PDA

View Full Version : Virtumonde on family computer



LIZBOZ
2007-12-11, 07:02
We have been having problems for over a week now on our family computer with pop-ups and balloons coming up saying we have a virus and trying to sell us the "bestselling antivirus" program. After running Housecall and Adaware, we were told to try bitdefender and spybot. We ran those last week and thought the problem was solved, but this weekend, the problems have returned. I have read other posts regarding Virtumonde, but also read that it is not safe to follow other posts as this case could be different. After reading the "BEFORE you POST" thread, we have these results

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:41 PM, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Upromise__RemindU\UpromiseRemindUv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Upromise__RemindU\up.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stevequayle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcy/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\Program Files\SOS\Search.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
N4 - Mozilla: # Mozilla User Preferences
// This is a generated file!

user_pref("browser.download.dir", "C:\\Program Files\\Netscape\\Netscape 6");
user_pref("browser.history.last_page_visited", "http://browser.netscape.com/ns8/download/default.jsp");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage_override.mstone", "rv:0.9.4");
user_pref("intl.charsetmenu.browser.cache", "UTF-8, windows-1252");
user_pref("prefs.converted-to-utf8", true);
user_pref("signon.SignonFileName", "29496165.s");
user_pref("timebomb.first_launch_time", "1129495318390000");
user_pref("wallet.SchemaValueFileName", "29500332.w");
user_pref("browser.helperApps.neverAsk.openFile", "application%2Fx-java-jnlp-file");
(C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\default\5iefumof.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [uprom] "C:\Program Files\Upromise__RemindU\UpromiseRemindUv.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [fc93c6b6] rundll32.exe "C:\WINDOWS\system32\cxatwjbw.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Freebie Notes] "C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - ?p=ZNxmk572INUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: RemindU - file://C:\Documents and Settings\user\Application Data\Upromise__RemindU\uprot\uproC5.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: RemindU - {B48798CE-A2E0-4918-BC00-0F72FBA708E2} - file://C:\Documents and Settings\user\Application Data\Upromise__RemindU\uprot\uproC5.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156607090218
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 14433 bytes



and Kaspersky gave us a log that is too long for this post.

Thank you in advance!!

Blade81
2007-12-12, 08:29
Hi

Navigate into C:\Program Files\Trend Micro\HijackThis folder and rename HijackThis.exe file -> LIZBOZ.exe. Post a fresh hjt log after that.

LIZBOZ
2007-12-12, 21:22
here is the new log and I think I renamed the file correctly!
Thank you
I will be away for a couple of hours, and I appreciate your help



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:42 PM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\awismgra.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Upromise__RemindU\UpromiseRemindUv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Upromise__RemindU\up.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\LIZBOZ.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stevequayle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcy/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\Program Files\SOS\Search.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
N4 - Mozilla: # Mozilla User Preferences
// This is a generated file!

user_pref("browser.download.dir", "C:\\Program Files\\Netscape\\Netscape 6");
user_pref("browser.history.last_page_visited", "http://browser.netscape.com/ns8/download/default.jsp");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage_override.mstone", "rv:0.9.4");
user_pref("intl.charsetmenu.browser.cache", "UTF-8, windows-1252");
user_pref("prefs.converted-to-utf8", true);
user_pref("signon.SignonFileName", "29496165.s");
user_pref("timebomb.first_launch_time", "1129495318390000");
user_pref("wallet.SchemaValueFileName", "29500332.w");
user_pref("browser.helperApps.neverAsk.openFile", "application%2Fx-java-jnlp-file");
(C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\default\5iefumof.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: {e0c49abc-0da9-a279-06f4-fd560c768633} - {336867c0-65df-4f60-972a-9ad0cba94c0e} - C:\WINDOWS\system32\yrgscjgk.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O2 - BHO: (no name) - {8FD18E5B-56B6-48CB-86CE-9363FA37FEA8} - C:\WINDOWS\system32\jkkli.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\urqppnm.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [uprom] "C:\Program Files\Upromise__RemindU\UpromiseRemindUv.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [fc93c6b6] rundll32.exe "C:\WINDOWS\system32\ucerwqtx.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Freebie Notes] "C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - ?p=ZNxmk572INUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: RemindU - file://C:\Documents and Settings\user\Application Data\Upromise__RemindU\uprot\uproC5.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: RemindU - {B48798CE-A2E0-4918-BC00-0F72FBA708E2} - file://C:\Documents and Settings\user\Application Data\Upromise__RemindU\uprot\uproC5.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156607090218
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - Winlogon Notify: urqppnm - urqppnm.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\awismgra.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 15874 bytes

Blade81
2007-12-13, 08:58
Hi

Yes, you did it right. Let's continue :)

1. Download this file -
combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your
next reply along with a fresh hjt log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause
it to stall

LIZBOZ
2007-12-13, 17:54
Hello!
I ran combofix and it was running for over 20 minutes, then I walked away for a minute and came back and the computer was restarting. Was it supposed to do that? When Windows started, there was a message like "This system has recovered from a serious error" and I sent that to Microsoft and the page that came up said "Problem caused by Device Driver". I don't see a report anywhere yet. I'll wait till I hear from you to repost the HJT log. Also, since we have other computers (school-issued) on our home network, should we do anything to keep them from getting this problem?
Many, many thanks!!:santa:

Blade81
2007-12-13, 18:12
Hi

Restart belongs to ComboFix phases. Try looking for ComboFix.txt file on your C drive. ComboFix log is in that file.


