please check logs

Thread: please check logs

  1. #1
    Join Date
    Oct 2001
    Posts
    287

    please check logs

    Well, I have tried to post several times and cannot, not even in safe mode :(
    Just want to see if this allows me to post without any logs attached, and is there a suggestion as to how I can post the logs? It will not allow me to email them to myself either. I guess worst case scenario I could copy by hand and post from another PC, but they are quite long :(

  2. #2
    Join Date
    Oct 2001
    Posts
    287
    Keep trying to post but no luck. It keeps saying Internet Explorer cannot connect, but I am already connected, so it does not allow me to post for help.
    I can tell you that SAS comes out clean except for cookies, but they are located in C/NetworkService, which has never appeared before. MWB scans with no problems detected.
    There are two suspicious files in HijackThis:
    both are BHOs. One says JQSIEStartDetectorImpl and a series of numbers, and another O2 BHO says Java(tm) Plug-In SSV, etc.
    The rest appear legitimate from prior scans I had analyzed. Is it safe to just check "fix" on those two? Seeing if it will allow me to post.

  3. #3
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Your two posts got here.
    Try Firefox and see if you have the same problems.
    If possible, post the HJT log.
    What are the computer's issues?

  4. #4
    Join Date
    Oct 2001
    Posts
    287

    Broni

    OK, just downloaded Firefox and trying again in safe mode. The PC seemed fine; I just did not trust it after multiple issues with trojans successfully (supposedly) deleted, and when I went here or tried to post logs to myself via email, the internet connection disappears. As you can see, I can get on fine if I just post text.

    OK, just tried to post the HJT log and got messages saying the page was reset and the network connection disappeared, try again. It will not let me post via Firefox either :(

  5. #5
    Join Date
    Oct 2001
    Posts
    287

    update

    OK, things keep getting worse. I called Comcast to verify that my network connections had not been tampered with. Big runaround there with people who knew about the same as myself, not much :( Anyway, for a time the firewall had been disconnected, and now there are even more issues! Yikes. This is as bad as I have ever seen.
    They disabled my Malwarebytes and I can no longer access that at all, even in safe mode :(
    I checked under Firewall settings and it is ON as it had always shown. When I look under Exceptions, this is what it lists: avgnsx.exe, avgupd.exe, avgemc.exe, Explorer, Network Diagnostics XP, Remote Assistance and Winlogon. I unchecked Winlogon; figured I could always add it later.
    Anyway, here is the FIRST SAS scan that I was able to copy to a flash drive. I am at a library now.
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 03/18/2010 at 01:00 PM

    Application Version : 4.33.1000

    Core Rules Database Version : 4695
    Trace Rules Database Version: 2507

    Scan type : Complete Scan
    Total Scan Time : 01:01:39

    Memory items scanned : 406
    Memory threats detected : 3
    Registry items scanned : 4326
    Registry threats detected : 5
    File items scanned : 71935
    File threats detected : 14

    Adware.Vundo/Variant-EC
    C:\WINDOWS\SYSTEM32\NOLOMIPU.DLL
    C:\WINDOWS\SYSTEM32\NOLOMIPU.DLL
    C:\WINDOWS\SYSTEM32\WOGIPUTE.DLL
    C:\WINDOWS\SYSTEM32\WOGIPUTE.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{6c72f9e9-1602-42ef-91ce-cc719f503a66}
    HKCR\CLSID\{6C72F9E9-1602-42EF-91CE-CC719F503A66}
    HKCR\CLSID\{6c72f9e9-1602-42ef-91ce-cc719f503a66}\InprocServer32
    HKCR\CLSID\{6c72f9e9-1602-42ef-91ce-cc719f503a66}\InprocServer32#ThreadingModel
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#yawidovoj
    C:\WINDOWS\SYSTEM32\HAJI***U.DLL

    Adware.Vundo/Variant-SR
    C:\WINDOWS\SYSTEM32\NOTABAGE.DLL
    C:\WINDOWS\SYSTEM32\NOTABAGE.DLL

    Adware.Tracking Cookie
    C:\Documents and Settings\peaple\Cookies\peaple@pointroll[2].txt
    C:\Documents and Settings\peaple\Cookies\peaple@insightexpressai[2].txt
    C:\Documents and Settings\peaple\Cookies\peaple@serving-sys[1].txt
    C:\Documents and Settings\peaple\Cookies\peaple@revsci[2].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][2].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][2].txt
    C:\Documents and Settings\peaple\Cookies\peaple@tacoda[2].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][2].txt

    Trojan.Dropper/Gen-PHP
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\402L7NO7\LOAD[1].PHP

    Adware.Vundo/Variant-[Fixed]
    C:\WINDOWS\SYSTEM32\TIKUTOVE.DLL
    After I rebooted in safe mode, there were still different issues, and when I attempted to delete them I got a blue screen that said Fatal System Error 0000 and some other stuff, so I guess the hacker now has control of both Malwarebytes and SAS and maybe the firewall.
    Here are the second scan results for SAS:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 03/18/2010 at 01:56 PM

    Application Version : 4.33.1000

    Core Rules Database Version : 4695
    Trace Rules Database Version: 2507

    Scan type : Complete Scan
    Total Scan Time : 00:48:36

    Memory items scanned : 250
    Memory threats detected : 2
    Registry items scanned : 4344
    Registry threats detected : 0
    File items scanned : 71973
    File threats detected : 3

    Adware.Vundo/Variant-EC
    C:\WINDOWS\SYSTEM32\NOLOMIPU.DLL
    C:\WINDOWS\SYSTEM32\NOLOMIPU.DLL
    C:\WINDOWS\SYSTEM32\WOGIPUTE.DLL
    C:\WINDOWS\SYSTEM32\WOGIPUTE.DLL

    Adware.Vundo/Variant-[Fixed]
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP131\A0039745.DLL

    And here is what is now showing in the HijackThis log after the second SAS scan:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:00:55 PM, on 3/18/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\stsystra.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=6070615
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [yalehakun] Rundll32.exe "c:\windows\system32\wogipute.dll",a
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1229636061953
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - AppInit_DLLs: nolomipu.dll c:\windows\system32\wogipute.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 4985 bytes


    I did notice that the initial issue (a few days ago) seemed to be when a message appeared that Acro32 encountered an error and needed to close, but I had no PDF files open, and then another box. I think this is possibly the initial source of attack. I also saw Acro Reader running in Processes, and when I closed that, then I was able to update SAS and run a new scan. Maybe a coincidence.
    The woman at Comcast told me that I was the second person today who was getting disconnected from the Internet due to some Acrobat Reader issues, so maybe a new virus.

    Anyway, thanks for looking. I imagine my computer is "theirs" now :(
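    The HijackThis log above contains the entries a helper looks at first: the IE proxy rewritten to 127.0.0.1:5555 (which is why "Internet Explorer cannot connect" appears every time the poster tries to submit a log), the O20 AppInit_DLLs line that loads nolomipu.dll and wogipute.dll into every process that loads user32.dll (which is why SAS reports the same DLLs "in memory" on both scans), and the O4 Run entry that starts wogipute.dll a second way through Rundll32. The two Java BHOs the poster asked about resolve to files under the JRE install directory and are ordinary Java 6 components, so a triage should leave them alone. The following script is an added example, not code from the original post or from HijackThis: it applies those three rules (plus an "(no file)" orphan check) to entries copied from the posted log. The rule set and the severity labels are my own assumptions; it is a triage aid, not a verdict.

```python
"""Triage a HijackThis (HJT) log for the hijack and persistence patterns
discussed in the thread. Added example; not part of HijackThis or the
original post. Rules and severities are the author's assumptions."""
import re

# Sample input: entries copied from the HJT log posted in this thread,
# with a few of its clean entries kept so the triage has negatives too.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [yalehakun] Rundll32.exe "c:\windows\system32\wogipute.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: nolomipu.dll c:\windows\system32\wogipute.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
"""

# "ProxyServer = http=127.0.0.1:5555" or "ProxyServer = localhost:8080"
LOCAL_PROXY = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(127\.0\.0\.1|localhost)(:\d+)?", re.I)
# Rundll32.exe "c:\path\name.dll",export  ->  captures the DLL path
RUNDLL_TARGET = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)
# bare DLL names inside an AppInit_DLLs list (space separated, optional path)
DLL_NAME = re.compile(r"[\w$~]+\.dll", re.I)


def basename(path):
    """Lower-cased final path component, so paths and bare names compare."""
    return path.lower().rsplit("\\", 1)[-1]


def triage_hjt(log_text):
    """Return (severity, line, reason) tuples for suspicious HJT entries."""
    findings = []
    injected = set()   # DLL basenames listed in AppInit_DLLs
    run_dlls = {}      # DLL basename -> O4 line that loads it via rundll32
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]          # R0, R1, O2, O4, O20, ...
        if kind == "R1" and (m := LOCAL_PROXY.search(line)):
            findings.append(("high", line,
                f"IE traffic proxied through {m.group(1)}{m.group(2) or ''}: "
                "a local intercepting proxy; explains 'cannot connect' errors"))
        elif line.endswith("(no file)"):
            findings.append(("low", line,
                "orphaned entry: registered object whose file is gone"))
        elif kind == "O20" and "AppInit_DLLs:" in line:
            for dll in DLL_NAME.findall(line.split(":", 1)[1]):
                injected.add(basename(dll))
            findings.append(("high", line,
                "AppInit_DLLs loads these DLLs into every process that "
                "loads user32.dll; on-demand scanners see them 'in memory'"))
        elif kind == "O4" and (m := RUNDLL_TARGET.search(line)):
            run_dlls[basename(m.group(1))] = line
            findings.append(("medium", line,
                "autostart calls an export of a DLL via rundll32; "
                "verify the DLL's publisher before trusting it"))
    # Same DLL reached by two persistence mechanisms: one component, two hooks.
    for dll in sorted(injected & set(run_dlls)):
        findings.append(("high", run_dlls[dll],
            f"{dll} is both an AppInit_DLLs entry and a Run autostart; "
            "removing one hook leaves the other"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{severity:6}] {line}\n         {reason}")
```

    The cross-reference at the end is the part worth keeping: "fix checked" in HijackThis on the O4 line alone would not have helped here, because the same DLL is still injected through AppInit_DLLs at the next logon, which matches the poster's experience of the files reappearing after each SAS clean.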

  6. #6
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    I imagine my computer is " theirs " now : (
    Not for long

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

  7. #7
    Join Date
    Oct 2001
    Posts
    287
    Hi Broni,
    I was able to download ComboFix to a disc from the library computer. Prior to that, I did sign on as an administrator and was able to update SAS and run a scan, and more trojans were found. I will try to save them to a flash drive and post them when I can get to a library computer; I am now posting from work. Supposedly SAS cleaned the files, but the same files show in HJT, so they are there lurking.

    I tried to run ComboFix from the disc in safe mode but could not figure out how to disable AVG in safe mode. Tried again in regular startup but could not figure out how to disable AVG. I already have the Recovery Console installed from an old incident when I used ComboFix.

    I'll check this post when I can to see if there are any further instructions. Thanks for all the help.

  8. #8
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    If you tried all you can regarding AVG, simply run Combofix.

  9. #9
    Join Date
    Oct 2001
    Posts
    287

    Thanks,Broni

    Hi Broni, thanks for sticking with me. I appreciate your tolerance.


    I just tried running ComboFix as you suggested with AVG running, only to discover that it is no longer on my CD-RW to which I had downloaded it, nor is the Malwarebytes I had downloaded to the disc. So weird!
    When I start the computer I still get a Rundll.exe error message saying that Rundll.exe C:\WINDOWS\SYSTEM32\WOGIPUTE.DLL, or to that effect, cannot be found, and it stays on the desktop. I am even afraid to click on it to say OK. Rundll.exe is now running in Task Manager though, so ..... :(

    Tried to run ComboFix from your link here and then put the modem in standby mode (I know it disconnects me from the Internet). I saved it to my desktop, got the AVG warning and ran it anyway in normal mode. It said preparing to run, etc. Then a box appeared separately that said ComboFix has encountered a rootkit on your computer and needs to reboot. There was absolutely nothing in the ComboFix scan box, and I was not sure if that message was from ComboFix or not, so I just shut down the computer manually to get advice.
    I also no longer have the new copy of Malwarebytes I downloaded to the CD-RW yesterday on the disc, so I guess they erased that. I never even tried to load it! I did uninstall the old version of Malwarebytes I had because they had totally disabled it anyway and it would not run, just a flash when I clicked on it.

    This is so insidious! I am afraid to do something wrong and make things worse. At the library now trying to get Malwarebytes and ComboFix onto a regular (not CD-RW) CD.

    Thanks so much for your patience.

  10. #10
    Join Date
    Oct 2001
    Posts
    287

    cd

    I forgot to say I am at the library now and just copied ComboFix, HijackThis and Malwarebytes to a new disc in case they compromise my old versions installed.

  11. #11
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    OK. Keep me posted.

  12. #12
    Join Date
    Oct 2001
    Posts
    287

    cflog

    ComboFix 10-03-18.02 - peaple 03/19/2010 18:06:25.4.2 - x86 MINIMAL
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.724 [GMT -4:00]
    Running from: c:\documents and settings\peaple\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
    Restored copy from - Kitty ate it
    .
    ((((((((((((((((((((((((( Files Created from 2010-02-19 to 2010-03-19 )))))))))))))))))))))))))))))))
    .

    2010-03-17 12:34 . 2010-03-17 12:34 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
    2010-03-17 12:34 . 2010-03-17 12:34 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
    2010-03-17 12:34 . 2010-03-17 12:34 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
    2010-03-17 12:34 . 2010-03-17 12:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-03-13 20:19 . 2010-03-13 20:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-03-11 15:53 . 2010-03-11 15:53 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-18 21:22 . 2010-03-18 21:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2010-03-18 15:58 . 2009-03-18 14:38 117760 ----a-w- c:\documents and settings\peaple\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-03-17 12:34 . 2009-11-17 20:29 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-03-17 12:34 . 2009-11-17 20:29 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-03-17 12:32 . 2009-11-17 20:29 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-03-13 21:42 . 2007-06-15 11:21 246784 ----a-w- c:\windows\system32\drivers\iaStor.sys
    2010-03-13 21:42 . 2007-06-15 11:21 246784 ----a-w- c:\windows\system32\drivers\iaStor.svs
    2010-02-17 16:51 . 2008-10-02 15:31 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-02-17 13:43 . 2007-07-06 12:04 1955624 ----a-w- c:\documents and settings\peaple\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
    2010-01-26 18:19 . 2010-01-26 18:19 52224 ----a-w- c:\documents and settings\fuzzy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-01-26 18:19 . 2010-01-26 18:19 117760 ----a-w- c:\documents and settings\fuzzy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-01-26 18:18 . 2010-01-26 18:18 -------- d-----w- c:\documents and settings\fuzzy\Application Data\SUPERAntiSpyware.com
    2010-01-23 00:05 . 2010-01-23 00:05 -------- d-----w- c:\program files\Common Files\Java
    2010-01-23 00:05 . 2010-01-23 00:05 61440 ----a-w- c:\documents and settings\peaple\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3706b384-n\decora-sse.dll
    2010-01-23 00:05 . 2010-01-23 00:05 503808 ----a-w- c:\documents and settings\peaple\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4074121f-n\msvcp71.dll
    2010-01-23 00:05 . 2010-01-23 00:05 499712 ----a-w- c:\documents and settings\peaple\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4074121f-n\jmc.dll
    2010-01-23 00:05 . 2010-01-23 00:05 348160 ----a-w- c:\documents and settings\peaple\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4074121f-n\msvcr71.dll
    2010-01-23 00:05 . 2010-01-23 00:05 12800 ----a-w- c:\documents and settings\peaple\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3706b384-n\decora-d3d.dll
    2010-01-23 00:05 . 2010-01-23 00:05 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-01-23 00:05 . 2010-01-23 00:05 -------- d-----w- c:\program files\Java
    2010-01-10 23:17 . 2009-12-19 20:13 52224 ----a-w- c:\documents and settings\peaple\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2009-12-31 16:50 . 2004-08-10 16:51 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-21 19:14 . 2004-08-10 16:51 916480 ----a-w- c:\windows\system32\wininet.dll
    2007-07-19 18:45 . 2007-06-28 00:21 7514 --sha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-11-05 13:18 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-03-17 12:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    2006-08-29 01:57 395776 ----a-w- c:\program files\Dell Support\DSAgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
    2005-09-08 09:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
    2005-10-05 07:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    2006-07-21 20:50 86016 ----a-w- c:\windows\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
    2006-07-06 11:15 151552 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2004-07-27 20:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-01-11 20:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2010-02-17 16:51 2002160 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/17/2009 4:29 PM 216200]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/17/2009 4:29 PM 242696]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2008 2:07 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 74480]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/17/2010 8:32 AM 916760]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/17/2010 8:34 AM 308064]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 7408]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.comcast.net/
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    FF - ProfilePath - c:\documents and settings\peaple\Application Data\Mozilla\Firefox\Profiles\ftqn0t9j.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-yalehakun - c:\windows\system32\wogipute.dll
    MSConfigStartUp-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe



    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(688)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(2620)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\mshtml.dll
    c:\windows\system32\msls31.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\windows\stsystra.exe
    c:\windows\system32\taskmgr.exe
    .
    **************************************************************************
    .
    Completion time: 2010-03-19 18:18:43 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-19 22:18
    ComboFix2.txt 2010-01-22 22:30

    Pre-Run: 121,563,729,920 bytes free
    Post-Run: 120,788,410,368 bytes free

    - - End Of File - - 69491D3141D611F4EABBC722391F0339

  13. #13
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    The log looks good.
    How are the issues?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

  14. #14
    Join Date
    Oct 2001
    Posts
    287

    thanks, Broni

    Thanks so much, Broni. Things are looking up. Wow, you are a genius!

    When I start in normal mode, I no longer get that Rundll error message and things appear OK so far. I uninstalled ComboFix, but AVG no longer shows up in my task bar near the clock and I was unable to update when I started the program, so that may have to be reinstalled, or maybe uninstalled and then something else, since, although I used to like it, it never seemed to catch anything. Only SAS and Malwarebytes were very reliable, and now, the king of them all, ComboFix :)

    I was told the other day that Norton Security Suite was available for free with my Comcast subscription (used to be McAfee, which I passed on), so maybe try that instead?

    Thanks so much. Shall I do some more scans with SAS, etc.?

    I have to go to work now but will check later at work to see if you have had time to take a look and advise.

    Again, thanks SO much for all your help. Can I nominate you for most helpful person of the year award?

  15. #15
    Join Date
    Apr 2000
    Location
    Sheboygan, WI
    Posts
    53,391
    You probably will end up using the AVG Remover utility:
    http://www.avg.com/us-en/download-tools

    Well, I would pass on Norton myself.

    Free Avira
    http://www.avg.com/us-en/download-tools

    Avast free version
    http://www.avast.com/security-software-home-office

    I use avira on my laptops.
