Help please - can't remove Personal Antivirus and Mcafee won't update

angus1

Have done as you said with the combofix. Here is the log it produced

ComboFix 09-05-02.4 - Rebecca Jackson 02/05/2009 15:32.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.175 [GMT -12:00]
Running from: c:\documents and settings\Rebecca Jackson\Desktop\QWERTY.exe
Command switches used :: c:\documents and settings\Rebecca Jackson\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090501-0] *On-access scanning disabled* (Updated)
FILE ::
c:\windows\Tasks\At107.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At74.job
c:\windows\Tasks\At83.job
c:\windows\Tasks\At97.job
c:\windows\Tasks\At98.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Tasks\At107.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At74.job
c:\windows\Tasks\At83.job
c:\windows\Tasks\At97.job
c:\windows\Tasks\At98.job
.
((((((((((((((((((((((((( Files Created from 2009-04-03 to 2009-05-03 )))))))))))))))))))))))))))))))
.
2009-05-02 22:33 . 2009-05-02 22:33

---

d

---

w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-02 22:33 . 2009-05-02 22:33

---

d

---

w c:\program files\SUPERAntiSpyware
2009-05-02 22:33 . 2009-05-02 22:33

---

d

---

w c:\documents and settings\Rebecca Jackson\Application Data\SUPERAntiSpyware.com
2009-05-02 11:23 . 2009-05-02 11:23

---

d

---

w c:\documents and settings\Rebecca Jackson\Application Data\Red Kawa
2009-05-02 11:14 . 2009-05-02 11:14

---

d

---

w c:\program files\Regensoft
2009-05-02 11:14 . 2009-05-02 11:14

---

d

---

w c:\program files\AviSynth 2.5
2009-05-02 11:14 . 2009-05-02 11:14

---

d

---

w c:\program files\Red Kawa
2009-05-02 05:10 . 2009-05-02 05:10

---

d

---

w c:\program files\Trend Micro
2009-05-01 06:36 . 2009-05-01 06:36

---

d

---

w c:\program files\Alwil Software
2009-05-01 02:54 . 2009-05-01 02:54

---

d

---

w c:\documents and settings\Rebecca Jackson\Application Data\Malwarebytes
2009-05-01 02:54 . 2009-04-07 03:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-01 02:54 . 2009-04-07 03:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-01 02:53 . 2009-05-01 02:53

---

d

---

w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-01 02:53 . 2009-05-01 02:54

---

d

---

w c:\program files\Malwarebytes' Anti-Malware
2009-04-30 22:23 . 2009-04-30 22:23

---

d

---

w c:\windows\McAfee.com
2009-04-30 10:14 . 2008-04-11 19:04 691712 -c----w c:\windows\system32\dllcache\inetcomm.dll
2009-04-30 05:03 . 2008-10-15 16:34 337408 -c----w c:\windows\system32\dllcache\netapi32.dll
2009-04-30 03:59 . 2009-04-30 03:59

---

d

---

w c:\program files\Common Files\Uninstall
2009-04-30 03:58 . 2009-05-01 05:13

---

d

---

w c:\program files\PAV
2009-04-28 23:24 . 2009-04-28 23:24

---

d

---

w c:\program files\log vc aim
2009-04-16 01:05 . 2008-05-03 11:55 2560

---

w c:\windows\system32\xpsp4res.dll
2009-04-16 01:05 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-07 05:52 . 2009-04-16 10:52

---

d

---

w c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-04-07 05:48 . 2009-05-02 03:17

---

d

---

w c:\program files\Circl Developement
2009-04-07 05:48 . 2009-04-07 05:48

---

d

---

w c:\program files\Windows Live
2009-04-07 05:48 . 2009-04-07 05:51

---

d

---

w c:\program files\Messenger Plus! Live
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 03:32 . 2006-09-06 03:59 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-03 00:59 . 2009-04-30 10:08 330 ---ha-w c:\windows\Tasks\MP Scheduled Scan.job
2009-05-02 22:32 . 2008-07-08 23:33