Also, since we have other computers (school-issued) on our home network, should we do anything to keep them from getting this problem?
Yes, it's recommended to isolate infected computer from other home network.

LIZBOZ
2007-12-13, 18:25
Found the combofix log

ComboFix 07-12-12.3 - user 2007-12-13 8:05:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.126 [GMT -7:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
* Created a new restore point
.

and a new HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:24, on 2007-12-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Upromise__RemindU\UpromiseRemindUv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Upromise__RemindU\up.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Trend Micro\HijackThis\LIZBOZ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stevequayle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcy/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\Program Files\SOS\Search.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
N4 - Mozilla: # Mozilla User Preferences
// This is a generated file!

user_pref("browser.download.dir", "C:\\Program Files\\Netscape\\Netscape 6");
user_pref("browser.history.last_page_visited", "http://browser.netscape.com/ns8/download/default.jsp");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage_override.mstone", "rv:0.9.4");
user_pref("intl.charsetmenu.browser.cache", "UTF-8, windows-1252");
user_pref("prefs.converted-to-utf8", true);
user_pref("signon.SignonFileName", "29496165.s");
user_pref("timebomb.first_launch_time", "1129495318390000");
user_pref("wallet.SchemaValueFileName", "29500332.w");
user_pref("browser.helperApps.neverAsk.openFile", "application%2Fx-java-jnlp-file");
(C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\default\5iefumof.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {690E059D-CE1C-4DE3-887E-52ED69953DE9} - C:\WINDOWS\system32\jkkli.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [uprom] "C:\Program Files\Upromise__RemindU\UpromiseRemindUv.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Freebie Notes] "C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - ?p=ZNxmk572INUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: RemindU - file://C:\Documents and Settings\user\Application Data\Upromise__RemindU\uprot\uproC5.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: RemindU - {B48798CE-A2E0-4918-BC00-0F72FBA708E2} - file://C:\Documents and Settings\user\Application Data\Upromise__RemindU\uprot\uproC5.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156607090218
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - Winlogon Notify: urqppnm - urqppnm.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 14975 bytes

Blade81
2007-12-13, 18:35
You need to run ComboFix again.

Go to Start→ Run → paste in the single line command (the one bolded below) & click OK

"%userprofile%\desktop\combofix.exe" /killall

Then wait for Combo to finish (let it restart when it comes to that phase of the process). After all this there should be new ComboFix log ready. If it doesn't open up automatically then you'll find it in that ComboFix.txt file.

LIZBOZ
2007-12-13, 18:59
here is the combofix again--it doesn't look like the others I've seen on here!?!



ComboFix 07-12-12.3 - user 2007-12-13 8:05:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.126 [GMT -7:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
* Created a new restore point
.

LIZBOZ
2007-12-13, 19:03
sorry!! that was the old one, here is the new one--it still looks strange to me:scratch:

ComboFix 07-12-12.3 - user 2007-12-13 9:39:27.2 - NTFSx86
Running from: C:\Documents and Settings\user\desktop\combofix.exe
Command switches used :: /killall
.

Blade81
2007-12-13, 19:46
Yes, that certainly looks odd to me. Let's try with this (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) one. Download it to your desktop (overwrite previous one) and run.

LIZBOZ
2007-12-13, 20:03
c:\...combofix.exe is not a valid Win32 application

Blade81
2007-12-13, 20:12
Did you try to run it by double-clicking the file? It should work that way. If it doesn't then re-download the file and try again.

LIZBOZ
2007-12-13, 23:34
I did put it on the desktop and double-click, two more times now, each time using the link and starting over, and I am still getting the same message :(

LIZBOZ
2007-12-14, 00:09
WOOHOO!!! I used the first link you gave me and ran combofix again and this time it gave this log and did NOT restart. I think maybe Norton was causing problems before??:alien:

