weird startup - infection ???

  1. #1
    Join Date
    Oct 2001
    Posts
    287

    weird startup - infection ???

    I had powered off the power strip to my computer last night, which I never do. Today when I started the computer, instead of bringing me directly to Windows, something started running - I think it was chkdsk - it looked like DOS files and said something like "Volume is dirty" and started doing scans. I don't know if this was the Windows Recovery Console, which I do have installed. Anyway, it recovered an orphan file 74556 and deleted cm-9-p.dat and changed two other entries - I did not get to copy them all but one was an AVG file.
    Maybe I should have just shut off the computer, but I didn't.

    Anyway, I did scans with SAS, Malwarebytes, etc. - came up clean.
    When I ran an AVG virus scan, it found no viruses, but these files came up LOCKED and so could not be scanned, which seems suspicious (could not copy and paste so wrote them down):
    hiberfil.sys
    pagefile.sys
    C:\Windows\system32\config\DEFAULT
    C:\Windows\system32\config\SAM
    C:\Windows\system32\config\SECURITY
    C:\Windows\system32\config\SOFTWARE
    C:\Windows\system32\config\SYSTEM

    Here is my Malwarebytes log:

    Malwarebytes' Anti-Malware 1.44
    Database version: 3608
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    1/21/2010 11:05:51 AM
    mbam-log-2010-01-21 (11-05-51).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 172559
    Time elapsed: 29 minute(s), 51 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    SAS log:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/21/2010 at 09:50 AM

    Application Version : 4.32.1000

    Core Rules Database Version : 4501
    Trace Rules Database Version: 2314

    Scan type : Custom Scan
    Total Scan Time : 01:31:37

    Memory items scanned : 372
    Memory threats detected : 0
    Registry items scanned : 3995
    Registry threats detected : 0
    File items scanned : 66070
    File threats detected : 37

    Adware.Tracking Cookie
    C:\Documents and Settings\peaple\Cookies\[email protected][3].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][2].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][1].txt
    C:\Documents and Settings\peaple\Cookies\peaple@pointroll[2].txt
    C:\Documents and Settings\peaple\Cookies\peaple@realmedia[2].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][2].txt
    C:\Documents and Settings\peaple\Cookies\peaple@insightexpressai[2].txt
    C:\Documents and Settings\peaple\Cookies\peaple@serving-sys[1].txt
    C:\Documents and Settings\peaple\Cookies\peaple@revsci[1].txt
    C:\Documents and Settings\peaple\Cookies\peaple@tribalfusion[1].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][1].txt
    C:\Documents and Settings\peaple\Cookies\peaple@collective-media[1].txt
    C:\Documents and Settings\peaple\Cookies\peaple@questionmarket[2].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][1].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][3].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][1].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][2].txt
    C:\Documents and Settings\peaple\Cookies\peaple@tacoda[1].txt
    C:\Documents and Settings\peaple\Cookies\peaple@media6degrees[2].txt
    C:\Documents and Settings\peaple\Cookies\peaple@interclick[1].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][1].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][1].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][1].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][2].txt
    C:\Documents and Settings\peaple\Cookies\peaple@specificmedia[1].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][2].txt
    C:\Documents and Settings\peaple\Cookies\peaple@2o7[2].txt
    C:\Documents and Settings\peaple\Cookies\peaple@adinterax[1].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][1].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][1].txt
    C:\Documents and Settings\peaple\Cookies\peaple@specificclick[2].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][1].txt
    C:\Documents and Settings\peaple\Cookies\peaple@247realmedia[2].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][1].txt
    C:\Documents and Settings\peaple\Cookies\peaple@interclick[2].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][1].txt
    C:\Documents and Settings\peaple\Cookies\peaple@tribalfusion[2].txt (all tracking cookies were deleted on reboot)

    HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:35:03 AM, on 1/21/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\stsystra.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=6070615
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1229636061953
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O18 - Filter hijack: text/html - {1526d1fb-f62f-455e-817e-1ba8756638f0} - (no file)
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

    --
    End of file - 4601 bytes

    Computer seems to be running fine, but I don't trust it now :(

    Anyone see anything suspicious? Why would these files be locked, and is there a way to UNLOCK them?

    Thanks for looking and for your help.

  2. #2
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    When I ran an AVG virus scan, it found no viruses, but these files came up LOCKED and so could not be scanned, which seems suspicious (could not copy and paste so wrote them down):
    hiberfil.sys
    pagefile.sys
    C:\Windows\system32\config
    It's all normal. Those are safe Windows files and they're not being scanned because they're in use.

    I don't see any security issues here, so you may want to repost your issue in the Windows section.

    This would be important to post:
    I think it was chkdsk - it looked like DOS files and said something like "Volume is dirty"

  3. #3
    Join Date
    Oct 2001
    Posts
    287

    thanks, Broni

    Thanks, Broni.
    I'll post it in the Windows section and see if anyone has any advice.
    Good to know that nothing seems amiss regarding security anyway - I appreciate your taking a look. Thanks again!

  4. #4
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    You're welcome
    There is a simple procedure to fix "dirty volume" issue.

  5. #5
    Join Date
    Oct 2001
    Posts
    287

    fake trojan - 40 reg changes

    Hi Broni,
    Well, I have REALLY been badly attacked, probably precipitated by that weird scan.
    After browsing awhile, I had gone to microsoft.com a few times for info.
    Then I got something coming up pretending to be AVG doing a scan - said I had all kinds of viruses, and then I got a message that my AVG was infected. AVG then said I was being attacked and asked if I wanted to close down.
    I cannot get online now - I just keep getting a message that AVG is infected, and that fake AV keeps scanning.

    I am at the library computer now - I don't know what to do and am afraid to make things worse without advice. I was able to start in safe mode and am running SAS and Malwarebytes right now. Malwarebytes detected 3 trojans and is still running - SAS detected 40 (yikes!) reg changes and several trojans so far.

    I have the modem in standby and am not sure if I can get online in safe mode. I plan on letting SAS quarantine/delete everything, and I know it will ask for a reboot to clean - should I do that in safe mode?

    I am afraid AVG is infected - should I download another AV program?

    Thanks for looking.

  6. #6
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    It's not the best idea to run both scans at the same time. Pause one of them.
    When scans are done, post their logs and we'll go from there.

  7. #7
    Join Date
    Oct 2001
    Posts
    287
    Ok, thanks - I am not sure if I can do that though, since I am at the library now and not sure if I can get online again from home.
    Should I be able to go online in safe mode to post the logs?

  8. #8
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    You can use Safe Mode with Networking.

  9. #9
    Join Date
    Oct 2001
    Posts
    287

    thanks

    Ok, thanks, Broni - I'll go home and try that and will post the logs as soon as I can get back online, either from home in safe mode or here at the library.

  10. #10
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    No problem

  11. #11
    Join Date
    Oct 2001
    Posts
    287

    logs for Broni

    Broni,
    Here are the scans I was able to complete while in safe mode.
    I had been unable to log onto the internet until now - had to call Comcast and they spent about 40 mins. reconfiguring my settings, IP address, etc. Looks like the hackers had done something with the proxy settings, but (hopefully) Comcast was able to fix that, as I am finally online.

    SAS log:
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/21/2010 at 03:03 PM

    Application Version : 4.32.1000

    Core Rules Database Version : 4501
    Trace Rules Database Version: 2314

    Scan type : Complete Scan
    Total Scan Time : 01:32:58

    Memory items scanned : 220
    Memory threats detected : 0
    Registry items scanned : 4018
    Registry threats detected : 40
    File items scanned : 66602
    File threats detected : 22

    Trojan.Agent/Gen-FakeSpy[Broad]
    [udegswgu] C:\DOCUMENTS AND SETTINGS\PEAPLE\LOCAL SETTINGS\APPLICATION DATA\BVRHBT\SCXWSYSGUARD.EXE
    C:\DOCUMENTS AND SETTINGS\PEAPLE\LOCAL SETTINGS\APPLICATION DATA\BVRHBT\SCXWSYSGUARD.EXE
    [udegswgu] C:\DOCUMENTS AND SETTINGS\PEAPLE\LOCAL SETTINGS\APPLICATION DATA\BVRHBT\SCXWSYSGUARD.EXE
    C:\WINDOWS\Prefetch\SCXWSYSGUARD.EXE-0FF6534E.pf

    Adware.Tracking Cookie
    C:\Documents and Settings\peaple\Cookies\[email protected][1].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][2].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][1].txt
    C:\Documents and Settings\peaple\Cookies\peaple@serving-sys[2].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][1].txt
    C:\Documents and Settings\peaple\Cookies\peaple@revsci[2].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][2].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][1].txt
    C:\Documents and Settings\peaple\Cookies\peaple@247realmedia[1].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][1].txt
    C:\Documents and Settings\peaple\Cookies\peaple@tacoda[1].txt
    C:\Documents and Settings\peaple\Cookies\peaple@interclick[2].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][1].txt
    C:\Documents and Settings\peaple\Cookies\[email protected][2].txt
    C:\Documents and Settings\peaple\Cookies\peaple@specificmedia[1].txt
    C:\Documents and Settings\peaple\Cookies\peaple@2o7[2].txt
    C:\Documents and Settings\peaple\Cookies\peaple@adinterax[1].txt
    C:\Documents and Settings\peaple\Cookies\peaple@specificclick[2].txt
    C:\Documents and Settings\peaple\Cookies\peaple@tribalfusion[1].txt

    Rogue.Agent/Gen
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#knkd
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#aazalirt
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#skaaanret
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#jungertab
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#zibaglertz
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#iddqdops
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#ronitfst
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#tobmygers
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#jikglond
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#tobykke
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#klopnidret
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#jiklagka
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#salrtybek
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#seeukluba
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#jrjakdsd
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#krkdkdkee
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#dkewiizkjdks
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#dkekkrkska
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#rkaskssd
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#kuruhccdsdd
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#krujmmwlrra
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#kkwknrbsggeg
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#ktknamwerr
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#iqmcnoeqz
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#ienotas
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#krkmahejdk
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#otpeppggq
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#krtawefg
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#oranerkka
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#kitiiwhaas
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#otowjdseww
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#otnnbektre
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#oropbbsee
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#irprokwks
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#ooorjaas
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#id
    HKU\S-1-5-21-2279054146-2715818341-675255133-1006\SOFTWARE\AVSCAN#ready

    Trojan.Dropper/Gen-C
    C:\DOCUMENTS AND SETTINGS\PEAPLE\LOCAL SETTINGS\TEMP\E.EXE

    Then after cleaning and reboot:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/21/2010 at 05:12 PM

    Application Version : 4.32.1000

    Core Rules Database Version : 4501
    Trace Rules Database Version: 2314

    Scan type : Complete Scan
    Total Scan Time : 00:50:36

    Memory items scanned : 203
    Memory threats detected : 0
    Registry items scanned : 4015
    Registry threats detected : 0
    File items scanned : 66606
    File threats detected : 0

    Malwarebytes log (scanned next):
    Scan type: Full Scan (C:\|)
    Objects scanned: 172559
    Time elapsed: 29 minute(s), 51 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    HijackThis log:

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=6070615
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1229636061953
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O18 - Filter hijack: text/html - {1526d1fb-f62f-455e-817e-1ba8756638f0} - (no file)
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

    --
    End of file - 4689 bytes


    Thanks for all the help!
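    The HijackThis log above is where the actual compromise shows up: the R1 ProxyServer line pointing at http=127.0.0.1:5555 (the fake AV proxying the browser through itself, which is what broke the poster's internet access), and the SAS-detected autorun [udegswgu] launching SCXWSYSGUARD.EXE from Local Settings\Application Data. The small triage script below is an added example and is not part of the thread, of HijackThis, or of any tool mentioned here. It parses HJT-style lines and flags the three patterns a responder would look for first: a browser proxy aimed at the local machine, an O4 autorun launching from a user temp/profile directory, and orphaned "(no file)" entries, which are usually leftovers but worth confirming. The sample log is constructed from lines in this thread; the O4 line for SCXWSYSGUARD.EXE is hypothetical, since the poster's HJT log was cut off and SAS reported that entry by its Run-key name rather than as an HJT line.

```python
import re
from dataclasses import dataclass

# "R1 - HKCU\...,ProxyServer = http=127.0.0.1:5555"  ->  type "R1", body "HKCU\...,ProxyServer = ..."
HJT_LINE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")

# Proxy targets that mean "route my browser through a process on this box".
LOOPBACK = re.compile(r"\b(127\.0\.0\.1|localhost|0\.0\.0\.0)\b", re.I)

# Autorun binaries living in user-writable temp/profile locations (XP and later layouts).
USER_TEMP = re.compile(
    r"\\(Local Settings\\(Temp|Application Data)|Temp|AppData\\(Local|Roaming))\\", re.I
)


@dataclass
class Finding:
    severity: str   # "high" or "low"
    line: str       # the HJT line that triggered the finding
    reason: str     # why it matters to the responder


def triage_hjt(log_text: str) -> list[Finding]:
    """Scan an HJT log and return findings in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # header lines, process list, blank lines
        kind, body = m.group("type"), m.group("body")

        if kind == "R1" and "ProxyServer" in body and LOOPBACK.search(body):
            findings.append(Finding(
                "high", line,
                "browser proxy points at the local machine: rogue AV / traffic hijack; "
                "clear ProxyServer and ProxyEnable under "
                r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings",
            ))
        elif kind == "O4" and USER_TEMP.search(body):
            findings.append(Finding(
                "high", line,
                "autorun launches a binary from a user temp/profile directory; "
                "legitimate software installs under Program Files or Windows",
            ))
        elif kind == "O18" and "Filter hijack" in body:
            sev = "low" if "(no file)" in body else "high"
            findings.append(Finding(sev, line, "MIME filter hijack registered for text/html"))
        elif "(no file)" in body:
            findings.append(Finding(
                "low", line, "orphaned entry (file missing); usually a leftover, confirm and remove"
            ))
    return findings


# Constructed sample: real lines from the thread plus one hypothetical O4 line for the
# Run-key value SAS reported as [udegswgu].
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [udegswgu] C:\DOCUMENTS AND SETTINGS\PEAPLE\LOCAL SETTINGS\APPLICATION DATA\BVRHBT\SCXWSYSGUARD.EXE
O18 - Filter hijack: text/html - {1526d1fb-f62f-455e-817e-1ba8756638f0} - (no file)
"""


def high_severity(log_text: str) -> list[str]:
    """Just the lines a responder must act on before reconnecting the machine."""
    return [f.line for f in triage_hjt(log_text) if f.severity == "high"]


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.severity.upper():4}] {f.line}\n        {f.reason}")
```

    Run against the sample, the script returns two high findings (the loopback proxy and the profile-directory autorun) and two low ones (the orphaned URLSearchHook and the empty text/html filter). The AVG tray autorun under Program Files is left alone; a signed vendor binary in its install directory is not what this check is for.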

  12. #12
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    The upper part of the HJT log is cut off, so next time make sure you post the whole thing.

    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

  13. #13
    Join Date
    Oct 2001
    Posts
    287

    ComboFix

    Thanks, Broni.

    I downloaded ComboFix to the desktop - I already have the Windows Recovery Console installed, so if it asks, can I say No, I don't want it?

    How do I disable AVG temporarily?

    Unfortunately, I have to go to work now (graveyard worker), so I won't be able to run ComboFix until sometime tomorrow after I wake up.

    I'll get back to you ASAP, and I really appreciate all your help. This forum is a godsend.

  14. #14
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Hey, no problem
    If you have recovery console installed, Combo will know.
    As for AVG, instructions are at "Click on this link" in my manual above.

  15. #15
    Join Date
    Oct 2001
    Posts
    287

    thanks

    Ok, thanks again, Broni.

    Just read how to disable AVG 9 in your link and will do that tomorrow, run ComboFix, and post back.

    Have a nice night.