---

d

---

w c:\program files\Common Files\Wise Installation Wizard
2009-05-02 04:08 . 2006-09-07 02:01

---

d

---

w c:\program files\MSN Messenger
2009-04-30 06:06 . 2006-09-06 23:09

---

d--h--w c:\program files\InstallShield Installation Information
2009-04-30 04:47 . 2006-09-06 03:55 76487 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-28 23:19 . 2008-02-24 06:32 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-03-13 07:26 . 2009-03-13 07:26

---

d

---

w c:\program files\Microsoft Silverlight
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 00:06 . 2009-03-06 00:06

---

d

---

w c:\program files\Safari
2009-03-06 00:01 . 2007-08-20 15:57

---

d

---

w c:\program files\iTunes
2009-03-06 00:00 . 2009-03-06 00:00

---

d

---

w c:\program files\iPod
2009-03-05 23:50 . 2009-03-05 23:49

---

d

---

w c:\program files\QuickTime
2009-03-05 23:48 . 2007-08-20 15:55

---

d

---

w c:\program files\Common Files\Apple
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 07:02 . 2004-08-03 22:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-04 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-05 07:22 . 2006-12-25 19:50 27640 ----a-w c:\documents and settings\Rebecca Jackson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-05 07:11 . 2006-09-06 03:42 67 --sha-w c:\windows\Fonts\desktop.ini
2009-02-05 07:08 . 2006-09-06 03:54 23444 ----a-w c:\windows\system32\emptyregdb.dat
2009-02-05 06:24 . 2009-02-05 06:25 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2006-09-07 02:05 . 2006-09-07 02:05 8 --sha-r c:\windows\system32\F084E71B5F.sys
2006-12-22 09:44 . 2006-09-07 02:05 5538 --sha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickFinder Scheduler"="c:\program files\WordPerfect Office X3\Programs\QFSCHD130.EXE" [2006-07-05 77892]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-05 136600]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
"HostManager"="c:\program files\Common Files\AOL\1184763857\ee\AOLSoftware.exe" [2006-11-17 50736]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-06-26 497200]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2006-06-26 614960]
"LVCOMSX"="c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 243248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-07 290088]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-18 16207872]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-20 5674352]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-14 39264]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-02-28 44544]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-31 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-31 51984]

angus1

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-23 00:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\1184763857\\ee\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-04-28 7408]
S1 aswSP;avast! Self Protection; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-04-28 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-04-28 72944]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44edf72e-ea0b-11dd-99a0-00038a000015}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44edf732-ea0b-11dd-99a0-00038a000015}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{89df1c9f-dd0c-11dc-9896-00038a000015}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{89df1ca3-dd0c-11dc-9896-00038a000015}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9f16ce0-4d39-11dd-98e2-00038a000015}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9f16ce1-4d39-11dd-98e2-00038a000015}]
\Shell\AutoRun\command - F:\AutoRun.exe
.
Contents of the 'Scheduled Tasks' folder
2009-04-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-30 00:34]
2009-05-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 07:20]
.
.

---

Supplementary Scan

---

.
uStart Page = hxxp://www.facebook.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 15:36
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.

---

DLLs Loaded Under Running Processes

---

- - - - - - - > 'winlogon.exe'(612)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-05-03 15:39
ComboFix-quarantined-files.txt 2009-05-03 03:37
ComboFix2.txt 2009-05-03 01:37
Pre-Run: 8,319,344,640 bytes free
Post-Run: 8,317,882,368 bytes free
202 --- E O F --- 2009-05-01 21:15

angus1

Have done everything up to hostsxpert. Got right to the end of that - clicked restore microsofts hosts file and then ok. Then got error message saying Cannot create file C:\WINDOW\system32\DRIVERS\ETC\hosts ?

aliEnRIK

Dont worry about it. Skip onto the kaspersky scan

angus1

Hi Alienrik that's everything done that you suggested and here is the Kaspersky log. Thanks for your help so far

Sunday, May 3, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, May 02, 2009 18:04:22
Records in database: 2120968

