Member Avatar for azjanet

Hello everyone,

I've been getting a Help Assistant folder on my computer in Documents & Settings. It copies all of my files. I have been deleting it every day for the past couple of weeks since my anti-virus provider cannot solve this problem (so far).

This folder first appeared on January 23, but I did not notice it until April. On Startup, a boot screen shows up, but Windows then loads by itself. This is part of the Help Assistant problem. It has even uninstalled my firewall and I had to reinstall it. It copies my files and then makes copies of the copies, but changes the first two letters of the file name to "~$".

Any ideas? Thanks.

  • 3 Contributors
  • 21 Replies
  • 181 Views
  • 2 Weeks Discussion Span
  • Latest Post Latest Post by jholland1964
Member Avatar for azjanet

Please follow the steps in the linky below and post the requested scanlogs.
We'll have a look and go from there.

http://www.daniweb.com/forums/thread134865.html

Cheers :)
PP

Thank you for your time and attention. I appreciate your help. :)

I first noticed this Help Assistant Folder on my computer on April 13, but it has been there since January 10. I used ComboFix per my StopSign Antivirus provider’s instructions, but the folder remained.

I sent the following web address to StopSign because it explained my problem much better than I can:
http://social.answers.microsoft.com/Forums/en-US/xpsecurity/thread/41c1d91e-a661-4209-9641-7e352822fecb

Next, I sent StopSign the following on April 24:

“More problems with Help Assistant that I have noticed. It keeps disabling StopSign Real Time Scanning and it either disables or uninstalls the StopSign firewall upon boot.

Besides duplicating my files, it also makes new files of my old ones, but changes the names slightly by replacing the first two letters of the file with these two signs: ~$ and I am unable to read the contents of these new files. It also changes the “date modified” so that the date modified is earlier than the “date created!”

Finally, because of all of these problems, I deleted the whole Help Assistant folder, but each time I boot my computer, it reappears after a short time so I delete it again, but it is not simple to delete. I have to delete individual folders within Help Assistant and then delete the main folder in Documents and Settings. Then, I can work normally on my computer until the next boot at which time I must start all over again deleting the now newly created Help Assistant folder.

Also, it did not let me delete some of my personal folders that I have on my desktop until after I deleted the Help Assistant folder. When trying to delete the desktop folders, I would get a message that stated that I could not delete it because the file was being used by another person, etc. So, I had to quickly delete the Help Assistant folder at Startup so that I could delete its contents and then the folder itself.”

On April 27, I disabled all Remote Access in Services except for Remote Procedure Call (RPC) and since then, the Help Assistant folder has not reappeared, but the boot screen still pops up before it loads Windows. This boot screen did not appear before January 10.

On April 29, StopSign informed me that it was a Windows configuration problem rather than an infection. I replied that I never had any of these problems nor the Help Assistant folder before January 10, so what or who started Help Assistant on my computer? This is when I decided to contact your forum for help.

On May 1, StopSign contacted me again and requested that I do another ComboFix which I did and now I am waiting to hear back from StopSign. I am attaching the May 1 ComboFix log.txt to this post also in case it found part or most of the problem.

I had no problems at all with any of the scanning steps that you asked me to do.

Thank you!


DDS.txt:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Janet at 16:34:56.15 on 05/02/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.147 [GMT -7:00]

AV: StopSign Antivirus *On-access scanning enabled* (Updated) {3E1D4556-3240-40c8-BBED-64A8690A3FB4}
FW: StopSign Firewall *enabled* {06936B90-CB61-4dcb-AABD-C0E25320F6C3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\StopSign\OnAccess\onaccess.exe
C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
C:\Program Files\eAcceleration\Station\station_bk.exe
C:\Program Files\StopSign\Firewall\FWService.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Janet\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://idm.east.cox.net/coxlogin/ui/internettools?TYPE=33554432&REALMOID=06-b6c69bf3-75c3-1017-a6a3-84a733520cb3&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-a6gsmx1Vq9NIYcRcbL7P%2fDCE8%2bkzVnKzxsULW0ckVZpBzTswo5n0BmH436d6SiVV&TARGET=-SM-http%3a%2f%2fmyaccount%2ecox%2enet%2finternettools%2fhome%2ecox
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Swag Bucks Toolbar: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - c:\program files\swag_bucks\tbSwag.dll
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Swag Bucks Toolbar: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - c:\program files\swag_bucks\tbSwag.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Swag Bucks Toolbar: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - c:\program files\swag_bucks\tbSwag.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
uRun: [OpenDNS Updater] "c:\program files\opendns updater\OpenDNSUpdater.exe" /autostart
mRun: [webscan] "c:\program files\acceleration software\anti-virus\stopsignav.exe" -k
mRun: [SoftwareStation] "c:\program files\eacceleration\station\station.exe" /b Startup
mRun: [OnAccess] "c:\program files\stopsign\onaccess\onaccess.exe" -erk
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRunOnce: [WDM_MIDISYNTH0] rundll32.exe streamci.dll,StreamingDeviceSetup {B0C2EBA2-1099-4e80-A7F1-984910EB435E},MidiSyn,{2EB07EA0-7E70-11D0-A5D6-28DB04C10000},d:\software\drivers\audio\analog_devices__soundmax__cadenza_\5.12.01.3630_sm4_sf\sm_synth\sys\MidiSyn.inf,MIDI_SYNTH.Interface.Install
mRunOnce: [WDM_MIDISYNTH1] rundll32.exe streamci.dll,StreamingDeviceSetup {B0C2EBA2-1099-4e80-A7F1-984910EB435E},MidiSyn,{DFF220F3-F70F-11D0-B917-00A0C9223196},d:\software\drivers\audio\analog_devices__soundmax__cadenza_\5.12.01.3630_sm4_sf\sm_synth\sys\MidiSyn.inf,MIDI_SYNTH.Interface.Install
mRunOnce: [WDM_MIDISYNTH2] rundll32.exe streamci.dll,StreamingDeviceSetup {B0C2EBA2-1099-4e80-A7F1-984910EB435E},MidiSyn,{6994AD04-93EF-11D0-A3CC-00A0C9223196},d:\software\drivers\audio\analog_devices__soundmax__cadenza_\5.12.01.3630_sm4_sf\sm_synth\sys\MidiSyn.inf,MIDI_SYNTH.Interface.Install
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137981281312
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} - hxxp://www.imgag.com/cp/install/AxCtp2.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {88CC5220-829C-4D14-8723-9C5CC8A54805} = 208.67.222.222,208.67.220.220
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: ExecuteMonitorShellHook Class: {42dd0873-5fa9-465d-90de-0826020416a5} - c:\program files\stopsign\onaccess\onaccess_hk32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\janet\applic~1\mozilla\firefox\profiles\ehdp24rb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - swagbucks.com
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?&.src=ym
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&q=
FF - component: c:\documents and settings\janet\application data\mozilla\firefox\profiles\ehdp24rb.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\janet\application data\mozilla\firefox\profiles\ehdp24rb.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdbplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 fwcore;Fwcore Filter;c:\windows\system32\drivers\fwcore.sys [2010-2-9 109664]
R2 eac_notifysvc;eAcceleration Notification Service;c:\progra~1\eaccel~1\framew~1\eac_svc.exe [2010-1-23 113920]
R2 eac_productsvc;eAcceleration Product Manager Service;c:\progra~1\eaccel~1\framew~1\eac_productsvc.exe [2010-1-23 263504]
R2 FWService;FWService;c:\program files\stopsign\firewall\fwservice.exe -service --> c:\program files\stopsign\firewall\FWService.exe -Service [?]
R2 ssfwmonsvc;StopSign Firewall Security Center Provider;c:\progra~1\eaccel~1\framew~1\eac_svc.exe [2010-1-23 113920]
R2 sstsmonsvc;StopSign Antivirus Security Center Provider;c:\progra~1\eaccel~1\framew~1\eac_svc.exe [2010-1-23 113920]
R3 EPPSCSIx;EPPSCSI Driver;c:\windows\system32\drivers\eppscan.sys [2005-11-1 105124]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

