
SUPERAntiSpyware Free Edition
HijackThis 2.0.2
Adobe Flash Player 10
Adobe Reader 9.2
``````````````````````````````
Process Check:
objlist.exe by Laurent
Norton ccSvcHst.exe
SRS Labs SRS Premium Sound SRSPremiumSoundBig_Small.exe
``````````````````````````````
DNS Vulnerability Check:
Unknown. This method cannot test your vulnerability to DNS cache poisoning.

`````````End of Log```````````

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

• SpywareBlaster
  SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  
• Spybot - Search & Destroy.
  Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).
  

NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

• Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  
• hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
  

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

• Firefox may be downloaded from here: http://www.getfirefox.com
  
• Opera is available here: http://www.opera.com/download/
  

Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

Thankyou, explorer is working on my laptop again.
However on bootup I get a lot of error messages. About 6 of them.
Also superantispyware picked up an attemp to change the homepage again.

I can give you more details if you wish.

see ya

Download WhoCrashed from here
This program checks for any drivers which may have been causing your computer to crash....

Click on the file you just downloaded and run it.
Put a tick in Accept then click on Next
Put a tick in the Don't create a start menu folder then click Next
Put a tick in Create a Desktop Icon then click on Install and make sure there is a tick in Launch Whocrashed before clicking Finish
Click Analyze
It will want to download the Debugger and install it Say Yes

WhoCrashed will create report but you have to scroll down to see it
Copy and paste it into your next reply

here's the report. It didn't ask to download debugger.

see ya


--------------------------------------------------------------------------------
Welcome to WhoCrashed Home Edition 2.00
--------------------------------------------------------------------------------

This program checks for drivers which have been crashing your computer.

Whenever a computer suddenly reboots without displaying any notice or blue screen of death, the first thing that is often though about is a hardware failure. In reality, on Windows most crashes are caused by malfunctioning device drivers and kernel modules. In case of a kernel error, most computers do not show a blue screen unless they are configured to do so. Instead these systems suddenly reboot without any notice.

This program does post-mortem crash dump analysis with the single click of a button.


To obtain technical support visit www.resplendence.com/support

To check if a newer version of this program is available, click here.

Just click the Analyze button for a comprehensible report ...



--------------------------------------------------------------------------------
Home Edition notice
--------------------------------------------------------------------------------

This version of WhoCrashed is free for use at home only. If you would like to use this software at work or in a commercial environment you should get the professional edition. The professional edition of WhoCrashed also allows analysis of crashdumps on remote drives and computers on the network and offers more detailed analysis.


--------------------------------------------------------------------------------
Analysis
--------------------------------------------------------------------------------

Crash dump directory: C:\WINDOWS\Minidump

Crash dumps are enabled on your computer.


No valid crash dumps have been found on your computer


--------------------------------------------------------------------------------
Conclusion
--------------------------------------------------------------------------------

Crash dumps are enabled and no valid crash dumps have been found on your computer. In case your computer does experience sudden reboots it is likely these are caused by malfunctioning hardware, power failure or a thermal issue. To troubleshoot a thermal issue, check the temperature using your BIOS setup program, check for dust in CPU and motherboard fans and if your computer is portable make sure it's located on a hard surface. Otherwise it's suggested you contact the support department of the manufacturer of your system or test your system with a memory test utility for further investigation.

Just had an attempt to change the home page to the microsoft site I mentioned back a bit.
go.microsoft.com.fwlink/?linkId=69157

any clues

see ya

This program wont run. Error message is:

"The application failed to initialize properly (0xc000007b). Click on OK to terminate the application."

I get this same error message on other programes such as Skype.

see ya

Go Start and then to Run,
Type in: sfc /scannow
Click OK.
Have Windows CD/DVD handy.
If System File Checker (sfc) finds any errors, it may ask you for the CD/DVD.
If sfc does not find any errors in Windows XP, it will simply quit, without any message.

