Question
QUESTION: I've tried your last answer twice and it doesn't work.
After SDFix.exe finished in safe mode it prompted me to press any key to restart the PC, and when the PC restarts the Fixtool won't run again.
This is the catchme.txt that appeared on my desktop.

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 09:36:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden files ...

IPC error: 2 The system cannot find the file specified.
scan completed successfully
hidden files: 0

And this is the log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:51 AM, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\PV92Tray.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\DNA\btdna.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Documents and Settings\WindowsXP\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\WindowsXP\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
E:\Downloads\My Completed Downloads\AllExpert.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uusee.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: SrchHook Class - {F4F10C1D-87C7-404A-B4B3-000000000000} - C:\PROGRA~1\DAP\SBSearch.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SDFix] E:\DOWNLO~1\MYCOMP~1\SDFix\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\WindowsXP\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" /lang en
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\WindowsXP\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZK
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F92E8CF-EC7E-482B-89A7-7AF3A90A1699}: NameServer = 192.168.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS4\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS5\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS6\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS7\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS8\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS9\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS10\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS11\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS12\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS13\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS14\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS15\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS16\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS17\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS18\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS19\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS20\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS21\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS22\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS23\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS24\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - rundll32.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10365 bytes

Thanks for your help.

ky0


ANSWER: Hi Kyo

Some suggestions for completing the SDFix scan:

1. When using this tool, you must use the Administrator's account or an account with "Administrative rights"
2. Disconnect from the Internet and temporarily disable your anti-virus and any anti-malware real time protection before performing a scan.

Please also do the following:

Download Malwarebytes Anti-Malware and save it to your desktop.
http://www.besttechie.net/tools/mbam-setup.exe
   * Make sure you are connected to the Internet.
   * Double-click on Download_mbam-setup.exe to install the application.
   * When the installation begins, follow the prompts and do not make any changes to default settings.
   * When installation has finished, make sure you leave both of these checked:
         o Update Malwarebytes' Anti-Malware
         o Launch Malwarebytes' Anti-Malware
   * Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

   * If an update is found, the program will automatically update itself.
   * Press the OK button to close that box and continue.
   * If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

   * Make sure the "Perform Quick Scan" option is selected.
   * Then click on the Scan button.
   * If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
   * The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
   * When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
   * Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

   * Click on the Show Results button to see a list of any malware that was found.
   * Make sure that everything is checked, and click Remove Selected.
   * When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
   * The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
   * Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Finally, post me the MBAM log and a new HJT log.

Brian

---------- FOLLOW-UP ----------

QUESTION: Hi Brian,

I've tried the SDFix scan again in safe mode and uninstalled my anti-virus, but it doesn't work. And then I tried to use MBAM, but when it finished the computer kept restarting itself.

This is the log from MBAM:
Malwarebytes' Anti-Malware 1.17
Database version: 867

5:55:49 PM 6/18/2008
mbam-log-6-18-2008 (17-55-49).txt

Scan type: Quick Scan
Objects scanned: 40385
Time elapsed: 3 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 14
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\antiwpa.dll (Malware.Tool) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\antiwpa (Malware.Tool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\imapdc.vxd (Spyware.ActMon) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\antiwpa.dll (Malware.Tool) -> Delete on reboot.
C:\WINDOWS\system32\imapde.dll (Spyware.ActMon) -> Quarantined and deleted successfully.

And this is from HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:11 PM, on 6/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exea
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\PV92Tray.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\WindowsXP\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe
C:\Documents and Settings\WindowsXP\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Babylon\Babylon.exe
E:\Downloads\My Completed Downloads\AllExpert.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uusee.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: SrchHook Class - {F4F10C1D-87C7-404A-B4B3-000000000000} - C:\PROGRA~1\DAP\SBSearch.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SDFix] E:\DOWNLO~1\MYCOMP~1\SDFix\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\WindowsXP\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" /lang en
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\WindowsXP\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F92E8CF-EC7E-482B-89A7-7AF3A90A1699}: NameServer = 192.168.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS4\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS5\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS6\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS7\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS8\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS9\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS10\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS11\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS12\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS13\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS14\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS15\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS16\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS17\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS18\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS19\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS20\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS21\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS22\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS23\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS24\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O17 - HKLM\System\CS25\Services\Tcpip\..\{1F181273-4453-4F4A-8D2D-F2949546A655}: NameServer = 192.168.2.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - rundll32.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9531 bytes
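A small triage script, added here as an example and not part of this thread, that parses HijackThis entries from excerpts of the two logs above (constructed from the lines posted), flags orphaned "(file missing)" entries and O20 load points such as the antiwpa.dll Winlogon Notify hook that MBAM later unloaded, and diffs the 6/16 and 6/18 logs to show what the cleanup removed. The section descriptions and the "non-system drive" heuristic are my own assumptions, not part of HJT.

```python
import re
from dataclasses import dataclass

# Constructed excerpts taken from the two HijackThis logs posted in this thread
# (6/16 and 6/18); only a handful of lines each, enough to show the triage.
LOG_0616 = r"""
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SDFix] E:\DOWNLO~1\MYCOMP~1\SDFix\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZK
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - rundll32.exe (file missing)
"""

LOG_0618 = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKLM\..\Run: [SDFix] E:\DOWNLO~1\MYCOMP~1\SDFix\SDFix\RunThis.bat /second
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - rundll32.exe (file missing)
"""

# Every HJT entry is "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Sections whose entries run code at logon or inside every process; these
# deserve a look regardless of the file name they point at (my own summary).
LOAD_POINT_SECTIONS = {
    "O20": "AppInit_DLLs / Winlogon Notify (loaded into processes or at logon)",
    "O21": "ShellServiceObjectDelayLoad",
    "O22": "SharedTaskScheduler",
}


@dataclass(frozen=True)
class Entry:
    section: str
    body: str


def parse_hjt(text):
    """Return the R/F/N/O entries of a HijackThis log, skipping headers and blanks."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Map each entry to the reasons it merits attention (unflagged entries are omitted)."""
    report = {}
    for e in entries:
        reasons = []
        if "(file missing)" in e.body:
            reasons.append("orphaned: registry still references a file that is gone")
        if e.section in LOAD_POINT_SECTIONS:
            reasons.append("load point: " + LOAD_POINT_SECTIONS[e.section])
        if e.section == "O4" and re.search(r"\b[D-Z]:\\", e.body):
            reasons.append("autorun from a non-system drive (heuristic)")
        if e.section == "O8" and "http://" in e.body:
            reasons.append("context-menu item points at a remote URL")
        if reasons:
            report[e] = reasons
    return report


def diff_logs(before, after):
    """Entries that disappeared between two logs, and entries that newly appeared."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    key = lambda e: (e.section, e.body)
    return sorted(b - a, key=key), sorted(a - b, key=key)


if __name__ == "__main__":
    removed, added = diff_logs(LOG_0616, LOG_0618)
    print("Removed since 6/16:")
    for e in removed:
        print("  -", e.section, e.body)
    print("New on 6/18:")
    for e in added:
        print("  +", e.section, e.body)
    print("\nTriage of 6/18 log:")
    for e, reasons in triage(parse_hjt(LOG_0618)).items():
        print(" ", e.section, e.body[:60], "->", "; ".join(reasons))
```

Run against the full logs, the diff shows the AVG entries and both O20 lines gone after the uninstall and the MBAM run, while the "(file missing)" leftovers are registry references to deleted files rather than active code.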


Answer
Hi Kyo

My apologies for not getting back to you sooner, as I have had some personal issues to deal with and have not had time to be online in the past few days. If you are still having the restarting problems, let me know so that we can troubleshoot. I am thinking that this may be a hardware-related problem, but I would like to make sure that all the malware is gone first. Post me a new HJT log to double-check.

Brian

Brian Benosky

Expertise

I will help you in eradicating malware and all forms of virus/trojans/adware. I can answer all PC-related hardware issues. I can also troubleshoot Windows OS errors (all versions) and other software problems. HijackThis logs are a MUST for virus related help. If you do not know how to do this, I have posted easy-to-follow instructions on the Ask a Question page. Every computer infection is different, so I will give you personal instructions on how to remove the malware, not a 'pat' answer. You can be assured of a prompt, polite, and knowledgeable response in all regards.

Experience

I have over 25 years experience in using, building, and repairing computers. I have helped over two thousand people here on AllExperts, with consistent Top Feedback Scores. Please look at my answers here: http://en.allexperts.com/q/Computer-Security-Viruses-1737/indexExp_84308.htm I am also a Top Contributor of General Computing answers in Yahoo! Questions.

Education/Credentials
College educated; self-taught computer skills.
