LandzDown Forum

GardenWeb Link:  http://ths.gardenweb.com/forums/load/comphelp/msg051320521716.html?4

Hi, Daisy.  Welcome to LandzDown Forum.

We will do our best to assist you.  However, in order to do so, please follow all instructions provided in the sequence given.  Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use.  This may cause conflicts with the tools being used in the cleanup process.   

If you have questions regarding any of the instructions or problems running any tools, please let us know. 

Download DDS.scr by sUBs from one of the following links and save it to your desktop.
Link 1
Link 2

• Double-Click dds.scr and a command window will appear. This is normal
• Shortly after two logs will appear, DDS.txt & Attach.txt
• A window will open instructing you save & post the logs
• Save the logs to a convenient place such as your desktop
• Copy the contents of both logs & post in your next reply

It asks Do you want to run or save dds.scr (611KB) from download.bleepingcomputer.com?   So I should click "Save" and put on desktop, right?
(not "Run")

.
DDS (Ver_11-03-05.01) - NTFSx86 
Run by Susan at 17:04:44.01 on Mon 05/16/2011
Internet Explorer: 9.0.8112.16421
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3060.1740 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\iWonIE\bar\1.bin\idbarsvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iWonIE\bar\1.bin\idbrmon.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Susan\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: N/A: {70bd8aab-ad49-42f5-b1bd-240f078c1a11} - c:\program files\iwonie\bar\1.bin\idSrcAs.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: Toolbar BHO: {fc130ee2-5a2a-45a7-8e09-d2ca06c795a8} - c:\progra~1\iwonie\bar\1.bin\idbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: iWon Toolbar: {44843b6e-d44a-4b4f-bca4-559c86633dc6} - c:\program files\iwonie\bar\1.bin\idbar.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AROReminder] c:\program files\aro 2011\ARO.exe -rem
uRun: [Pgilevetecofiruj] rundll32.exe  "c:\users\susan\appdata\local\APreChli.dll",Startup
uRun: [Ovaguhakucadic] rundll32.exe "c:\users\susan\appdata\local\upiluyet.dll",Startup
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; MDDC; .NET CLR 3.5.30729; InfoPath.2; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.0.30729)" -"http://www.shockwave.com/gamelanding/metalmayhem.jsp"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [iWonIE Browser Plugin Loader] c:\progra~1\iwonie\bar\1.bin\idbrmon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNDc0Nzk5MDA3LUJBKzEtS1YzKzctWEwrMS1UNC1GUDkrNi1UQjkrMi1GTCs5LUYxME0rNS1RSVgxKzQtWDIwMTArMi1GMTBNMTBEKzI"&"prod=90"&"ver=10.0.1187
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl0ab21ec8;MpKsl0ab21ec8;c:\programdata\microsoft\microsoft antimalware\definition updates\{277e32cd-5ca6-4122-ad95-7de272aba68c}\MpKsl0ab21ec8.sys [2011-5-16 28752]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 iWonIEService;iWon Toolbar Service;c:\progra~1\iwonie\bar\1.bin\idbarsvc.exe [2010-9-23 28766]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
R3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-11-17 21744]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-05-16 20:45:35   28752   ----a-w-   c:\progra~2\microsoft\microsoft antimalware\definition updates\{277e32cd-5ca6-4122-ad95-7de272aba68c}\MpKsl0ab21ec8.sys
2011-05-16 20:45:18   7071056   ----a-w-   c:\progra~2\microsoft\microsoft antimalware\definition updates\{277e32cd-5ca6-4122-ad95-7de272aba68c}\mpengine.dll
2011-05-16 01:57:18   --------   d-----w-   c:\users\susan\appdata\roaming\Sammsoft
2011-05-16 01:56:49   --------   d-----w-   c:\program files\ARO 2011
2011-05-14 22:17:05   0   ----a-w-   c:\users\susan\appdata\local\Tsapexijokiqov.bin
2011-05-14 22:17:04   --------   d-----w-   c:\users\susan\appdata\local\{08DB7A2B-FD07-4E59-9DDF-7CC4FB6D1E65}
2011-05-11 00:14:58   2409784   ----a-w-   c:\program files\windows mail\OESpamFilter.dat
2011-05-01 21:02:21   4199768   ----a-w-   c:\windows\system32\cdintf400.dll
2011-04-27 21:01:42   4240384   ----a-w-   c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-27 21:01:42   28672   ----a-w-   c:\windows\system32\Apphlpdm.dll
2011-04-27 21:01:36   876032   ----a-w-   c:\windows\system32\XpsPrint.dll
2011-04-20 14:28:00   --------   d-----w-   c:\program files\iPod
2011-04-20 14:27:58   --------   d-----w-   c:\program files\iTunes
2011-04-20 14:26:16   --------   d-----w-   c:\program files\Bonjour
.
==================== Find3M  ====================
.
2011-04-16 17:51:00   161792   ----a-w-   c:\windows\system32\msls31.dll
2011-04-16 17:51:00   1126912   ----a-w-   c:\windows\system32\wininet.dll
2011-04-13 22:40:10   4284416   ----a-w-   c:\windows\system32\GPhotos.scr
2011-04-06 23:20:16   91424   ----a-w-   c:\windows\system32\dnssd.dll
2011-04-06 23:20:16   107808   ----a-w-   c:\windows\system32\dns-sd.exe
2011-03-10 17:03:51   1162240   ----a-w-   c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51   1136640   ----a-w-   c:\windows\system32\mfc42.dll
2011-03-03 15:42:03   739328   ----a-w-   c:\windows\system32\inetcomm.dll
2011-03-03 15:40:07   173056   ----a-w-   c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40:05   542720   ----a-w-   c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40:05   458752   ----a-w-   c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40:04   2159616   ----a-w-   c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25:11   2041856   ----a-w-   c:\windows\system32\win32k.sys
2011-03-02 15:44:27   86528   ----a-w-   c:\windows\system32\dnsrslvr.dll
2011-02-22 14:13:01   288768   ----a-w-   c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33:12   1068544   ----a-w-   c:\windows\system32\DWrite.dll
2011-02-22 13:33:09   797696   ----a-w-   c:\windows\system32\FntCache.dll
2011-02-19 00:36:58   4184352   ----a-w-   c:\windows\system32\usbaaplrc.dll
2011-02-16 16:16:37   34304   ----a-w-   c:\windows\system32\atmlib.dll
2011-02-16 14:02:23   292864   ----a-w-   c:\windows\system32\atmfd.dll
.
============= FINISH: 17:05:09.57 ===============