If you don't have Windows CD....

Go Start and then Run
type in regedit and click OK


Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup

On the right hand side, find: SourcePath

It probably has an entry pointing to your CD-ROM drive, usually D and that is why it is asking for the XP CD.
All we need to do is change it to: C:
Now, double click the SourcePath setting and a new box will pop up.
Change the drive letter from your CD drive to your root drive, usually C:
Close Registry Editor.

Now restart your computer and try sfc /scannow again!

After the first run, reboot your computer. Do a second run. Now the scan and fix is finished.

You guys are very clever!! Almost there...

Still get one error message on startup

Cant find component.
ChangeTPMAuth.exe ......can't find Tspl.dll


also can't connect to the web when at work. I can get the compony homepage and navigate through it, but can't go anywhere else, including here.

see ya

Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.
Please close all other applications running on your system.

Please double click GetSystemInfo.exe to open it.

Click the Settings button.



Set it to Maximum



IMPORTANT! Then please click Customize - choose Driver / Ports tab and uncheck Scan Ports.


Click Create Report to run it.

It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to Kaspersky GSI Parser and click the Submit button.

Please copy and paste the url of the GSI Parser report (not the log) in your next reply.

here you go Kaspersky log adress

http://www.getsysteminfo.com/read.php?file=9c25c081f7faf47e08240c53879b79aa

see ya

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

Explorer was working for a bit today, then I had a homepage change attempt and it stopped again. I'm on new computer.

When I try to update Malwarebytes I get an error message.
Än error has occurred. Please report the following error code to the MWB support team Error code 732 (12029,0)

I didn't run the scan.

Please navigate to this webpage: http://support.microsoft.com/kb/313222 and see the section "Fix it for me" and click the Microsoft Fix-It button. This will download a fix utility to repair the security settings on your computer, due to damages of malware or other harmful system changes. Install the file after download.

==

Open a run line by clicking start -> run

Copy and paste the following bolded text into the Open: box and click OK

cmd /k cd\ && dir c:\atapi.sys /a /s > atapi.txt && notepad atapi.txt

Paste back the contents of the atapi.txt

here ya go:

Volume in drive C is OS
Volume Serial Number is 2AFE-9375

Directory of c:\WINDOWS\ERDNT\cache

14/04/2008 11:10 PM 96,512 atapi.sys
1 File(s) 96,512 bytes

Directory of c:\WINDOWS\system32\dllcache

14/04/2008 11:10 PM 96,512 atapi.sys
1 File(s) 96,512 bytes

Directory of c:\WINDOWS\system32\drivers

14/04/2008 11:10 PM 96,512 atapi.sys
1 File(s) 96,512 bytes

Total Files Listed:
3 File(s) 289,536 bytes
0 Dir(s) 16,415,948,800 bytes free

All done. I updated Malwarebytes and ran it.

This is what I had:
Malwarebytes' Anti-Malware 1.42
Database version: 3407
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

22/12/2009 11:57:58 PM
mbam-log-2009-12-22 (23-57-53).txt

Scan type: Quick Scan
Objects scanned: 146288
Time elapsed: 6 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\oleacc.dll.tmp (Rootkit.Agent) -> No action taken.


and this is the log after fixing the issues with malwarebytes:

Malwarebytes' Anti-Malware 1.42
Database version: 3407
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

22/12/2009 11:57:58 PM
mbam-log-2009-12-22 (23-57-53).txt

Scan type: Quick Scan
Objects scanned: 146288
Time elapsed: 6 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\oleacc.dll.tmp (Rootkit.Agent) -> No action taken.


see ya

Please download Rooter and Save it to your desktop

1. Double click it to start the tool.
   
2. Click Scan.
   
3. Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.
   

here ya go:

Rooter log

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 3
[32_bits] - x86 Family 6 Model 23 Stepping 10, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 8.0.6001.18702
.