=============== Created Last 30 ================

2010-05-02 22:34:58 0 d-----w- c:\docume~1\janet\applic~1\Malwarebytes
2010-05-02 22:34:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-02 22:34:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-02 22:34:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-02 22:34:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-01 16:02:09 3924810 ----a-r- C:\cure.com
2010-04-20 15:30:07 0 d-----w- c:\program files\common files\xing shared
2010-04-13 23:48:44 0 d-sha-r- C:\cmdcons
2010-04-13 23:47:25 98816 ----a-w- c:\windows\sed.exe
2010-04-13 23:47:25 77312 ----a-w- c:\windows\MBR.exe
2010-04-13 23:47:25 256512 ----a-w- c:\windows\PEV.exe
2010-04-13 23:47:25 161792 ----a-w- c:\windows\SWREG.exe
2010-04-13 23:09:26 0 d-----w- c:\docume~1\alluse~1\applic~1\FileCure
2010-04-10 00:02:15 0 d-----w- c:\windows\system32\NtmsData
2010-04-03 16:20:07 0 d-----w- c:\program files\Conduit
2010-04-03 16:20:06 0 d-----w- c:\program files\Swag_Bucks

==================== Find3M ====================

2010-04-03 18:09:04 2000000 ----atw- c:\windows\system32\HJSMEM.DAT
2010-03-15 17:30:06 109664 ----a-w- c:\windows\system32\drivers\fwcore.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ------w- c:\windows\system32\wininet.dll
2010-02-17 16:10:28 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2007-02-21 19:14:58 774144 ----a-w- c:\program files\RngInterstitial.dll
2004-12-13 15:09:20 3278 ----a-w- c:\program files\EULA.rtf
2004-12-13 10:34:12 415 ----a-w- c:\program files\readme.txt
2004-09-10 20:40:38 75264 ----a-w- c:\program files\DECCHECK.exe
2004-09-10 20:40:38 5970 ----a-w- c:\program files\eula.txt
1999-10-31 05:54:32 561152 ----a-w- c:\program files\convert.exe
2009-10-14 00:47:21 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 16:35:53.48 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/19/2005 4:18:08 PM
System Uptime: 05/02/2010 4:28:22 PM (0 hours ago)

Motherboard: Intel Corporation               |  | D865PERL                       
Processor:                 Intel(R) Celeron(R) CPU 2.80GHz | J2E1 | 2793/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 54.799 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
G: is Removable

==== Disabled Device Manager Items =============

Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: 
Device ID: ROOT\IMAGE\0000
Manufacturer: 
Name: 
PNP Device ID: ROOT\IMAGE\0000
Service: 

==== System Restore Points ===================

RP517: 02/08/2010 11:44:32 AM - System Checkpoint
RP518: 02/09/2010 1:15:03 PM - System Checkpoint
RP519: 02/10/2010 9:59:46 AM - Software Distribution Service 3.0
RP520: 02/24/2010 9:53:33 AM - Software Distribution Service 3.0
RP521: 03/03/2010 5:44:53 PM - System Checkpoint
RP522: 03/08/2010 7:06:58 PM - System Checkpoint
RP523: 03/10/2010 11:45:41 PM - Software Distribution Service 3.0
RP524: 03/23/2010 9:19:53 PM - System Checkpoint
RP525: 03/26/2010 9:04:59 AM - System Checkpoint
RP526: 03/27/2010 6:11:31 PM - System Checkpoint
RP527: 03/29/2010 3:51:58 PM - System Checkpoint
RP528: 03/31/2010 1:00:26 PM - Software Distribution Service 3.0
RP529: 04/08/2010 4:33:11 PM - System Checkpoint
RP530: 04/13/2010 1:00:21 PM - Software Distribution Service 3.0
RP531: 04/13/2010 5:45:15 PM - Software Distribution Service 3.0
RP532: 04/15/2010 1:50:47 PM - System Checkpoint
RP533: 04/17/2010 7:09:50 PM - System Checkpoint
RP534: 04/20/2010 10:28:00 AM - System Checkpoint
RP535: 04/26/2010 9:23:18 AM - Removed SonicStage
RP536: 04/28/2010 2:30:19 PM - System Checkpoint
RP537: 04/29/2010 6:03:37 PM - System Checkpoint
RP538: 05/02/2010 2:48:27 AM - System Checkpoint