ComboFix 07-12-12.3 - user 2007-12-13 14:48:21.4 - NTFSx86
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Ben\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Ben\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Ben\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Steven\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Steven\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Steven\Favorites\Online Security Guide.lnk
C:\Documents and Settings\user\Application Data\SMBOLS~1
C:\Documents and Settings\user\Desktop\Live Safety Center.lnk
C:\Documents and Settings\user\Desktop\Online Security Guide.lnk
C:\Documents and Settings\user\Favorites\Online Security Guide.lnk
C:\WINDOWS\bobsaver.exe
C:\WINDOWS\bobsaver.scr
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\accimnac.dll
C:\WINDOWS\system32\awismgra.exe
C:\WINDOWS\system32\cqrtdhef.dll
C:\WINDOWS\system32\igueturo.dll
C:\WINDOWS\system32\ihrtyunp.ini
C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\ilkkj.ini2
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\kitmehwg.dll
C:\WINDOWS\system32\pnuytrhi.dll
C:\WINDOWS\system32\rjpgcqav.exe
C:\WINDOWS\system32\vrcuhmgf.dll
C:\WINDOWS\system32\xtjryjnd.dll
C:\WINDOWS\system32\yrgscjgk.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService








((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-12-12 16:33 . 2007-09-24 22:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-11 13:28 . 2007-12-12 12:04 654 ---hs---- C:\WINDOWS\system32\xtqwrecu.ini
2007-12-10 21:26 . 2007-12-10 21:26 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-10 14:18 . 2007-12-10 14:18 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-10 14:18 . 2007-12-10 14:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-10 13:27 . 2007-12-11 13:27 534 ---hs---- C:\WINDOWS\system32\wbjwtaxc.ini
2007-12-09 13:28 . 2007-12-10 10:26 414 ---hs---- C:\WINDOWS\system32\lcdgksdm.ini
2007-12-08 17:41 . 2007-12-08 17:42 414 ---hs---- C:\WINDOWS\system32\kinotdpr.ini
2007-12-07 17:38 . 2007-12-08 17:39 354 ---hs---- C:\WINDOWS\system32\vfpbtpax.ini
2007-12-06 17:45 . 2007-12-06 17:45 294 ---hs---- C:\WINDOWS\system32\tsfayaug.ini
2007-12-06 11:24 . 2007-12-06 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-05 20:23 . 2007-12-05 20:23 1,475,424 ---hs---- C:\WINDOWS\system32\qjxxeoth.ini
2007-12-05 17:44 . 2007-12-08 21:25 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-04 16:15 . 2003-11-01 15:10 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-04 16:15 . 2003-11-01 15:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-04 16:15 . 2003-11-01 15:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-12-04 10:22 . 2007-12-04 10:44 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\HouseCall 6.6
2007-12-03 20:55 . 2007-12-03 21:07 <DIR> d-------- C:\Documents and Settings\Steven\.housecall6.6
2007-12-03 20:34 . 2007-12-03 20:34 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\Upromise__RemindU
2007-12-03 19:44 . 2007-12-05 20:23 1,474,776 ---hs---- C:\WINDOWS\system32\luupbppu.ini
2007-12-02 20:46 . 2007-12-03 20:56 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-02 20:44 . 2007-12-03 20:13 <DIR> d-------- C:\Documents and Settings\user\.housecall6.6
2007-12-02 20:23 . 2007-12-03 19:34 793,743 ---hs---- C:\WINDOWS\system32\tmogtwiu.ini
2007-12-02 14:14 . 2007-12-04 16:21 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\Upromise__RemindU
2007-12-02 14:12 . 2003-11-01 15:10 <DIR> d-------- C:\Documents and Settings\Steven\WINDOWS
2007-12-02 14:12 . 2003-11-01 15:19 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\Symantec
2007-12-02 14:12 . 2003-11-01 15:00 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\InterTrust