C:\ [Fixed-NTFS] .. ( Total:232 Go - Free:15 Go )
D:\ [CD_Rom]
E:\ [Removable]
F:\ [Removable]
I:\ [Network] .. ( Total:0 Go - Free:0 Go )
J:\ [Network] .. ( Total:0 Go - Free:0 Go )
S:\ [Network] .. ( Total:0 Go - Free:0 Go )
.
Scan : 07:18.51
Path : C:\Documents and Settings\bryanc\Desktop\Rooter.exe
User : BryanC ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (828)
______ \??\C:\WINDOWS\system32\csrss.exe (884)
______ \??\C:\WINDOWS\system32\winlogon.exe (912)
______ C:\WINDOWS\system32\services.exe (956)
______ C:\WINDOWS\system32\lsass.exe (968)
______ C:\WINDOWS\system32\svchost.exe (1148)
______ C:\WINDOWS\system32\svchost.exe (1216)
______ C:\WINDOWS\System32\svchost.exe (1256)
______ C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (1344)
______ C:\Program Files\Intel\WiFi\bin\S24EvMon.exe (1396)
______ C:\WINDOWS\system32\svchost.exe (1432)
______ C:\WINDOWS\system32\svchost.exe (1508)
______ C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (1776)
______ C:\WINDOWS\system32\spoolsv.exe (1908)
______ c:\drivers\audio\r213367\stacsv.exe (1996)
______ C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe (312)
______ C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe (332)
______ C:\WINDOWS\System32\SCardSvr.exe (356)
______ C:\WINDOWS\system32\svchost.exe (212)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (328)
______ C:\Program Files\Intel\ASF Agent\ASFAgent.exe (500)
______ C:\Program Files\Bonjour\mDNSResponder.exe (508)
______ C:\Program Files\Intel\WiFi\bin\EvtEng.exe (584)
______ C:\WINDOWS\system32\nvsvc32.exe (1336)
______ C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (1332)
______ C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (1784)
______ C:\WINDOWS\system32\svchost.exe (444)
______ C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (2060)
______ C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe (2264)
______ C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe (2460)
______ C:\WINDOWS\system32\wbem\wmiprvse.exe (2632)
______ C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe (2816)
______ C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe (2932)
______ C:\WINDOWS\system32\SearchIndexer.exe (2996)
______ C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (3316)
______ C:\WINDOWS\System32\alg.exe (3716)
______ C:\WINDOWS\Explorer.EXE (3872)
______ C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe (3988)
______ C:\Program Files\DellTPad\Apoint.exe (1696)
______ C:\Program Files\DellTPad\ApMsgFwd.exe (1724)
______ C:\Program Files\DellTPad\HidFind.exe (2144)
______ C:\Program Files\IDT\WDM\sttray.exe (2376)
______ C:\Program Files\DellTPad\Apntex.exe (2260)
______ C:\WINDOWS\system32\AESTFltr.exe (3328)
______ C:\WINDOWS\system32\rundll32.exe (1016)
______ C:\WINDOWS\system32\RUNDLL32.EXE (1356)
______ C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe (1304)
______ C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe (548)
______ C:\Program Files\Wave Systems Corp\SecureUpgrade.exe (1188)
______ C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (1640)
______ C:\Program Files\Common Files\Symantec Shared\ccApp.exe (1680)
______ C:\Program Files\Ext2Fsd\Ext2Mgr.exe (2396)
______ C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe (3264)
______ C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe (3612)
______ C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (2452)
______ C:\Program Files\iTunes\iTunesHelper.exe (3148)
______ C:\Program Files\Microsoft ActiveSync\wcescomm.exe (1648)
______ C:\Program Files\SRS Labs\SRS Premium Sound\SRSPremiumSoundBig_Small.exe (2308)
______ C:\Program Files\uTorrent\uTorrent.exe (3960)
______ C:\PROGRA~1\MI3AA1~1\rapimgr.exe (1888)
______ C:\Program