==== Installed Programs ======================

ABBYY FineReader 4.0 Sprint
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.3
Apple Software Update
Audacity 1.2.6
BufferChm
Calendar Magic V17.0
Canon PhotoRecord
Canon Utilities Easy-PhotoPrint
Compatibility Pack for the 2007 Office system
Convert
Copier 2.0
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
CustomerResearchQFolder
D1300
D1300_Help
DeviceManagementQFolder
DVD Decrypter (Remove Only)
e-Sword
Easy-WebPrint
eBook SWITCHWORDS
Eraser 5.8.7
eSupportQFolder
FL 2001 Registration
Galaxy of MahJongg
Google Toolbar for Internet Explorer
Google Update Helper
Hallmark Card Studio Special Edition
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0 Software
HP Photosmart Essential
HP Smart Web Printing
HP Solution Center 7.0
HP Update
hph_ProductContext
hph_readme
hph_software
hph_software_req
HPPhotoSmartExpress
HPProductAssistant
Intel(R) PRO Network Adapters and Drivers
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
Lernout & Hauspie TruVoice American English TTS Engine
Locked Programs
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
MarketResearch
MDB Browser and Editor
Memorex exPressit Label Design Studio
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office FrontPage 2003
Microsoft Office PowerPoint Viewer 2003
Microsoft Publisher 97
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Web Publishing Wizard 1.52
Microsoft Windows XP Video Decoder Checkup Utility
Microsoft Word 2002
Microsoft Works 6-9 Converter
MiraScan V3.42
Moffsoft FreeCalc
Mozilla Firefox (3.5.9)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
My Bug Free PC v1.0
Nero 7 Essentials
NetBeans IDE 4.1
NTI Backup NOW! 4
NTI CD-Maker
NTI DriveBackup! 4
NVIDIA Drivers
NVIDIA Windows 95/98/ME/2000/XP Stereo Drivers
OpenDNS Updater 2.2
OpenMG Limited Patch 4.4-06-13-19-01
OpenMG Secure Module 4.4.00
OverDrive Media Console
PDF reDirect (remove only)
Photo To Sketch 3.51
PhotoFiltre
PrintFolder 1.2
PrintMaster Platinum 8.0
Quicken Family Lawyer 2001
QuickTime
RealArcade
RealPlayer
RealUpgrade 1.0
RegCure
Rhapsody Player Engine
ScanButton 2.0
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB9738
ComboFix 10-04-30.03 - Janet 05/01/2010   9:15.2.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.511.301 [GMT -7:00]
Running from: C:\cure.com
AV: StopSign Antivirus *On-access scanning disabled* (Updated) {3E1D4556-3240-40c8-BBED-64A8690A3FB4}
FW: StopSign Firewall *enabled* {06936B90-CB61-4dcb-AABD-C0E25320F6C3}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\WindowsUpdate

.
original MBR restored successfully !
.
(((((((((((((((((((((((((   Files Created from 2010-04-01 to 2010-05-01  )))))))))))))))))))))))))))))))
.

2010-05-01 16:02 . 2010-05-01 16:02	3924810	----a-r-	C:\cure.com
2010-04-20 15:32 . 2010-04-20 15:32	--------	d-----w-	c:\documents and settings\Janet\Local Settings\Application Data\Real
2010-04-20 15:31 . 2010-04-20 15:31	49152	----a-w-	c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-04-20 15:31 . 2010-04-20 15:31	45056	----a-w-	c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-04-20 15:31 . 2010-04-20 15:31	45056	----a-w-	c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-04-20 15:31 . 2010-04-20 15:31	45056	----a-w-	c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-04-20 15:31 . 2010-04-20 15:31	45056	----a-w-	c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-04-20 15:31 . 2010-04-20 15:31	40960	----a-w-	c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-04-20 15:31 . 2010-04-20 15:31	308808	----a-w-	c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-04-20 15:31 . 2010-04-20 15:31	14848	----a-w-	c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-04-20 15:31 . 2010-04-20 15:31	341600	----a-w-	c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-04-20 15:30 . 2010-04-20 15:30	--------	d-----w-	c:\program files\Common Files\xing shared
2010-04-13 23:09 . 2010-04-13 23:09	--------	d-----w-	c:\documents and settings\All Users\Application Data\FileCure
2010-04-10 00:02 . 2010-04-10 00:06	--------	d-----w-	c:\windows\system32\NtmsData
2010-04-03 17:38 . 2010-04-26 15:45	--------	d-----w-	c:\documents and settings\Janet\Local Settings\Application Data\Thunderbird
2010-04-03 17:38 . 2010-04-03 17:38	--------	d-----w-	c:\documents and settings\Janet\Application Data\Thunderbird
2010-04-03 17:37 . 2010-04-26 15:45	--------	d-----w-	c:\program files\Mozilla Thunderbird
2010-04-03 16:20 . 2010-04-03 16:20	--------	d-----w-	c:\documents and settings\Janet\Local Settings\Application Data\Conduit
2010-04-03 16:20 . 2010-04-03 16:20	--------	d-----w-	c:\program files\Conduit
2010-04-03 16:20 . 2010-04-03 16:20	--------	d-----w-	c:\documents and settings\Janet\Local Settings\Application Data\Swag_Bucks
2010-04-03 16:20 . 2010-04-03 16:20	--------	d-----w-	c:\program files\Swag_Bucks
2010-04-02 23:58 . 2010-01-22 00:14	52224	----a-w-	c:\documents and settings\Janet\Application Data\Mozilla\Firefox\Profiles\ehdp24rb.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
2010-04-02 23:58 . 2010-01-22 00:14	101376	----a-w-	c:\documents and settings\Janet\Application Data\Mozilla\Firefox\Profiles\ehdp24rb.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll
2010-04-02 17:29 . 2010-04-02 21:17	--------	d-----w-	c:\documents and settings\All Users\Application Data\RegCure
2010-04-02 17:29 . 2010-04-02 19:25	--------	d-----w-	c:\program files\RegCure