Scan settingsScan using the following databaseextendedScan archivesyesScan mail databasesyesScan areaMy ComputerC:\
\
E:\ Scan statisticsFiles scanned71424Threat name2Infected objects24Suspicious objects0Duration of the scan02:07:25
File nameThreat nameThreats countC:\Documents and Settings\All Users\Application Data\up hold blue delete\roam glue.exeInfected: Trojan.Win32.Swizzor.a1C:\Documents and Settings\Rebecca Jackson\Application Data\log vc aim\kukkihln.exeInfected: Trojan.Win32.Swizzor.a1C:\Documents and Settings\Rebecca Jackson\Application Data\log vc aim\settings real itch dent.exeInfected: Trojan.Win32.Swizzor.a1C:\Documents and Settings\Rebecca Jackson\Application Data\log vc aim\THATWAVEMP3.exeInfected: Trojan.Win32.Swizzor.a1C:\Documents and Settings\Rebecca Jackson\My Documents\LimeWire\Saved\cascada perfect day.mp3Infected: Trojan-Downloader.WMA.GetCodec.c1C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP52\A0073038.exeInfected: Trojan.Win32.Swizzor.a1C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP53\A0073375.exeInfected: Trojan.Win32.Swizzor.a1C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP54\A0073401.exeInfected: Trojan.Win32.Swizzor.a1C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0073463.exeInfected: Trojan.Win32.Swizzor.a1C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0073529.exeInfected: Trojan.Win32.Swizzor.a1C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0075486.exeInfected: Trojan.Win32.Swizzor.a1C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0075551.exeInfected: Trojan.Win32.Swizzor.a1C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0075892.exeInfected: Trojan.Win32.Swizzor.a1C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0075945.exeInfected: Trojan.Win32.Swizzor.a1C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0075960.exeInfected: Trojan.Win32.Swizzor.a1C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP56\A0075997.exeInfected: Trojan.Win32.Swizzor.a1C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP60\A0076044.exeInfected: Trojan.Win32.Swizzor.a1C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP60\A0076067.exeInfected: Trojan.Win32.Swizzor.a1C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP61\A0076088.exeInfected: Trojan.Win32.Swizzor.a1C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP61\A0076104.exeInfected: Trojan.Win32.Swizzor.a1C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP61\A0076137.exeInfected: Trojan.Win32.Swizzor.a1C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP61\A0077141.exeInfected: Trojan.Win32.Swizzor.a1C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP61\A0078132.exeInfected: Trojan.Win32.Swizzor.a1C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP61\A0078158.exeInfected: Trojan.Win32.Swizzor.a1The selected area was scanned

aliEnRIK

Open notepad and copy/paste the text in RED below

File::
C:\Documents and Settings\All Users\Application Data\up hold blue delete\roam glue.exe
C:\Documents and Settings\Rebecca Jackson\Application Data\log vc aim\kukkihln.exe
C:\Documents and Settings\Rebecca Jackson\Application Data\log vc aim\settings real itch dent.exe
C:\Documents and Settings\Rebecca Jackson\Application Data\log vc aim\THATWAVEMP3.exe
C:\Documents and Settings\Rebecca Jackson\My Documents\LimeWire\Saved\cascada perfect day.mp3
C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP52\A0073038.exe
C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP53\A0073375.exe
C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP54\A0073401.exe
C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0073463.exe
C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0073529.exe
C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0075486.exe
C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0075551.exe
C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0075892.exe
C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0075945.exe
C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0075960.exe
C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP56\A0075997.exe
C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP60\A0076044.exe
C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP60\A0076067.exe
C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP61\A0076088.exe
C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP61\A0076104.exe
C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP61\A0076137.exe
C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP61\A0077141.exe
C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP61\A0078132.exe
C:\System Volume Information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP61\A0078158.exe


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

aliEnRIK

Looks like a LIMEWIRE file caused one of the problems (As usual)

aliEnRIK

Id suggest updating MALWAREBYTES and running another FULL scan

angus1

Thanks, will get on to all of that now. Don't even know what Limewire is, should I remove it from her list of programs?