Files\Skype\Phone\Skype.exe (2684)
______ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (820)
______ C:\WINDOWS\system32\ctfmon.exe (4504)
______ C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (4900)
______ C:\Program Files\iPod\bin\iPodService.exe (5396)
______ C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe (1564)
______ C:\Program Files\Digital Line Detect\DLG.exe (4160)
______ C:\Program Files\Telstra\Telstra Turbo Modem Manager\Service\MdmMgr.exe (4204)
______ C:\Program Files\Windows Desktop Search\WindowsSearch.exe (4260)
______ C:\Program Files\Skype\Plugin Manager\skypePM.exe (5136)
______ C:\WINDOWS\System32\svchost.exe (5360)
______ C:\WINDOWS\system32\wuauclt.exe (4324)
______ C:\Program Files\Internet Explorer\iexplore.exe (2068)
______ C:\Program Files\Internet Explorer\iexplore.exe (5764)
______ C:\Program Files\Windows Live\Toolbar\wltuser.exe (2192)
______ C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe (1252)
______ C:\WINDOWS\system32\SearchProtocolHost.exe (4176)
______ C:\WINDOWS\system32\SearchFilterHost.exe (5228)
______ C:\Program Files\Internet Explorer\iexplore.exe (5868)
______ C:\WINDOWS\system32\SearchProtocolHost.exe (2648)
______ C:\Documents and Settings\bryanc\Desktop\Rooter.exe (5408)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:222050304)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:222082560 | Length:249834654720)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\Tasks\SA.DAT
C:\WINDOWS\Tasks\User_Feed_Synchronization-{FD13B3EA-061B-4977-B7E0-44EEA53537C9}.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 07:19.32
.
C:\Rooter$\Rooter_1.txt - (23/12/2009 | 07:19.32)

Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
  
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  
• Now click the Scan button.
  Once the scan is complete, you may receive another notice about rootkit activity.
  
• Click OK.
  
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

got a blue screen error message half way through the scan:

Culpritt seemed to be kgrorpog.sys.

I'll try again

Copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.



Save it into the gmer folder as File name: ark.cmd
Save as type: All Files

Once done, double click ark.cmd to run it.

This should start GMER, follow the steps I have outlined earlier to save a log file, then post me the contents in your next reply.

Gmer log. I just ran it again and it worked.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-23 19:21:08
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\bryanc\LOCALS~1\Temp\kgrorpog.sys


---- System - GMER 1.0.15 ----

SSDT 8B128A70 ZwAlertResumeThread
SSDT 8A451438 ZwAlertThread
SSDT 8A483CD8 ZwAllocateVirtualMemory
SSDT 8A35E108 ZwConnectPort
SSDT 8A547BB8 ZwCreateMutant
SSDT 8A4B9FB0 ZwCreateThread
SSDT 8A46BDF0 ZwFreeVirtualMemory
SSDT 8A63F918 ZwImpersonateAnonymousToken
SSDT 8AAC19E0 ZwImpersonateThread
SSDT 8A4CF340 ZwMapViewOfSection
SSDT 8B0112C8 ZwOpenEvent
SSDT 8A479EA8 ZwOpenProcessToken
SSDT 8A63D888 ZwOpenThreadToken
SSDT 8A374108 ZwResumeThread
SSDT 8A453C08 ZwSetContextThread
SSDT 8B00B348 ZwSetInformationProcess
SSDT 8A64E258 ZwSetInformationThread
SSDT 8A446C28 ZwSuspendProcess
SSDT 8A450A20 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAD18A0B0]
SSDT 8A44A838 ZwTerminateThread
SSDT 8A6224B8 ZwUnmapViewOfSection
SSDT 8A46AAE0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB903A380, 0x381B8D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[2780] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Ext2Fsd.SYS (Ext2 File System Driver for Windows/www.ext2fsd.com)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Full Scan, and press Scan. Remove selected, and post the log in your next reply.