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-20 15:31 . 2006-01-24 19:00	--------	d-----w-	c:\program files\Common Files\Real
2010-04-20 15:30 . 2006-01-24 19:00	--------	d-----w-	c:\program files\Real
2010-04-03 18:10 . 2005-10-19 23:05	--------	d-----w-	c:\program files\Freedom Scientific
2010-04-03 18:10 . 2005-10-19 21:15	--------	d--h--w-	c:\program files\InstallShield Installation Information
2010-04-03 18:09 . 2005-10-19 23:09	2000000	----atw-	c:\windows\system32\HJSMEM.DAT
2010-03-27 18:25 . 2006-11-24 21:28	--------	d-----w-	c:\documents and settings\Janet\Application Data\Image Zone Express
2010-03-15 17:30 . 2010-02-09 21:37	109664	----a-w-	c:\windows\system32\drivers\fwcore.sys
2010-03-10 06:15 . 2004-08-04 12:00	420352	----a-w-	c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 12:00	916480	------w-	c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 12:00	455680	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 16:10 . 2004-08-04 12:00	2189952	------w-	c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59	2066816	------w-	c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 12:00	100864	----a-w-	c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00	226880	----a-w-	c:\windows\system32\drivers\tcpip6.sys
2007-02-21 19:14 . 2007-02-21 19:15	774144	----a-w-	c:\program files\RngInterstitial.dll
2004-12-13 15:09 . 2004-12-13 15:09	3278	----a-w-	c:\program files\EULA.rtf
2004-12-13 10:34 . 2004-12-13 10:34	415	----a-w-	c:\program files\readme.txt
2004-09-10 20:40 . 2004-09-10 20:40	75264	----a-w-	c:\program files\DECCHECK.exe
2004-09-10 20:40 . 2004-09-10 20:40	5970	----a-w-	c:\program files\eula.txt
1999-10-31 05:54 . 1999-10-31 05:54	561152	----a-w-	c:\program files\convert.exe
2009-05-21 03:36 . 2009-05-21 03:36	28488	----a-w-	c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-11-10 23:04 . 2009-05-21 03:36	185240	----a-w-	c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-05-21 03:37 . 2009-05-21 03:37	99216	----a-w-	c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files\Swag_Bucks\tbSwag.dll" [2010-03-17 2355224]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]
2010-03-17 22:45	2355224	----a-w-	c:\program files\Swag_Bucks\tbSwag.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files\Swag_Bucks\tbSwag.dll" [2010-03-17 2355224]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94}"= "c:\program files\Swag_Bucks\tbSwag.dll" [2010-03-17 2355224]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OpenDNS Updater"="c:\program files\OpenDNS Updater\OpenDNSUpdater.exe" [2009-11-16 839168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"webscan"="c:\program files\Acceleration Software\Anti-Virus\stopsignav.exe" [2010-03-30 1389920]
"SoftwareStation"="c:\program files\eAcceleration\Station\station.exe" [2010-01-07 177488]
"OnAccess"="c:\program files\StopSign\OnAccess\onaccess.exe" [2009-07-22 255328]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-09-30 4603904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WDM_MIDISYNTH0"="streamci.dll" [2004-08-04 8192]
"WDM_MIDISYNTH1"="streamci.dll" [2004-08-04 8192]
"WDM_MIDISYNTH2"="streamci.dll" [2004-08-04 8192]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{42DD0873-5FA9-465D-90DE-0826020416A5}"= "c:\program files\StopSign\OnAccess\onaccess_hk32.dll" [2009-07-22 165216]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Calendar Magic.lnk]
backup=c:\windows\pss\Calendar Magic.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
backup=c:\windows\pss\Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ScanButton 2.0.lnk]
backup=c:\windows\pss\ScanButton 2.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sonic CinePlayer Quick Launch.lnk]
backup=c:\windows\pss\Sonic CinePlayer Quick Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 3.0 SE Calendar Checker.lnk]
backup=c:\windows\pss\Ulead Photo Express 3.0 SE Calendar Checker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Janet^Start Menu^Programs^Startup^SonicOffice 1.0.lnk]
backup=c:\windows\pss\SonicOffice 1.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Janet^Start Menu^Programs^Startup^Workrave.lnk]
backup=c:\windows\pss\Workrave.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
???????? [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
???????? [?]

[HKEY_LOCAL_MACHINE\softwa
DDS (Ver_10-03-17.01) - NTFSx86  
Run by Janet at 16:34:56.15 on 05/02/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.511.147 [GMT -7:00]

AV: StopSign Antivirus *On-access scanning enabled* (Updated)   {3E1D4556-3240-40c8-BBED-64A8690A3FB4}
FW: StopSign Firewall *enabled*   {06936B90-CB61-4dcb-AABD-C0E25320F6C3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\StopSign\OnAccess\onaccess.exe
C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
C:\Program Files\eAcceleration\Station\station_bk.exe
C:\Program Files\StopSign\Firewall\FWService.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Janet\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://idm.east.cox.net/coxlogin/ui/internettools?TYPE=33554432&REALMOID=06-b6c69bf3-75c3-1017-a6a3-84a733520cb3&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-a6gsmx1Vq9NIYcRcbL7P%2fDCE8%2bkzVnKzxsULW0ckVZpBzTswo5n0BmH436d6SiVV&TARGET=-SM-http%3a%2f%2fmyaccount%2ecox%2enet%2finternettools%2fhome%2ecox
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Swag Bucks Toolbar: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - c:\program files\swag_bucks\tbSwag.dll
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Swag Bucks Toolbar: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - c:\program files\swag_bucks\tbSwag.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Swag Bucks Toolbar: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - c:\program files\swag_bucks\tbSwag.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
uRun: [OpenDNS Updater] "c:\program files\opendns updater\OpenDNSUpdater.exe" /autostart
mRun: [webscan] "c:\program files\acceleration software\anti-virus\stopsignav.exe" -k
mRun: [SoftwareStation] "c:\program files\eacceleration\station\station.exe" /b Startup
mRun: [OnAccess] "c:\program files\stopsign\onaccess\onaccess.exe" -erk
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRunOnce: [WDM_MIDISYNTH0] rundll32.exe streamci.dll,StreamingDeviceSetup {B0C2EBA2-1099-4e80-A7F1-984910EB435E},MidiSyn,{2EB07EA0-7E70-11D0-A5D6-28DB04C10000},d:\software\drivers\audio\analog_devices__soundmax__cadenza_\5.12.01.3630_sm4_sf\sm_synth\sys\MidiSyn.inf,MIDI_SYNTH.Interface.Install
mRunOnce: [WDM_MIDISYNTH1] rundll32.exe streamci.dll,StreamingDeviceSetup {B0C2EBA2-1099-4e80-A7F1-984910EB435E},MidiSyn,{DFF220F3-F70F-11D0-B917-00A0C9223196},d:\software\drivers\audio\analog_devices__soundmax__cadenza_\5.12.01.3630_sm4_sf\sm_synth\sys\MidiSyn.inf,MIDI_SYNTH.Interface.Install
mRunOnce: [WDM_MIDISYNTH2] rundll32.exe streamci.dll,StreamingDeviceSetup {B0C2EBA2-1099-4e80-A7F1-984910EB435E},MidiSyn,{6994AD04-93EF-11D0-A3CC-00A0C9223196},d:\software\drivers\audio\analog_devices__soundmax__cadenza_\5.12.01.3630_sm4_sf\sm_synth\sys\MidiSyn.inf,MIDI_SYNTH.Interface.Install
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137981281312
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} - hxxp://www.imgag.com/cp/install/AxCtp2.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {88CC5220-829C-4D14-8723-9C5CC8A54805} = 208.67.222.222,208.67.220.220
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: ExecuteMonitorShellHook Class: {42dd0873-5fa9-465d-90de-0826020416a5} - c:\program files\stopsign\onaccess\onaccess_hk32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\janet\applic~1\mozilla\firefox\profiles\ehdp24rb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - swagbucks.com
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?&.src=ym
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&q=
FF - component: c:\documents and settings\janet\application data\mozilla\firefox\profiles\ehdp24rb.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\janet\application data\mozilla\firefox\profiles\ehdp24rb.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdbplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 fwcore;Fwcore Filter;c:\windows\system32\drivers\fwcore.sys [2010-2-9 109664]
R2 eac_notifysvc;eAcceleration Notification Service;c:\progra~1\eaccel~1\framew~1\eac_svc.
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-02 13:17:33
Windows 5.1.2600 Service Pack 3
Running: yuyqwoml.exe; Driver: C:\DOCUME~1\Janet\LOCALS~1\Temp\pfgyipow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Tcpip \Device\Ip     fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
AttachedDevice  \Driver\Tcpip \Device\Tcp    fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
AttachedDevice  \Driver\Tcpip \Device\Udp    fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
AttachedDevice  \Driver\Tcpip \Device\RawIp  fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)

