
1 need help with virus problems on Tue Dec 01, 2009 5:23 pm

signmanj


Member
My computer uses Win. XP. When I close Internet Explorer an advertisement comes on through the speakers. Nothing on the screen. Also when I open a site, another site pops up a lot, mostly an advertisement or a survey. I copied what my system showed in Trend Micro HijackThis of my files: need help in getting rid of this finally. Also, when I click on a site after searching in Explorer, it always goes to a totally different site, not the one you click on. ANY easy help I'd so appreciate. Here's what the scan (my log) showed:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:13 PM, on 12/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\Registry Mechanic\regmech.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BrowserHelper Class - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - C:\Program Files\SGPSA\SearchAssistant.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O20 - Winlogon Notify: pxod13 - C:\WINDOWS\SYSTEM32\pxod13.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - PC Tools - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 3937 bytes

2 Re: need help with virus problems on Tue Dec 01, 2009 10:53 pm

DragonMaster Jay


Site Owner
Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner



3 Re: need help with virus problems on Wed Dec 02, 2009 2:19 pm

signmanj


Member
Still shows nothing on Malwarebytes. Still going to a totally different site than the one you click on, ads coming over the speaker and nothing on the screen, also 2nd window keeps opening. Now what can I do??? Need more help.

4 Re: need help with virus problems on Wed Dec 02, 2009 3:13 pm

DragonMaster Jay


Site Owner
Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.



5 Re: need help with virus problems on Wed Dec 02, 2009 5:42 pm

signmanj


Member
Thank you for the help so far!!! Here's the log.

ComboFix 09-12-02.05 - Owner 12/02/2009 16:13.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.222.26 [GMT -6:00]
Running from: c:\documents and settings\Owner\desktop\commy.exe
Command switches used :: /stepdel
FW: NVIDIA Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\SGPSA
c:\program files\SGPSA\SearchAssistant.dll
D:\Autorun.inf

c:\windows\system32\DRIVERS\atapi.sys . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-11-02 to 2009-12-02 )))))))))))))))))))))))))))))))
.

2009-12-02 02:55 . 2009-12-02 02:55 -------- d-----w- c:\program files\Enigma Software Group
2009-12-02 02:18 . 2009-12-02 02:18 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-02 02:17 . 2009-12-02 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-02 02:17 . 2009-12-02 02:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-02 02:17 . 2009-12-02 02:17 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-12-02 02:16 . 2009-12-02 02:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-01 22:09 . 2009-12-01 22:09 -------- d-----w- c:\program files\Trend Micro
2009-12-01 21:38 . 2009-12-01 21:38 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-01 04:28 . 2009-12-01 04:28 -------- d-----w- c:\windows\system32\drivers\NSS
2009-12-01 04:28 . 2009-12-01 04:28 -------- d-----w- c:\program files\Norton Security Scan
2009-12-01 04:22 . 2009-12-01 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-01 04:22 . 2009-12-01 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-01 04:21 . 2009-12-01 04:28 -------- d-----w- c:\program files\NortonInstaller
2009-12-01 04:21 . 2009-12-01 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-12-01 03:53 . 2009-12-01 03:54 -------- d-----w- c:\windows\BDOSCAN8
2009-11-29 19:28 . 2009-11-29 19:28 -------- d-----w- c:\program files\AVG
2009-11-29 19:28 . 2009-11-29 19:28 -------- d-----w- C:\users
2009-11-29 19:26 . 2009-11-29 19:26 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-11-29 19:26 . 2009-12-02 19:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-28 03:09 . 2009-11-29 19:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-28 03:09 . 2009-11-29 19:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-22 23:05 . 2009-11-22 23:05 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-22 23:05 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-22 23:05 . 2009-11-29 19:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-22 23:05 . 2009-11-22 23:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-22 23:05 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-22 15:29 . 2001-08-17 20:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-11-19 04:28 . 2009-12-02 05:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-04 15:30 . 2009-11-04 15:30 16384 ----a-w- c:\documents and settings\Owner\Application Data\blank.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-30 01:37 . 2009-08-02 19:48 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2009-11-29 19:26 . 2009-05-31 21:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-11-29 19:26 . 2009-10-02 22:20 -------- d-----w- c:\program files\iTunes
2009-11-29 19:26 . 2009-10-02 22:21 -------- d-----w- c:\program files\iPod
2009-11-29 19:26 . 2009-07-16 01:05 -------- d-----w- c:\program files\Common Files\Apple
2009-11-29 19:26 . 2009-10-02 22:18 -------- d-----w- c:\program files\Bonjour
2009-11-29 19:26 . 2009-10-02 22:17 -------- d-----w- c:\program files\QuickTime
2009-11-29 19:25 . 2009-06-09 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2009-11-29 19:25 . 2009-05-28 01:15 -------- d-----w- c:\program files\Glary Utilities
2009-11-27 22:03 . 2009-06-07 23:31 -------- d-----w- c:\documents and settings\Owner\Application Data\Image Zone Express
2009-11-18 09:07 . 2009-11-18 09:07 6737154 ----a-w- c:\documents and settings\Owner\Application Data\Kelly Clarkson - Already Gone.zip
2009-11-17 01:49 . 2009-05-31 20:55 43160 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-17 04:52 . 2009-10-07 17:53 36336 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-07 18:13 . 2009-09-03 00:29 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-10-02 22:05 . 2009-10-02 22:05 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-10-14 3217368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Performance Center
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"SharedAccess"=2 (0x2)
"RSVP"=3 (0x3)
"NtLmSsp"=3 (0x3)
"nSvcLog"=2 (0x2)
"nSvcIp"=2 (0x2)
"hkmsvc"=3 (0x3)
"getPlus(R) Helper"=3 (0x3)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"gupdate1c9f9f3142bad20"=2 (0x2)
"gusvc"=2 (0x2)
"aspnet_state"=3 (0x3)
"SSDPSRV"=3 (0x3)
"ForcewareWebInterface"=2 (0x2)
"wuauserv"=2 (0x2)
"TrkWks"=2 (0x2)
"TapiSrv"=3 (0x3)
"SamSs"=2 (0x2)
"ERSvc"=2 (0x2)
"CryptSvc"=3 (0x3)
"WZCSVC"=2 (0x2)
"helpsvc"=2 (0x2)
"Eventlog"=2 (0x2)
"wscsvc"=2 (0x2)
"Bonjour Service"=2 (0x2)
"MBAMService"=2 (0x2)
"MSDTC"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [12/1/2009 3:38 PM 583640]
S2 nwadzgcb;nwadzgcb;\??\c:\windows\system32\drivers\kyrpqdrdan.sys --> c:\windows\system32\drivers\kyrpqdrdan.sys [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/22/2009 5:05 PM 19160]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/22/2009 5:05 PM 269648]
.
Contents of the 'Scheduled Tasks' folder

2009-08-26 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-05-28 21:09]

2009-12-01 c:\windows\Tasks\Malwarebytes' Scheduled Update for Owner.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-11-22 20:53]

2009-12-01 c:\windows\Tasks\Norton Security Scan for Owner.job
- c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-12-01 01:58]
.
.
------- Supplementary Scan -------
.
uStart Page = yahoo.com/
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\pscts5s4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={CE292844-BB22-C28C-30A7-B0C9934779D6}&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-02 16:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x812E9369]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf9f9df28
\Driver\ACPI -> ACPI.sys @ 0xf9db0cb8
\Driver\atapi -> atapi.sys @ 0xf9d50852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
user & kernel MBR OK
copy of MBR has been found in sector 60 !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(688)
c:\windows\system32\WININET.dll
.
Completion time: 2009-12-02 16:38
ComboFix-quarantined-files.txt 2009-12-02 22:38

Pre-Run: 81,045,794,816 bytes free
Post-Run: 81,273,294,848 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 81AAFDFA826E31C9CD344101245FC8FA

6 Re: need help with virus problems on Wed Dec 02, 2009 7:53 pm

DragonMaster Jay


Site Owner
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    scecli.dll
    netlogon.dll
    eventlog.dll
    winlogon.exe
    comres.dll
    crypt32.dll
    gpedit.dll
    rundll32.exe
    sfc.dll
    svchost.exe
    cngaudit.dll
    beep.sys
    wscntfy.exe
    atapi.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



7 Re: need help with virus problems on Wed Dec 02, 2009 9:50 pm

signmanj


Member
Here you go. Thanks SO much again!!!

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 20:36 on 02/12/2009 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [21:25 27/05/2009] [19:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ERDNT\cache\scecli.dll --a--- 181248 bytes [22:35 02/12/2009] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\ServicePackFiles\i386\scecli.dll -----c 181248 bytes [13:16 27/05/2009] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll ------ 181248 bytes [22:12 06/01/2007] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084

Searching for "netlogon.dll"
C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll -----c 407040 bytes [21:25 27/05/2009] [19:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\ERDNT\cache\netlogon.dll --a--- 407040 bytes [22:35 02/12/2009] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\ServicePackFiles\i386\netlogon.dll -----c 407040 bytes [13:15 27/05/2009] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\netlogon.dll ------ 407040 bytes [22:11 06/01/2007] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550

Searching for "eventlog.dll"
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 55808 bytes [21:26 27/05/2009] [19:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ERDNT\cache\eventlog.dll --a--- 56320 bytes [22:35 02/12/2009] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll -----c 56320 bytes [13:14 27/05/2009] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll ------ 56320 bytes [22:09 06/01/2007] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656

Searching for "winlogon.exe"
C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe -----c 502272 bytes [21:25 27/05/2009] [19:00 04/08/2004] 01C3346C241652F43AED8E2149881BFE
C:\WINDOWS\ERDNT\cache\winlogon.exe --a--- 507904 bytes [22:35 02/12/2009] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe -----c 507904 bytes [13:17 27/05/2009] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe ------ 507904 bytes [22:12 06/01/2007] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E

Searching for "comres.dll"
C:\WINDOWS\$NtServicePackUninstall$\comres.dll -----c 792064 bytes [21:26 27/05/2009] [19:00 04/08/2004] 6728270CB7DBB776ED086F5AC4C82310
C:\WINDOWS\ServicePackFiles\i386\comres.dll -----c 792064 bytes [13:13 27/05/2009] [00:11 14/04/2008] 1280A158C722FA95A80FB7AEBE78FA7D
C:\WINDOWS\system32\comres.dll --a--- 792064 bytes [22:09 06/01/2007] [00:11 14/04/2008] 1280A158C722FA95A80FB7AEBE78FA7D

Searching for "crypt32.dll"
C:\WINDOWS\$NtServicePackUninstall$\crypt32.dll -----c 597504 bytes [21:26 27/05/2009] [19:00 04/08/2004] EFC958396A7A7EF7E6D4A52B97512E18
C:\WINDOWS\ServicePackFiles\i386\crypt32.dll -----c 599040 bytes [13:13 27/05/2009] [00:11 14/04/2008] BDAAF79DD63F194434D31A74B9BB8B77
C:\WINDOWS\system32\crypt32.dll --a--- 599040 bytes [22:09 06/01/2007] [00:11 14/04/2008] BDAAF79DD63F194434D31A74B9BB8B77
C:\WINDOWS\system32\dllcache\crypt32.dll --a--c 599040 bytes [22:09 06/01/2007] [00:11 14/04/2008] BDAAF79DD63F194434D31A74B9BB8B77

Searching for "gpedit.dll"
No files found.

Searching for "rundll32.exe"
C:\WINDOWS\$NtServicePackUninstall$\rundll32.exe -----c 33280 bytes [21:25 27/05/2009] [19:00 04/08/2004] DA285490BBD8A1D0CE6623577D5BA1FF
C:\WINDOWS\ServicePackFiles\i386\rundll32.exe -----c 33280 bytes [13:16 27/05/2009] [00:12 14/04/2008] 037B1E7798960E0420003D05BB577EE6
C:\WINDOWS\system32\rundll32.exe --a--- 33280 bytes [22:12 06/01/2007] [00:12 14/04/2008] 037B1E7798960E0420003D05BB577EE6

Searching for "sfc.dll"
C:\WINDOWS\$NtServicePackUninstall$\sfc.dll -----c 5120 bytes [21:25 27/05/2009] [19:00 04/08/2004] E8A12A12EA9088B4327D49EDCA3ADD3E
C:\WINDOWS\ERDNT\cache\sfc.dll --a--- 5120 bytes [22:35 02/12/2009] [00:12 14/04/2008] 96E1C926F22EE1BFBAE82901A35F6BF3
C:\WINDOWS\ServicePackFiles\i386\sfc.dll -----c 5120 bytes [13:16 27/05/2009] [00:12 14/04/2008] 96E1C926F22EE1BFBAE82901A35F6BF3
C:\WINDOWS\system32\sfc.dll ------ 5120 bytes [22:12 06/01/2007] [00:12 14/04/2008] 96E1C926F22EE1BFBAE82901A35F6BF3

Searching for "svchost.exe"
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe -----c 14336 bytes [21:25 27/05/2009] [19:00 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\ERDNT\cache\svchost.exe --a--- 14336 bytes [22:35 02/12/2009] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\ServicePackFiles\i386\svchost.exe -----c 14336 bytes [13:16 27/05/2009] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\svchost.exe ------ 14336 bytes [22:12 06/01/2007] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18

Searching for "cngaudit.dll"
No files found.

Searching for "beep.sys"
C:\WINDOWS\ERDNT\cache\beep.sys --a--- 4224 bytes [22:35 02/12/2009] [19:00 04/08/2004] DA1F27D85E0D1525F6621372E7B685E9
C:\WINDOWS\system32\dllcache\beep.sys --a--c 4224 bytes [22:09 06/01/2007] [19:00 04/08/2004] DA1F27D85E0D1525F6621372E7B685E9
C:\WINDOWS\system32\drivers\beep.sys ------ 4224 bytes [22:09 06/01/2007] [19:00 04/08/2004] DA1F27D85E0D1525F6621372E7B685E9

Searching for "wscntfy.exe"
C:\WINDOWS\$NtServicePackUninstall$\wscntfy.exe -----c 13824 bytes [21:27 27/05/2009] [19:00 04/08/2004] 49911DD39E023BB6C45E4E436CFBD297
C:\WINDOWS\ERDNT\cache\wscntfy.exe --a--- 13824 bytes [22:35 02/12/2009] [00:12 14/04/2008] F92E1076C42FCD6DB3D72D8CFE9816D5
C:\WINDOWS\ServicePackFiles\i386\wscntfy.exe -----c 13824 bytes [13:18 27/05/2009] [00:12 14/04/2008] F92E1076C42FCD6DB3D72D8CFE9816D5
C:\WINDOWS\system32\dllcache\wscntfy.exe --a--c 13824 bytes [22:12 06/01/2007] [00:12 14/04/2008] F92E1076C42FCD6DB3D72D8CFE9816D5
C:\WINDOWS\system32\wscntfy.exe -----c 13824 bytes [22:12 06/01/2007] [00:12 14/04/2008] F92E1076C42FCD6DB3D72D8CFE9816D5

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [21:24 27/05/2009] [19:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [22:35 02/12/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [13:13 27/05/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [22:08 06/01/2007] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys --a--c 95360 bytes [23:15 27/05/2009] [19:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-

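One way to read a SystemLook log like the one above programmatically, as an added example that is not part of this thread and not SystemLook's own code: the script parses each "Searching for" block and compares the live copy of the file under system32 (or system32\drivers) against the copy in ServicePackFiles\i386, which is the SP3 release the live file is expected to match. Copies under $NtServicePackUninstall$ are the pre-SP3 versions and legitimately hash differently, so they are ignored. The scecli.dll, gpedit.dll and atapi.sys lines are taken from the log posted above; the "sample.dll" entries and the folder constants are constructed for the example to show what a mismatch looks like. Worth noting from the thread itself: atapi.sys hashes the same as its backup here even though ComboFix reported it infected. A kernel-mode rootkit can serve a clean image of a file to user-mode readers, so a matching hash from a user-mode tool is not proof that the file on disk is clean; it only says the tool saw no difference.

```python
"""Parse a SystemLook ':filefind' log and compare the live copy of each
system file against its Service Pack backup copy (added example; the folder
names and the 'sample.dll' lines are assumptions/constructed, the other log
lines are copied from the thread)."""
import re

# One 'filefind' result line: path, 6-char attribute field, size,
# two bracketed timestamps, then the MD5 of the file.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S.*?)\s+"
    r"(?P<attrs>[-a-z]{6})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')

# Live locations of XP system binaries (assumed standard paths) and the SP3
# backup folder whose copy the live file should be identical to. A mismatch
# means "look closer", not "infected": a post-SP3 hotfix is the benign cause.
LIVE_DIRS = ("c:\\windows\\system32", "c:\\windows\\system32\\drivers")
BACKUP_DIR = "c:\\windows\\servicepackfiles\\i386"

# Constructed sample input: real lines from the posted log plus a made-up
# 'sample.dll' block whose hashes deliberately disagree.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (29.08.09)
========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [21:25 27/05/2009] [19:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ServicePackFiles\i386\scecli.dll -----c 181248 bytes [13:16 27/05/2009] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll ------ 181248 bytes [22:12 06/01/2007] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084

Searching for "gpedit.dll"
No files found.

Searching for "atapi.sys"
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [13:13 27/05/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [22:08 06/01/2007] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

Searching for "sample.dll"
C:\WINDOWS\ServicePackFiles\i386\sample.dll -----c 1000 bytes [00:00 01/01/2009] [00:00 01/01/2009] 0123456789ABCDEF0123456789ABCDEF
C:\WINDOWS\system32\sample.dll ------ 1040 bytes [00:00 01/01/2009] [00:00 01/01/2009] FEDCBA9876543210FEDCBA9876543210
"""


def parse_filefind(text):
    """Return {filename: [(path, size, md5), ...]}; a name that was searched
    for but not found maps to an empty list."""
    results = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            results.setdefault(current, [])
            continue
        if current is None:
            continue
        m = LINE_RE.match(line)
        if m:
            results[current].append(
                (m.group("path"), int(m.group("size")), m.group("md5").upper())
            )
    return results


def compare_live_to_backup(results):
    """Pair each file's live system32 copy with its ServicePackFiles copy and
    report whether size and MD5 agree. Returns {filename: status}."""
    report = {}
    for name, entries in results.items():
        live = backup = None
        for path, size, md5 in entries:
            folder = path.lower().rsplit("\\", 1)[0]
            if folder == BACKUP_DIR:
                backup = (size, md5)
            elif folder in LIVE_DIRS:
                live = (size, md5)
        if not entries:
            report[name] = "not found"
        elif live is None:
            report[name] = "no live copy"
        elif backup is None:
            report[name] = "no backup to compare"
        elif live == backup:
            report[name] = "match"
        else:
            report[name] = "MISMATCH live=%s backup=%s" % (live[1], backup[1])
    return report


if __name__ == "__main__":
    for name, status in sorted(compare_live_to_backup(parse_filefind(SAMPLE_LOG)).items()):
        print("%-12s %s" % (name, status))
```

Running it prints "match" for scecli.dll and atapi.sys, "not found" for gpedit.dll and a MISMATCH line for the constructed sample.dll. Paste a full SystemLook.txt in place of SAMPLE_LOG to triage a whole log the same way.
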
8 Re: need help with virus problems on Wed Dec 02, 2009 10:03 pm

DragonMaster Jay


Site Owner
1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\WINDOWS\system32\drivers\atapi.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.



9 Re: need help with virus problems on Wed Dec 02, 2009 11:13 pm

signmanj


Member
//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open file "C:\WINDOWS\system32\drivers\atapi.sys"
Deletion of file "C:\WINDOWS\system32\drivers\atapi.sys" failed!
Status: 0xc0000043 (STATUS_SHARING_VIOLATION)


Completed script processing.

*******************

Finished! Terminate.

10 Re: need help with virus problems on Wed Dec 02, 2009 11:48 pm

DragonMaster Jay


Site Owner
Warning to outside readers: these instructions are for this user only. Following them can hurt your computer.

Please open Malwarebytes' Anti-Malware, and click More Tools tab. Under FileASSASSIN, click Run Tool.

For each file listed below (this process only handles one file at a time), find its location, and you will see the name of the file in the Filename box, then click Open.

Files to delete using FileASSASSIN:
C:\WINDOWS\system32\drivers\atapi.sys


The FileASSASSIN will then delete the file, or ask you to reboot your computer in order to delete it. Please allow it to reboot, if necessary.

Let me know if the file deleted successfully.


