
Unable to update AVG & browser redirect


  • This topic is locked
9 replies to this topic

#1 Corine

Corine

  • Members
  • 5 posts

Posted 30 April 2009 - 11:47 AM

I've tried to update AVG, but am unable to do so. I followed the instructions posted on this website to remove the Conficker virus, but that didn't help. I cannot run StopZilla. There is an internet browser redirect that sends us all over the place when trying to search online. I can actually see the word "redirect" flash in the address line of the web browser!

Not sure what to do at this point. Below is the DDS scan:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Valued Customer at 9:42:30.76 on Thu 04/30/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.225 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Valued Customer\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
DPF: {EC0403E0-9158-4CF8-A2B6-3C62C3B9B6B7} - hxxps://goto.pacificsource.com/CitrixLogonPoint/PacSource/EPAClient/EPAClient.exe
TCP: NameServer = 85.255.112.70,85.255.112.127
TCP: {408A80A6-7A35-40DB-AD9D-23AB34A4ED51} = 85.255.112.70,85.255.112.127
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-9 64160]
R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [2009-1-2 149376]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-12 325640]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-12 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-12 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-12 298264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 921936]
S3 ati2mpaa;ati2mpaa;c:\windows\system32\drivers\ati2mpaa.sys [2007-9-25 281856]

=============== Created Last 30 ================

2009-04-25 10:33 35,050 a------- c:\windows\DIIUnin.dat
2009-04-25 10:33 94,208 a------- c:\windows\DIIUnin.exe
2009-04-25 10:33 2,829 a------- c:\windows\DIIUnin.pif
2009-04-25 10:19 <DIR> --d----- c:\program files\Diablo II
2009-04-19 16:52 3,727,720 a------- c:\windows\system32\d3dx9_35.dll
2009-04-19 16:52 2,414,360 a------- c:\windows\system32\d3dx9_31.dll
2009-04-16 13:46 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-04-12 10:35 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-12 10:24 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-12 10:24 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-12 10:24 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-12 10:24 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-12 10:23 <DIR> --d----- c:\program files\AVG
2009-04-12 09:45 <DIR> --d----- c:\program files\AVG (D)
2009-04-08 20:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-01 22:22 15,688 a------- c:\windows\system32\lsdelete.exe

==================== Find3M ====================

2008-07-14 11:24 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071420080715\index.dat

============= FINISH: 9:42:47.23 ===============


#2 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 13 May 2009 - 08:49 AM

Greetings Corine and Welcome to the forums,

You have a DNS hijacker. The logs indicate you are being redirected through a server located in the Ukraine...
Let's first uninstall some software that may cause you a security risk...these are all outdated and possibly exploited:

Java™ 6 Update 11
Java™ 6 Update 7
Java™ SE Runtime Environment 6


Click start-->Control Panel-->Add/Remove Software...scroll down the list to locate those names and click Remove for each. Reboot when finished uninstalling. We will install the latest version of Java when we are convinced your system is cleaned.

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please post that log back here on your next reply. Thanks!

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven
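The DNS hijack 1972vet points at is visible in the DDS report as the two "TCP: NameServer" lines. The following is an added defender's check, not part of this thread, of DDS or of any BleepingComputer tool: it pulls every resolver line out of a DDS-style log (the global NameServer line and the per-interface {GUID} lines) and reports any resolver address that is not in an allowlist of expected ranges. The two sample lines are copied from Corine's DDS log above; the allowlist (private router ranges plus a couple of public resolvers) is an assumption that a real check would replace with the ISP's or router's actual resolvers.

```python
"""Flag resolver addresses in a DDS-style log that fall outside an allowlist.

Added example, not code from the thread or the DDS tool. The sample lines are
copied from the DDS report posted above; EXPECTED_RESOLVERS is an assumption.
"""
import ipaddress
import re

# Constructed sample: the two "TCP:" resolver lines from the DDS report.
SAMPLE_DDS = """\
TCP: NameServer = 85.255.112.70,85.255.112.127
TCP: {408A80A6-7A35-40DB-AD9D-23AB34A4ED51} = 85.255.112.70,85.255.112.127
"""

# Assumed allowlist: where a home PC's resolvers are expected to live.
# Anything outside these networks is reported for a human to look at.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("192.168.0.0/16"),  # typical home router
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("8.8.8.8/32"),      # example public resolver
    ipaddress.ip_network("8.8.4.4/32"),
]

# "TCP: NameServer = a,b" or "TCP: {interface-GUID} = a,b"
NAMESERVER_RE = re.compile(
    r"^TCP:\s+(?P<scope>NameServer|\{[0-9A-Fa-f-]{36}\})\s*=\s*(?P<servers>[0-9.,\s]+)$"
)


def parse_nameservers(text):
    """Return {scope: [IPv4Address, ...]} for every resolver line in the log."""
    found = {}
    for line in text.splitlines():
        m = NAMESERVER_RE.match(line.strip())
        if not m:
            continue
        servers = []
        for raw in m.group("servers").split(","):
            raw = raw.strip()
            if not raw:
                continue
            try:
                servers.append(ipaddress.ip_address(raw))
            except ValueError:
                continue  # skip a garbled token instead of aborting the review
        found[m.group("scope")] = servers
    return found


def unexpected_resolvers(text, allow=EXPECTED_RESOLVERS):
    """Resolver addresses (as strings, numerically sorted) not covered by the allowlist."""
    bad = set()
    for servers in parse_nameservers(text).values():
        for ip in servers:
            if not any(ip in net for net in allow):
                bad.add(ip)
    return [str(ip) for ip in sorted(bad)]


if __name__ == "__main__":
    for scope, servers in parse_nameservers(SAMPLE_DDS).items():
        print(scope, "->", ", ".join(map(str, servers)))
    print("unexpected resolvers:", unexpected_resolvers(SAMPLE_DDS))
```

Both the global entry and the per-interface entry resolve to the same two addresses here, which is why a single unexpected resolver shows up under every scope; a setting that differs between the global line and one interface is also worth a look, since that is what a per-adapter change would leave behind.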


#3 Corine

Corine
  • Topic Starter

  • Members
  • 5 posts

Posted 13 May 2009 - 09:03 PM

Hi,

Thanks for the help. I really appreciate it (and so do my husband & kids).

Below is the ComboFix log. The scan seemed to run fairly well without any issues, and the internet came back up easily.

ComboFix 09-05-13.02 - Valued Customer 05/13/2009 18:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.289 [GMT -7:00]
Running from: c:\documents and settings\Valued Customer\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\gaopdxkorplguu.sys
c:\windows\system32\drivers\gaopdxpmluocuf.sys
c:\windows\system32\drivers\gaopdxvdktqwwq.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxppbavmxm.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-04-14 to 2009-05-14 )))))))))))))))))))))))))))))))
.

2009-05-08 02:12 . 2009-05-08 02:12 -------- d-----w c:\documents and settings\Valued Customer\Local Settings\Application Data\SCE
2009-05-08 02:04 . 2009-05-09 00:26 -------- d-----w c:\program files\Sony Online Entertainment
2009-05-06 21:57 . 2009-05-09 19:20 21840 ----atw c:\windows\system32\SIntfNT.dll
2009-05-06 21:57 . 2009-05-09 19:20 17212 ----atw c:\windows\system32\SIntf32.dll
2009-05-06 21:57 . 2009-05-09 19:20 12067 ----atw c:\windows\system32\SIntf16.dll
2009-04-25 17:33 . 2009-04-25 17:55 35050 ----a-w c:\windows\DIIUnin.dat
2009-04-25 17:33 . 2009-04-25 17:33 2829 ----a-w c:\windows\DIIUnin.pif
2009-04-25 17:33 . 2009-04-25 17:33 94208 ----a-w c:\windows\DIIUnin.exe
2009-04-25 17:19 . 2009-05-09 01:58 -------- d-----w c:\program files\Diablo II
2009-04-19 23:52 . 2007-07-20 01:14 3727720 ----a-w c:\windows\system32\d3dx9_35.dll
2009-04-19 23:52 . 2006-09-28 23:05 2414360 ----a-w c:\windows\system32\d3dx9_31.dll
2009-04-16 20:46 . 2009-04-16 20:46 -------- d-----w c:\program files\SystemRequirementsLab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-12 17:24 . 2009-04-12 17:24 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-12 17:24 . 2009-04-12 17:24 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-12 17:24 . 2009-04-12 17:24 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-12 17:23 . 2009-04-12 17:23 -------- d-----w c:\program files\AVG
2009-04-12 16:47 . 2009-04-12 16:45 -------- d-----w c:\program files\AVG (D)
2009-02-28 03:21 . 2007-09-26 01:07 18272 ----a-w c:\documents and settings\Valued Customer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 172032]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 40960]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-12 1932568]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-12 17:24 10520 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= ctwdm32.dll
"aux1"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"enablefirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\game.dat"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\patchget.dat"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/9/2009 12:03 PM 64160]
R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [1/2/2009 7:16 PM 149376]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/12/2009 10:24 AM 325640]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/12/2009 10:24 AM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/12/2009 10:23 AM 298264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 2:34 PM 921936]
S3 ati2mpaa;ati2mpaa;c:\windows\system32\drivers\ati2mpaa.sys [9/25/2007 9:41 AM 281856]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb196d79-6b84-11dc-a276-806d6172696f}]
\Shell\AutoRun\command - D:\Setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 21:34]
.
.
------- Supplementary Scan -------
.
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {EC0403E0-9158-4CF8-A2B6-3C62C3B9B6B7} - hxxps://goto.pacificsource.com/CitrixLogonPoint/PacSource/EPAClient/EPAClient.exe
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-13 18:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-14 18:40
ComboFix-quarantined-files.txt 2009-05-14 01:40

Pre-Run: 24,478,433,280 bytes free
Post-Run: 25,060,798,464 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

112 --- E O F --- 2009-02-26 11:01

#4 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 13 May 2009 - 10:07 PM

That looks much better. Let's remove this harmless but superfluous entry now...
Please open a blank Notepad by clicking start-->run
Then, in the run box type Notepad.exe and click "OK".
Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Also, please try to update your on board antivirus now and let us know your results. Thanks!
Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.



File::
D:\Setup.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb196d79-6b84-11dc-a276-806d6172696f}]

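Two entries in the ComboFix "Reg Loading Points" section above deserve a second look even though the helper calls one of them harmless: the standard-profile firewall value "enablefirewall"= 0 (Windows Firewall off) and the mountpoints2 AutoRun command pointing at D:\Setup.exe, which is the entry the CFScript in this post removes. The following is an added example, not ComboFix's code or the helper's script: it groups the REGEDIT4-style output into [key] sections, reports those two conditions, and emits a Registry:: block in the [-KEY] form the post uses. The sample lines are copied from the ComboFix log above (with a benign Run entry kept as noise); the finding tuples and the parser are my own.

```python
"""Review ComboFix 'Reg Loading Points' output for a disabled firewall and
drive-letter AutoRun mount points.

Added example, not ComboFix's own code. The sample is copied from the log
posted in this thread; the finding format and parser are assumptions.
"""
import re

# Constructed sample: three sections lifted from the ComboFix log above.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"enablefirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb196d79-6b84-11dc-a276-806d6172696f}]
\Shell\AutoRun\command - D:\Setup.exe
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
FIREWALL_RE = re.compile(r'^"enablefirewall"\s*=\s*(?P<value>\d+)', re.IGNORECASE)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s*-\s*(?P<target>.+)$", re.IGNORECASE)


def parse_sections(text):
    """Group each non-blank line under the [key] header that precedes it."""
    sections = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, [])
        elif current is not None and line:
            sections[current].append(line)
    return sections


def review_loading_points(text):
    """Return (kind, key, detail) tuples for the two conditions checked here."""
    findings = []
    for key, lines in parse_sections(text).items():
        key_lower = key.lower()
        # Standard-profile firewall policy with EnableFirewall set to 0.
        if key_lower.endswith(r"firewallpolicy\standardprofile"):
            for line in lines:
                m = FIREWALL_RE.match(line)
                if m and m.group("value") == "0":
                    findings.append(("firewall_disabled", key, line))
        # Per-volume AutoRun command stored under Explorer\MountPoints2\{GUID}.
        if r"\mountpoints2\{" in key_lower:
            for line in lines:
                m = AUTORUN_RE.match(line)
                if m:
                    findings.append(("autorun_mountpoint", key, m.group("target").strip()))
    return findings


def cfscript_registry_block(findings):
    """Registry:: block in the form used in this thread: [-KEY] removes the key."""
    keys = [key for kind, key, _ in findings if kind == "autorun_mountpoint"]
    if not keys:
        return ""
    return "Registry::\n" + "\n".join(f"[-{k}]" for k in keys) + "\n"


if __name__ == "__main__":
    found = review_loading_points(SAMPLE_REG)
    for kind, key, detail in found:
        print(f"{kind}: {key} :: {detail}")
    print(cfscript_registry_block(found), end="")
```

The firewall finding is reported but not turned into a script line on purpose: re-enabling the firewall is a settings change rather than a key deletion, and the thread does not show a CFScript form for it.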


#5 Corine

Corine
  • Topic Starter

  • Members
  • 5 posts

Posted 14 May 2009 - 09:52 PM

Hi,

I was able to update AVG, and it did a full scan - no threats found! So far, the computer is running so much better. I was also able to get a bunch of Windows updates last night (about 8 security updates).

Once we get the system cleaned, what would you recommend for security for kid's gaming? My youngest son loves going to the kids' websites, and both my husband and older son also use the machine for gaming online. I'm thinking of setting up an alternate browser for them to use while online at the game sites.

Thank you so much for your help!

Here's the new ComboFix log.

ComboFix 09-05-13.02 - Valued Customer 05/14/2009 17:17.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.254 [GMT -7:00]
Running from: c:\documents and settings\Valued Customer\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Valued Customer\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
D:\Setup.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Setup.exe . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-04-15 to 2009-05-15 )))))))))))))))))))))))))))))))
.

2009-05-14 05:32 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-05-14 05:32 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-05-14 05:32 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-05-14 05:32 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-05-14 05:32 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-14 05:32 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-14 05:32 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-05-14 05:32 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-05-14 05:32 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-05-14 05:31 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-05-14 05:31 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-05-08 02:12 . 2009-05-08 02:12 -------- d-----w c:\documents and settings\Valued Customer\Local Settings\Application Data\SCE
2009-05-08 02:04 . 2009-05-09 00:26 -------- d-----w c:\program files\Sony Online Entertainment
2009-05-06 21:57 . 2009-05-09 19:20 21840 ----atw c:\windows\system32\SIntfNT.dll
2009-05-06 21:57 . 2009-05-09 19:20 17212 ----atw c:\windows\system32\SIntf32.dll
2009-05-06 21:57 . 2009-05-09 19:20 12067 ----atw c:\windows\system32\SIntf16.dll
2009-04-25 17:33 . 2009-04-25 17:55 35050 ----a-w c:\windows\DIIUnin.dat
2009-04-25 17:33 . 2009-04-25 17:33 2829 ----a-w c:\windows\DIIUnin.pif
2009-04-25 17:33 . 2009-04-25 17:33 94208 ----a-w c:\windows\DIIUnin.exe
2009-04-25 17:19 . 2009-05-09 01:58 -------- d-----w c:\program files\Diablo II
2009-04-19 23:52 . 2007-07-20 01:14 3727720 ----a-w c:\windows\system32\d3dx9_35.dll
2009-04-19 23:52 . 2006-09-28 23:05 2414360 ----a-w c:\windows\system32\d3dx9_31.dll
2009-04-16 20:46 . 2009-04-16 20:46 -------- d-----w c:\program files\SystemRequirementsLab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-12 17:24 . 2009-04-12 17:24 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-12 17:24 . 2009-04-12 17:24 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-12 17:24 . 2009-04-12 17:24 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-12 17:23 . 2009-04-12 17:23 -------- d-----w c:\program files\AVG
2009-04-12 16:47 . 2009-04-12 16:45 -------- d-----w c:\program files\AVG (D)
2009-03-06 14:22 . 2001-08-18 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2001-08-18 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 03:21 . 2007-09-26 01:07 18272 ----a-w c:\documents and settings\Valued Customer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-20 18:09 . 2007-09-26 00:48 78336 ----a-w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-14_01.39.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-09-26 00:40 . 2008-07-09 07:38 26488 c:\windows\system32\spupdsvc.exe
- 2007-09-26 00:40 . 2007-08-11 03:46 26488 c:\windows\system32\spupdsvc.exe
+ 2009-01-12 01:51 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
- 2009-01-12 01:51 . 2007-11-30 11:18 17272 c:\windows\system32\spmsg.dll
+ 2001-08-18 12:00 . 2009-02-03 19:59 56832 c:\windows\system32\secur32.dll
+ 2001-08-18 12:00 . 2009-02-06 10:39 35328 c:\windows\system32\sc.exe
+ 2001-08-18 12:00 . 2009-02-20 18:09 44544 c:\windows\system32\pngfilt.dll
- 2001-08-18 12:00 . 2008-12-20 23:15 44544 c:\windows\system32\pngfilt.dll
- 2001-08-18 12:00 . 2009-03-09 18:34 39992 c:\windows\system32\perfc009.dat
+ 2001-08-18 12:00 . 2009-05-14 10:14 39992 c:\windows\system32\perfc009.dat
+ 2007-09-26 00:21 . 2008-06-12 14:23 91648 c:\windows\system32\mtxoci.dll
- 2007-09-26 00:21 . 2008-04-14 12:42 91648 c:\windows\system32\mtxoci.dll
- 2001-08-18 12:00 . 2008-04-14 12:42 66560 c:\windows\system32\mtxclu.dll
+ 2001-08-18 12:00 . 2008-06-12 14:23 66560 c:\windows\system32\mtxclu.dll
+ 2006-11-08 04:03 . 2009-02-20 18:09 52224 c:\windows\system32\msfeedsbs.dll
- 2006-11-08 04:03 . 2008-12-20 23:15 52224 c:\windows\system32\msfeedsbs.dll
+ 2007-09-26 00:21 . 2008-06-12 14:23 58880 c:\windows\system32\msdtclog.dll
- 2007-09-26 00:21 . 2008-04-14 12:42 58880 c:\windows\system32\msdtclog.dll
- 2001-08-18 12:00 . 2008-12-20 23:15 27648 c:\windows\system32\jsproxy.dll
+ 2001-08-18 12:00 . 2009-02-20 18:09 27648 c:\windows\system32\jsproxy.dll
- 2006-11-07 10:26 . 2008-12-19 09:10 13824 c:\windows\system32\ieudinit.exe
+ 2006-11-07 10:26 . 2009-02-20 10:20 13824 c:\windows\system32\ieudinit.exe
+ 2001-08-18 12:00 . 2009-02-20 18:09 44544 c:\windows\system32\iernonce.dll
- 2001-08-18 12:00 . 2008-12-20 23:15 44544 c:\windows\system32\iernonce.dll
+ 2001-08-18 12:00 . 2009-02-20 10:20 70656 c:\windows\system32\ie4uinit.exe
- 2001-08-18 12:00 . 2008-12-19 09:10 70656 c:\windows\system32\ie4uinit.exe
+ 2006-10-17 18:58 . 2009-02-20 18:09 63488 c:\windows\system32\icardie.dll
- 2006-10-17 18:58 . 2008-12-20 23:15 63488 c:\windows\system32\icardie.dll
+ 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll
+ 2001-08-18 12:00 . 2009-02-06 10:39 35328 c:\windows\system32\dllcache\sc.exe
+ 2006-10-17 18:58 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2006-10-17 18:58 . 2008-12-20 23:15 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 91648 c:\windows\system32\dllcache\mtxoci.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 66560 c:\windows\system32\dllcache\mtxclu.dll
+ 2007-06-27 14:34 . 2009-02-20 18:09 52224 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-06-27 14:34 . 2008-12-20 23:15 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 58880 c:\windows\system32\dllcache\msdtclog.dll
- 2006-11-08 04:03 . 2008-12-20 23:15 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2006-11-08 04:03 . 2009-02-20 18:09 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2007-06-27 08:27 . 2009-02-20 10:20 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2007-06-27 08:27 . 2008-12-19 09:10 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2006-11-07 10:26 . 2008-12-20 23:15 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2006-11-07 10:26 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2009-02-20 18:09 . 2009-02-20 18:09 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2006-11-07 10:26 . 2009-02-20 10:20 70656 c:\windows\system32\dllcache\ie4uinit.exe
- 2006-11-07 10:26 . 2008-12-19 09:10 70656 c:\windows\system32\dllcache\ie4uinit.exe
- 2008-07-14 18:07 . 2008-12-20 23:15 63488 c:\windows\system32\dllcache\icardie.dll
+ 2008-07-14 18:07 . 2009-02-20 18:09 63488 c:\windows\system32\dllcache\icardie.dll
+ 2009-05-14 10:03 . 2008-12-20 23:15 44544 c:\windows\ie7updates\KB963027-IE7\pngfilt.dll
+ 2009-05-14 10:03 . 2008-12-20 23:15 52224 c:\windows\ie7updates\KB963027-IE7\msfeedsbs.dll
+ 2009-05-14 10:03 . 2008-12-20 23:15 27648 c:\windows\ie7updates\KB963027-IE7\jsproxy.dll
+ 2009-05-14 10:03 . 2008-12-19 09:10 13824 c:\windows\ie7updates\KB963027-IE7\ieudinit.exe
+ 2009-05-14 10:03 . 2008-12-20 23:15 44544 c:\windows\ie7updates\KB963027-IE7\iernonce.dll
+ 2009-05-14 10:03 . 2008-04-14 12:41 81920 c:\windows\ie7updates\KB963027-IE7\ieencode.dll
+ 2009-05-14 10:03 . 2008-12-19 09:10 70656 c:\windows\ie7updates\KB963027-IE7\ie4uinit.exe
+ 2009-05-14 10:03 . 2008-12-20 23:15 63488 c:\windows\ie7updates\KB963027-IE7\icardie.dll
+ 2007-09-26 00:48 . 2008-12-16 12:30 354304 c:\windows\system32\winhttp.dll
- 2007-09-26 00:48 . 2008-04-14 12:42 354304 c:\windows\system32\winhttp.dll
- 2001-08-18 12:00 . 2008-12-20 23:15 233472 c:\windows\system32\webcheck.dll
+ 2001-08-18 12:00 . 2009-02-20 18:09 233472 c:\windows\system32\webcheck.dll
+ 2007-09-26 00:21 . 2009-02-06 10:10 227840 c:\windows\system32\wbem\wmiprvse.exe
+ 2007-09-26 00:21 . 2009-02-09 12:10 453120 c:\windows\system32\wbem\wmiprvsd.dll
+ 2007-09-26 00:21 . 2009-02-09 12:10 473600 c:\windows\system32\wbem\fastprox.dll
- 2001-08-18 12:00 . 2008-12-20 23:15 105984 c:\windows\system32\url.dll
+ 2001-08-18 12:00 . 2009-02-20 18:09 105984 c:\windows\system32\url.dll
+ 2001-08-18 12:00 . 2009-02-06 11:11 110592 c:\windows\system32\services.exe
+ 2001-08-18 12:00 . 2008-12-05 06:54 144896 c:\windows\system32\schannel.dll
+ 2001-08-18 12:00 . 2009-02-09 12:10 401408 c:\windows\system32\rpcss.dll
- 2001-08-18 12:00 . 2009-03-09 18:34 311604 c:\windows\system32\perfh009.dat
+ 2001-08-18 12:00 . 2009-05-14 10:14 311604 c:\windows\system32\perfh009.dat
+ 2001-08-18 12:00 . 2009-02-20 18:09 102912 c:\windows\system32\occache.dll
- 2001-08-18 12:00 . 2008-12-20 23:15 102912 c:\windows\system32\occache.dll
+ 2001-08-18 12:00 . 2009-02-09 12:10 714752 c:\windows\system32\ntdll.dll
- 2001-08-18 12:00 . 2008-12-20 23:15 671232 c:\windows\system32\mstime.dll
+ 2001-08-18 12:00 . 2009-02-20 18:09 671232 c:\windows\system32\mstime.dll
+ 2001-08-18 12:00 . 2009-02-20 18:09 193024 c:\windows\system32\msrating.dll
- 2001-08-18 12:00 . 2008-12-20 23:15 193024 c:\windows\system32\msrating.dll
- 2001-08-18 12:00 . 2008-12-20 23:15 477696 c:\windows\system32\mshtmled.dll
+ 2001-08-18 12:00 . 2009-02-20 18:09 477696 c:\windows\system32\mshtmled.dll
- 2006-11-08 04:03 . 2008-12-20 23:15 459264 c:\windows\system32\msfeeds.dll
+ 2006-11-08 04:03 . 2009-02-20 18:09 459264 c:\windows\system32\msfeeds.dll
- 2007-09-26 00:21 . 2008-04-14 12:42 161792 c:\windows\system32\msdtcuiu.dll
+ 2007-09-26 00:21 . 2008-06-12 14:23 161792 c:\windows\system32\msdtcuiu.dll
- 2007-09-26 00:21 . 2008-04-14 12:42 956928 c:\windows\system32\msdtctm.dll
+ 2007-09-26 00:21 . 2008-06-12 14:23 956928 c:\windows\system32\msdtctm.dll
+ 2007-09-26 00:21 . 2008-06-12 14:23 428032 c:\windows\system32\msdtcprx.dll
+ 2001-08-18 12:00 . 2009-02-09 12:10 729088 c:\windows\system32\lsasrv.dll
- 2001-08-18 12:00 . 2008-04-14 12:41 989696 c:\windows\system32\kernel32.dll
+ 2001-08-18 12:00 . 2009-03-21 14:06 989696 c:\windows\system32\kernel32.dll
+ 2006-10-17 18:57 . 2009-02-20 18:09 268288 c:\windows\system32\iertutil.dll
+ 2001-08-18 12:00 . 2009-02-20 18:09 385024 c:\windows\system32\iedkcs32.dll
- 2006-10-17 18:27 . 2008-12-20 23:15 383488 c:\windows\system32\ieapfltr.dll
+ 2006-10-17 18:27 . 2009-02-20 18:09 383488 c:\windows\system32\ieapfltr.dll
+ 2001-08-18 12:00 . 2009-02-20 05:14 161792 c:\windows\system32\ieakui.dll
- 2001-08-18 12:00 . 2008-12-19 05:23 161792 c:\windows\system32\ieakui.dll
- 2001-08-18 12:00 . 2008-12-20 23:15 230400 c:\windows\system32\ieaksie.dll
+ 2001-08-18 12:00 . 2009-02-20 18:09 230400 c:\windows\system32\ieaksie.dll
+ 2001-08-18 12:00 . 2009-02-20 18:09 153088 c:\windows\system32\ieakeng.dll
- 2001-08-18 12:00 . 2008-12-20 23:15 153088 c:\windows\system32\ieakeng.dll
+ 2007-09-25 16:39 . 2009-05-14 10:10 116560 c:\windows\system32\FNTCACHE.DAT
- 2007-09-25 16:39 . 2008-12-30 22:43 116560 c:\windows\system32\FNTCACHE.DAT
+ 2007-09-26 00:49 . 2009-02-20 18:09 133120 c:\windows\system32\extmgr.dll
- 2007-09-26 00:49 . 2008-12-20 23:15 133120 c:\windows\system32\extmgr.dll
+ 2001-08-18 12:00 . 2009-02-20 18:09 214528 c:\windows\system32\dxtrans.dll
- 2001-08-18 12:00 . 2008-12-20 23:15 214528 c:\windows\system32\dxtrans.dll
- 2001-08-18 12:00 . 2008-12-20 23:15 347136 c:\windows\system32\dxtmsft.dll
+ 2001-08-18 12:00 . 2009-02-20 18:09 347136 c:\windows\system32\dxtmsft.dll
- 2006-11-08 04:03 . 2008-12-20 23:15 826368 c:\windows\system32\dllcache\wininet.dll
+ 2006-11-08 04:03 . 2009-03-03 00:18 826368 c:\windows\system32\dllcache\wininet.dll
+ 2008-12-16 12:30 . 2008-12-16 12:30 354304 c:\windows\system32\dllcache\winhttp.dll
+ 2006-11-08 04:03 . 2009-02-20 18:09 233472 c:\windows\system32\dllcache\webcheck.dll
- 2006-11-08 04:03 . 2008-12-20 23:15 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2006-10-17 19:05 . 2009-02-20 18:09 105984 c:\windows\system32\dllcache\url.dll
- 2006-10-17 19:05 . 2008-12-20 23:15 105984 c:\windows\system32\dllcache\url.dll
+ 2008-12-05 06:54 . 2008-12-05 06:54 144896 c:\windows\system32\dllcache\schannel.dll
+ 2006-10-17 19:04 . 2009-02-20 18:09 102912 c:\windows\system32\dllcache\occache.dll
- 2006-10-17 19:04 . 2008-12-20 23:15 102912 c:\windows\system32\dllcache\occache.dll
- 2006-11-08 04:03 . 2008-12-20 23:15 671232 c:\windows\system32\dllcache\mstime.dll
+ 2006-11-08 04:03 . 2009-02-20 18:09 671232 c:\windows\system32\dllcache\mstime.dll
- 2006-10-17 19:05 . 2008-12-20 23:15 193024 c:\windows\system32\dllcache\msrating.dll
+ 2006-10-17 19:05 . 2009-02-20 18:09 193024 c:\windows\system32\dllcache\msrating.dll
+ 2006-11-08 04:03 . 2009-02-20 18:09 477696 c:\windows\system32\dllcache\mshtmled.dll
- 2006-11-08 04:03 . 2008-12-20 23:15 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-06-27 14:34 . 2009-02-20 18:09 459264 c:\windows\system32\dllcache\msfeeds.dll
- 2007-06-27 14:34 . 2008-12-20 23:15 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 161792 c:\windows\system32\dllcache\msdtcuiu.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 956928 c:\windows\system32\dllcache\msdtctm.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 428032 c:\windows\system32\dllcache\msdtcprx.dll
+ 2009-03-21 14:06 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\kernel32.dll
+ 2006-10-17 19:04 . 2009-02-28 04:54 636072 c:\windows\system32\dllcache\iexplore.exe
+ 2007-06-27 14:34 . 2009-02-20 18:09 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2006-11-07 10:27 . 2009-02-20 18:09 385024 c:\windows\system32\dllcache\iedkcs32.dll
+ 2007-06-27 14:34 . 2009-02-20 18:09 383488 c:\windows\system32\dllcache\ieapfltr.dll
- 2007-06-27 14:34 . 2008-12-20 23:15 383488 c:\windows\system32\dllcache\ieapfltr.dll
+ 2001-08-18 12:00 . 2009-02-20 05:14 161792 c:\windows\system32\dllcache\ieakui.dll
- 2001-08-18 12:00 . 2008-12-19 05:23 161792 c:\windows\system32\dllcache\ieakui.dll
- 2006-11-07 10:27 . 2008-12-20 23:15 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2006-11-07 10:27 . 2009-02-20 18:09 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2006-11-07 10:26 . 2009-02-20 18:09 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2006-11-07 10:26 . 2008-12-20 23:15 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2006-11-08 04:03 . 2008-12-20 23:15 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2006-11-08 04:03 . 2009-02-20 18:09 133120 c:\windows\system32\dllcache\extmgr.dll
- 2006-10-17 18:57 . 2008-12-20 23:15 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2006-10-17 18:57 . 2009-02-20 18:09 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2006-10-17 18:58 . 2008-12-20 23:15 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2006-10-17 18:58 . 2009-02-20 18:09 347136 c:\windows\system32\dllcache\dxtmsft.dll
- 2006-11-07 10:26 . 2008-12-20 23:15 124928 c:\windows\system32\dllcache\advpack.dll
+ 2006-11-07 10:26 . 2009-02-20 18:09 124928 c:\windows\system32\dllcache\advpack.dll
- 2001-08-18 12:00 . 2008-12-20 23:15 124928 c:\windows\system32\advpack.dll
+ 2001-08-18 12:00 . 2009-02-20 18:09 124928 c:\windows\system32\advpack.dll
+ 2001-08-18 12:00 . 2009-02-09 12:10 617472 c:\windows\system32\advapi32.dll
- 2001-08-18 12:00 . 2008-04-14 12:41 617472 c:\windows\system32\advapi32.dll
+ 2009-05-14 10:03 . 2008-12-20 23:15 826368 c:\windows\ie7updates\KB963027-IE7\wininet.dll
+ 2009-05-14 10:03 . 2008-12-20 23:15 233472 c:\windows\ie7updates\KB963027-IE7\webcheck.dll
+ 2009-05-14 10:03 . 2008-12-20 23:15 105984 c:\windows\ie7updates\KB963027-IE7\url.dll
+ 2009-05-14 10:03 . 2008-07-09 07:38 382840 c:\windows\ie7updates\KB963027-IE7\spuninst\updspapi.dll
+ 2009-05-14 10:03 . 2008-07-08 13:02 231288 c:\windows\ie7updates\KB963027-IE7\spuninst\spuninst.exe
+ 2009-05-14 10:03 . 2008-12-20 23:15 102912 c:\windows\ie7updates\KB963027-IE7\occache.dll
+ 2009-05-14 10:03 . 2008-12-20 23:15 671232 c:\windows\ie7updates\KB963027-IE7\mstime.dll
+ 2009-05-14 10:03 . 2008-12-20 23:15 193024 c:\windows\ie7updates\KB963027-IE7\msrating.dll
+ 2009-05-14 10:03 . 2008-12-20 23:15 477696 c:\windows\ie7updates\KB963027-IE7\mshtmled.dll
+ 2009-05-14 10:03 . 2008-12-20 23:15 459264 c:\windows\ie7updates\KB963027-IE7\msfeeds.dll
+ 2009-05-14 10:03 . 2008-12-19 05:25 634024 c:\windows\ie7updates\KB963027-IE7\iexplore.exe
+ 2009-05-14 10:03 . 2008-12-20 23:15 267776 c:\windows\ie7updates\KB963027-IE7\iertutil.dll
+ 2009-05-14 10:03 . 2008-12-20 23:15 384512 c:\windows\ie7updates\KB963027-IE7\iedkcs32.dll
+ 2009-05-14 10:03 . 2008-12-20 23:15 383488 c:\windows\ie7updates\KB963027-IE7\ieapfltr.dll
+ 2009-05-14 10:03 . 2008-12-19 05:23 161792 c:\windows\ie7updates\KB963027-IE7\ieakui.dll
+ 2009-05-14 10:03 . 2008-12-20 23:15 230400 c:\windows\ie7updates\KB963027-IE7\ieaksie.dll
+ 2009-05-14 10:03 . 2008-12-20 23:15 153088 c:\windows\ie7updates\KB963027-IE7\ieakeng.dll
+ 2009-05-14 10:03 . 2008-12-20 23:15 133120 c:\windows\ie7updates\KB963027-IE7\extmgr.dll
+ 2009-05-14 10:03 . 2008-12-20 23:15 214528 c:\windows\ie7updates\KB963027-IE7\dxtrans.dll
+ 2009-05-14 10:03 . 2008-12-20 23:15 347136 c:\windows\ie7updates\KB963027-IE7\dxtmsft.dll
+ 2009-05-14 10:03 . 2008-12-20 23:15 124928 c:\windows\ie7updates\KB963027-IE7\advpack.dll
+ 2001-08-18 12:00 . 2009-02-09 11:13 1846784 c:\windows\system32\win32k.sys
- 2001-08-18 12:00 . 2008-12-20 23:15 1160192 c:\windows\system32\urlmon.dll
+ 2001-08-18 12:00 . 2009-02-20 18:09 1160192 c:\windows\system32\urlmon.dll
- 2001-08-18 12:00 . 2008-05-07 05:12 1288192 c:\windows\system32\quartz.dll
+ 2001-08-18 12:00 . 2008-12-20 22:14 1288192 c:\windows\system32\quartz.dll
+ 2001-08-18 12:00 . 2009-02-06 11:08 2189056 c:\windows\system32\ntoskrnl.exe
+ 2001-08-18 12:00 . 2009-02-08 02:02 2066048 c:\windows\system32\ntkrnlpa.exe
- 2001-08-18 12:00 . 2008-08-14 09:33 2066048 c:\windows\system32\ntkrnlpa.exe
+ 2001-08-18 12:00 . 2009-02-20 18:09 3595264 c:\windows\system32\mshtml.dll
+ 2006-11-08 04:03 . 2009-02-20 18:09 6066176 c:\windows\system32\ieframe.dll
- 2006-09-06 06:01 . 2007-04-17 09:32 2455488 c:\windows\system32\ieapfltr.dat
+ 2006-09-06 06:01 . 2008-07-09 14:25 2455488 c:\windows\system32\ieapfltr.dat
+ 2008-12-04 00:34 . 2009-02-09 11:13 1846784 c:\windows\system32\dllcache\win32k.sys
- 2006-11-08 04:03 . 2008-12-20 23:15 1160192 c:\windows\system32\dllcache\urlmon.dll
+ 2006-11-08 04:03 . 2009-02-20 18:09 1160192 c:\windows\system32\dllcache\urlmon.dll
- 2008-05-07 05:12 . 2008-05-07 05:12 1288192 c:\windows\system32\dllcache\quartz.dll
+ 2008-05-07 05:12 . 2008-12-20 22:14 1288192 c:\windows\system32\dllcache\quartz.dll
+ 2008-12-04 00:29 . 2009-02-06 11:08 2189056 c:\windows\system32\dllcache\ntoskrnl.exe
- 2008-12-04 00:29 . 2008-08-14 09:33 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-12-04 00:29 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-12-04 00:29 . 2009-02-08 02:02 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2008-12-04 00:29 . 2008-08-14 09:33 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-12-04 00:29 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2008-12-04 00:29 . 2008-08-14 10:09 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2006-11-08 04:03 . 2009-02-20 18:09 3595264 c:\windows\system32\dllcache\mshtml.dll
+ 2007-06-27 14:34 . 2009-02-20 18:09 6066176 c:\windows\system32\dllcache\ieframe.dll
- 2007-04-17 09:32 . 2007-04-17 09:32 2455488 c:\windows\system32\dllcache\ieapfltr.dat
+ 2007-04-17 09:32 . 2008-07-09 14:25 2455488 c:\windows\system32\dllcache\ieapfltr.dat
+ 2009-05-14 10:03 . 2008-12-20 23:15 1160192 c:\windows\ie7updates\KB963027-IE7\urlmon.dll
+ 2009-05-14 10:03 . 2009-01-17 05:35 3594752 c:\windows\ie7updates\KB963027-IE7\mshtml.dll
+ 2009-05-14 10:03 . 2008-12-20 23:15 6066688 c:\windows\ie7updates\KB963027-IE7\ieframe.dll
+ 2009-05-14 10:03 . 2007-04-17 09:32 2455488 c:\windows\ie7updates\KB963027-IE7\ieapfltr.dat
+ 2008-12-04 00:29 . 2009-02-06 11:08 2189056 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2008-12-04 00:29 . 2008-08-14 09:33 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-12-04 00:29 . 2009-02-06 10:32 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-12-04 00:29 . 2008-08-14 09:33 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-12-04 00:29 . 2009-02-08 02:02 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-12-04 00:29 . 2009-02-06 11:06 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
- 2008-12-04 00:29 . 2008-08-14 10:09 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2007-09-26 00:48 . 2008-11-12 01:34 10838016 c:\windows\system32\wmp.dll
+ 2007-09-26 17:31 . 2009-05-07 07:16 24699336 c:\windows\system32\MRT.exe
+ 2008-07-14 18:19 . 2008-11-12 01:34 10838016 c:\windows\system32\dllcache\wmp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 172032]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 40960]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-12 1932568]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-12 17:24 10520 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= ctwdm32.dll
"aux1"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"enablefirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\game.dat"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\patchget.dat"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/9/2009 12:03 PM 64160]
R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [1/2/2009 7:16 PM 149376]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/12/2009 10:24 AM 325640]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/12/2009 10:24 AM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/12/2009 10:23 AM 298264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 2:34 PM 921936]
S3 ati2mpaa;ati2mpaa;c:\windows\system32\drivers\ati2mpaa.sys [9/25/2007 9:41 AM 281856]
.
Contents of the 'Scheduled Tasks' folder

2009-05-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 21:34]
.
.
------- Supplementary Scan -------
.
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {EC0403E0-9158-4CF8-A2B6-3C62C3B9B6B7} - hxxps://goto.pacificsource.com/CitrixLogonPoint/PacSource/EPAClient/EPAClient.exe
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-14 17:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3956)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2009-05-15 17:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-15 00:25
ComboFix2.txt 2009-05-14 01:40

Pre-Run: 24,998,572,032 bytes free
Post-Run: 25,050,095,616 bytes free

350 --- E O F --- 2009-05-14 10:04

Edited by Corine, 14 May 2009 - 10:09 PM.


#6 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 15 May 2009 - 06:36 PM

Good work! We'll get to the security recommendations later, I still want to make sure there was no presence of conficker or some variant...

Please open a command prompt. Click start--->run...then in the run box, type CMD and click "OK".

At the command prompt, copy and paste the following, then press the enter key:
REG Query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v netsvcs

Copy the text returned and paste it back here on your next reply. Thanks!

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#7 Corine
  • Topic Starter
  • Members
  • 5 posts

Posted 15 May 2009 - 08:34 PM

Hi,

Here's the result of the command run:

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Valued Customer>REG Query "HKEY_LOCAL_MACHINE\SOFTWARE
\Microsoft\Windows NT\CurrentVersion\Svchost" /v netsvcs

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMSe
rver\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Ip
rip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NW
CWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SEN
S\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmP
mSp\0winmgmt\0TermService\0wuauserv\0BITS\0ShellHWDetection\0helpsvc\0xmlprov\0w
scsvc\0WmdmPmSN\0napagent\0hkmsvc\0\0


Thanks again!
Corine
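The check 1972vet asked for above looks at which service names are registered in the netsvcs svchost group, and the reply shows what that value looks like when reg.exe prints it to a console (a REG_MULTI_SZ with literal "\0" separators, wrapped at 80 columns). As an added example that is not code from this thread or from any tool mentioned in it, the Python script below parses a pasted REG output of that shape back into individual service names and reports any name that is not in a known-good baseline. The baseline used here is simply the list Corine pasted, which the helper accepted as clean; the `Example1` entry used in the usage section is a constructed placeholder, not a name from the thread.

```python
"""
Parse the console output of

    REG Query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v netsvcs

and compare the netsvcs group members against a known-good baseline.
Save the console text to a file and pass its path as the first argument;
with no argument the constructed sample below is used.
"""
import sys

# Constructed sample: the text pasted back in this thread, exactly as the
# 80-column console wrapped it (entries are separated by a literal "\0").
SAMPLE_OUTPUT = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMSe
rver\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Ip
rip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NW
CWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SEN
S\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmP
mSp\0winmgmt\0TermService\0wuauserv\0BITS\0ShellHWDetection\0helpsvc\0xmlprov\0w
scsvc\0WmdmPmSN\0napagent\0hkmsvc\0\0
"""

# Baseline: the netsvcs members shown in this thread, which the helper accepted
# as clean. Service names are case-insensitive, so comparisons are lower-cased.
BASELINE_NETSVCS = (
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "DHCP",
    "ERSvc", "EventSystem", "FastUserSwitchingCompatibility", "HidServ", "Ias",
    "Iprip", "Irmon", "LanmanServer", "LanmanWorkstation", "Messenger", "Netman",
    "Nla", "Ntmssvc", "NWCWorkstation", "Nwsapagent", "Rasauto", "Rasman",
    "Remoteaccess", "Schedule", "Seclogon", "SENS", "Sharedaccess", "SRService",
    "Tapisrv", "Themes", "TrkWks", "W32Time", "WZCSVC", "Wmi", "WmdmPmSp",
    "winmgmt", "TermService", "wuauserv", "BITS", "ShellHWDetection", "helpsvc",
    "xmlprov", "wscsvc", "WmdmPmSN", "napagent", "hkmsvc",
)


def parse_netsvcs(reg_output):
    """Return the netsvcs service names, re-joining console-wrapped lines.

    The value line begins with "netsvcs" and "REG_MULTI_SZ"; every following
    non-blank line is a continuation of the same value, because the console
    breaks the long string at the window width without inserting separators.
    """
    lines = reg_output.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.lower().startswith("netsvcs") and "REG_MULTI_SZ" in stripped:
            raw = stripped.split("REG_MULTI_SZ", 1)[1].strip()
            for cont in lines[i + 1:]:
                if not cont.strip():
                    break
                raw += cont.strip()
            # "\0" is the two-character separator reg.exe prints; the value
            # ends with "\0\0", which yields empty strings that are dropped.
            return [name for name in raw.split(r"\0") if name]
    raise ValueError("netsvcs value not found in REG output")


def find_unexpected(entries, baseline=BASELINE_NETSVCS):
    """Names present in the group but absent from the baseline (order kept)."""
    known = {name.lower() for name in baseline}
    return [name for name in entries if name.lower() not in known]


def find_duplicates(entries):
    """Names that appear more than once (a registration error worth a look)."""
    seen, dups = set(), []
    for name in entries:
        key = name.lower()
        if key in seen and name not in dups:
            dups.append(name)
        seen.add(key)
    return dups


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_OUTPUT
    names = parse_netsvcs(text)
    print("netsvcs members:", len(names))
    print("not in baseline:", find_unexpected(names) or "none")
    print("duplicates:     ", find_duplicates(names) or "none")
    # Constructed variant with a placeholder name appended, to show a hit.
    tampered = SAMPLE_OUTPUT.replace(r"hkmsvc\0\0", r"hkmsvc\0Example1\0\0")
    print("constructed variant, not in baseline:",
          find_unexpected(parse_netsvcs(tampered)))
```

Run with no arguments to see the thread's own output parsed into 48 names with nothing unexpected, then the constructed variant flagging `Example1`. The baseline is deliberately a plain tuple in the source so it can be replaced with one taken from a known-clean machine of the same Windows version and service pack; the set of netsvcs members differs between versions, so a mismatch against the wrong baseline is noise, not a finding.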

#8 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 15 May 2009 - 10:12 PM

Great, I'm satisfied. To answer your concern about security while gaming, I'd have to say that the security setup you have seems sufficient. However, I should point out that you should create user accounts with limited permissions to use online.

The AVG8 software should be just fine. By the way, you can install the latest version of Java Here.

Next, click start-->run...then copy and paste the Bold text below into the run box and click "OK":

ComboFix /u

Performing this function will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again for you automatically.

To assist in the prevention of spyware infections:

Immunize your browser by installing Spywareblaster. What does it do?
  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially unwanted sites in Internet Explorer.
Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

You should always have at least (but not more than) one of these types of third party firewalls running on board:
Sunbelt Personal Firewall
Zone Alarm
Outpost Free
Comodo. Beware of the "Ask" toolbar that's now included; if you don't want it, remove the check from the box during installation.

Install the free security tool "Secunia PSI" to help protect your system against software vulnerabilities. The free utility scans your system's software applications and offers a one button "Download Solution" feature that updates the exploited software AND provides other related information/patching if warranted.

Stay updated with the most recent Windows patches as well...using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Using an alternate browser can reduce your chance of certain infections installing themselves. I recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Become familiar with the MalwareBytes anti-malware application. Use it often, especially if you begin to notice the system performance behavior is not what it should be. Learn more about the program Here, where you can also request assistance if you have some concerns about the program's findings.
***Note***
The licensed version provides real time protection and other automatic features otherwise not available.


Comodo's BOClean utility is another very good "Free" malware cleaner that runs in the background to help prevent malware intrusions.

Run CCleaner often. The Yahoo Toolbar is included by default during the installation...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup, or else just download the Slim version (no toolbar...third download link at the bottom of that page).

Or if you just want to run your on board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup" ), just open the utility and check off the following:
Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files. Don't forget to defrag the system.

So how did I get infected in the first place?
Regards, and Happy Surfing!



#9 Corine
  • Topic Starter
  • Members
  • 5 posts

Posted 16 May 2009 - 08:11 AM

Thank you so much for your help! The computer is running so much better now.

Have a great weekend!

#10 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 16 May 2009 - 10:12 AM

Thank you so much for your help! The computer is running so much better now....

You're quite welcome...glad we could help.

This issue appears resolved and the thread is closed to prevent others from posting here.
Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