---- EOF - GMER 1.0.15 ----
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-02 15:29:31
Windows 5.1.2600 Service Pack 3
Running: yuyqwoml.exe; Driver: C:\DOCUME~1\Janet\LOCALS~1\Temp\pfgyipow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Tcpip \Device\Ip     fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
AttachedDevice  \Driver\Tcpip \Device\Tcp    fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
AttachedDevice  \Driver\Tcpip \Device\Udp    fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
AttachedDevice  \Driver\Tcpip \Device\RawIp  fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)

---- EOF - GMER 1.0.15 ----
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4060

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

05/02/2010 4:23:55 PM
mbam-log-2010-05-02 (16-23-55).txt

Scan type: Full scan (C:\|)
Objects scanned: 213422
Time elapsed: 40 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cbxyl6e.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
Member Avatar for PhilliePhan

I sent the following web address to StopSign because it explained my problem much better than I can:
http://social.answers.microsoft.com/Forums/en-US/xpsecurity/thread/41c1d91e-a661-4209-9641-7e352822fecb

Right - this is a well known issue. That link illuminates it well.

On May 1, StopSign contacted me again and requested that I do another ComboFix which I did and now I am waiting to hear back from StopSign. I am attaching the May 1 ComboFix log.txt to this post also in case it found part or most of the problem.

A few things ( and please bear in mind that this is solely my opinion ):
I am not particularly enamored with StopSign. You can do a lot better. Especially if you are going to spend money on protection (though there are free options that perform better than StopSign...).

Since you are dealing with them, it would be counterproductive for me to jump into the middle of the mess - too confusing.

-- It looks as though combofix has addressed the MBR issue. Likewise, the GMER scans are clean - I don't see anything there.
We'll see what the fresh run of combofix does (BTW - combofix should be run from Desktop), but I'd like to hold off while StopSign is advising you.

-- You have a number of security risks showing. Risky programs and legit items that need updating (Adobe Reader / Java / etc...).
Again, I'll wait until StopSign has spoken before jumping in.

Cheers :)
PP

Member Avatar for azjanet

Hi PP,

I finished StopSign's new "fix" today, but Real Time scanning still becomes disabled while I use it. I've uninstalled it and re-installed it per their instructions, but the problem still remains after the "fix."

I now have a separate limited acct. that I surf the net with that supposedly will not give anyone access to my system files (per StopSign's advice). Your comment, please?

I disabled all remote access services except for Remote Procedure Call (RPC) (a couple of weeks ago) while I was waiting for help from StopSign. I need RPC enabled in order to get Windows updates, etc.?

StopSign does not recommend RegCure or My Bugfree PC or any other registry cleaners. Your comment, please?

Security risks showing? Update legit programs? I'd like to learn what to do next, but not from StopSign if possible. StopSign is solely my husband's idea although I did get this Trojan or whatever it is while I was using McAfee.

Help would definitely be appreciated. :) Thank you!

Edited by azjanet because: n/a
Member Avatar for jholland1964

My Bugfree PC by eSunsoft Technologies is likely a very dangerous program. Even their home website gets a google warning that the website may be dangerous to your computer. Certainly wouldn't trust ANY software whose home website is considered dangerous, in fact I am totally blocked from even checking out the site by my security software, and the WOT rating for the site is a "1". The absolute lowest possible out of 100. I have never seen one with that low a rating, so NO on that. If you do have it installed on your computer uninstall it IMMEDIATELY.
RegCure? It's home website ALSO ranks way at the bottom by WOT and others. It is known for Phishing, Scam software, Rogue software, Bad Customer Experience. So you choose.If you want to cause more damage to your computer then use one of these automated cleaners.

No automated registry cleaner ever gives solid proof that their programs work. Millions of people every day all over the world use their computers without ever having one of these useless programs on their computers and the computers move along just fine.

Member Avatar for azjanet

YIKES! I have uninstalled both Registry cleaner programs.

I set up other identities (non-admin. user accts.) to surf online per StopSign's advice, but they kept freezing up my computer so I deleted them. I tried several times, but each time the new identity would freeze up my computer.

Do you use your own admin. acct. to surf online? If so, how do you protect your computer?

Please, I'd like your advice if you have time, on how to clean my computer of all present malware since StopSign's advice has not solved all the problems. I have dealt with them for over a month, but I am still having problems. Their Real Time virus scanning component keeps disabling even while I am using it.

Thank you!

