slow xp home cpu, trojans, iexplore.exe problems, komidowomu...

20 replies to this topic

#1 Tha7!

  • Members
  • 27 posts

Posted 12 December 2008 - 05:35 AM

I recently moved to a rural p.o.s. town to be with my grandparents, as my grandmother is not doing so well. Their computer has been used by probably everyone in the family (we had 40 people just for this last Thanksgiving...) and God knows what has gone on to it... Anyways, I have already removed many issues, but I know there are more... including iexplore.exe running at random times taking up 30-60k... I'm not very well equipped with technical information and know-how, just what I've learned since getting a Nintendo at 3 years old (go go Duck Hunt!)... ANYWAYS, I'm lookin' for some help. I've tapped every crappy local joe-blow who thought he was worth his salt and didn't trust any of those jackslaps... so I figured I'd try this. Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:26 AM, on 12/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {6351d239-fd47-4b17-a067-1565dcc88c21} - C:\WINDOWS\system32\seladihe.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [20299561] rundll32.exe "C:\WINDOWS\system32\konovozo.dll",b
O4 - HKLM\..\Run: [CPM231aa6fd] Rundll32.exe "c:\windows\system32\fosutozi.dll",a
O4 - HKLM\..\Run: [komidowomu] Rundll32.exe "C:\WINDOWS\system32\mesujoke.dll",s
O4 - HKUS\S-1-5-19\..\Run: [komidowomu] Rundll32.exe "C:\WINDOWS\system32\mesujoke.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [komidowomu] Rundll32.exe "C:\WINDOWS\system32\mesujoke.dll",s (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Owner\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Owner\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.hp.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: zlglsh.dll C:\WINDOWS\system32\jerawovi.dll avgrsstx.dll c:\windows\system32\fosutozi.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fosutozi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fosutozi.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 8002 bytes


#2 Joe - London

  • Security Colleague
  • 327 posts
  • Gender:Male
  • Location:UK

Posted 12 December 2008 - 02:36 PM

Hi Tha7!,

I can see lots of malware infections on your computer.

I can also see entries for Symantec and AVG anti-virus. Which of these do you use? Let me know, as running two anti-virus programmes causes conflicts.

Open Hijackthis, take another scan and place a checkmark next to these entries.


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
O2 - BHO: (no name) - {6351d239-fd47-4b17-a067-1565dcc88c21} - C:\WINDOWS\system32\seladihe.dll
O4 - HKLM\..\Run: [20299561] rundll32.exe "C:\WINDOWS\system32\konovozo.dll",b
O4 - HKLM\..\Run: [CPM231aa6fd] Rundll32.exe "c:\windows\system32\fosutozi.dll",a
O4 - HKLM\..\Run: [komidowomu] Rundll32.exe "C:\WINDOWS\system32\mesujoke.dll",s
O4 - HKUS\S-1-5-19\..\Run: [komidowomu] Rundll32.exe "C:\WINDOWS\system32\mesujoke.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [komidowomu] Rundll32.exe "C:\WINDOWS\system32\mesujoke.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Owner\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Owner\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O15 - Trusted Zone: www.hp.com
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O20 - AppInit_DLLs: zlglsh.dll C:\WINDOWS\system32\jerawovi.dll avgrsstx.dll c:\windows\system32\fosutozi.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fosutozi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fosutozi.dll


Close all open windows except HijackThis and click on "Fix Checked".

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Open HijackThis,
Click Config | Misc Tools | Open Uninstall Manager.
A list of the entries in Add/Remove Programs will appear.
Click on Save List...
The list will be saved as 'Uninstall_list.txt'.
Copy & paste the contents in your next reply.

Joe.
If I have helped you in any way, please consider a donation:
Member of UNITE and ASAP.
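The entries Joe asks to have fixed share a few traits: rundll32 loading eight-letter DLLs straight out of system32, Run entries under the service-account hives, AppInit_DLLs, SSODL and SharedTaskScheduler loaders, an orphaned BHO, and a proxy pointed at 0.0.0.0:80. The script below is an added example (not Joe's tooling and not part of HijackThis) that encodes those traits as a first-pass triage over HijackThis log lines; the sample input is copied from the first log in this thread plus two known-good lines, and every hit is a review hint, not a verdict.

```python
import re

# Added example: heuristic triage over HijackThis log lines, flagging the
# persistence points a helper would look at first. Results need a human (or a
# reputation lookup) before anything is "fixed".

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

# rundll32 loading a DLL that sits directly in system32 (not in a subfolder,
# so the printer driver under spool\DRIVERS is not matched).
RUN_SYS32_DLL = re.compile(
    r'(?i)rundll32(\.exe)?\s+"?c:\\windows\\system32\\[^\\"]+\.dll"?,')

# Eight lowercase letters: the naming pattern of the konovozo/fosutozi/mesujoke
# modules in the log above. Legitimate 8-letter names exist too (avgrsstx.dll),
# which is why this is a hint rather than a verdict.
RANDOM_SYS32_DLL = re.compile(
    r"(?i)c:\\windows\\system32\\(?P<name>[a-z]{8})\.dll")


def flag_line(line):
    """Return the reasons a HijackThis line deserves review ([] if none)."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    if sec in ("R3", "O2") and "(no name)" in body:
        reasons.append("unnamed browser hook/BHO")
    if "(no file)" in body:
        reasons.append("orphaned entry, file missing")
    if sec == "R1" and "ProxyServer" in body:
        reasons.append("proxy set: " + body.split("=", 1)[1].strip())
    if sec == "O4" and RUN_SYS32_DLL.search(body):
        reasons.append("Run key loads a system32 DLL via rundll32")
    if sec == "O4" and ("LOCAL SERVICE" in body or "NETWORK SERVICE" in body):
        reasons.append("Run entry under a service-account hive")
    if sec == "O20" and "AppInit_DLLs" in body:
        # first colon ends the section name; "C:\" comes later and is kept whole
        mods = body.split(":", 1)[1].split()
        reasons.append("AppInit_DLLs injects %d module(s) into every GUI process" % len(mods))
    if sec in ("O21", "O22"):
        reasons.append("shell-load persistence (%s)" % sec)
    for d in RANDOM_SYS32_DLL.finditer(body):
        reasons.append("random-looking system32 name: %s.dll" % d.group("name").lower())
    return reasons


def triage(log_text):
    """Return [(line, reasons)] for every flagged line, in log order."""
    out = []
    for line in log_text.splitlines():
        reasons = flag_line(line)
        if reasons:
            out.append((line.strip(), reasons))
    return out


# Sample input: lines copied from the first HijackThis log in this thread,
# plus two known-good entries (Java updater, Lexmark printer driver).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
O2 - BHO: (no name) - {6351d239-fd47-4b17-a067-1565dcc88c21} - C:\WINDOWS\system32\seladihe.dll
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [20299561] rundll32.exe "C:\WINDOWS\system32\konovozo.dll",b
O4 - HKUS\S-1-5-19\..\Run: [komidowomu] Rundll32.exe "C:\WINDOWS\system32\mesujoke.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: zlglsh.dll C:\WINDOWS\system32\jerawovi.dll avgrsstx.dll c:\windows\system32\fosutozi.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fosutozi.dll
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Paste a full log into SAMPLE_LOG (or read it from a file) and the two known-good lines show the intended behaviour: the Java updater and the printer driver, which also goes through rundll32, stay unflagged.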

#3 Tha7!

  • Topic Starter

  • Members
  • 27 posts

Posted 12 December 2008 - 03:40 PM

OK, thanks for your help sir. I also had run MWBytes and CCleaner between the first post and your reply, jtlyk... Currently AVG is the AV in use, as when I started my attempt to clean up the PC I could not get Symantec to work.

ComboFix 08-12-11.06 - Owner 2008-12-12 12:19:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.188 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\qmdispatch.dll
c:\windows\system32\drivers\ati5jmxx.sys
c:\windows\system32\fosutozi.dll
c:\windows\system32\gehakofe.dll
c:\windows\system32\jerawovi.dll
c:\windows\system32\ovupiwur.ini
c:\windows\system32\terivose.dll
c:\windows\system32\yonugese.dll
c:\windows\Tasks\lezafrgw.job
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ATI5JMXX
-------\Legacy_FCI
-------\Legacy_NEW_DRV
-------\Service_ati5jmxx
-------\Service_restore


((((((((((((((((((((((((( Files Created from 2008-11-12 to 2008-12-12 )))))))))))))))))))))))))))))))
.

2100-02-23 14:35 . 2001-02-22 09:54 768 --a------ c:\program files\x73_lut.dat
2100-02-08 15:03 . 2001-05-11 10:39 53,248 --a------ c:\program files\ACMonitor_X73.exe
2008-12-12 12:17 . 2008-12-12 12:17 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR
2008-12-12 12:09 . 2008-12-12 12:13 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-12 12:09 . 2008-12-12 12:09 <DIR> d-------- c:\documents and settings\Owner\Application Data\AVGTOOLBAR
2008-12-12 12:09 . 2008-12-12 12:09 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-12 12:09 . 2008-12-12 12:09 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-12 12:09 . 2008-12-12 12:09 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-12 09:55 . 2008-12-12 09:55 <DIR> d--hs---- c:\windows\system32\config\systemprofile\UserData
2008-12-12 09:37 . 2008-12-12 09:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-12-12 02:16 . 2008-12-12 02:16 <DIR> d-------- c:\program files\Trend Micro
2008-12-12 01:35 . 2008-12-12 01:36 <DIR> d-------- c:\program files\CCleaner
2008-12-11 11:32 . 2008-12-11 16:47 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-11 09:45 . 2008-12-12 12:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2008-12-11 09:34 . 2008-12-12 01:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2008-12-10 03:17 . 2008-12-10 03:43 <DIR> d-------- c:\program files\Airport Mania
2008-12-09 21:45 . 2008-12-09 21:45 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-09 19:15 . 2008-12-12 02:39 4,019,316 --a------ c:\windows\firewall.log.old
2008-12-09 16:01 . 2008-12-09 16:01 244 --ah----- C:\sqmnoopt00.sqm
2008-12-09 16:01 . 2008-12-09 16:01 232 --ah----- C:\sqmdata00.sqm
2008-12-09 00:11 . 2008-12-09 00:21 <DIR> d-------- c:\program files\AskBarDis
2008-12-08 15:54 . 2008-12-08 15:54 <DIR> d-------- c:\program files\Common Files\DirectX
2008-12-08 15:53 . 2008-12-09 00:23 <DIR> d-------- c:\program files\Gunner 2
2008-12-08 15:52 . 2008-12-08 15:50 8,813,179 --a------ C:\Gunner2Setup.exe
2008-12-08 15:31 . 2008-12-08 15:31 <DIR> d-------- c:\documents and settings\Owner\Application Data\Sahmon Games
2008-12-08 15:29 . 2008-12-08 15:31 <DIR> d-------- c:\program files\Astro Avenger 2
2008-12-08 15:28 . 2008-12-08 15:28 35,117,670 --a------ C:\AstroAvenger2Setup.exe
2008-12-08 01:12 . 2008-12-08 07:57 <DIR> d-------- C:\David's Stuff
2008-12-07 23:16 . 2008-12-07 23:17 <DIR> d-------- c:\program files\PopCap Games
2008-12-07 16:34 . 2008-12-07 16:34 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Juniper Networks
2008-12-07 16:15 . 2008-12-07 16:15 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\aAvgApi
2008-12-07 16:00 . 2008-12-07 16:02 2 --a------ C:\539596238
2008-12-07 10:05 . 2008-12-07 10:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sandlot Games
2008-12-07 10:05 . 2008-12-07 10:05 4,096 --a------ c:\windows\d3dx.dat
2008-12-07 10:00 . 2008-12-07 17:03 <DIR> d-------- c:\program files\My Tribe
2008-12-07 09:59 . 2008-12-07 12:20 <DIR> d-------- c:\program files\Westward II Heroes Of The Frontier
2008-12-05 18:44 . 2008-12-10 19:33 <DIR> d-------- C:\Pinochle
2008-12-02 21:08 . 2008-12-02 23:35 <DIR> d-------- c:\program files\Incomplete
2008-11-30 16:09 . 2008-11-30 16:09 <DIR> d-------- c:\documents and settings\Owner\Application Data\Image Zone Express
2008-11-25 10:28 . 2008-11-25 10:28 <DIR> d-------- c:\program files\_uninstallation_info
2008-11-24 14:28 . 2008-11-24 14:28 <DIR> d-------- c:\program files\ReflexiveArcade
2008-11-24 03:58 . 2004-08-04 11:00 18,944 --a------ c:\windows\system32\simptcp.dll
2008-11-24 03:58 . 2004-08-04 11:00 18,944 --a--c--- c:\windows\system32\dllcache\simptcp.dll
2008-11-22 19:32 . 2008-11-22 19:32 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2008-11-22 05:38 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-11-22 05:38 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2008-11-22 05:38 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-22 01:59 . 2008-11-22 16:03 <DIR> d-------- c:\documents and settings\Owner\Contacts
2008-11-22 01:58 . 2008-11-22 01:58 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-22 01:57 . 2008-11-22 01:58 <DIR> d-------- c:\program files\Windows Live
2008-11-22 01:57 . 2008-11-22 01:58 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-11-22 01:57 . 2008-11-22 01:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-19 16:55 . 2008-11-19 16:55 0 --a------ c:\windows\UltimateBuddy.INI
2008-11-18 18:16 . 2008-11-25 10:28 <DIR> d-------- c:\program files\UltimateBuddy
2008-11-16 03:37 . 2008-11-16 03:36 720,896 --a------ c:\windows\iun6002.exe
2008-11-15 02:46 . 2008-11-15 02:46 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-15 02:46 . 2008-11-15 02:46 1,409 --a------ c:\windows\QTFont.for
2008-11-14 19:36 . 2008-11-14 19:36 <DIR> d-------- c:\documents and settings\Owner\Application Data\iWinArcade
2008-11-12 05:29 . 2008-10-24 03:21 455,296 --a--c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 05:28 . 2008-09-04 09:15 1,106,944 --a--c--- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 17:36 --------- d-----w c:\program files\Google
2008-12-12 09:35 --------- d-----w c:\program files\Yahoo!
2008-12-12 09:27 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-12 09:24 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-12 09:24 --------- d-----w c:\program files\DNA
2008-12-11 16:00 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-09 23:44 --------- d-----w c:\documents and settings\Owner\Application Data\BitTorrent
2008-12-09 23:20 --------- d-----w c:\program files\BFG
2008-12-09 08:11 --------- d-----w c:\program files\BitTorrent
2008-12-07 12:11 --------- d-----w c:\program files\UltimateBet
2008-12-04 23:33 --------- d-----w c:\program files\Microsoft Plus!
2008-12-04 23:27 --------- d-----w c:\program files\Microsoft Works
2008-12-04 02:14 67,584 ----a-w c:\windows\SOUNDMAN.EXE
2008-12-03 07:36 --------- d-----w c:\documents and settings\Owner\Application Data\FrostWire
2008-11-26 10:00 --------- d-----w c:\program files\Railroad Tycoon 3
2008-11-25 00:47 --------- d-----w c:\program files\iWin.com Games
2008-11-25 00:47 --------- d-----w c:\documents and settings\Owner\Application Data\iWin
2008-11-18 09:48 --------- d-----w c:\program files\Lx_cats
2008-11-17 05:22 --------- d-----w c:\program files\HP
2008-11-15 20:46 --------- d-----w c:\program files\Common Files\Adobe
2008-11-15 03:36 --------- d-----w c:\documents and settings\All Users\Application Data\iWin Games
2008-11-15 03:35 --------- d-----w c:\program files\iWin Games
2008-11-11 12:47 --------- d-----w c:\program files\AVG
2008-11-10 21:28 --------- d-----w c:\documents and settings\Owner\Application Data\aAvgApi
2008-11-10 18:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-10 18:52 --------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2008-11-10 18:52 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-24 22:25 --------- d-----w c:\program files\Java
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 00:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-23 00:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-22 15:56 --------- d-----w c:\documents and settings\All Users\Application Data\{29504223-5D4F-495C-BAC6-1C6DB2EEF1C8}
2008-10-22 15:54 --------- d-----w c:\program files\Sports Mogul
2008-09-28 15:44 47,104 ----a-w c:\program files\RT2Platv156NoCDGSG9.exe
2007-05-18 03:31 140 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2001-07-27 00:58 47 ----a-w c:\program files\ACMonitor_X73.ini
2001-07-05 20:46 8,116 ----a-w c:\program files\OSLO3071b2.USB
2001-06-12 22:28 8,154 ----a-w c:\program files\OsloD3069.usb
2001-05-08 23:36 114,688 ----a-w c:\program files\lxarscan.dll
2001-04-23 22:22 1,437 ----a-w c:\program files\gtx73.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-12 1234712]
"SoundMan"="SOUNDMAN.EXE" [2008-12-03 c:\windows\SOUNDMAN.EXE]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--ahs---- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2005-03-15 09:04 966656 c:\windows\creator\remind_xp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 13:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2005-12-08 20:51 100056 c:\progra~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2008-12-03 18:14 67584 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2005-03-08 02:33 53248 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
--a------ 2005-03-11 16:33 147456 c:\windows\system32\VTTrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgrsx.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\PhotoshopElementsFileAgent.exe"=
"c:\\Program Files\\AVG\\AVG8\\aAvgApi.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\HPZipm12.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-12 97928]
R1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\drivers\VCdRom.sys [2008-09-20 8576]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-12 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-12 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-12 76040]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36db705f-3c72-11d8-a150-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4021e6df-0a2a-11da-b762-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dcd886df-1ef9-11da-9a49-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{deff3a65-0821-11da-8b7d-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2008-12-12 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE []
.
- - - - ORPHANS REMOVED - - - -

BHO-{6351d239-fd47-4b17-a067-1565dcc88c21} - c:\windows\system32\seladihe.dll
HKCU-Run-Aim6 - (no file)
HKLM-Run-komidowomu - c:\windows\system32\mesujoke.dll
SafeBoot-ati6fixx.sys
SafeBoot-ati6uyxx.sys
SafeBoot-ati7ruxx.sys
SafeBoot-ati8dfxx.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hotmail.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = 0.0.0.0:80
IE: &AOL Toolbar search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\zj8yicp7.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.hotmail.com/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Yahoo!\Common\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-12 12:23:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msiexec.exe
c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
.
**************************************************************************
.
Completion time: 2008-12-12 12:29:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-12 20:29:08

Pre-Run: 120,427,048,960 bytes free
Post-Run: 120,750,755,840 bytes free

249 --- E O F --- 2008-12-12 20:27:32



----------------------------------------------------------------------------------------------------


O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6289 bytes

Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Adobe Reader 8.1.3
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.0
AIM 6
Astro Avenger 2
AVG Free 8.0
Baseball Mogul 2009
Bejeweled 2 Deluxe
Bejeweled Twist 1.0
CCleaner (remove only)
CSI-Hard Evidence
DoubleDeck Pinochle 4.0
Football Mogul 2008
Gunner 2
HijackThis 2.0.2
HP Driver Diagnostics
HP Photosmart Essential
HP PSC & OfficeJet 5.3.B
HP PSC & OfficeJet 6.1.A
HP Software Update
HP Solution Center and Imaging Support Tools 6.1
ImgBurn
iWin Games (remove only)
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 3
Java™ 6 Update 7
Jewel Quest 2 (remove only)
Jewel Quest III
Jewel Quest Mysteries Curse of the Emerald Tear (remove only)
Lexmark 730 Series
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Plus! for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.4)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
My Tribe
Mystery Case Files - Huntsville (remove only)
Norton Internet Security
PowerDVD
QuickTime
Railroad Tycoon 3
Railroad Tycoon II - Platinum
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
SoftV92 Data Fax Modem with SmartCP
UltimateBet
USB Card Reader
VIA/S3G Display Driver
Westward II Heroes Of The Frontier
Windows Backup Utility
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Toolbar
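As an added example (not from this thread, and not a ComboFix feature): a small Python parser for two parts of the ComboFix log format shown in this thread, the "Files Created" listing (the full layout appears in post #10 below, including two entries dated 2100) and the Pre-Run/Post-Run free-space lines at the end of the log above. It flags entries whose timestamps postdate the scan and executables sitting directly in a drive root or Program Files root rather than in an application folder, and reports how many bytes the run freed. A future date is an anomaly to check, not by itself proof of tampering. Sample lines are copied from the thread's logs; the function names flag_entries and free_space_delta, and the scan time passed in, are mine. The log does not say which of ComboFix's two timestamps is "modified" and which "created", so the code checks both.

```python
"""Parse the 'Files Created' listing and the Pre-Run/Post-Run lines of a
ComboFix log and flag entries that deserve a second look."""
import re
from datetime import datetime
from typing import Dict, List, Tuple

# "2008-12-12 12:09 . 2008-12-12 12:09 97,928 --a------ c:\path"  or  "... <DIR> d-------- c:\path"
ENTRY_RE = re.compile(
    r"^(?P<a>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<b>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(?P<size><DIR>|[\d,]+)\s+(?P<attr>\S+)\s+(?P<path>.+)$"
)
RUN_RE = re.compile(r"^(?P<which>Pre|Post)-Run:\s+(?P<bytes>[\d,]+) bytes free$")
# A file directly under X:\ or X:\Program Files\ (no application subfolder)
ROOT_RE = re.compile(r"^[a-z]:\\(program files\\)?[^\\]+$", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


def parse_stamp(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def flag_entries(log_text: str, scan_time: datetime) -> List[Tuple[str, str]]:
    """Return (reason, path) pairs for Files Created entries worth reviewing.
    Find3M lines use a different layout and are deliberately not matched."""
    flags: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        path = m["path"]
        # ComboFix prints two timestamps per entry; which is 'modified' and which
        # 'created' is not stated in the log, so a future date in either is flagged.
        if max(parse_stamp(m["a"]), parse_stamp(m["b"])) > scan_time:
            flags.append(("timestamp later than the scan time", path))
        if m["size"] != "<DIR>" and ROOT_RE.match(path) and path.lower().endswith(EXEC_EXT):
            flags.append(("executable directly in a drive or Program Files root", path))
    return flags


def free_space_delta(log_text: str) -> int:
    """Bytes freed by the run: Post-Run minus Pre-Run free space."""
    found: Dict[str, int] = {}
    for raw in log_text.splitlines():
        m = RUN_RE.match(raw.strip())
        if m:
            found[m["which"]] = int(m["bytes"].replace(",", ""))
    return found["Post"] - found["Pre"]


# Constructed sample: entries copied from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""((((((((((((((((((((((((( Files Created from 2008-11-13 to 2008-12-13 )))))))))))))))))))))))))))))))
.
2100-02-23 14:35 . 2001-02-22 09:54 768 --a------ c:\program files\x73_lut.dat
2100-02-08 15:03 . 2001-05-11 10:39 53,248 --a------ c:\program files\ACMonitor_X73.exe
2008-12-12 12:17 . 2008-12-12 12:17 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR
2008-12-12 12:09 . 2008-12-12 12:09 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-08 15:52 . 2008-12-08 15:50 8,813,179 --a------ C:\Gunner2Setup.exe
2008-12-12 17:36 --------- d-----w c:\program files\Google

Pre-Run: 120,427,048,960 bytes free
Post-Run: 120,750,755,840 bytes free
"""
# Taken from the "ComboFix 08-12-11.06 - Owner 2008-12-12 17:37:28.2" header line (assumed scan time)
SCAN_TIME = datetime(2008, 12, 12, 17, 37)

if __name__ == "__main__":
    for reason, path in flag_entries(SAMPLE_LOG, SCAN_TIME):
        print(f"{reason}: {path}")
    print(f"freed {free_space_delta(SAMPLE_LOG):,} bytes")
```

On the sample above the two Lexmark-looking files under Program Files are flagged for their 2100 dates, ACMonitor_X73.exe and Gunner2Setup.exe for sitting in a root folder, and the run is reported as having freed about 324 MB, which matches the Pre-Run/Post-Run figures in the log above.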

#4 Tha7! (Topic Starter)

Posted 12 December 2008 - 04:11 PM

about 10 minutes after my last post AVGrs picked up a trojan Rootkit-agent.AV in file C:\System Volume Information\_restore{f845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1140\A0049464.sys

#5 Joe - London (Security Colleague, UK)

Posted 12 December 2008 - 06:28 PM

Hi Tha7!,

about 10 minutes after my last post AVGrs picked up a trojan Rootkit-agent.AV in file C:\System Volume Information\_restore{f845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1140\A0049464.sys


Please do nothing about this for now as it's safe there. However, under no circumstances do a System Restore unless instructed.

Can you please post the new HijackThis log following the ComboFix scan I requested. This is important to enable me to proceed with the next step.

What firewall do you have?

Do you want to remove Symantec?

Joe.

#6 Tha7! (Topic Starter)

Posted 12 December 2008 - 06:35 PM

I did post the new HJT log, but apparently it wasn't completely copied or whatever; I see that now, haha. Currently Windows Firewall, and yeah, Symantec can go bye-bye as far as I'm concerned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:05 PM, on 12/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6289 bytes

Edited by Tha7!, 12 December 2008 - 06:36 PM.


#7 Tha7! (Topic Starter)

Posted 12 December 2008 - 07:01 PM

In case it's more relevant, here's a current HJT scan log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:59:54 PM, on 12/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6101 bytes

#8 Joe - London (Security Colleague, UK)

Posted 12 December 2008 - 07:35 PM

Hi Tha7!,

That was a good cleanup and the computer should now be running much better. I've not forgotten the alert you mentioned.

Copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

Can you tell me anything about these directories? FrostWire is a P2P program and should go, but there may be stuff you wish to keep inside.

C:\program files\PopCap Games
C:\539596238
c:\documents and settings\Owner\Application Data\FrostWire

Norton/Symantec stuff can be a real pain to remove from your computer. The best approach is to use their own uninstall tool relevant to your particular version of their product. Best to run this to ensure all the remnants are removed.

First go to the scheduled tasks in the control panel and delete this scheduled task:
Symantec NetDetect.job

The removal tool is available from their site here:
http://service1.symantec.com/SUPPORT/tsgen...p;src=symsug_us

Open HijackThis, take another scan and place a checkmark next to these entries.


O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll


Close all open windows except HijackThis and click on "Fix checked".

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Open *notepad*

Copy and paste all the text in the quotebox below into it:


KillAll::

File::
c:\windows\Tasks\Symantec NetDetect.job
c:\program files\Symantec\LiveUpdate\NDETECT.EXE

Folder::
c:\program files\Symantec

ADS::
C:\windows\system32

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]

DirLook::
c:\program files\PopCap Games
C:\539596238
c:\documents and settings\Owner\Application Data\FrostWire


Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

This reactivates ComboFix. Again, follow the prompts.

It will create another System restore point.

When finished, it shall produce a log for you at C:\ComboFix.txt

Copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Now run CCleaner.

Then Malwarebytes and post the report.

Post the following:
  • A new Hijackthis log
  • The Combofix log.
  • Another uninstall list.
  • The malwarebytes report.

This may not remove all the infections present. It is important that you post back and complete the fix.

Please post in this thread for further review and evaluation.
Please provide details of any problems you encountered whilst performing the above steps & update us on how the Computer is running.

Joe.

Edited by Joe - London, 12 December 2008 - 07:42 PM.

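As an added example, not part of this thread and not code from HijackThis itself: a Python triage script for the HijackThis v2.0.2 log format posted above. It parses the numbered entries (R1, O2, O4, O9, O23 and so on) and flags the things the helper in this thread is checking by eye: a ProxyServer value in the R1 line, O4 autoruns that run from a user-writable folder or by bare file name, orphaned "(no file)" entries, and O23 services whose vendor field is empty or "Unknown owner". The sample log is constructed from lines in this thread plus one made-up HKCU autorun in the Temp folder (labelled in the code, and not present on the real machine) so that rule fires; the rule set and the names triage, command_path and summary are mine.

```python
"""Triage a HijackThis v2 log: parse each numbered entry and flag the things a
responder reads first (IE proxy setting, autoruns from user-writable paths or by
bare file name, orphaned entries, services without a vendor string)."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str
    line: str


ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# Registry autoruns "HKLM\..\Run: [Name] command"; Startup-folder O4 lines are not parsed here
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Services "Service: Display (short) - Vendor - path"; the vendor field may be empty (" - - ")
O23_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<vendor>.*?) ?- (?P<path>.+)$")
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\")
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs")


def command_path(cmd: str) -> str:
    """Return the file an O4 command really loads: a quoted path, the DLL named
    after rundll32, or an unquoted path that may itself contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    tokens = cmd.split()
    if tokens and tokens[0].lower() in ("rundll32", "rundll32.exe"):
        tokens = tokens[1:]
    acc = ""
    for tok in tokens:                      # grow the prefix until it ends in an executable extension
        acc = f"{acc} {tok}" if acc else tok
        candidate = acc.split(",")[0]       # drop a rundll32 ",EntryPoint" suffix
        if candidate.lower().endswith(EXEC_EXT):
            return candidate
    return tokens[0] if tokens else ""


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                        # header, process list, blank lines
        code, body = m["code"], m["body"]
        if code.startswith("R") and "ProxyServer" in body:
            findings.append(Finding(code, "IE proxy server is set; confirm it is intended", raw))
        elif code == "O4":
            o4 = O4_RE.match(body)
            if not o4:
                continue
            path = command_path(o4["cmd"])
            if any(p in path.lower() for p in USER_WRITABLE):
                findings.append(Finding(code, "autorun launches from a user-writable location", raw))
            elif "\\" not in path:
                findings.append(Finding(code, "autorun is a bare file name resolved through PATH", raw))
        elif "(no file)" in body:
            findings.append(Finding(code, "orphaned entry: registered component has no file on disk", raw))
        elif code == "O23":
            svc = O23_RE.match(body)
            if svc and svc["vendor"].strip() in ("", "Unknown owner"):
                findings.append(Finding(code, "service has no vendor string; verify the binary", raw))
    return findings


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per HijackThis section code."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


# Constructed sample: entries copied from the logs in this thread, plus one made-up
# HKCU "updater" autorun in %Temp% (not on the real machine) to exercise that rule.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Temp\svchost.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summary(triage(SAMPLE_LOG)))
```

A flagged entry is a starting point, not a verdict: in the logs above, SOUNDMAN.EXE resolves to C:\WINDOWS\SOUNDMAN.EXE (it is in the running-process list), and lxcf_device with its empty vendor field appears to belong to the Lexmark 730 Series driver in the uninstall list. The value of the script is that it makes the same entries stand out in every log pasted into the thread, so the helper can spend the eyeball time on what changed.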

#9 Tha7! (Topic Starter)

Posted 12 December 2008 - 08:30 PM

About those directories: PopCap Games is Bejeweled Twist's directory; the number was a file without an extension that, when opened in Notepad, only said OK (removed); and FrostWire wasn't installed at the time, and all files and directories that I could find with FrostWire have been removed.

#10 Tha7! (Topic Starter)

Posted 12 December 2008 - 09:55 PM

OK, well, first off, the computer is running better, still sluggish (although it is much better!). While running MWBytes, AVGrs picked up 3 trojans in the same restore directory as before; other than that, no problems were encountered as of yet!

ComboFix Log

ComboFix 08-12-11.06 - Owner 2008-12-12 17:37:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.132 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\program files\Symantec\LiveUpdate\NDETECT.EXE
c:\windows\Tasks\Symantec NetDetect.job
.

((((((((((((((((((((((((( Files Created from 2008-11-13 to 2008-12-13 )))))))))))))))))))))))))))))))
.

2100-02-23 14:35 . 2001-02-22 09:54 768 --a------ c:\program files\x73_lut.dat
2100-02-08 15:03 . 2001-05-11 10:39 53,248 --a------ c:\program files\ACMonitor_X73.exe
2008-12-12 12:17 . 2008-12-12 12:17 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR
2008-12-12 12:09 . 2008-12-12 12:13 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-12 12:09 . 2008-12-12 12:09 <DIR> d-------- c:\documents and settings\Owner\Application Data\AVGTOOLBAR
2008-12-12 12:09 . 2008-12-12 12:09 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-12 12:09 . 2008-12-12 12:09 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-12 12:09 . 2008-12-12 12:09 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-12 09:55 . 2008-12-12 09:55 <DIR> d--hs---- c:\windows\system32\config\systemprofile\UserData
2008-12-12 09:37 . 2008-12-12 09:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-12-12 02:16 . 2008-12-12 02:16 <DIR> d-------- c:\program files\Trend Micro
2008-12-12 01:35 . 2008-12-12 01:36 <DIR> d-------- c:\program files\CCleaner
2008-12-11 11:32 . 2008-12-12 12:57 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-11 09:45 . 2008-12-12 12:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2008-12-11 09:34 . 2008-12-12 01:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2008-12-10 03:17 . 2008-12-10 03:43 <DIR> d-------- c:\program files\Airport Mania
2008-12-09 21:45 . 2008-12-09 21:45 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-09 19:15 . 2008-12-12 02:39 4,019,316 --a------ c:\windows\firewall.log.old
2008-12-09 16:01 . 2008-12-09 16:01 244 --ah----- C:\sqmnoopt00.sqm
2008-12-09 16:01 . 2008-12-09 16:01 232 --ah----- C:\sqmdata00.sqm
2008-12-09 00:11 . 2008-12-09 00:21 <DIR> d-------- c:\program files\AskBarDis
2008-12-08 15:54 . 2008-12-08 15:54 <DIR> d-------- c:\program files\Common Files\DirectX
2008-12-08 15:53 . 2008-12-09 00:23 <DIR> d-------- c:\program files\Gunner 2
2008-12-08 15:52 . 2008-12-08 15:50 8,813,179 --a------ C:\Gunner2Setup.exe
2008-12-08 15:31 . 2008-12-08 15:31 <DIR> d-------- c:\documents and settings\Owner\Application Data\Sahmon Games
2008-12-08 15:29 . 2008-12-08 15:31 <DIR> d-------- c:\program files\Astro Avenger 2
2008-12-08 15:28 . 2008-12-08 15:28 35,117,670 --a------ C:\AstroAvenger2Setup.exe
2008-12-08 01:12 . 2008-12-08 07:57 <DIR> d-------- C:\David's Stuff
2008-12-07 23:16 . 2008-12-12 17:28 <DIR> d-------- c:\program files\PopCap Games
2008-12-07 16:34 . 2008-12-07 16:34 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Juniper Networks
2008-12-07 16:15 . 2008-12-07 16:15 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\aAvgApi
2008-12-07 10:05 . 2008-12-07 10:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sandlot Games
2008-12-07 10:05 . 2008-12-07 10:05 4,096 --a------ c:\windows\d3dx.dat
2008-12-07 10:00 . 2008-12-07 17:03 <DIR> d-------- c:\program files\My Tribe
2008-12-07 09:59 . 2008-12-07 12:20 <DIR> d-------- c:\program files\Westward II Heroes Of The Frontier
2008-12-05 18:44 . 2008-12-10 19:33 <DIR> d-------- C:\Pinochle
2008-12-02 21:08 . 2008-12-02 23:35 <DIR> d-------- c:\program files\Incomplete
2008-11-30 16:09 . 2008-11-30 16:09 <DIR> d-------- c:\documents and settings\Owner\Application Data\Image Zone Express
2008-11-25 10:28 . 2008-11-25 10:28 <DIR> d-------- c:\program files\_uninstallation_info
2008-11-24 14:28 . 2008-11-24 14:28 <DIR> d-------- c:\program files\ReflexiveArcade
2008-11-24 03:58 . 2004-08-04 11:00 18,944 --a------ c:\windows\system32\simptcp.dll
2008-11-24 03:58 . 2004-08-04 11:00 18,944 --a--c--- c:\windows\system32\dllcache\simptcp.dll
2008-11-22 19:32 . 2008-11-22 19:32 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2008-11-22 05:38 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-11-22 05:38 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2008-11-22 05:38 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-22 01:59 . 2008-11-22 16:03 <DIR> d-------- c:\documents and settings\Owner\Contacts
2008-11-22 01:58 . 2008-11-22 01:58 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-22 01:57 . 2008-11-22 01:58 <DIR> d-------- c:\program files\Windows Live
2008-11-22 01:57 . 2008-11-22 01:58 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-11-22 01:57 . 2008-11-22 01:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-19 16:55 . 2008-11-19 16:55 0 --a------ c:\windows\UltimateBuddy.INI
2008-11-18 18:16 . 2008-11-25 10:28 <DIR> d-------- c:\program files\UltimateBuddy
2008-11-16 03:37 . 2008-11-16 03:36 720,896 --a------ c:\windows\iun6002.exe
2008-11-15 02:46 . 2008-11-15 02:46 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-15 02:46 . 2008-11-15 02:46 1,409 --a------ c:\windows\QTFont.for
2008-11-14 19:36 . 2008-11-14 19:36 <DIR> d-------- c:\documents and settings\Owner\Application Data\iWinArcade

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 17:36 --------- d-----w c:\program files\Google
2008-12-12 09:35 --------- d-----w c:\program files\Yahoo!
2008-12-12 09:27 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-12 09:24 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-12 09:24 --------- d-----w c:\program files\DNA
2008-12-11 16:00 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-09 23:44 --------- d-----w c:\documents and settings\Owner\Application Data\BitTorrent
2008-12-09 23:20 --------- d-----w c:\program files\BFG
2008-12-09 08:11 --------- d-----w c:\program files\BitTorrent
2008-12-07 12:11 --------- d-----w c:\program files\UltimateBet
2008-12-04 23:33 --------- d-----w c:\program files\Microsoft Plus!
2008-12-04 23:27 --------- d-----w c:\program files\Microsoft Works
2008-12-04 02:14 67,584 ----a-w c:\windows\SOUNDMAN.EXE
2008-11-26 10:00 --------- d-----w c:\program files\Railroad Tycoon 3
2008-11-25 00:47 --------- d-----w c:\program files\iWin.com Games
2008-11-25 00:47 --------- d-----w c:\documents and settings\Owner\Application Data\iWin
2008-11-18 09:48 --------- d-----w c:\program files\Lx_cats
2008-11-17 05:22 --------- d-----w c:\program files\HP
2008-11-15 20:46 --------- d-----w c:\program files\Common Files\Adobe
2008-11-15 03:36 --------- d-----w c:\documents and settings\All Users\Application Data\iWin Games
2008-11-15 03:35 --------- d-----w c:\program files\iWin Games
2008-11-11 12:47 --------- d-----w c:\program files\AVG
2008-11-10 21:28 --------- d-----w c:\documents and settings\Owner\Application Data\aAvgApi
2008-11-10 18:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-10 18:52 --------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2008-11-10 18:52 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-24 22:25 --------- d-----w c:\program files\Java
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 00:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-23 00:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-22 15:56 --------- d-----w c:\documents and settings\All Users\Application Data\{29504223-5D4F-495C-BAC6-1C6DB2EEF1C8}
2008-10-22 15:54 --------- d-----w c:\program files\Sports Mogul
2008-09-28 15:44 47,104 ----a-w c:\program files\RT2Platv156NoCDGSG9.exe
2007-05-18 03:31 140 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2001-07-27 00:58 47 ----a-w c:\program files\ACMonitor_X73.ini
2001-07-05 20:46 8,116 ----a-w c:\program files\OSLO3071b2.USB
2001-06-12 22:28 8,154 ----a-w c:\program files\OsloD3069.usb
2001-05-08 23:36 114,688 ----a-w c:\program files\lxarscan.dll
2001-04-23 22:22 1,437 ----a-w c:\program files\gtx73.ini
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\539596238 ----

c:\539596238\

---- Directory of c:\documents and settings\Owner\Application Data\FrostWire ----

c:\documents and settings\Owner\Application Data\FrostWire\

---- Directory of c:\program files\PopCap Games ----

2008-12-12 17:28 3072 --ahs---- c:\program files\PopCap Games\Thumbs.db
2008-12-08 15:28 32 --a------ c:\program files\PopCap Games\Bejeweled Twist\users\users.dat
2008-12-08 15:28 20072 --a------ c:\program files\PopCap Games\Bejeweled Twist\users\Sinnerz\savegame_zen.dat
2008-12-08 15:28 15432 --a------ c:\program files\PopCap Games\Bejeweled Twist\users\Sinnerz\profile.dat
2008-12-08 15:21 15453 --a------ c:\program files\PopCap Games\Bejeweled Twist\users\Gramma\profile.dat
2008-12-08 15:11 20106 --a------ c:\program files\PopCap Games\Bejeweled Twist\users\Gramma\savegame_zen.dat
2008-12-07 23:21 99838 --a------ c:\program files\PopCap Games\Bejeweled Twist\cached\sounds\wildcard_destroyed.wav
2008-12-07 23:21 76310 --a------ c:\program files\PopCap Games\Bejeweled Twist\cached\sounds\click_dialog.wav
2008-12-07 23:21 76303 --a------ c:\program files\PopCap Games\Bejeweled Twist\cached\sounds\click.wav
2008-12-07 23:21 55385 --a------ c:\program files\PopCap Games\Bejeweled Twist\cached\sounds\badmove.wav
2008-12-07 23:21 52640 --a------ c:\program files\PopCap Games\Bejeweled Twist\cached\sounds\lightbar_blink.wav
2008-12-07 23:21 442464 --a------ c:\program files\PopCap Games\Bejeweled Twist\cached\sounds\gem_lock_break.wav
2008-12-07 23:21 42711 --a------ c:\program files\PopCap Games\Bejeweled Twist\cached\sounds\gem_hit.wav
2008-12-07 23:21 4124 --a------ c:\program files\PopCap Games\Bejeweled Twist\cached\sounds\select.wav
2008-12-07 23:21 409696 --a------ c:\program files\PopCap Games\Bejeweled Twist\cached\sounds\electro_start1.wav
2008-12-07 23:21 329934 --a------ c:\program files\PopCap Games\Bejeweled Twist\cached\sounds\gem_shatters.wav
2008-12-07 23:21 323049 --a------ c:\program files\PopCap Games\Bejeweled Twist\cached\sounds\multiplier_down.wav
2008-12-07 23:21 306 --a------ c:\program files\PopCap Games\Bejeweled Twist\users\scores.dat
2008-12-07 23:21 27326 --a------ c:\program files\PopCap Games\Bejeweled Twist\cached\sounds\start_rotate.wav
2008-12-07 23:21 267918 --a------ c:\program files\PopCap Games\Bejeweled Twist\cached\sounds\tally_zoomin.wav
2008-12-07 23:21 236648 --a------ c:\program files\PopCap Games\Bejeweled Twist\cached\sounds\menu_slide.wav
2008-12-07 23:21 215135 --a------ c:\program files\PopCap Games\Bejeweled Twist\cached\sounds\tutorial_snap.wav
2008-12-07 23:21 199779 --a------ c:\program files\PopCap Games\Bejeweled Twist\cached\sounds\menu_button_click.wav
2008-12-07 23:21 174686 --a------ c:\program files\PopCap Games\Bejeweled Twist\cached\sounds\bomb_explode.wav
2008-12-07 23:21 163062 --a------ c:\program files\PopCap Games\Bejeweled Twist\cached\sounds\preblast.wav
2008-12-07 23:21 147533 --a------ c:\program files\PopCap Games\Bejeweled Twist\cached\sounds\combo_1.wav
2008-12-07 23:21 147074 --a------ c:\program files\PopCap Games\Bejeweled Twist\cached\sounds\transfer.wav
2008-12-07 23:19 7107 --a------ c:\program files\PopCap Games\Bejeweled Twist\Install.log
2008-12-07 23:17 917 --a------ c:\program files\PopCap Games\Bejeweled Twist\cdprops.xml
2008-12-07 23:17 70 --a------ c:\program files\PopCap Games\Bejeweled Twist\hw.dat
2008-10-17 18:32 5388008 --a------ c:\program files\PopCap Games\Bejeweled Twist\BejeweledTwist.exe
2008-10-17 18:32 50764 --a------ c:\program files\PopCap Games\Bejeweled Twist\readme.html
2008-10-17 18:32 263496 --a------ c:\program files\PopCap Games\Bejeweled Twist\PopUninstall.exe
2008-10-17 18:32 24 --a------ c:\program files\PopCap Games\Bejeweled Twist\properties\partner.xml.sig
2008-10-17 11:50 245879209 --a------ c:\program files\PopCap Games\Bejeweled Twist\main.pak
2008-10-17 11:48 106070 --a------ c:\program files\PopCap Games\Bejeweled Twist\properties\resources.xml
2008-10-14 13:54 8696 --a------ c:\program files\PopCap Games\Bejeweled Twist\compat.cfg
2008-10-13 14:36 29186 --a------ c:\program files\PopCap Games\Bejeweled Twist\properties\challenges.xml
2008-10-08 15:19 6092 --a------ c:\program files\PopCap Games\Bejeweled Twist\properties\tutorial.txt
2008-10-08 13:12 2107 --a------ c:\program files\PopCap Games\Bejeweled Twist\properties\config.xml
2008-10-07 11:27 5710 --a------ c:\program files\PopCap Games\Bejeweled Twist\properties\tips.txt
2008-10-07 11:27 2043 --a------ c:\program files\PopCap Games\Bejeweled Twist\properties\ranks.txt
2008-10-06 17:04 9661 --a------ c:\program files\PopCap Games\Bejeweled Twist\license.txt
2008-10-06 10:27 25214 --a------ c:\program files\PopCap Games\moregames.ico
2008-10-03 13:16 2686 --a------ c:\program files\PopCap Games\Bejeweled Twist\properties\config_survivor1.xml
2008-10-03 13:16 2685 --a------ c:\program files\PopCap Games\Bejeweled Twist\properties\config_survivor2.xml
2008-10-03 13:02 308 --a------ c:\program files\PopCap Games\Bejeweled Twist\properties\partner.xml
2008-10-01 16:40 94208 --a------ c:\program files\PopCap Games\Bejeweled Twist\j2k-codec.dll
2008-10-01 16:40 757 --a------ c:\program files\PopCap Games\Bejeweled Twist\properties\config_coalmine.xml
2008-10-01 16:40 707 --a------ c:\program files\PopCap Games\Bejeweled Twist\properties\config_locksmith.xml
2008-10-01 16:40 6090 --a------ c:\program files\PopCap Games\Bejeweled Twist\properties\config_normal.xml
2008-10-01 16:40 5784 --a------ c:\program files\PopCap Games\Bejeweled Twist\properties\config_action.xml
2008-10-01 16:40 4037 --a------ c:\program files\PopCap Games\Bejeweled Twist\properties\config_blitz.xml
2008-10-01 16:40 400497 --a------ c:\program files\PopCap Games\Bejeweled Twist\music\BejeweledTwist24.mo3
2008-10-01 16:40 3533 --a------ c:\program files\PopCap Games\Bejeweled Twist\space.p3d
2008-10-01 16:40 3120 --a------ c:\program files\PopCap Games\Bejeweled Twist\properties\config_casual.xml
2008-10-01 16:40 2773 --a------ c:\program files\PopCap Games\Bejeweled Twist\properties\music.xml
2008-10-01 16:40 2459 --a------ c:\program files\PopCap Games\Bejeweled Twist\properties\config_chainreaction1.xml
2008-10-01 16:40 142030 --a------ c:\program files\PopCap Games\Bejeweled Twist\sidebar.p3d
2008-10-01 16:40 12422 --a------ c:\program files\PopCap Games\Bejeweled Twist\properties\default.xml
2008-10-01 16:40 121 --a------ c:\program files\PopCap Games\Bejeweled Twist\properties\camerastack.txt
2008-10-01 16:40 1054 --a------ c:\program files\PopCap Games\Bejeweled Twist\properties\config_zen.xml
2008-10-01 16:40 1039419 --a------ c:\program files\PopCap Games\Bejeweled Twist\music\bejewel twist 06.10.mo3
2008-10-01 16:38 9408 --a------ c:\program files\PopCap Games\Bejeweled Twist\WarpCone.p3d
2008-10-01 16:38 92216 --a------ c:\program files\PopCap Games\Bejeweled Twist\bass.dll
2008-10-01 16:38 6790 --a------ c:\program files\PopCap Games\Bejeweled Twist\Crystal3.p3d
2008-10-01 16:38 4917 --a------ c:\program files\PopCap Games\Bejeweled Twist\Planet1.p3d
2008-10-01 16:38 4711 --a------ c:\program files\PopCap Games\Bejeweled Twist\Planet2.p3d
2008-10-01 16:38 456095 --a------ c:\program files\PopCap Games\Bejeweled Twist\Stars.p3d
2008-10-01 16:38 39837 --a------ c:\program files\PopCap Games\Bejeweled Twist\Saucer.p3d
2008-10-01 16:38 3601 --a------ c:\program files\PopCap Games\Bejeweled Twist\OuterSpace.p3d
2008-10-01 16:38 3261 --a------ c:\program files\PopCap Games\Bejeweled Twist\Crystal4.p3d
2008-10-01 16:38 3255 --a------ c:\program files\PopCap Games\Bejeweled Twist\Crystal5.p3d
2008-10-01 16:38 3090 --a------ c:\program files\PopCap Games\Bejeweled Twist\Crystal6.p3d
2008-10-01 16:38 2588 --a------ c:\program files\PopCap Games\Bejeweled Twist\Crystal7.p3d
2008-10-01 16:38 2042 --a------ c:\program files\PopCap Games\Bejeweled Twist\Crystal1.p3d
2008-10-01 16:38 2004 --a------ c:\program files\PopCap Games\Bejeweled Twist\SaucerLights.p3d
2008-10-01 16:38 15304 --a------ c:\program files\PopCap Games\Bejeweled Twist\PlanetRings.p3d
2008-10-01 16:38 1100 --a------ c:\program files\PopCap Games\Bejeweled Twist\Crystal2.p3d
2008-08-04 15:01 6357 --a------ c:\program files\PopCap Games\Bejeweled Twist\Install_props.xml
2008-06-02 07:15 174 --a------ c:\program files\PopCap Games\Bejeweled Twist\music\BejeweledTwist_offsets.txt
2008-01-09 19:10 2219 --a------ c:\program files\PopCap Games\Bejeweled Twist\properties\ranksold.txt


((((((((((((((((((((((((((((( snapshot@2008-12-12_12.28.02.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-26 07:24:28 124,928 -c----w c:\windows\ie7updates\KB958215-IE7\advpack.dll
+ 2008-08-26 07:24:28 347,136 -c----w c:\windows\ie7updates\KB958215-IE7\dxtmsft.dll
+ 2008-08-26 07:24:28 214,528 -c----w c:\windows\ie7updates\KB958215-IE7\dxtrans.dll
+ 2008-08-26 07:24:28 133,120 -c----w c:\windows\ie7updates\KB958215-IE7\extmgr.dll
+ 2008-08-26 07:24:28 63,488 -c----w c:\windows\ie7updates\KB958215-IE7\icardie.dll
+ 2008-08-25 08:37:59 70,656 -c----w c:\windows\ie7updates\KB958215-IE7\ie4uinit.exe
+ 2008-08-26 07:24:28 153,088 -c----w c:\windows\ie7updates\KB958215-IE7\ieakeng.dll
+ 2008-08-26 07:24:28 230,400 -c----w c:\windows\ie7updates\KB958215-IE7\ieaksie.dll
+ 2008-08-23 05:54:51 161,792 -c----w c:\windows\ie7updates\KB958215-IE7\ieakui.dll
+ 2008-08-26 07:24:28 383,488 -c----w c:\windows\ie7updates\KB958215-IE7\ieapfltr.dll
+ 2008-08-26 07:24:29 384,512 -c----w c:\windows\ie7updates\KB958215-IE7\iedkcs32.dll
+ 2008-10-03 17:41:15 6,066,176 -c----w c:\windows\ie7updates\KB958215-IE7\ieframe.dll
+ 2008-08-26 07:24:29 44,544 -c----w c:\windows\ie7updates\KB958215-IE7\iernonce.dll
+ 2008-08-26 07:24:29 267,776 -c----w c:\windows\ie7updates\KB958215-IE7\iertutil.dll
+ 2008-08-25 08:38:00 13,824 -c----w c:\windows\ie7updates\KB958215-IE7\ieudinit.exe
+ 2008-08-23 05:56:15 635,848 -c----w c:\windows\ie7updates\KB958215-IE7\iexplore.exe
+ 2008-08-26 07:24:30 27,648 -c----w c:\windows\ie7updates\KB958215-IE7\jsproxy.dll
+ 2008-08-26 07:24:30 459,264 -c----w c:\windows\ie7updates\KB958215-IE7\msfeeds.dll
+ 2008-08-26 07:24:30 52,224 -c----w c:\windows\ie7updates\KB958215-IE7\msfeedsbs.dll
+ 2008-08-27 08:24:32 3,593,216 -c----w c:\windows\ie7updates\KB958215-IE7\mshtml.dll
+ 2008-08-26 07:24:30 477,696 -c----w c:\windows\ie7updates\KB958215-IE7\mshtmled.dll
+ 2008-08-26 07:24:30 193,024 -c----w c:\windows\ie7updates\KB958215-IE7\msrating.dll
+ 2008-08-26 07:24:30 671,232 -c----w c:\windows\ie7updates\KB958215-IE7\mstime.dll
+ 2008-08-26 07:24:30 102,912 -c----w c:\windows\ie7updates\KB958215-IE7\occache.dll
+ 2008-08-26 07:24:30 44,544 -c----w c:\windows\ie7updates\KB958215-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB958215-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB958215-IE7\spuninst\updspapi.dll
+ 2008-08-26 07:24:30 105,984 -c----w c:\windows\ie7updates\KB958215-IE7\url.dll
+ 2008-08-26 07:24:31 1,159,680 -c----w c:\windows\ie7updates\KB958215-IE7\urlmon.dll
+ 2008-08-26 07:24:31 233,472 -c----w c:\windows\ie7updates\KB958215-IE7\webcheck.dll
+ 2008-08-26 07:24:31 826,368 -c----w c:\windows\ie7updates\KB958215-IE7\wininet.dll
- 2008-08-26 07:24:28 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\advpack.dll
- 2008-08-26 07:24:28 124,928 -c--a-w c:\windows\system32\dllcache\advpack.dll
+ 2008-10-16 20:38:34 124,928 -c--a-w c:\windows\system32\dllcache\advpack.dll
- 2008-08-26 07:24:28 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-10-16 20:38:34 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-08-26 07:24:28 214,528 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-10-16 20:38:34 214,528 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
- 2008-08-26 07:24:28 133,120 -c--a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-10-16 20:38:35 133,120 -c--a-w c:\windows\system32\dllcache\extmgr.dll
- 2008-08-26 07:24:28 63,488 -c--a-w c:\windows\system32\dllcache\icardie.dll
+ 2008-10-16 20:38:35 63,488 -c--a-w c:\windows\system32\dllcache\icardie.dll
- 2008-08-25 08:37:59 70,656 -c--a-w c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-10-16 13:11:09 70,656 -c--a-w c:\windows\system32\dllcache\ie4uinit.exe
- 2008-08-26 07:24:28 153,088 -c--a-w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-10-16 20:38:35 153,088 -c--a-w c:\windows\system32\dllcache\ieakeng.dll
- 2008-08-26 07:24:28 230,400 -c--a-w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-10-16 20:38:35 230,400 -c--a-w c:\windows\system32\dllcache\ieaksie.dll
- 2008-08-23 05:54:51 161,792 -c--a-w c:\windows\system32\dllcache\ieakui.dll
+ 2008-10-15 07:04:53 161,792 -c--a-w c:\windows\system32\dllcache\ieakui.dll
- 2008-08-26 07:24:28 383,488 -c--a-w c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-10-16 20:38:35 383,488 -c--a-w c:\windows\system32\dllcache\ieapfltr.dll
- 2008-08-26 07:24:29 384,512 -c--a-w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-10-16 20:38:35 384,512 -c--a-w c:\windows\system32\dllcache\iedkcs32.dll
- 2008-10-03 17:41:15 6,066,176 -c--a-w c:\windows\system32\dllcache\ieframe.dll
+ 2008-10-16 20:38:37 6,066,176 -c--a-w c:\windows\system32\dllcache\ieframe.dll
- 2008-08-26 07:24:29 44,544 -c--a-w c:\windows\system32\dllcache\iernonce.dll
+ 2008-10-16 20:38:37 44,544 -c--a-w c:\windows\system32\dllcache\iernonce.dll
- 2008-08-26 07:24:29 267,776 -c--a-w c:\windows\system32\dllcache\iertutil.dll
+ 2008-10-16 20:38:37 267,776 -c--a-w c:\windows\system32\dllcache\iertutil.dll
- 2008-08-25 08:38:00 13,824 -c--a-w c:\windows\system32\dllcache\ieudinit.exe
+ 2008-10-16 13:11:09 13,824 -c--a-w c:\windows\system32\dllcache\ieudinit.exe
- 2008-08-23 05:56:15 635,848 -c--a-w c:\windows\system32\dllcache\iexplore.exe
+ 2008-10-15 07:06:26 633,632 -c--a-w c:\windows\system32\dllcache\iexplore.exe
- 2008-08-26 07:24:30 27,648 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-10-16 20:38:37 27,648 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
- 2008-08-26 07:24:30 459,264 -c--a-w c:\windows\system32\dllcache\msfeeds.dll
+ 2008-10-16 20:38:37 459,264 -c--a-w c:\windows\system32\dllcache\msfeeds.dll
- 2008-08-26 07:24:30 52,224 -c--a-w c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-10-16 20:38:37 52,224 -c--a-w c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-08-27 08:24:32 3,593,216 -c--a-w c:\windows\system32\dllcache\mshtml.dll
+ 2008-10-17 10:08:40 3,593,216 -c--a-w c:\windows\system32\dllcache\mshtml.dll
- 2008-08-26 07:24:30 477,696 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-10-16 20:38:38 477,696 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
- 2008-08-26 07:24:30 193,024 -c--a-w c:\windows\system32\dllcache\msrating.dll
+ 2008-10-16 20:38:38 193,024 -c--a-w c:\windows\system32\dllcache\msrating.dll
- 2008-08-26 07:24:30 671,232 -c--a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-10-16 20:38:39 671,232 -c--a-w c:\windows\system32\dllcache\mstime.dll
- 2008-08-26 07:24:30 102,912 -c--a-w c:\windows\system32\dllcache\occache.dll
+ 2008-10-16 20:38:39 102,912 -c--a-w c:\windows\system32\dllcache\occache.dll
- 2008-08-26 07:24:30 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-10-16 20:38:39 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
- 2008-08-26 07:24:30 105,984 -c--a-w c:\windows\system32\dllcache\url.dll
+ 2008-10-16 20:38:39 105,984 -c--a-w c:\windows\system32\dllcache\url.dll
- 2008-08-26 07:24:31 1,159,680 -c--a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 20:38:39 1,160,192 -c--a-w c:\windows\system32\dllcache\urlmon.dll
- 2008-08-26 07:24:31 233,472 -c--a-w c:\windows\system32\dllcache\webcheck.dll
+ 2008-10-16 20:38:39 233,472 -c--a-w c:\windows\system32\dllcache\webcheck.dll
- 2008-08-26 07:24:31 826,368 -c--a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-10-16 20:38:40 826,368 -c--a-w c:\windows\system32\dllcache\wininet.dll
- 2008-08-26 07:24:28 347,136 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dxtmsft.dll
- 2008-08-26 07:24:28 214,528 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dxtrans.dll
- 2008-08-26 07:24:28 133,120 ----a-w c:\windows\system32\extmgr.dll
+ 2008-10-16 20:38:35 133,120 ----a-w c:\windows\system32\extmgr.dll
- 2008-08-26 07:24:28 63,488 ----a-w c:\windows\system32\icardie.dll
+ 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\icardie.dll
- 2008-08-25 08:37:59 70,656 ----a-w c:\windows\system32\ie4uinit.exe
+ 2008-10-16 13:11:09 70,656 ----a-w c:\windows\system32\ie4uinit.exe
- 2008-08-26 07:24:28 153,088 ----a-w c:\windows\system32\ieakeng.dll
+ 2008-10-16 20:38:35 153,088 ----a-w c:\windows\system32\ieakeng.dll
- 2008-08-26 07:24:28 230,400 ----a-w c:\windows\system32\ieaksie.dll
+ 2008-10-16 20:38:35 230,400 ----a-w c:\windows\system32\ieaksie.dll
- 2008-08-23 05:54:51 161,792 ----a-w c:\windows\system32\ieakui.dll
+ 2008-10-15 07:04:53 161,792 ----a-w c:\windows\system32\ieakui.dll
- 2008-08-26 07:24:28 383,488 ----a-w c:\windows\system32\ieapfltr.dll
+ 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2008-08-26 07:24:29 384,512 ----a-w c:\windows\system32\iedkcs32.dll
+ 2008-10-16 20:38:35 384,512 ----a-w c:\windows\system32\iedkcs32.dll
- 2008-10-03 17:41:15 6,066,176 ----a-w c:\windows\system32\ieframe.dll
+ 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\ieframe.dll
- 2008-08-26 07:24:29 44,544 ----a-w c:\windows\system32\iernonce.dll
+ 2008-10-16 20:38:37 44,544 ----a-w c:\windows\system32\iernonce.dll
- 2008-08-26 07:24:29 267,776 ----a-w c:\windows\system32\iertutil.dll
+ 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2008-08-25 08:38:00 13,824 ----a-w c:\windows\system32\ieudinit.exe
+ 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe
- 2008-08-26 07:24:30 27,648 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-12-09 23:24:38 17,593,280 ----a-w c:\windows\system32\MRT.exe
- 2008-08-26 07:24:30 459,264 ----a-w c:\windows\system32\msfeeds.dll
+ 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\msfeeds.dll
- 2008-08-26 07:24:30 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
+ 2008-10-16 20:38:37 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
- 2008-08-27 08:24:32 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2008-10-17 10:08:40 3,593,216 ----a-w c:\windows\system32\mshtml.dll
- 2008-08-26 07:24:30 477,696 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\mshtmled.dll
- 2008-08-26 07:24:30 193,024 ----a-w c:\windows\system32\msrating.dll
+ 2008-10-16 20:38:38 193,024 ----a-w c:\windows\system32\msrating.dll
- 2008-08-26 07:24:30 671,232 ----a-w c:\windows\system32\mstime.dll
+ 2008-10-16 20:38:39 671,232 ----a-w c:\windows\system32\mstime.dll
- 2008-08-26 07:24:30 102,912 ----a-w c:\windows\system32\occache.dll
+ 2008-10-16 20:38:39 102,912 ----a-w c:\windows\system32\occache.dll
- 2008-08-26 07:24:30 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\pngfilt.dll
- 2008-08-26 07:24:30 105,984 ----a-w c:\windows\system32\url.dll
+ 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\url.dll
- 2008-08-26 07:24:31 1,159,680 ----a-w c:\windows\system32\urlmon.dll
+ 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\urlmon.dll
- 2008-08-26 07:24:31 233,472 ----a-w c:\windows\system32\webcheck.dll
+ 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\webcheck.dll
- 2008-08-26 07:24:31 826,368 ----a-w c:\windows\system32\wininet.dll
+ 2008-10-16 20:38:40 826,368 ----a-w c:\windows\system32\wininet.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-12 1261336]
"SoundMan"="SOUNDMAN.EXE" [2008-12-03 c:\windows\SOUNDMAN.EXE]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--ahs---- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2005-03-15 09:04 966656 c:\windows\creator\remind_xp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 13:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2008-12-03 18:14 67584 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2005-03-08 02:33 53248 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
--a------ 2005-03-11 16:33 147456 c:\windows\system32\VTTrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgrsx.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\PhotoshopElementsFileAgent.exe"=
"c:\\Program Files\\AVG\\AVG8\\aAvgApi.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\HPZipm12.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-12 97928]
R1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\drivers\VCdRom.sys [2008-09-20 8576]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-12 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-12 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-12 76040]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36db705f-3c72-11d8-a150-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4021e6df-0a2a-11da-b762-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dcd886df-1ef9-11da-9a49-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{deff3a65-0821-11da-8b7d-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hotmail.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = 0.0.0.0:80
IE: &AOL Toolbar search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\zj8yicp7.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.hotmail.com/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Yahoo!\Common\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-12 17:40:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-12 17:44:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-13 01:44:08
ComboFix2.txt 2008-12-12 20:29:15

Pre-Run: 120,588,107,776 bytes free
Post-Run: 120,574,078,976 bytes free

453 --- E O F --- 2008-12-12 23:25:34


MWBytes Log


Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

12/12/2008 6:46:39 PM
mbam-log-2008-12-12 (18-46-39).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 126181
Time elapsed: 48 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


HjT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:59 PM, on 12/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)

--
End of file - 5960 bytes


Uninstall List

Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Adobe Reader 8.1.3
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.0
AIM 6
Astro Avenger 2
AVG Free 8.0
Baseball Mogul 2009
Bejeweled 2 Deluxe
Bejeweled Twist 1.0
CCleaner (remove only)
CSI-Hard Evidence
DoubleDeck Pinochle 4.0
Football Mogul 2008
Gunner 2
HijackThis 2.0.2
HP Driver Diagnostics
HP Photosmart Essential
HP PSC & OfficeJet 5.3.B
HP PSC & OfficeJet 6.1.A
HP Software Update
HP Solution Center and Imaging Support Tools 6.1
ImgBurn
iWin Games (remove only)
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 3
Java™ 6 Update 7
Jewel Quest 2 (remove only)
Jewel Quest III
Jewel Quest Mysteries Curse of the Emerald Tear (remove only)
Lexmark 730 Series
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Plus! for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.4)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
My Tribe
Mystery Case Files - Huntsville (remove only)
Norton Internet Security
PowerDVD
QuickTime
Railroad Tycoon 3
Railroad Tycoon II - Platinum
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
SoftV92 Data Fax Modem with SmartCP
UltimateBet
USB Card Reader
VIA/S3G Display Driver
Westward II Heroes Of The Frontier
Windows Backup Utility
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Toolbar



THANKS FOR ALL YOUR HELP SO FAR, and any further help you may be able to provide!

#11 Joe - London

Joe - London

  • Security Colleague
  • 327 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:12:24 PM

Posted 13 December 2008 - 07:19 AM

Hi Tha7!,

As to those Directories, it looks as though these two are redundant now and could be removed:
c:\documents and settings\Owner\Application Data\FrostWire
C:\539596238

As to c:\program files\PopCap Games

As you rightly say this is connected to Bejeweled and it's a personal choice as to whether you want to keep it or not. Let me know what you want done or if you have any problems.

If you wish to remove it uninstall these first:

Bejeweled 2 Deluxe
Bejeweled Twist 1.0

You can then manually delete all those directories via Windows Explorer.

I can see Norton Internet Security still present in your programmes, did you use their uninstaller? I said it was trouble lol.

Take out this service first:

Go to Start->Run and type in notepad and click OK.
Now copy and paste the following bold text into Notepad:

sc stop SNDSrvc
sc delete SNDSrvc
del delete.bat


Change the Save as type to *All Files*
Save the file to your Desktop as "delete.bat".
Make sure to save it with the quotes.
Go to the Desktop and Double click on "delete.bat".

Reboot the Computer.

Open Hijackthis, take another scan and place a checkmark next to these entries.


O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)


Close all open Windows except Hijackthis and click on "fix Checked".
Reboot again for the changes to take effect.

Now run the Norton/Symantec uninstaller again and if "Norton Internet Security" is still present in your programmes uninstall list try uninstalling normally.

If that fails try this:

Download and run the trial version of Add/Remove 4Good and uninstall "Norton Internet Security" with that.

Give me a full report back on all this please and include a new HJT log and another uninstall list.

Joe.
If I have helped you in any way, please consider a donation:
Member of UNITE and ASAP.

#12 Tha7!

Tha7!
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 13 December 2008 - 05:12 PM

running much smoother, i'm guessing most of the sluggishness is now defragmentation and whatnot...bejeweled is my grandparents' favorite game lol can't get rid of it even if I wanted to >.<

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:09:33 PM, on 12/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4767 bytes


Add/Remove 4Good
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Adobe Reader 8.1.3
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.0
AIM 6
Astro Avenger 2
Baseball Mogul 2009
Bejeweled 2 Deluxe
Bejeweled Twist 1.0
CCleaner (remove only)
CSI-Hard Evidence
DoubleDeck Pinochle 4.0
Football Mogul 2008
Gunner 2
HijackThis 2.0.2
HP Driver Diagnostics
HP Photosmart Essential
HP PSC & OfficeJet 5.3.B
HP PSC & OfficeJet 6.1.A
HP Software Update
HP Solution Center and Imaging Support Tools 6.1
ImgBurn
iWin Games (remove only)
Java™ 6 Update 3
Java™ 6 Update 7
Jewel Quest 2 (remove only)
Jewel Quest III
Jewel Quest Mysteries Curse of the Emerald Tear (remove only)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Plus! for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.4)
My Tribe
Mystery Case Files - Huntsville (remove only)
QuickTime
Railroad Tycoon 3
Railroad Tycoon II - Platinum
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
UltimateBet
USB Card Reader
VIA/S3G Display Driver
Westward II Heroes Of The Frontier
Windows Backup Utility
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver

#13 Joe - London

Joe - London

  • Security Colleague
  • 327 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:12:24 PM

Posted 13 December 2008 - 05:51 PM

Hi Tha7!,

I see Norton/Symantec has gone, please let me know how you did that?

Did you remove the redundant folders/Directories? If so how?
c:\documents and settings\Owner\Application Data\FrostWire
C:\539596238
You appear to have removed the Yahoo Companion files, was that deliberate?!
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


Joe.

#14 Tha7!

Tha7!
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 13 December 2008 - 08:14 PM

i got rid of norton by deleting the key that you told me to and using the tool to add/remove permanent or whatever it was called, because there was nothing left behind of the norton program (apparently someone had already tried to remove it in another way) i couldn't figure out what version was previously used and the only files that i saw left related to symantec were drivers that were unnecessary...and the yahoo thing i didn't do that intentionally, it doesn't get used but it could've been part of the issue with avg that i had run into where it would say that the configuration wasn't correct and i had to uninstall/reinstall it, other than that i hadn't removed anything intentionally; however, there is no need for the yahoo tools to be used...the redundant directories have been removed as well...i went thru the hard drive and found lots of folders that had nothing in them that was useful or even complete and removed them, there were probably 15 folders in program files that were useless, containing either no data or only a few files that related to nothing. i also removed prismxl as i guess it's the tool used for mass rollouts of computers by e-machines and gateway. went through and deleted information about msn's internet and aol, just a general cleanout of unneeded files that i didn't want to mess with prior to getting rid of the malware that i was unable to find/remove.

Edited by Tha7!, 13 December 2008 - 08:21 PM.


#15 Joe - London

Joe - London

  • Security Colleague
  • 327 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:12:24 PM

Posted 14 December 2008 - 06:01 AM

Ok Tha7!,

Please uninstall/remove the Norton uninstaller.

Uninstall the trial version of Malwarebytes, unless you wish to keep it, in which case you will have to pay for it.

Also uninstall:

Java™ 6 Update 3
Java™ 6 Update 7


combofix cleanup.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK (case insensitive)
  • When shown the disclaimer, Select "2"

    The above procedure will delete ComboFix and its associated files and folders.

Please download the latest Sun java update from here:
http://java.sun.com/javase/downloads/index.jsp

This is the latest version:
Java SE Runtime Environment (JRE) 6 Update 11

Open Hijackthis, take another scan and place a checkmark next to these entries.


R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


Close all open Windows except Hijackthis and click on "fix Checked".
Reboot the computer to allow the changes to take effect.

Now run Ccleaner.

I strongly recommend adding the following additional protections:

McAfee SiteAdvisor.
http://www.siteadvisor.com/
This is to protect you from bad Internet sites.

SpywareBlaster http://www.javacoolsoftware.com/spywareblaster.html
This is to protect you from bad ActiveX infections.

You definitely need a good third party firewall, the Windows firewall is just a stop gap.

I'm currently using Comodo Firewall but please make your own choice. If you do opt for Comodo install it without the anti-virus or the Defense+ options. It runs well with AVG 8.

Please post a new HJT log and another uninstall list when you've done and let me know if everything is running well.

Joe.
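The checks the helper does by eye in the two replies above (spotting "(no file)" / "(file missing)" leftovers, noticing that one CLSID shows up in several entries, and comparing one scan to the next to see what an uninstall removed) can be scripted. This is an added example, not code from the thread or from HijackThis; the sample logs embedded in it are excerpts of the two logs posted above.

```python
import re
from typing import Dict, List, Tuple

# One HJT entry per line: "<section> - <body>", e.g. "O2 - BHO: ..." or "R1 - HKLM\...".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Markers HJT prints when a registered object or service points at a file that is gone.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

def parse_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for every entry line; headers, paths and blank lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def orphaned_entries(log_text: str) -> List[str]:
    """Entries whose target file no longer exists: registry residue from an incomplete uninstall."""
    return [f"{sec} - {body}" for sec, body in parse_entries(log_text)
            if any(marker in body for marker in ORPHAN_MARKERS)]

def orphan_clsids(log_text: str) -> Dict[str, List[str]]:
    """Map each CLSID among the orphans to the sections that reference it; one dead
    component often appears as several entries (e.g. R3 and O3 for a single toolbar)."""
    groups: Dict[str, List[str]] = {}
    for entry in orphaned_entries(log_text):
        m = CLSID_RE.search(entry)
        if m:
            groups.setdefault(m.group(0).upper(), []).append(entry.split(" - ", 1)[0])
    return {clsid: sorted(sections) for clsid, sections in groups.items()}

def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """(removed, added) entries between two scans of the same machine."""
    b = {f"{s} - {t}" for s, t in parse_entries(before)}
    a = {f"{s} - {t}" for s, t in parse_entries(after)}
    return sorted(b - a), sorted(a - b)

# Sample input: excerpts of the 12 Dec and 13 Dec logs posted in this thread.
BEFORE = r"""
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
"""
AFTER = r"""
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
"""

if __name__ == "__main__":
    for entry in orphaned_entries(AFTER):
        print("ORPHAN:", entry)
    removed, added = diff_logs(BEFORE, AFTER)
    print(f"{len(removed)} entries gone since the previous scan, {len(added)} new")
```

Run it against two full saved logs (read into BEFORE and AFTER) to get the same "what changed" view the helper asks for after each step.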