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-13 17:41 --------- d-----w C:\Documents and Settings\user\Application Data\Upromise__RemindU
2007-12-13 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-13 00:10 --------- d-----w C:\Program Files\Microsoft Works
2007-12-12 23:37 --------- d-----w C:\Program Files\Java
2007-12-12 19:05 --------- d-----w C:\Documents and Settings\user\Application Data\WeatherBug
2007-12-09 02:23 --------- d-----w C:\Documents and Settings\user\Application Data\MSN6
2007-12-04 06:20 --------- d-----w C:\Program Files\Image-Line
2007-12-04 03:35 --------- d-----w C:\Program Files\Upromise__RemindU
2007-11-23 05:11 --------- d-----w C:\Documents and Settings\Tina\Application Data\WeatherBug
2007-11-22 17:08 --------- d-----w C:\Documents and Settings\Tina\Application Data\Upromise__RemindU
2007-11-13 10:25 20,480 ----a-r C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-05 07:49 --------- d-----w C:\Program Files\Lavasoft
2007-11-05 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-05 06:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 00:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-25 17:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-19 02:54 --------- d-----w C:\Program Files\DivX
2007-02-15 18:12 76,576 ----a-w C:\Program Files\Uninstall.exe
2006-05-10 23:52 4,942,418 ----a-w C:\Program Files\Start.wrs
2006-05-10 23:52 1,396,736 ----a-w C:\Program Files\StartTAF.exe
2006-05-10 21:56 174,141 ----a-w C:\Program Files\acknex.wdf
2006-05-10 20:55 2,772 ----a-w C:\Program Files\ServerInstructions.txt
2005-10-12 21:31 69,632 ----a-w C:\Program Files\TimezAttackFree.exe
2005-06-13 22:24 1,218 ----a-w C:\Documents and Settings\user\POOLOPT.DAT
2005-05-28 03:22 41 ----a-w C:\Program Files\GoToMicrosoft.bat
2005-05-26 19:59 25,214 ----a-w C:\Program Files\ScratchHead.ico
2005-05-21 14:28 768 ----a-w C:\Program Files\PALETTE.RAW
2005-04-19 20:25 1,218 ----a-w C:\Documents and Settings\Tina\POOLOPT.DAT
2004-10-04 21:58 30 ----a-w C:\Program Files\GoToWebsite.bat
2004-03-31 19:50 45,056 ----a-w C:\Program Files\buynow.dll
2004-02-23 00:19 364,544 ----a-w C:\Program Files\newton.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 13:00]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [2006-04-07 15:02]
"Freebie Notes"="C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe" [2006-05-23 21:05]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 10:05]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 14:57]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2007-08-12 10:02]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-11-10 14:30]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 02:50 C:\WINDOWS\LOGI_MWX.EXE]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2005-11-18 23:33]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 21:36]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 09:16]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 09:34]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-26 11:04]
"uprom"="C:\Program Files\Upromise__RemindU\UpromiseRemindUv.exe" [2007-05-22 10:49]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 16:48]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 16:44]
"RAM Idle Professional"="C:\Program Files\RAM Idle LE\RAM_XP.exe" []
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2007-08-12 10:02]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2005-12-24 21:43:27]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-02 04:29:26]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2006-04-01 21:43:14]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqppnm]
urqppnm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys
R2 MSSQL$SOSHOME;MSSQL$SOSHOME;C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME\Binn\sqlservr.exe -sSOSHOME
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys
S3 SQLAgent$SOSHOME;SQLAgent$SOSHOME;C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME\Binn\sqlagent.EXE -i SOSHOME
S3 wltwo51b;2Wire Wireless USB adapter Driver;C:\WINDOWS\system32\DRIVERS\wltwo51b.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-04 05:54:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Steven.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEh/task:
"2007-12-11 06:27:37 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 14:53:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-13 15:01:25
.
2007-12-13 06:39:44 --- E O F ---

LIZBOZ
2007-12-14, 00:34
and another HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:31:03 PM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Upromise__RemindU\UpromiseRemindUv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Upromise__RemindU\up.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\LIZBOZ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.safer-networking.org/en/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcy/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\Program Files\SOS\Search.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
N4 - Mozilla: # Mozilla User Preferences
// This is a generated file!

user_pref("browser.download.dir", "C:\\Program Files\\Netscape\\Netscape 6");
user_pref("browser.history.last_page_visited", "http://browser.netscape.com/ns8/download/default.jsp");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage_override.mstone", "rv:0.9.4");
user_pref("intl.charsetmenu.browser.cache", "UTF-8, windows-1252");
user_pref("prefs.converted-to-utf8", true);
user_pref("signon.SignonFileName", "29496165.s");
user_pref("timebomb.first_launch_time", "1129495318390000");
user_pref("wallet.SchemaValueFileName", "29500332.w");
user_pref("browser.helperApps.neverAsk.openFile", "application%2Fx-java-jnlp-file");
(C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\default\5iefumof.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [uprom] "C:\Program Files\Upromise__RemindU\UpromiseRemindUv.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Freebie Notes] "C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - ?p=ZNxmk572INUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: RemindU - file://C:\Documents and Settings\user\Application Data\Upromise__RemindU\uprot\uproC5.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: RemindU - {B48798CE-A2E0-4918-BC00-0F72FBA708E2} - file://C:\Documents and Settings\user\Application Data\Upromise__RemindU\uprot\uproC5.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156607090218
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - Winlogon Notify: urqppnm - urqppnm.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 14841 bytes

Blade81
2007-12-14, 08:45
Yeah, probably it was Norton causing the trouble. Let's continue :)


Disable Norton temporarily so that it won't interfere following steps.


Start hjt, click do a system scan only, check:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - Winlogon Notify: urqppnm - urqppnm.dll (file missing)

Close browsers and other windows. Click fix checked.


Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\system32\xtqwrecu.ini
C:\WINDOWS\system32\wbjwtaxc.ini
C:\WINDOWS\system32\lcdgksdm.ini
C:\WINDOWS\system32\kinotdpr.ini
C:\WINDOWS\system32\vfpbtpax.ini
C:\WINDOWS\system32\tsfayaug.ini
C:\WINDOWS\system32\qjxxeoth.ini
C:\WINDOWS\system32\luupbppu.ini
C:\WINDOWS\system32\tmogtwiu.ini



Save this as
CFScript


http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

Refering to the picture above, drag CFScript into ComboFix.exe


* Go here ( http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats and the option Scan unwanted applications is checkmarked.
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic, along with Combofix log, a new HijackThis log & a description of any remaining problems

LIZBOZ
2007-12-15, 01:20
eset log

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2723 (20071214)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=2d85de57f8b80445a9134011ef8372b3
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2007-12-14 05:09:43
# local_time=2007-12-14 10:09:43 (-0700, Mountain Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=430763
# found=11
# scan_time=6749
C:\qoobox\Quarantine\C\WINDOWS\system32\awismgra.exe.vir Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\system32\cqrtdhef.dll.vir Win32/BHO.G trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\system32\pnuytrhi.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\system32\rjpgcqav.exe.vir Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
E:\WINDOWS\Desktop\crystaldream.exe multiple infiltrations (deleted) 00000000000000000000000000000000
E:\WINDOWS\Desktop\crystaldream.exe »WISE »msbb.exe Win32/Adware.180Solutions application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
E:\WINDOWS\Desktop\crystaldream.exe »WISE »aaaP026.exe Win32/Igetnet.A trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
E:\WINDOWS\Temporary Internet Files\Content.IE5\SHAFG1MZ\stc[1].htm HTML/Exploit.ObjCode trojan (unable to clean - deleted) 00000000000000000000000000000000
E:\System Volume Information\_restore{26CD2BFF-47B6-4AEB-9197-1C8FC9604755}\RP14\A0003313.exe multiple infiltrations (deleted) 00000000000000000000000000000000
E:\System Volume Information\_restore{26CD2BFF-47B6-4AEB-9197-1C8FC9604755}\RP14\A0003313.exe »WISE »msbb.exe Win32/Adware.180Solutions application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
E:\System Volume Information\_restore{26CD2BFF-47B6-4AEB-9197-1C8FC9604755}\RP14\A0003313.exe »WISE »aaaP026.exe Win32/Igetnet.A trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000



and combofix

ComboFix 07-12-12.3 - user 2007-12-14 7:34:31.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.108 [GMT -7:00]Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\kinotdpr.ini
C:\WINDOWS\system32\lcdgksdm.ini
C:\WINDOWS\system32\luupbppu.ini
C:\WINDOWS\system32\qjxxeoth.ini
C:\WINDOWS\system32\tmogtwiu.ini
C:\WINDOWS\system32\tsfayaug.ini
C:\WINDOWS\system32\vfpbtpax.ini
C:\WINDOWS\system32\wbjwtaxc.ini
C:\WINDOWS\system32\xtqwrecu.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\kinotdpr.ini
C:\WINDOWS\system32\lcdgksdm.ini
C:\WINDOWS\system32\luupbppu.ini
C:\WINDOWS\system32\qjxxeoth.ini
C:\WINDOWS\system32\tmogtwiu.ini
C:\WINDOWS\system32\tsfayaug.ini
C:\WINDOWS\system32\vfpbtpax.ini
C:\WINDOWS\system32\wbjwtaxc.ini
C:\WINDOWS\system32\xtqwrecu.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-14 to 2007-12-14 )))))))))))))))))))))))))))))))
.

2007-12-12 16:33 . 2007-09-24 22:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-10 21:26 . 2007-12-10 21:26 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-10 14:18 . 2007-12-10 14:18 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-10 14:18 . 2007-12-10 14:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-06 11:24 . 2007-12-06 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-05 17:44 . 2007-12-08 21:25 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-04 16:15 . 2003-11-01 15:10 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-04 16:15 . 2003-11-01 15:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-04 16:15 . 2003-11-01 15:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-12-04 10:22 . 2007-12-04 10:44 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\HouseCall 6.6
2007-12-03 20:55 . 2007-12-03 21:07 <DIR> d-------- C:\Documents and Settings\Steven\.housecall6.6
2007-12-03 20:34 . 2007-12-03 20:34 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\Upromise__RemindU
2007-12-02 20:46 . 2007-12-03 20:56 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-02 20:44 . 2007-12-03 20:13 <DIR> d-------- C:\Documents and Settings\user\.housecall6.6
2007-12-02 14:14 . 2007-12-04 16:21 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\Upromise__RemindU
2007-12-02 14:12 . 2003-11-01 15:10 <DIR> d-------- C:\Documents and Settings\Steven\WINDOWS
2007-12-02 14:12 . 2003-11-01 15:19 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\Symantec
2007-12-02 14:12 . 2003-11-01 15:00 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\InterTrust