angus1

ComboFix 09-05-02.4 - Rebecca Jackson 03/05/2009 13:30.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.195 [GMT -12:00]
Running from: c:\documents and settings\Rebecca Jackson\Desktop\QWERTY.exe
Command switches used :: c:\documents and settings\Rebecca Jackson\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090502-0] *On-access scanning enabled* (Updated)
FILE ::
c:\documents and settings\All Users\Application Data\up hold blue delete\roam glue.exe
c:\documents and settings\Rebecca Jackson\Application Data\log vc aim\kukkihln.exe
c:\documents and settings\Rebecca Jackson\Application Data\log vc aim\settings real itch dent.exe
c:\documents and settings\Rebecca Jackson\Application Data\log vc aim\THATWAVEMP3.exe
c:\documents and settings\Rebecca Jackson\My Documents\LimeWire\Saved\cascada perfect day.mp3
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP52\A0073038.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP53\A0073375.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP54\A0073401.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0073463.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0073529.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0075486.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0075551.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0075892.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0075945.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0075960.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP56\A0075997.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP60\A0076044.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP60\A0076067.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP61\A0076088.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP61\A0076104.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP61\A0076137.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP61\A0077141.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP61\A0078132.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP61\A0078158.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\up hold blue delete\roam glue.exe
c:\documents and settings\Rebecca Jackson\Application Data\log vc aim\kukkihln.exe
c:\documents and settings\Rebecca Jackson\Application Data\log vc aim\settings real itch dent.exe
c:\documents and settings\Rebecca Jackson\Application Data\log vc aim\THATWAVEMP3.exe
c:\documents and settings\Rebecca Jackson\My Documents\LimeWire\Saved\cascada perfect day.mp3
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP52\A0073038.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP53\A0073375.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP54\A0073401.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0073463.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0073529.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0075486.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0075551.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0075892.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0075945.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP55\A0075960.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP56\A0075997.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP60\A0076044.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP60\A0076067.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP61\A0076088.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP61\A0076104.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP61\A0076137.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP61\A0077141.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP61\A0078132.exe
c:\system volume information\_restore{2994FBAF-6749-4A84-A582-F482EDEC7053}\RP61\A0078158.exe
.
((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.
2009-05-03 03:48 . 2009-05-03 03:48

---

d

---

w c:\program files\CCleaner
2009-05-02 22:33 . 2009-05-02 22:33

---

d

---

w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-02 22:33 . 2009-05-02 22:33

---

d

---

w c:\program files\SUPERAntiSpyware
2009-05-02 22:33 . 2009-05-02 22:33

---

d

---

w c:\documents and settings\Rebecca Jackson\Application Data\SUPERAntiSpyware.com
2009-05-02 11:23 . 2009-05-02 11:23

---

d

---

w c:\documents and settings\Rebecca Jackson\Application Data\Red Kawa
2009-05-02 11:14 . 2009-05-02 11:14

---

d

---

w c:\program files\Regensoft
2009-05-02 11:14 . 2009-05-02 11:14

---

d

---

w c:\program files\AviSynth 2.5
2009-05-02 11:14 . 2009-05-02 11:14

---

d

---

w c:\program files\Red Kawa
2009-05-02 05:10 . 2009-05-02 05:10

---

d

---

w c:\program files\Trend Micro
2009-05-01 06:36 . 2009-05-01 06:36

---

d

---

w c:\program files\Alwil Software
2009-05-01 02:54 . 2009-05-01 02:54

---

d

---

w c:\documents and settings\Rebecca Jackson\Application Data\Malwarebytes
2009-05-01 02:54 . 2009-04-07 03:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-01 02:54 . 2009-04-07 03:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-01 02:53 . 2009-05-01 02:53

---

d

---

w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-01 02:53 . 2009-05-01 02:54

---

d

---

w c:\program files\Malwarebytes' Anti-Malware
2009-04-30 22:23 . 2009-04-30 22:23