mbytes log

Malwarebytes' Anti-Malware 1.42
Database version: 3414
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

23/12/2009 11:25:47 PM
mbam-log-2009-12-23 (23-25-47).txt

Scan type: Full Scan (C:\|)
Objects scanned: 289351
Time elapsed: 2 hour(s), 24 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP140\A0048107.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP145\A0055151.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP146\A0055360.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP146\A0055445.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP147\A0055756.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP147\A0055757.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP147\A0055759.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP120\A0041601.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP122\A0042886.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP124\A0044198.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP125\A0045090.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP126\A0045928.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP126\A0046020.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

Looks good?

Malwarebytes' Anti-Malware 1.42
Database version: 3418
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

24/12/2009 6:42:23 AM
mbam-log-2009-12-24 (06-42-23).txt

Scan type: Quick Scan
Objects scanned: 146226
Time elapsed: 4 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Yes.

Thanks mate I appreciate all your time. I'll be heading off to the "donate" page shortly :-)

I have symantec endpoint protection as part of my work stuff. I now have superantispyware, spyware blaster running. Just the free versions. Is there a benefit in getting the paid version of either of these? Real time protection?

Also how about that vbs.runauto thingy on my thumb drives. Is it bad?

see ya and Merry Christmas

You can remove those. That is Symantec's reaction to autorun.

do you know what the tsp1.dll error on start up is related to. It says reinstalling the program may help. Which program? I repaired Active sync that didn't help

see ya

See if you can find the following file:

c:\windows\system32\Tsp1.dll

Then let me know if you see it.

Nope, it's not there.

You need that file. Not sure how you would get it. But, since that file is not there, you will get that error continually.

Thanks for all your help. I have been away for a while. Just got back.

An attempt to change the home page just occurred. I ran Malwarebytes (full version now) and it found nothing.

My web access is still OK. I tried to download combifix from BleepingComputer.com and I noticed it is blocked by the list in my new hosts file.

Any clues?

see ya

Go to C:\windows\system32\drivers\etc

You will see something that says HOSTS

Double-click on it, and open it with Notepad.

Please post the contents of that in your next reply.

It's over 2mbs and keeps freezing things when I cut to paste.
Should I send it in bits?

Take a different route here:

Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.
Please close all other applications running on your system.

Please double click GetSystemInfo.exe to open it.

Click the Settings button.



Set it to Maximum



IMPORTANT! Then please click Customize - choose Driver / Ports tab and uncheck Scan Ports.


Click Create Report to run it.

It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to Kaspersky GSI Parser and click the Submit button.

Please copy and paste the url of the GSI Parser report (not the log) in your next reply.

here ya go.....

http://www.getsysteminfo.com/read.php?file=5ef40b52d2cc91291a14d8a6e1cbc2d7

see ya

Malwarebytes ran a scheduled scan last night and picked up and removed Disabled.SecurityCenter

After reboot Superantispyware has just identified an attempt to change home page again. I'll run Superantispyware now.

see ya

Seems to be ok.

Let's do another close check for rootkits:

Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
  
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  
• Now click the Scan button.
  Once the scan is complete, you may receive another notice about rootkit activity.
  
• Click OK.