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-13 17:41 --------- d-----w C:\Documents and Settings\user\Application Data\Upromise__RemindU
2007-12-13 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-13 00:10 --------- d-----w C:\Program Files\Microsoft Works
2007-12-12 23:37 --------- d-----w C:\Program Files\Java
2007-12-12 19:05 --------- d-----w C:\Documents and Settings\user\Application Data\WeatherBug
2007-12-09 02:23 --------- d-----w C:\Documents and Settings\user\Application Data\MSN6
2007-12-04 06:20 --------- d-----w C:\Program Files\Image-Line
2007-12-04 03:35 --------- d-----w C:\Program Files\Upromise__RemindU
2007-11-23 05:11 --------- d-----w C:\Documents and Settings\Tina\Application Data\WeatherBug
2007-11-22 17:08 --------- d-----w C:\Documents and Settings\Tina\Application Data\Upromise__RemindU
2007-11-13 10:25 20,480 ----a-r C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-05 07:49 --------- d-----w C:\Program Files\Lavasoft
2007-11-05 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-05 06:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 00:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-25 17:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-19 02:54 --------- d-----w C:\Program Files\DivX
2007-02-15 18:12 76,576 ----a-w C:\Program Files\Uninstall.exe
2006-05-10 23:52 4,942,418 ----a-w C:\Program Files\Start.wrs
2006-05-10 23:52 1,396,736 ----a-w C:\Program Files\StartTAF.exe
2006-05-10 21:56 174,141 ----a-w C:\Program Files\acknex.wdf
2006-05-10 20:55 2,772 ----a-w C:\Program Files\ServerInstructions.txt
2005-10-12 21:31 69,632 ----a-w C:\Program Files\TimezAttackFree.exe
2005-06-13 22:24 1,218 ----a-w C:\Documents and Settings\user\POOLOPT.DAT
2005-05-28 03:22 41 ----a-w C:\Program Files\GoToMicrosoft.bat
2005-05-26 19:59 25,214 ----a-w C:\Program Files\ScratchHead.ico
2005-05-21 14:28 768 ----a-w C:\Program Files\PALETTE.RAW
2005-04-19 20:25 1,218 ----a-w C:\Documents and Settings\Tina\POOLOPT.DAT
2004-10-04 21:58 30 ----a-w C:\Program Files\GoToWebsite.bat
2004-03-31 19:50 45,056 ----a-w C:\Program Files\buynow.dll
2004-02-23 00:19 364,544 ----a-w C:\Program Files\newton.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 13:00]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [2006-04-07 15:02]
"Freebie Notes"="C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe" [2006-05-23 21:05]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 10:05]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 14:57]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2007-08-12 10:02]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-11-10 14:30]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 02:50 C:\WINDOWS\LOGI_MWX.EXE]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2005-11-18 23:33]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 21:36]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 09:16]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 09:34]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-26 11:04]
"uprom"="C:\Program Files\Upromise__RemindU\UpromiseRemindUv.exe" [2007-05-22 10:49]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 16:48]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 16:44]
"RAM Idle Professional"="C:\Program Files\RAM Idle LE\RAM_XP.exe" []
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2007-08-12 10:02]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2005-12-24 21:43:27]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-02 04:29:26]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2006-04-01 21:43:14]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys
R2 MSSQL$SOSHOME;MSSQL$SOSHOME;C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME\Binn\sqlservr.exe -sSOSHOME
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys
S3 SQLAgent$SOSHOME;SQLAgent$SOSHOME;C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME\Binn\sqlagent.EXE -i SOSHOME
S3 wltwo51b;2Wire Wireless USB adapter Driver;C:\WINDOWS\system32\DRIVERS\wltwo51b.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-04 05:54:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Steven.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEh/task:
"2007-12-11 06:27:37 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-14 07:39:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-14 7:40:56
C:\ComboFix2.txt ... 2007-12-13 15:01
.
2007-12-13 06:39:44 --- E O F ---

LIZBOZ
2007-12-15, 01:21
Eset log

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2723 (20071214)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=2d85de57f8b80445a9134011ef8372b3
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2007-12-14 05:09:43
# local_time=2007-12-14 10:09:43 (-0700, Mountain Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=430763
# found=11
# scan_time=6749
C:\qoobox\Quarantine\C\WINDOWS\system32\awismgra.exe.vir Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\system32\cqrtdhef.dll.vir Win32/BHO.G trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\system32\pnuytrhi.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\system32\rjpgcqav.exe.vir Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
E:\WINDOWS\Desktop\crystaldream.exe multiple infiltrations (deleted) 00000000000000000000000000000000
E:\WINDOWS\Desktop\crystaldream.exe »WISE »msbb.exe Win32/Adware.180Solutions application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
E:\WINDOWS\Desktop\crystaldream.exe »WISE »aaaP026.exe Win32/Igetnet.A trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
E:\WINDOWS\Temporary Internet Files\Content.IE5\SHAFG1MZ\stc[1].htm HTML/Exploit.ObjCode trojan (unable to clean - deleted) 00000000000000000000000000000000
E:\System Volume Information\_restore{26CD2BFF-47B6-4AEB-9197-1C8FC9604755}\RP14\A0003313.exe multiple infiltrations (deleted) 00000000000000000000000000000000
E:\System Volume Information\_restore{26CD2BFF-47B6-4AEB-9197-1C8FC9604755}\RP14\A0003313.exe »WISE »msbb.exe Win32/Adware.180Solutions application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
E:\System Volume Information\_restore{26CD2BFF-47B6-4AEB-9197-1C8FC9604755}\RP14\A0003313.exe »WISE »aaaP026.exe Win32/Igetnet.A trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000