Member Avatar for jholland1964

Quite honestly here I am somewhat confused. Have none of your difficulties been corrected?
I would like to see the second Combofix log that you say you sent to StopSign or whoever it was who asked you to do another run with it. I am not clear as to WHY they requested a second log. This really isn't the usual way to use combofix, unless they had given you a script to run using combofix, was this the case?
Didn't they give you any specific instructions on the running of combofix? As PP stated it should be run from the desktop, you show it running from something called C:\cure.com. What is this? Your firewall was also enabled during the run. The accepted and normally used instructions for the running of combofix state that it must be run from the desktop and ALL security programs, including anti-virus and firewalls must be disabled. So it wasn't run correctly to begin with. I think it did it's work as PP stated but we have not seen this second log or given a reason WHY it was run again.

I would like to see a HiJackThis system scan log if you don't mind. Here is the link for HiJackThis Version 2.0.4 that is the one you need to use.http://free.antivirus.com/hijackthis/
Please run that scan, save the log and post back here with it and also please answer my questions.

Member Avatar for PhilliePhan

Hi Judy,

Thanks for jumping in :) - I've been a bit preoccupied with work lately.

-- I did not see any evidence of the MBR infection in previous scanlogs. Did not want to get in the way of the Stop Sign people ( and vice versa ).

If Janet is still having trouble with this baddie, there are a couple relatively painless avenues we can follow to try to remove it once and for all.

I, too, would like to see the latest logs.

PP:)

Member Avatar for azjanet

Hello everyone,

After I disabled all Remote Access except for Remote Procedure Call (RPC), the Help Assistant (HA) file and folder finally did not reappear again when I deleted them again (for the umpteenth time).

Do I need RPC in order for my computer to access the internet and to receive Windows updates, etc.?

Something is still not quite right since StopSign's Real Time virus scanner keeps disabling while I am using it.

C:\Cure.com is part of StopSign's custom cure procedure and apparently includes ComboFix.

I'd like to generate new logs to send to you to analyze with both the firewall and virus protection disabled so I will follow the procedure outlined on this website and send you the new logs.

Thanks! :)

Until later...

Member Avatar for azjanet

FYI: This was the last communication that I received from StopSign and I did as instructed with their Custom Cure.

** If you have not done so recently, I would highly recommend backing
up any important data such as pictures, music, documents etc. before
proceeding. **

1. Click the link below.
RUN THIS FILE ONLY AFTER YOU HAVE BACKED UP YOUR DATA!

http://www2.gmer.net/mbr/mbr.exe

2. Choose to SAVE or SAVE AS and choose to save it to
LOCAL DISK C:\

3. Click START>RUN and in the run box type "CMD"

A black window will open.

4. In that windows, type "CD\"

5. Now type "mbr.exe -f" and follow the prompts.

Proceed to the custom cure directions below.


*************************************************************

Your System Snapshot has been analyzed and we have created a
CUSTOM CURE (TM) to correct the problems you are experiencing.
**There are four sections in this cleaning process, please follow
all steps below to ensure your system is fully clean.

------------------------------------------------------------
Note: Text in UPPERCASE or "phrases in quotes" indicate text
you will see on your computer screen.

Please print these instructions before beginning so you have
a reference during the cleaning process.
------------------------------------------------------------

SECTION 1 - DOWNLOADING THE CUSTOM CURE (TM):

1) Click the link below and select SAVE. When you are asked
where to save the file, select DESKTOP. When the download is
complete you will have a new icon on your desktop.

http://www.avcleaner.eacceleration.com/download/qa/hartmannjanetCustomCure.exe

2) Double-click the new icon on your desktop to execute the
cleaning operation. You will see a box asking if you would
like to run the CUSTOM CURE (TM). Choose YES. Note: During the Cleaning
process, you will see a progress bar indicating that your Custom
CUSTOM CURE (TM) is working.

3) When prompted to Restart your computer, choose Yes. Allow
the computer to restart normally, and fully load. Wait until
you see your desktop icons before proceeding.

NOTE: In some cases, it may take a few hours for the CUSTOM CURE (TM)
to run, depending on the severity of the infection. However,
the CUSTOM CURE (TM) may run in less than an hour.

SECTION 2 - RUNNING CUSTOM CURE (TM) IN SAFE MODE:

To start your computer in SAFE MODE and complete the required
tasks, follow these instructions:

1) Restart your computer.

2) As your computer is restarting, press the F8 key repeatedly.

3) At the menu, use the Arrow Keys to start up in SAFE MODE.
Select your current Operating System and press Enter.

4) Log in with the User Profile you normally use.

5) Double-click the CUSTOM CURE (TM) icon and click YES to run the CUSTOM CURE (TM).

6) When prompted to Restart your computer, choose NO.

NOTE: In some cases, it may take a few hours for the CUSTOM CURE (TM)
to run, depending on the severity of the infection. However,
the CUSTOM CURE (TM) may run in less than an hour.

SECTION 3 - RUN A STOPSIGN SCAN IN SAFE MODE

7) Run a StopSign Threat Scan. Click START > PROGRAMS >
EACCELERATION > STOP-SIGN > START SCAN. Allow the scan to
finish and clean up any remaining files.

8) Restart the computer and allow it to start normally.

SECTION 4 - FINAL SCAN:

After rebooting your system normally, run an eAcceleration Anti-
Virus scan.

1) Click START > PROGRAMS > EACCELERATION > STOP-SIGN > START
SCAN.

2) Verify that your computer is clean.


You may now delete your CUSTOM CURE (TM) icon from your computer.

Edited by azjanet because: n/a
Member Avatar for jholland1964

I am sorry. But you need to stick with them. It would do no good for two places to be analyzing logs and making comments. You began with them then that is where you should be posting.

Member Avatar for azjanet

I've stuck with them, but I still have problems even though it seems that one major problem was fixed by StopSign according to the mbr.log from May 12th that I have enclosed below. I've spent over a month waiting for them to solve the problems and now I'd like someone else's expertise, if possible, instead of continuing with them.

StopSign's Custom Cure: May 12th mbr.log:

[Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950A600
malicious code @ sector 0x0950A603 !
PE file found in sector at 0x0950A619 !]

Today, after I disabled the firewalls in order to run the tools required by Daniweb for diagnosis, the computer made new folders and files in Documents and Settings for two of the new identities that I had created and then deleted yesterday in "user accounts." I had deleted all files concerning them yesterday, yet they showed up again today. Help Assistant folder did not show up again. I deleted the new user accts. because when I tried to use them, each of those new accounts kept freezing up my computer.

My computer also started duplicating files again after StopSign's "cure." It made a new "duplicated" file called "~$aniweb.doc" on my desktop right underneath the legitimate file called "daniweb.doc". I opened it, but it showed only shapes like rectangles. This new file then disappeared a few hours later without me deleting it. It looked like a hidden file. I used explorer and searched for it, but turned up nothing.

