
Thread: Problems with yahoo_._com.

  1. #31
    Emeritus (Join Date: Nov 2005, Location: Texas, Posts: 1,144)

    Download ComboFix from Here or Here to your Desktop.

    Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
    • If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
    • If there is no Internet connection when ComboFix has completely finished, restart your computer to restore the connections.


    Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.


    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.
    MS-MVP Windows Security 2006,2007,2008 & 2009
    ASAP member since 2004

  2. #32
    Senior Member (Join Date: Feb 2008, Posts: 119)

    Subject: I'll do it again...

    Ok, I already did that. But I'll do it again. I'll download it and let it run overnight.
    And let's see what happens.
    Thanks.

  3. #33
    Senior Member (Join Date: Feb 2008, Posts: 119)

    Subject: Here they are... first part.

    Here are the logs:

    Note: the logs are too long, so I'll post them in two parts.


    ComboFix 08-02-22.2 - Family 2008-02-23 1:39:49.3 - NTFSx86
    Running from: C:\Documents and Settings\Family\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
    .

    2008-02-22 00:22 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
    2008-02-21 21:49 . 2008-02-22 01:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2008-02-21 21:49 . 2008-02-21 21:49 30,590 --a------ C:\WINDOWS\system32\pavas.ico
    2008-02-21 21:49 . 2008-02-21 21:49 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
    2008-02-21 21:49 . 2008-02-21 21:49 1,406 --a------ C:\WINDOWS\system32\Help.ico
    2008-02-16 12:36 . 2008-02-16 12:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-02-16 12:36 . 2008-02-16 12:36 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Malwarebytes
    2008-02-16 12:36 . 2008-02-16 12:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-02-14 00:53 . 2008-02-22 15:31 <DIR> d-------- C:\Documents and Settings\Family\Contacts
    2008-02-14 00:37 . 2008-02-14 00:37 268 --ah----- C:\sqmdata00.sqm
    2008-02-14 00:37 . 2008-02-14 00:37 244 --ah----- C:\sqmnoopt00.sqm
    2008-02-14 00:24 . 2008-02-14 00:24 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2008-02-14 00:23 . 2008-02-14 00:24 <DIR> d-------- C:\Program Files\MSN Messenger
    2008-02-13 23:55 . 2008-02-13 23:55 <DIR> d-------- C:\Documents and Settings\Family\Application Data\PlayFirst
    2008-02-13 23:04 . 2008-02-13 23:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GameHouse
    2008-02-12 23:19 . 2008-02-12 23:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pixelStorm
    2008-02-12 22:58 . 2008-02-12 22:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap
    2008-02-09 01:50 . 2008-02-09 01:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-02-09 01:49 . 2008-02-09 01:49 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-02-08 23:28 . 2008-02-08 23:28 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-08 18:52 . 2008-02-08 18:52 <DIR> d-------- C:\Program Files\Windows Live
    2008-02-08 18:52 . 2008-02-08 19:12 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
    2008-02-08 18:51 . 2008-02-08 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-02-06 02:27 . 2008-02-06 12:55 <DIR> d-------- C:\Documents and Settings\Family\Application Data\LimeWire
    2008-02-06 00:49 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-02-06 00:46 . 2008-02-06 00:49 <DIR> d-------- C:\Program Files\Java
    2008-02-06 00:06 . 2008-02-06 00:06 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-02-05 23:00 . 2008-02-05 23:46 <DIR> d-------- C:\Program Files\LimeWire 4.16.4
    2008-02-05 17:35 . 2008-02-22 01:07 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-02-05 17:35 . 2008-02-05 18:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-04 18:41 . 2008-02-04 18:41 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Sonic
    2008-02-04 18:09 . 2008-02-04 18:09 <DIR> d-------- C:\Program Files\RecordNow!
    2008-02-04 18:05 . 2008-02-04 18:05 <DIR> d-------- C:\Documents and Settings\Family\Application Data\CyberLink
    2008-02-04 18:02 . 2008-02-04 18:02 <DIR> d-------- C:\Program Files\CyberLink
    2008-02-04 18:02 . 2008-02-04 18:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-02-04 18:01 . 2008-02-04 18:02 <DIR> d-------- C:\Program Files\PowerDVD
    2008-02-04 17:53 . 2008-02-04 17:53 <DIR> d-------- C:\Program Files\MUSICMATCH Update
    2008-02-04 17:53 . 2008-02-04 17:54 28,276 --a------ C:\WINDOWS\system32\drivers\MxlW2k.sys
    2008-02-04 17:51 . 2008-02-07 17:41 <DIR> d-------- C:\Program Files\MUSICMATCH Jukebox
    2008-02-04 17:42 . 2008-02-04 17:43 <DIR> d-------- C:\Program Files\MediaFACE
    2008-02-04 17:36 . 2008-02-04 17:36 <DIR> d-------- C:\Documents and Settings\Family\Application Data\DivX
    2008-02-04 17:25 . 1999-04-23 21:22 26,768 --a------ C:\WINDOWS\system\ctl3d.dll
    2008-02-04 17:22 . 2008-02-04 17:25 <DIR> d-------- C:\WINDOWS\MVUNINST
    2008-02-04 17:22 . 2008-02-04 17:22 <DIR> d-------- C:\Program Files\Printscape
    2008-02-04 16:57 . 2008-02-04 16:57 <DIR> d-------- C:\Program Files\DivX
    2008-02-04 16:21 . 2008-02-04 16:22 <DIR> d-------- C:\Program Files\DivX 4 Windows
    2008-02-04 16:21 . 2007-12-04 11:38 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
    2008-02-04 16:21 . 2007-12-04 11:38 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
    2008-02-04 16:14 . 2008-02-04 16:14 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Apple Computer
    2008-02-04 16:13 . 2008-02-04 16:13 <DIR> d-------- C:\WINDOWS\system32\QuickTime
    2008-02-04 16:13 . 2008-02-04 16:13 <DIR> d-------- C:\Program Files\QuickTime
    2008-02-04 16:13 . 2008-02-04 16:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
    2008-02-04 16:13 . 1999-11-10 12:05 86,016 --a------ C:\WINDOWS\unvise32qt.exe
    2008-02-04 16:12 . 2008-02-04 16:12 <DIR> d-------- C:\Program Files\iTunes
    2008-02-04 16:12 . 2008-02-04 16:12 <DIR> d-------- C:\Program Files\iPod
    2008-02-04 16:12 . 2008-02-04 16:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-02-04 16:11 . 2008-02-04 16:11 <DIR> d-------- C:\WINDOWS\Downloaded Installations
    2008-02-04 16:09 . 2008-02-04 16:10 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Vso
    2008-02-04 15:38 . 2008-02-04 15:41 <DIR> d-------- C:\Program Files\Winamp 5 52
    2008-02-04 15:38 . 2008-02-04 15:49 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Winamp 5 52
    2008-02-04 15:31 . 2008-02-04 15:36 <DIR> d-------- C:\Program Files\RipIt 4 Me
    2008-02-04 15:31 . 2008-02-04 15:33 <DIR> d-------- C:\Documents and Settings\Family\Application Data\RipIt4Me
    2008-02-04 15:27 . 2008-02-22 00:53 <DIR> d-------- C:\Program Files\FLV Downloader
    2008-02-04 15:27 . 2008-02-04 15:27 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Moyea
    2008-02-04 14:51 . 2008-02-04 15:32 <DIR> d-------- C:\Program Files\DVDFab HD Decrypter 4
    2008-02-04 14:50 . 2008-02-04 14:50 <DIR> d-------- C:\Program Files\DVDFab FreeDVD
    2008-02-04 14:49 . 2008-02-04 14:49 <DIR> d-------- C:\Program Files\FixVTS
    2008-02-04 14:45 . 2008-02-04 14:45 <DIR> d-------- C:\Program Files\DVD Shrink
    2008-02-04 14:45 . 2008-02-07 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
    2008-02-04 14:42 . 2008-02-04 14:42 <DIR> d-------- C:\Program Files\CCleaner 2 03
    2008-02-04 14:07 . 2008-02-04 14:41 <DIR> d-------- C:\Downloads
    2008-02-04 14:07 . 2008-02-04 14:07 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
    2008-02-04 14:06 . 2008-02-04 14:41 <DIR> d-------- C:\Program Files\BitComet 0 98
    2008-02-04 14:01 . 2008-02-04 14:01 <DIR> d-------- C:\Program Files\Belarc
    2008-02-04 14:01 . 2005-04-07 16:18 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
    2008-02-04 13:54 . 2008-02-04 13:55 <DIR> d-------- C:\Program Files\Common Files\Adobe
    2008-02-04 13:54 . 2008-02-04 13:54 <DIR> d-------- C:\Program Files\Adobe Reader 8.0
    2008-01-30 17:09 . 2008-01-30 17:09 <DIR> d-------- C:\Documents and Settings\Family\Application Data\COWON
    2008-01-30 17:07 . 2008-01-30 17:07 <DIR> d-------- C:\Program Files\Common Files\COWON
    2008-01-30 17:06 . 2008-02-04 18:02 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
    2008-01-30 17:05 . 2008-02-04 08:18 <DIR> d-------- C:\Program Files\Jet Audio
    2008-01-30 17:03 . 2008-02-04 17:49 <DIR> d-------- C:\Program Files\Common Files\InstallShield
    2008-01-30 07:36 . 2008-01-30 08:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-01-29 15:22 . 2005-06-28 09:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2008-01-29 13:08 . 2008-01-29 13:08 2,422 --a------ C:\WINDOWS\system32\wpa.bak
    2008-01-28 23:50 . 2008-02-04 07:47 <DIR> d-------- C:\Documents and Settings\Family\Application Data\FaxCtr
    2008-01-28 23:46 . 2008-02-22 19:17 <DIR> d-------- C:\Program Files\lx_cats
    2008-01-28 23:45 . 2007-02-22 15:31 344,064 --a------ C:\WINDOWS\system32\lxcycoin.dll
    2008-01-28 23:45 . 2006-03-23 01:33 40,960 --a------ C:\WINDOWS\system32\lxcyvs.dll
    2008-01-28 23:44 . 2006-08-08 12:58 692,224 --a------ C:\WINDOWS\system32\lxcydrs.dll
    2008-01-28 23:44 . 2001-08-17 22:36 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
    2008-01-28 23:44 . 2001-08-17 22:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
    2008-01-28 23:44 . 2006-08-14 14:07 65,536 --a------ C:\WINDOWS\system32\lxcycaps.dll
    2008-01-28 23:44 . 2006-01-25 15:11 61,440 --a------ C:\WINDOWS\system32\lxcycnv4.dll
    2008-01-28 23:44 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
    2008-01-28 23:44 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
    2008-01-28 23:43 . 2006-04-28 02:16 339,968 --a------ C:\WINDOWS\system32\IMGMAN32.DLL
    2008-01-28 23:43 . 2006-04-28 02:16 98,345 --a------ C:\WINDOWS\system32\IMHOST32.DLL
    2008-01-28 23:43 . 2006-04-28 02:16 98,304 --a------ C:\WINDOWS\system32\IM31XPNG.DEL
    2008-01-28 23:43 . 2006-04-28 02:16 69,632 --a------ C:\WINDOWS\system32\IM31XTIF.DEL

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-28 23:59 --------- d-----w C:\Program Files\microsoft frontpage
    2007-12-04 18:38 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
    2007-12-04 18:38 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2007-12-04 18:38 129,784 ------w C:\WINDOWS\system32\pxafs.dll
    2007-12-04 18:36 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
    2007-12-04 18:36 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
    2007-12-04 18:36 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
    2007-12-04 18:36 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
    2007-12-04 18:36 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
    2007-12-04 18:36 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
    2007-12-04 18:36 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
    2007-12-04 18:36 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
    2007-12-04 18:36 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
    2007-12-04 18:36 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
    2007-12-04 18:36 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
    2007-12-04 18:36 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
    2007-12-04 18:35 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2007-12-04 18:35 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
    2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    .

    ------- Sigcheck -------

    "C:\WINDOWS\system32\svchost.exe"
    ----a-w 14,336 2006-02-28 12:00:00 C:\WINDOWS\system32\svchost.exe
    -c--a-w 14,336 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\svchost.exe

    "C:\WINDOWS\system32\ws2_32.dll"
    ----a-w 82,944 2006-02-28 12:00:00 C:\WINDOWS\system32\ws2_32.dll
    -c--a-w 82,944 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\ws2_32.dll

    "C:\WINDOWS\system32\wininet.dll"
    ----a-w 656,384 2006-02-28 12:00:00 C:\WINDOWS\system32\wininet.dll
    -c--a-w 656,384 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wininet.dll

    "C:\WINDOWS\system32\drivers\tcpip.sys"
    ----a-w 360,832 2007-10-30 16:53:32 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    -c----w 359,040 2006-02-28 12:00:00 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
    -c--a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\dllcache\tcpip.sys
    ----a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\drivers\tcpip.sys

    "C:\WINDOWS\system32\winlogon.exe"
    ----a-w 502,272 2006-02-28 12:00:00 C:\WINDOWS\system32\winlogon.exe
    -c--a-w 502,272 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\winlogon.exe

    "C:\WINDOWS\system32\drivers\ndis.sys"
    -c--a-w 182,912 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\ndis.sys
    ----a-w 182,912 2006-02-28 12:00:00 C:\WINDOWS\system32\drivers\ndis.sys

    "C:\WINDOWS\system32\drivers\ip6fw.sys"
    -c--a-w 29,056 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\ip6fw.sys
    ----a-w 29,056 2006-02-28 12:00:00 C:\WINDOWS\system32\drivers\ip6fw.sys

    "C:\WINDOWS\system32\ntkrnlpa.exe"
    ----a-w 2,059,392 2007-02-28 09:15:56 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
    ------w 2,057,600 2007-02-28 08:38:55 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
    ----a-w 2,056,832 2006-02-28 12:00:00 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\backup\sp2gdr\ntkrnlpa.exe
    ----a-w 2,056,832 2004-08-04 05:59:00 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\backup\sp2qfe\ntkrnlpa.exe
    ----a-w 2,056,832 2006-02-28 12:00:00 C:\WINDOWS\system32\ntkrnlpa.exe
    -c----w 2,057,600 2007-02-28 08:38:55 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

    "C:\WINDOWS\system32\ntoskrnl.exe"
    ----a-w 2,182,144 2007-02-28 09:55:14 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
    ------w 2,180,352 2007-02-28 09:10:57 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
    ----a-w 2,180,992 2006-02-28 12:00:00 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\backup\sp2gdr\ntoskrnl.exe
    ----a-w 2,180,992 2004-08-04 06:20:00 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\backup\sp2qfe\ntoskrnl.exe
    ----a-w 2,180,992 2006-02-28 12:00:00 C:\WINDOWS\system32\ntoskrnl.exe
    -c----w 2,180,352 2007-02-28 09:10:57 C:\WINDOWS\system32\dllcache\ntoskrnl.exe

    "C:\WINDOWS\explorer.exe"
    ----a-w 1,033,216 2007-06-13 10:23:07 C:\WINDOWS\explorer.exe
    ----a-w 1,033,216 2007-06-13 11:26:03 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
    -c----w 1,032,192 2006-02-28 12:00:00 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
    -c--a-w 1,033,216 2007-06-13 10:23:07 C:\WINDOWS\system32\dllcache\explorer.exe
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00 15360]
    "AOL Fast Start"="C:\Program Files\AOL 9.0\AOL.exe" [2007-04-17 23:48 50736]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HostManager"="C:\Program Files\Common Files\AOL\1201572665\ee\AOLSoftware.exe" [2006-09-25 17:52 50736]
    "AVG7_CC"="C:\PROGRA~1\AVG7\avgcc.exe" [2008-01-28 21:05 579072]
    "LXCYCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 10:27 106496]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 05:00 15360]
    "AVG7_Run"="C:\PROGRA~1\AVG7\avgw.exe" [2008-01-28 21:05 219136]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
    --a------ 2007-06-25 07:34 82608 C:\Program Files\Lexmark 3400 Series\ezprint.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
    --a------ 2007-06-25 07:35 295600 C:\Program Files\Lexmark Fax Solutions\fm3032.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcymon.exe]
    --a------ 2007-06-25 07:34 291504 C:\Program Files\Lexmark 3400 Series\lxcymon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

    R2 lxcy_device;lxcy_device;C:\WINDOWS\system32\lxcycoms.exe [2007-06-20 03:28]
    S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2006-02-28 05:00]
    S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2006-02-28 05:00]
    S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2006-02-28 05:00]
    S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2006-02-28 05:00]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-23 01:43:35
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCYCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2008-02-23 1:46:27
    .
    2008-01-31 02:47:13 --- E O F ---

  4. #34
    Senior Member (Join Date: Feb 2008, Posts: 119)

    Subject: Here they are... second part.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:24:45 AM, on 2/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\PROGRA~1\AVG7\avgamsvr.exe
    C:\PROGRA~1\AVG7\avgupsvc.exe
    C:\PROGRA~1\AVG7\avgemc.exe
    C:\WINDOWS\system32\lxcycoms.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\AOL\1201572665\ee\AOLSoftware.exe
    C:\PROGRA~1\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\AOL 9.0\waol.exe
    C:\Program Files\AOL 9.0\shellmon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.screenname.aol.com/_cqr/l...&seamless=novl
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\FLV Downloader\MoyeaCth.dll
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1201572665\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
    O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
    O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/def...s.1.0.0.39.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
    O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames...1.cab60096.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames...l.cab56649.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/def...utLauncher.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1431BA40-1483-4AB1-9EA8-790E9133ADE8}: NameServer = 205.188.146.145
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1431BA40-1483-4AB1-9EA8-790E9133ADE8}: NameServer = 205.188.146.145
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1431BA40-1483-4AB1-9EA8-790E9133ADE8}: NameServer = 205.188.146.145
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgemc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe

    --
    End of file - 7622 bytes

  5. #35
    Emeritus (Join Date: Nov 2005, Location: Texas, Posts: 1,144)

    Sorry for the delay.
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) is part of Windows Live Call HoverToCall.

    We will need to disable TeaTimer or let TeaTimer allow the change:
    1) Run Spybot-S&D
    2) Go to the Mode menu, and make sure "Advanced Mode" is selected
    3) On the left hand side, choose Tools -> Resident
    4) Uncheck "Resident TeaTimer" and OK any prompts
    5) Restart your computer.

    After doing this, fix O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    with HijackThis.
    MS-MVP Windows Security 2006,2007,2008 & 2009
    ASAP member since 2004
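As an added example (not code from this thread, from HijackThis or from ComboFix): a small Python triage over HijackThis log lines that picks out the kind of entry discussed above, O2/O9 CLSID entries whose target file is gone ("(no file)" / "(file missing)", i.e. a stale registry key rather than an active component), and also lists the O17 NameServer values so the configured resolvers can be checked. The sample lines are copied from the log posted in #34; the expected-resolver set is an assumption you supply.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample in HijackThis v2.0.2 log format. The second O2 line, the O9
# line and the O17 line are copied from the log posted in this thread; the first
# O2 line is a healthy entry kept for contrast.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\\Program Files\\BitComet 0 98\\tools\\BitCometBHO_1.2.1.2.dll/206 (file missing)
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{1431BA40-1483-4AB1-9EA8-790E9133ADE8}: NameServer = 205.188.146.145
"""

# "O2 - BHO: <name> - {CLSID} - <path>" and "O9 - Extra button: <name> - {CLSID} - <path>"
CLSID_LINE = re.compile(
    r"^(?P<section>O2|O9) - (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
# "O17 - <registry key>: NameServer = <ip>[,<ip>...]"
NAMESERVER_LINE = re.compile(r"^O17 - (?P<key>.*?): NameServer = (?P<value>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O2"
    subject: str   # BHO / button name, or the registry key for O17
    clsid: str     # CLSID for O2/O9, empty for O17
    detail: str    # file path, or the name-server value
    category: str  # "orphaned", "nameserver" or "ok"
    note: str


def classify_clsid_entry(m: "re.Match[str]") -> Finding:
    """An O2/O9 entry whose target file no longer exists is a stale registry
    key (the case discussed in this thread): left over from an uninstalled
    component, not an active BHO, and safe to fix with HijackThis."""
    path = m.group("path").strip()
    missing = path == "(no file)" or path.endswith("(file missing)")
    if missing:
        return Finding(m.group("section"), m.group("name"), m.group("clsid"), path,
                       "orphaned", "CLSID registered but target file is missing")
    return Finding(m.group("section"), m.group("name"), m.group("clsid"), path, "ok", "")


def classify_nameserver(m: "re.Match[str]", expected: Optional[Iterable[str]]) -> Finding:
    """O17 lines hold the resolver configured per adapter. A resolver the owner
    or ISP did not configure is a classic DNS-hijack indicator, so anything
    outside the expected set is flagged for review."""
    servers = [s.strip() for s in m.group("value").split(",") if s.strip()]
    if expected is None:
        category, note = "nameserver", "no expected resolver list supplied; verify manually"
    else:
        unknown = [s for s in servers if s not in set(expected)]
        category = "nameserver" if unknown else "ok"
        note = f"unexpected resolver(s): {', '.join(unknown)}" if unknown else ""
    return Finding("O17", m.group("key"), "", ",".join(servers), category, note)


def triage(log_text: str, expected_nameservers: Optional[Iterable[str]] = None) -> List[Finding]:
    """Walk a HijackThis log and return one Finding per O2/O9/O17 line."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = CLSID_LINE.match(line)
        if m:
            findings.append(classify_clsid_entry(m))
            continue
        m = NAMESERVER_LINE.match(line)
        if m:
            findings.append(classify_nameserver(m, expected_nameservers))
    return findings


def orphaned_clsids(log_text: str) -> List[str]:
    """Just the CLSIDs that a 'Fix checked' in HijackThis would remove."""
    return [f.clsid for f in triage(log_text) if f.category == "orphaned"]


if __name__ == "__main__":
    # Assumed resolver for the demo; replace with the ISP's actual DNS servers.
    for f in triage(SAMPLE_LOG, expected_nameservers={"205.188.146.145"}):
        if f.category != "ok":
            print(f"{f.section} {f.category:10} {f.clsid or f.detail} : {f.note}")
```

Feed it a full log with the resolver set your ISP actually assigns; an "orphaned" hit is housekeeping, while an unexpected O17 resolver deserves a closer look.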

  6. #36
    Senior Member (Join Date: Feb 2008, Posts: 119)

    Subject: I already did that...

    I already did that, but I'll do it again.
    Please advise on the next step.
    Thanks.

  7. #37
    Emeritus (Join Date: Nov 2005, Location: Texas, Posts: 1,144)

    If it doesn't remove it, we may need to remove Spybot, then delete it. But it is not spyware, just a reg key that you do not need.
    MS-MVP Windows Security 2006,2007,2008 & 2009
    ASAP member since 2004

  8. #38
    Senior Member (Join Date: Feb 2008, Posts: 119)

    Subject: It's gone...

    It's gone, but the last time it was gone too. And after some days (2 or 3) it reappeared again.
    What should I do now?
    Thanks.

  9. #39
    Emeritus (Join Date: Nov 2005, Location: Texas, Posts: 1,144)

    Download OTMoveIt.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.

    Press cleanup & it will search for and delete/uninstall all the tools we have used
    to fix your problems and all their backup folders, and then delete itself when you next reboot.

    Let me know if you have any more trouble.
    MS-MVP Windows Security 2006,2007,2008 & 2009
    ASAP member since 2004

  10. #40
    Senior Member (Join Date: Feb 2008, Posts: 119)

    Subject: Ok...

    Ok, I'll do it. I did this also, but I'll do it again.
    Thanks.