and combofix

ComboFix 07-12-12.3 - user 2007-12-14 7:34:31.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.108 [GMT -7:00]Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\kinotdpr.ini
C:\WINDOWS\system32\lcdgksdm.ini
C:\WINDOWS\system32\luupbppu.ini
C:\WINDOWS\system32\qjxxeoth.ini
C:\WINDOWS\system32\tmogtwiu.ini
C:\WINDOWS\system32\tsfayaug.ini
C:\WINDOWS\system32\vfpbtpax.ini
C:\WINDOWS\system32\wbjwtaxc.ini
C:\WINDOWS\system32\xtqwrecu.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\kinotdpr.ini
C:\WINDOWS\system32\lcdgksdm.ini
C:\WINDOWS\system32\luupbppu.ini
C:\WINDOWS\system32\qjxxeoth.ini
C:\WINDOWS\system32\tmogtwiu.ini
C:\WINDOWS\system32\tsfayaug.ini
C:\WINDOWS\system32\vfpbtpax.ini
C:\WINDOWS\system32\wbjwtaxc.ini
C:\WINDOWS\system32\xtqwrecu.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-14 to 2007-12-14 )))))))))))))))))))))))))))))))
.

2007-12-12 16:33 . 2007-09-24 22:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-10 21:26 . 2007-12-10 21:26 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-10 14:18 . 2007-12-10 14:18 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-10 14:18 . 2007-12-10 14:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-06 11:24 . 2007-12-06 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-05 17:44 . 2007-12-08 21:25 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-04 16:15 . 2003-11-01 15:10 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-04 16:15 . 2003-11-01 15:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-04 16:15 . 2003-11-01 15:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-12-04 10:22 . 2007-12-04 10:44 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\HouseCall 6.6
2007-12-03 20:55 . 2007-12-03 21:07 <DIR> d-------- C:\Documents and Settings\Steven\.housecall6.6
2007-12-03 20:34 . 2007-12-03 20:34 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\Upromise__RemindU
2007-12-02 20:46 . 2007-12-03 20:56 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-02 20:44 . 2007-12-03 20:13 <DIR> d-------- C:\Documents and Settings\user\.housecall6.6
2007-12-02 14:14 . 2007-12-04 16:21 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\Upromise__RemindU
2007-12-02 14:12 . 2003-11-01 15:10 <DIR> d-------- C:\Documents and Settings\Steven\WINDOWS
2007-12-02 14:12 . 2003-11-01 15:19 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\Symantec
2007-12-02 14:12 . 2003-11-01 15:00 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\InterTrust

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-13 17:41 --------- d-----w C:\Documents and Settings\user\Application Data\Upromise__RemindU
2007-12-13 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-13 00:10 --------- d-----w C:\Program Files\Microsoft Works
2007-12-12 23:37 --------- d-----w C:\Program Files\Java
2007-12-12 19:05 --------- d-----w C:\Documents and Settings\user\Application Data\WeatherBug
2007-12-09 02:23 --------- d-----w C:\Documents and Settings\user\Application Data\MSN6
2007-12-04 06:20 --------- d-----w C:\Program Files\Image-Line
2007-12-04 03:35 --------- d-----w C:\Program Files\Upromise__RemindU
2007-11-23 05:11 --------- d-----w C:\Documents and Settings\Tina\Application Data\WeatherBug
2007-11-22 17:08 --------- d-----w C:\Documents and Settings\Tina\Application Data\Upromise__RemindU
2007-11-13 10:25 20,480 ----a-r C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-05 07:49 --------- d-----w C:\Program Files\Lavasoft
2007-11-05 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-05 06:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 00:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-25 17:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-19 02:54 --------- d-----w C:\Program Files\DivX
2007-02-15 18:12 76,576 ----a-w C:\Program Files\Uninstall.exe
2006-05-10 23:52 4,942,418 ----a-w C:\Program Files\Start.wrs
2006-05-10 23:52 1,396,736 ----a-w C:\Program Files\StartTAF.exe
2006-05-10 21:56 174,141 ----a-w C:\Program Files\acknex.wdf
2006-05-10 20:55 2,772 ----a-w C:\Program Files\ServerInstructions.txt
2005-10-12 21:31 69,632 ----a-w C:\Program Files\TimezAttackFree.exe
2005-06-13 22:24 1,218 ----a-w C:\Documents and Settings\user\POOLOPT.DAT
2005-05-28 03:22 41 ----a-w C:\Program Files\GoToMicrosoft.bat
2005-05-26 19:59 25,214 ----a-w C:\Program Files\ScratchHead.ico
2005-05-21 14:28 768 ----a-w C:\Program Files\PALETTE.RAW
2005-04-19 20:25 1,218 ----a-w C:\Documents and Settings\Tina\POOLOPT.DAT
2004-10-04 21:58 30 ----a-w C:\Program Files\GoToWebsite.bat
2004-03-31 19:50 45,056 ----a-w C:\Program Files\buynow.dll
2004-02-23 00:19 364,544 ----a-w C:\Program Files\newton.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 13:00]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [2006-04-07 15:02]
"Freebie Notes"="C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe" [2006-05-23 21:05]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 10:05]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 14:57]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2007-08-12 10:02]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-11-10 14:30]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 02:50 C:\WINDOWS\LOGI_MWX.EXE]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2005-11-18 23:33]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 21:36]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 09:16]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 09:34]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-26 11:04]
"uprom"="C:\Program Files\Upromise__RemindU\UpromiseRemindUv.exe" [2007-05-22 10:49]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 16:48]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 16:44]
"RAM Idle Professional"="C:\Program Files\RAM Idle LE\RAM_XP.exe" []
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2007-08-12 10:02]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2005-12-24 21:43:27]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-02 04:29:26]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2006-04-01 21:43:14]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys
R2 MSSQL$SOSHOME;MSSQL$SOSHOME;C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME\Binn\sqlservr.exe -sSOSHOME
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys
S3 SQLAgent$SOSHOME;SQLAgent$SOSHOME;C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME\Binn\sqlagent.EXE -i SOSHOME
S3 wltwo51b;2Wire Wireless USB adapter Driver;C:\WINDOWS\system32\DRIVERS\wltwo51b.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-04 05:54:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Steven.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEh/task:
"2007-12-11 06:27:37 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-14 07:39:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-14 7:40:56
C:\ComboFix2.txt ... 2007-12-13 15:01
.
2007-12-13 06:39:44 --- E O F ---