This is crazy, but, now, it is back again on my desktop while I am uploading files so I am uploading it for you along with the other files requested.

DDS Log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Janet at 22:06:26.28 on 05/14/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.371 [GMT -7:00]

AV: StopSign Antivirus *On-access scanning disabled* (Updated) {3E1D4556-3240-40c8-BBED-64A8690A3FB4}
FW: StopSign Firewall *enabled* {06936B90-CB61-4dcb-AABD-C0E25320F6C3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\OpenDNS Updater\Marcs Updater\Marcs Updater.exe
C:\Program Files\OpenDNS Updater\Marcs Updater\Marcs Updater.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\OpenDNS Updater\Marcs Updater\Marcs Updater.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
C:\Program Files\StopSign\Firewall\FWService.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Janet\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://idm.east.cox.net/coxlogin/ui/internettools?TYPE=33554432&REALMOID=06-b6c69bf3-75c3-1017-a6a3-84a733520cb3&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-a6gsmx1Vq9NIYcRcbL7P%2fDCE8%2bkzVnKzxsULW0ckVZpBzTswo5n0BmH436d6SiVV&TARGET=-SM-http%3a%2f%2fmyaccount%2ecox%2enet%2finternettools%2fhome%2ecox
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [webscan] "c:\program files\acceleration software\anti-virus\stopsignav.exe" -k
mRun: [SoftwareStation] "c:\program files\eacceleration\station\station.exe" /b Startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [OnAccess] "c:\program files\stopsign\onaccess\onaccess.exe" -erk
mRun: [Marcs Updater] "c:\program files\opendns updater\marcs updater\Marcs Updater.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [WDM_MIDISYNTH0] rundll32.exe streamci.dll,StreamingDeviceSetup {B0C2EBA2-1099-4e80-A7F1-984910EB435E},MidiSyn,{2EB07EA0-7E70-11D0-A5D6-28DB04C10000},d:\software\drivers\audio\analog_devices__soundmax__cadenza_\5.12.01.3630_sm4_sf\sm_synth\sys\MidiSyn.inf,MIDI_SYNTH.Interface.Install
mRunOnce: [WDM_MIDISYNTH1] rundll32.exe streamci.dll,StreamingDeviceSetup {B0C2EBA2-1099-4e80-A7F1-984910EB435E},MidiSyn,{DFF220F3-F70F-11D0-B917-00A0C9223196},d:\software\drivers\audio\analog_devices__soundmax__cadenza_\5.12.01.3630_sm4_sf\sm_synth\sys\MidiSyn.inf,MIDI_SYNTH.Interface.Install
mRunOnce: [WDM_MIDISYNTH2] rundll32.exe streamci.dll,StreamingDeviceSetup {B0C2EBA2-1099-4e80-A7F1-984910EB435E},MidiSyn,{6994AD04-93EF-11D0-A3CC-00A0C9223196},d:\software\drivers\audio\analog_devices__soundmax__cadenza_\5.12.01.3630_sm4_sf\sm_synth\sys\MidiSyn.inf,MIDI_SYNTH.Interface.Install
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137981281312
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} - hxxp://www.imgag.com/cp/install/AxCtp2.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {88CC5220-829C-4D14-8723-9C5CC8A54805} = 208.67.222.222,208.67.220.220
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: ExecuteMonitorShellHook Class: {42dd0873-5fa9-465d-90de-0826020416a5} - c:\program files\stopsign\onaccess\onaccess_hk32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\janet\applic~1\mozilla\firefox\profiles\ehdp24rb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - swagbucks.com
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?&.src=ym
FF - component: c:\documents and settings\janet\application data\mozilla\firefox\profiles\ehdp24rb.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\janet\application data\mozilla\firefox\profiles\ehdp24rb.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdbplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 fwcore;Fwcore Filter;c:\windows\system32\drivers\fwcore.sys [2010-2-9 109664]
R2 eac_notifysvc;eAcceleration Notification Service;c:\progra~1\eaccel~1\framew~1\eac_svc.exe [2010-1-23 113920]
R2 eac_productsvc;eAcceleration Product Manager Service;c:\progra~1\eaccel~1\framew~1\eac_productsvc.exe [2010-1-23 263504]
R2 FWService;FWService;c:\program files\stopsign\firewall\fwservice.exe -service --> c:\program files\stopsign\firewall\FWService.exe -Service [?]
R2 Marcs Updater;Marcs Updater;c:\program files\opendns updater\marcs updater\Marcs Updater.exe [2010-5-13 607512]
R2 ssfwmonsvc;StopSign Firewall Security Center Provider;c:\progra~1\eaccel~1\framew~1\eac_svc.exe [2010-1-23 113920]
R2 sstsmonsvc;StopSign Antivirus Security Center Provider;c:\progra~1\eaccel~1\framew~1\eac_svc.exe [2010-1-23 113920]
R3 EPPSCSIx;EPPSCSI Driver;c:\windows\system32\drivers\eppscan.sys [2005-11-1 105124]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

=============== Created Last 30 ================

2010-05-14 02:35:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-14 02:35:00 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-14 01:13:50 0 d-----w- C:\Desktop
2010-05-13 07:13:53 774144 ----a-w- c:\program files\RngInterstitial.dll
2010-05-12 16:30:17 77312 ----a-w- C:\mbr.exe
2010-05-02 22:34:58 0 d-----w- c:\docume~1\janet\applic~1\Malwarebytes
2010-05-02 22:34:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-02 22:34:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-02 22:34:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-02 22:34:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-01 16:02:09 3924810 ----a-r- C:\cure.com
2010-04-20 15:30:07 0 d-----w- c:\program files\common files\xing shared

==================== Find3M ====================

2010-04-26 22:58:12 256512 ----a-w- c:\windows\PEV.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ------w- c:\windows\system32\wininet.dll
2010-02-17 16:10:28 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 00:47:21 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 22:07:06.76 ===============


All help is greatly appreciated. Thank you! :) Perhaps my computer is haunted by gremlins. :icon_eek:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/19/2005 4:18:08 PM
System Uptime: 05/14/2010 9:57:47 PM (1 hours ago)

Motherboard: Intel Corporation               |  | D865PERL                       
Processor:                 Intel(R) Celeron(R) CPU 2.80GHz | J2E1 | 2792/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 54.525 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
G: is Removable