---

d

---

w c:\windows\McAfee.com
2009-04-30 10:14 . 2008-04-11 19:04 691712 -c----w c:\windows\system32\dllcache\inetcomm.dll
2009-04-30 05:03 . 2008-10-15 16:34 337408 -c----w c:\windows\system32\dllcache\netapi32.dll
2009-04-30 03:59 . 2009-04-30 03:59

---

d

---

w c:\program files\Common Files\Uninstall
2009-04-30 03:58 . 2009-05-01 05:13

---

d

---

w c:\program files\PAV
2009-04-28 23:24 . 2009-04-28 23:24

---

d

---

w c:\program files\log vc aim
2009-04-16 01:05 . 2008-05-03 11:55 2560

---

w c:\windows\system32\xpsp4res.dll
2009-04-16 01:05 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-07 05:52 . 2009-04-16 10:52

---

d

---

w c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-04-07 05:48 . 2009-05-02 03:17

---

d

---

w c:\program files\Circl Developement
2009-04-07 05:48 . 2009-04-07 05:48

---

d

---

w c:\program files\Windows Live
2009-04-07 05:48 . 2009-04-07 05:51

---

d

---

w c:\program files\Messenger Plus! Live
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 01:29 . 2006-09-06 03:59 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-04 01:13 . 2009-04-30 10:08 330 ---ha-w c:\windows\Tasks\MP Scheduled Scan.job
2009-05-02 22:32 . 2008-07-08 23:33

---

d

---

w c:\program files\Common Files\Wise Installation Wizard
2009-05-02 04:08 . 2006-09-07 02:01

---

d

---

w c:\program files\MSN Messenger
2009-04-30 06:06 . 2006-09-06 23:09

---

d--h--w c:\program files\InstallShield Installation Information
2009-04-30 04:47 . 2006-09-06 03:55 76487 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-28 23:19 . 2008-02-24 06:32 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-03-13 07:26 . 2009-03-13 07:26

---

d

---

w c:\program files\Microsoft Silverlight
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 00:06 . 2009-03-06 00:06

---

d

---

w c:\program files\Safari
2009-03-06 00:01 . 2007-08-20 15:57

---

d

---

w c:\program files\iTunes
2009-03-06 00:00 . 2009-03-06 00:00

---

d

---

w c:\program files\iPod
2009-03-05 23:50 . 2009-03-05 23:49

---

d

---

w c:\program files\QuickTime
2009-03-05 23:48 . 2007-08-20 15:55

---

d

---

w c:\program files\Common Files\Apple
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 07:02 . 2004-08-03 22:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-04 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-05 07:22 . 2006-12-25 19:50 27640 ----a-w c:\documents and settings\Rebecca Jackson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-05 07:11 . 2006-09-06 03:42 67 --sha-w c:\windows\Fonts\desktop.ini
2009-02-05 07:08 . 2006-09-06 03:54 23444 ----a-w c:\windows\system32\emptyregdb.dat
2009-02-05 06:24 . 2009-02-05 06:25 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2006-09-07 02:05 . 2006-09-07 02:05 8 --sha-r c:\windows\system32\F084E71B5F.sys
2006-12-22 09:44 . 2006-09-07 02:05 5538 --sha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( [EMAIL="SnapShot@2009-05-03_01.33.43"]SnapShot@2009-05-03_01.33.43[/EMAIL] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-04 01:11 . 2009-05-04 01:11 16384 c:\windows\Temp\Perflib_Perfdata_910.dat
+ 2009-05-04 01:10 . 2009-05-04 01:10 16384 c:\windows\Temp\Perflib_Perfdata_520.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickFinder Scheduler"="c:\program files\WordPerfect Office X3\Programs\QFSCHD130.EXE" [2006-07-05 77892]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-05 136600]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
"HostManager"="c:\program files\Common Files\AOL\1184763857\ee\AOLSoftware.exe" [2006-11-17 50736]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-06-26 497200]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2006-06-26 614960]
"LVCOMSX"="c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 243248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-07 290088]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-18 16207872]