LIZBOZ
2007-12-15, 01:24
and a new HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:59 PM, on 12/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Upromise__RemindU\UpromiseRemindUv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Upromise__RemindU\up.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\HijackThis\LIZBOZ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.safer-networking.org/en/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcy/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\Program Files\SOS\Search.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
N4 - Mozilla: # Mozilla User Preferences
// This is a generated file!

user_pref("browser.download.dir", "C:\\Program Files\\Netscape\\Netscape 6");
user_pref("browser.history.last_page_visited", "http://browser.netscape.com/ns8/download/default.jsp");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage_override.mstone", "rv:0.9.4");
user_pref("intl.charsetmenu.browser.cache", "UTF-8, windows-1252");
user_pref("prefs.converted-to-utf8", true);
user_pref("signon.SignonFileName", "29496165.s");
user_pref("timebomb.first_launch_time", "1129495318390000");
user_pref("wallet.SchemaValueFileName", "29500332.w");
user_pref("browser.helperApps.neverAsk.openFile", "application%2Fx-java-jnlp-file");
(C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\default\5iefumof.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [uprom] "C:\Program Files\Upromise__RemindU\UpromiseRemindUv.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Freebie Notes] "C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - ?p=ZNxmk572INUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: RemindU - file://C:\Documents and Settings\user\Application Data\Upromise__RemindU\uprot\uproC5.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: RemindU - {B48798CE-A2E0-4918-BC00-0F72FBA708E2} - file://C:\Documents and Settings\user\Application Data\Upromise__RemindU\uprot\uproC5.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156607090218
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 14692 bytes





haven't noticed the popups last 2 days !
sometimes the if the computer gets restarted, the background comes up but the desktop never loads

thank you, again!

LIZBOZ
2007-12-15, 03:41
sorry, :sad: I just noticed that the eset log posted twice, the first time I thought it didn't go through because it had me log in to the forum when I hit submit

Blade81
2007-12-15, 16:04
Hi

Delete c:\qoobox & c:\combofix folders (if found) and Combofix.exe on your desktop.


Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis




UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Download SpywareBlaster
Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
kill bits
in the registry, so that certain activex controls can't install.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)

Download iespyad
It puts many bad webpages on your restricted zones list. This means that you can still view the
bad
webpages, but the webpages cannot do certain things (such as use javascripts and cookies).
If you need help understanding how it works, there is a tutorial here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
Download it here (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe)

hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
See here (http://www.freebyte.com/antivirus/#firewalls) to choose one unless Norton has a firewall.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:

LIZBOZ
2007-12-15, 17:20
Thank you ever soooo much for all of your help!! You are the best:crowned: I deleted the c:\qoobox and the Combofix.exe on the desktop, but when I tried to delete the c:\combofix folder I got this message
"Cannot delete Combofix: It is being used by another person or program. Close any programs that might be using the file and try again."

Blade81
2007-12-15, 17:38
You're welcome :santa:

Try deleting the folder in safe mode (press F8 before Windows' loading screen and select safe mode).

Blade81
2007-12-17, 17:35
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.