==== Disabled Device Manager Items =============

Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: 
Device ID: ROOT\IMAGE\0000
Manufacturer: 
Name: 
PNP Device ID: ROOT\IMAGE\0000
Service: 

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

ABBYY FineReader 4.0 Sprint
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.3
Audacity 1.2.6
BufferChm
Calendar Magic V17.0
Compatibility Pack for the 2007 Office system
Convert
Copier 2.0
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
D1300
D1300_Help
DeviceManagementQFolder
DVD Decrypter (Remove Only)
e-Sword
Easy-WebPrint
eBook SWITCHWORDS
Eraser 5.8.7
eSupportQFolder
FL 2001 Registration
Galaxy of MahJongg
GoodSearch Toolbar
Google Toolbar for Internet Explorer
Google Update Helper
Hallmark Card Studio Special Edition
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0 Software
HP Photosmart Essential
HP Smart Web Printing
HP Solution Center 7.0
HP Update
hph_ProductContext
hph_readme
hph_software
hph_software_req
HPPhotoSmartExpress
HPProductAssistant
Intel(R) PRO Network Adapters and Drivers
IrfanView (remove only)
Java Auto Updater
Java(TM) 6 Update 20
Lernout & Hauspie TruVoice American English TTS Engine
Locked Programs
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
Marcs Updater
MDB Browser and Editor
Memorex exPressit Label Design Studio
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office FrontPage 2003
Microsoft Office PowerPoint Viewer 2003
Microsoft Publisher 97
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Web Publishing Wizard 1.52
Microsoft Windows XP Video Decoder Checkup Utility
Microsoft Word 2002
Microsoft Works 6-9 Converter
MiraScan V3.42
Moffsoft FreeCalc
Mozilla Firefox (3.5.9)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 7 Essentials
NetBeans IDE 4.1
NTI Backup NOW! 4
NTI CD-Maker
NTI DriveBackup! 4
NVIDIA Drivers
NVIDIA Windows 95/98/ME/2000/XP Stereo Drivers
OpenMG Limited Patch 4.4-06-13-19-01
OpenMG Secure Module 4.4.00
OverDrive Media Console
PDF reDirect (remove only)
Photo To Sketch 3.51
PhotoFiltre
PrintFolder 1.2
PrintMaster Platinum 8.0
Quicken Family Lawyer 2001
RealArcade
RealPlayer
RealUpgrade 1.0
Rhapsody Player Engine
ScanButton 2.0
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Sentinel System Driver
SmartWebPrintingOC
Snapshot Viewer
SolutionCenter
Sonic CinePlayer DVD Pack
SonicOffice 1.0
SoundMAX
Status
StopSign Internet Security
System Requirements Lab
Toolbox
TrayApp
Ulead Photo Express 3.0 SE
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB971930)
Update for
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-14 18:34:26
Windows 5.1.2600 Service Pack 3
Running: 1uh5851r.exe; Driver: C:\DOCUME~1\Janet\LOCALS~1\Temp\pfgyipow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Tcpip \Device\Ip     fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
AttachedDevice  \Driver\Tcpip \Device\Tcp    fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
AttachedDevice  \Driver\Tcpip \Device\Udp    fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
AttachedDevice  \Driver\Tcpip \Device\RawIp  fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)

---- EOF - GMER 1.0.15 ----
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-14 20:42:19
Windows 5.1.2600 Service Pack 3
Running: 1uh5851r.exe; Driver: C:\DOCUME~1\Janet\LOCALS~1\Temp\pfgyipow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Tcpip \Device\Ip     fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
AttachedDevice  \Driver\Tcpip \Device\Tcp    fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
AttachedDevice  \Driver\Tcpip \Device\Udp    fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
AttachedDevice  \Driver\Tcpip \Device\RawIp  fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)

---- EOF - GMER 1.0.15 ----
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4103

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

05/14/2010 9:30:17 PM
mbam-log-2010-05-14 (21-30-17).txt

Scan type: Full scan (C:\|)
Objects scanned: 210070
Time elapsed: 38 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
~aniweb.doc (0.16 KB)
Member Avatar for azjanet

Thank you for your help. I thought that I may have to do this in order to solve the problem. Can you point me to instructions on the best way to do this? :)

Member Avatar for jholland1964

This link is excellent.

http://michaelstevenstech.com/cleanxpinstall.html

Read it carefully. It gives step by step. Remember, you will need to reinstall all updates, programs, etc. AFTER the reformat and reinstall.
Also, if you have important items you don't wan to lose...pictures, personal papers, etc. You need to back these up some place OFF the computer otherwise these will all be lost with the reformat. The drive IS wiped clean.

Member Avatar for azjanet

Thank you very much! :) I'll be working on this "project" next week.

Member Avatar for jholland1964

A reformat and reload takes a couple hours to get the computer back up and running. Then do the Windows Updates. Then put on a decent Anti-virus program.
Avira FREE is excellent. Then put all your programs back on there, updating any which need updating.
As far as printer, scanner and whatever else you have on there I would update the computer first. You likely though will have to download new drivers for the printer, etc. Do it from that manufacturers website not some odd website that supposedly has all drivers.

Member Avatar for azjanet

Thank you for the recommendation for Avira (Free). I had been wondering which Anti-virus program to use. I will let you know how this clean install process worked out for me after I get it finished. Is it possible to download software programs such as JAVA from the internet without using the admin. acct.? Every time I tried to use a different "user" other than the "admin.," it would not let me download.

Member Avatar for jholland1964

You are running XP so Admin account would not be needed. The Java download won't be needed until you have done your full reformat and reinstall.
Here is where you should ALWAYS go for the latest Java. http://www.java.com/en/download/manual.jsp

Always choose the Offline Install and save it to the desktop. Once the download is complete then close all browsers and double click to install.
Watch install carefully. Very often extra and unneeded toolbars may be included unless you remove the check from the permission box before the install.

Member Avatar for azjanet

Success! The Clean Install of XP is now working great. I installed Avira, too.

My XP Home Edition does require Admin acct. privileges in order to download programs from the internet so now I only go online with the Admin acct. to download the programs and then I log off the Admin. acct. again in order to go back online.

Now, I am having "fun" re-organizing my personal files. This needed to be done l-o-n-g ago. :)

Thank you for all your help. It is much appreciated!

Member Avatar for jholland1964

Sometimes a good cleaning is needed with everything. Glad this all worked so well.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.