  
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

Interesting... while I was away form the computer and internet explorer was off I got a message from MWB saying that it had blocked access to a malicious ip adress. Here is the log:

07:43:31 BryanC MESSAGE Protection started successfully
07:43:41 BryanC MESSAGE IP Protection started successfully
12:16:37 BryanC MESSAGE Protection started successfully
12:16:45 BryanC MESSAGE IP Protection started successfully
12:47:31 BryanC IP-BLOCK 222.64.96.48
12:47:39 BryanC IP-BLOCK 94.96.12.63
13:33:56 BryanC IP-BLOCK 89.28.26.125

Here is the teh gmer log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-01 12:06:37
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\bryanc\LOCALS~1\Temp\kgrorpog.sys


---- System - GMER 1.0.15 ----

SSDT 8A45C818 ZwAlertResumeThread
SSDT 8A43F888 ZwAlertThread
SSDT 8A3FA3D8 ZwAllocateVirtualMemory
SSDT 8A56F008 ZwConnectPort
SSDT 8A35B8A0 ZwCreateMutant
SSDT 8A641550 ZwCreateThread
SSDT 89F97D90 ZwFreeVirtualMemory
SSDT 8A465450 ZwImpersonateAnonymousToken
SSDT 8A465488 ZwImpersonateThread
SSDT 8A608E60 ZwMapViewOfSection
SSDT 8A45BCD0 ZwOpenEvent
SSDT 8A366A70 ZwOpenProcessToken
SSDT 8A369218 ZwOpenThreadToken
SSDT 8A4AE518 ZwResumeThread
SSDT 8A464DD8 ZwSetContextThread
SSDT 8A37CD30 ZwSetInformationProcess
SSDT 8A38F008 ZwSetInformationThread
SSDT 8A4570B8 ZwSuspendProcess
SSDT 8A473908 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA96E00B0]
SSDT 8A45B878 ZwTerminateThread
SSDT 8A4746E8 ZwUnmapViewOfSection
SSDT 8A35F988 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FF0 8050488C 4 Bytes CALL C4DA8FD7
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB86BD380, 0x381B8D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[2940] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Ext2Fsd.SYS (Ext2 File System Driver for Windows/www.ext2fsd.com)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

And another attempt to access an IP adress. this time with explorer running:

07:43:31 BryanC MESSAGE Protection started successfully
07:43:41 BryanC MESSAGE IP Protection started successfully
12:16:37 BryanC MESSAGE Protection started successfully
12:16:45 BryanC MESSAGE IP Protection started successfully
12:47:31 BryanC IP-BLOCK 222.64.96.48
12:47:39 BryanC IP-BLOCK 94.96.12.63
13:33:56 BryanC IP-BLOCK 89.28.26.125
13:50:25 BryanC IP-BLOCK 218.8.103.222

the number of malicious sites being blocked by MWBs is growing. It happens when internet explorer is not up and running as well as when it is.

here is the win32kdiag log. It is very short.

Running from: C:\Documents and Settings\bryanc\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\bryanc\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!

It has got to be somewhere.

Please download the Sophos Anti-Rootkit Scanner and save it to your desktop.

You will need to enter your name, e-mail address and location in order to access the download page.

• Once you have downloaded the file, double click the sarsfx icon
  
• Review the licence agreement and click on the Accept button
  
• The scanner will prompt you to extract the files to C:\SOPHTEMP - DO NOT change this location, simply click the Install button
  
  
• Once the files have been extracted; using Windows Explorer, navigate to C:\SOPHTEMP and double click on the blue shield icon called sargui
  
• Ensure that there are checkmarks next to Running processes, Windows registry and Local hard drives, then click Start scan
  
• Allow the program to scan your computer - please be patient as it may take some time
  
• Once the scan has completed a window will pop-up with the results of the scan - click OK to this
  
• In the main window, you will see each of the entries found by the scan (if any)
  
  
  
  • If the scanner generated any warning messages, please click on each warning and copy and paste the text of it into this thread for me to review
    
  • Once you have posted any warning messages here, you can close the scanner and wait for me to get back to you
    
  
  
• If you have not had any warnings, any entries which can be cleaned up by the scanner will have a box with a green checkmark in it next to the entry
  
• To clean up these entries click on the Clean up checked items button
  
• If you accidentally check a file NOT recommended for clean up, you will get a warning message and if necessary can re-select the entries you want to clean up
  
• Once you have cleaned the selected files, you will be prompted to re-boot your computer - please do so
  
• When you have re-booted, please post a fresh HijackThis log into this thread and tell me how your computer is running now