Hi, Daisy.

Did you get the error:  "Error loading C:/users etc. etc. The specified module could not be found." before or after running ARO 2011?  If it was after running ARO 2011, does it have a restore option for the registry edits it performed?  Unless someone is extremely knowledgeable about the registry, I recommend never using registry cleaners/optimizers.  They do more damage than good.

We'll deal with the outdated Adobe Flash Player and Reader later.  First, I want you to take care of Sun Java.  Please go to add/remove programs and uninstall Java(TM) 6 Update 11.

Please download JavaRa and unzip it to your desktop.

• Double-click on JavaRa.exe to start the program.  (Windows Vista users Right-click JavaRa.exe > Select Run as Administrator)
  
• Click on Remove Older Versions to remove older versions of Java.
  
• A logfile will pop up. Please save it to a convenient location.

Then download and install Java SE Runtime Environment (JRE) 6 Update 25.  

Download the Windows x86 Offline version from: Java SE Runtime Environment 6u25

Note:  UNCHECK any pre-checked toolbar and/or software options presented with the update.  They are not part of the software update and are completely optional.  

While you're in add/remove programs, see if the uninstaller for iWon Toolbar works.

Following all of that, please do the following:

Please follow these instructions carefully.

Download ComboFix from one of the following locations:

Link 1
Link 2

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.  

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications - Tech Support Forum.

Now, please run ComboFix:

• Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
• Double-click ComboFix.exe on your desktop and follow the prompts.
• As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
• When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  
  
• After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  
  
• Click "Yes" to continue scanning for malware.
• When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.

Hi, Susan.

Something happened (again) to the formatting of the link to Tech Support Forum.  I've fixed it in the instructions above but also copied the instructions for MSE here:

Microsoft Security Essentials

    * Right click on the system tray icon, and select "Open"
    * Click on the "Settings" tab
    * On the left side of the screen, click on "Real-time protection"
    * Uncheck "Turn on Real-time protection"
    * Click on "Save Changes"

After running ComboFix your computer will restart.  At that time, you can reverse the steps to reactivate MSE.

Yes, you need to extract all of the files. 

If you want to keep things all neat and tidy, create a new folder, JavaRa.
Next, right-click the downloaded zip file.
Select "Extract all"
Follow the instructions to navigate to the folder you created.

No, you do not want to create a self-extracting file.  I'd never heard of IZArc but found the instructions, copied below from http://www.izarc.org/tutorials.html#extract

How to extract files

Step 1: Select an archived file and double-click on it. If IZArc is configured correctly, it will be launched
            and open your archive otherwise first open IZarc and then open the desired archived file.
Step 2: If you want to extract only few files from the archive you can select them in the file list
            (Hold CTRL key to select more than one file).
Step 3: Select "Extract" from the Actions Menu or click on the Extract button.
Step 4: After Extract dialog appeared you can select the folder where your files will be extracted.
Step 5: Click Extract button.
Step 6: Close IZArc.
 
Tips: You can easily extract the content of an archive by right click on it and from the IZArc context menu
        select "Extract Here".