PDA

View Full Version : Problems with yahoo_._com.



joselepiu
2008-02-10, 02:34
Hi I’m trying to get help to fix my comp. I’m trying to do it the right way. If I’m doing something wrong please forgive me and advice as how to do it, the right way, thanks. The problem that I have it’s that every time that I try to open yahoo_._com my comp freezes and I have to turn it off manually. I found some posts with similar problems, but they say not to try to fix other comps with the fixes that they provide, since every comp has different configurations and profiles.
Here is the log of the Kaspersky Online after I scanned my comp.
Thanks.

Kaspersky Online ScannerWelcome to the Kaspersky Online Scanner! Use it to
scan your PC for viruses and other malware for free
Warning: if you have installed Kaspersky Online Scanner Pro, please
manually uninstall it using "Add/Remove Programs" before installing this
version! Otherwise this version will not function correctly.

Benefits:


Kaspersky Anti-Virus exceptional detection rates and thorough scanning
Hourly AV database updates available each time the Online Scanner is
launched
Heuristic analysis to detect unknown viruses
Simple installation (just click on a link)

Requirements and limitations:


When using this service for the first time, you have to run with
Administrator privileges in order to install the product. Also, you will
need to download and install files about 400 KB in size followed by 9 MB
of virus definitions.
However, if you use the Online Scanner again, you will only need to
download the files that have been updated since your last scan.
The Online Scanner service offered by Kaspersky Lab uses Microsoft ActiveX
technology. Microsoft ActiveX Technology and the Kaspersky Online Scanner
work only with MS Internet Explorer 6.0 or higher.
We cannot guarantee that the Online Scanner will function correctly if you
are using any other browser or any Internet Explorer extensions (such as
AvantBrowser). If you use a different browser, you can use the Kaspersky
File Scanner to scan individual files.
The free Kaspersky Online Scanner does not scan boot sectors and MBRs, so
it cannot detect malicious code located in these areas.
Please note: The free Kaspersky Online Scanner does not protect against
malicious code, and cannot prevent future infections. It only detects
malware that has already penetrated your computer. We strongly recommend
that you install a full antivirus solution to protect your system.

Privacy statement:

The Kaspersky Online Scanner will collect information about the malicious
programs found on your computer during the scanning process. The
information will be sent to the Kaspersky Virus Lab for statistical
purposes. No personal information about you or specific information about
your system will be collected or transmitted to Kaspersky Lab.





Protect your PC from future infection.
BUY KASPERSKY ANTI-VIRUS NOW





Select: All, None, Suspicious Selected objects: 0




Scan settings:
Here you can configure the scanning process.

Scan using the following antivirus database:
standard - detect viruses, worms, Trojans,
rootkits
extended - protect your computer from Spyware,
adware, dialers and potentially dangerous
software such as remote access utilities, prank
programs and jokes. We do not recommend this
option to beginners or inexperienced users.

Scan options:
Scan Archives - scan files inside archives
Note: affects all targets except 'A
File...' scan target.
Scan Mail Bases - scan e-mails/attachments
inside mail base files
Note: affects all targets except 'My
Email' and 'A File...' scan targets.







Initialize Kaspersky Online Scanner
(downloading and installing Kaspersky Online
Scanner ActiveX from the server into your
computer)





Update Kaspersky Anti-Virus Databases [100%]:
(downloading and installing the latest Kaspersky
Anti-Virus Databases)





Please wait to update the virus definitions...
Downloading from url:
http://dnl-us6.kaspersky-labs.com
Downloading remote file: master.xml
Downloading remote file: kavset.xml
Downloading remote file: dailyc.avc
Downloading from url:
http://dnl-us8.kaspersky-labs.com
Downloading remote file: master.xml
Downloading remote file: dailyc.avc
Downloading remote file: daily-ec.avc
Downloading remote file: avp.klb
Update finished. Ready to scan.
Next
Please select a target to scan:
You can configure the scanning process by
pressing "Scan Settings" button.



Critical Areas
scan critical areas of your hard disks
specified in %windir% and %tmp% system variables
Memory
scan disk modules of running processes
My Computer
scan all your hard and mapped disks
My Email
scan all your hard and mapped disks only for the
following extensions: *.PST; *.MSG; *.OST;
*.MDB; *.DBX; *.EML; *.MBS
Folders...
scan selected folders
A File...
scan a one file





Warning: The Kaspersky Online Scanner may not
run successfully while any other Anti-Virus
software is running. If you have Anti-Virus
software installed, please disable your AV
protection before running the Kaspersky Online
Scanner.
Scan complete.
No malware has been detected. The sections that
have been scanned are CLEAN.



Report is empty.
Please note: The free Kaspersky Online Scanner
does not provide comprehensive protection and
cannot prevent future infections. It only
detects malware that has already penetrated your
storage devices. We strongly recommend that you
use a fully-functional antivirus solution to
protect your computer at all times.

Please wait, this process may take a long time
depending on the selected target. If you want to
continue browsing, open a new window.

Scan Progress [99%]:







Total number of scanned objects:37461
Number of viruses found:0
Number of infected objects:0
Number of suspicious objects:0
Duration of the scan process:02:16:01
New Scan








Get a Free Trial


Buy Kaspersky Anti-Virus


Help


Virus Encyclopedia


Kaspersky Lab






Product Info
You have Kaspersky Online Scanner version 5.0.98.0
installed. The current anti-virus database was
released on Saturday, February 09, 2008 and
contains 555870 records.

System Info
Operating System: Microsoft Windows XP
Professional, Service Pack 2 (Build 2600)Please
wait while the Kaspersky Online Scanner is
initializing and updating...








Copyright (C) Kaspersky Lab 1997 - 2007
Portions Copyright (C) Lan Crypto

little eagle
2008-02-15, 14:42
4) HiJackThis log - Trend Micro HijackThis 2.0.2
Click here to download HJTInstall.exe (http://nutnworks.com/downloads/HJTInstall.exe)

* Save HJTInstall.exe to your desktop.
* Doubleclick on the HJTInstall.exe icon on your desktop.
* By default it will install to C:\Program Files\Trend Micro\HijackThis .
* Click on Install.
* It will create a HijackThis icon on the desktop.
* Once installed, it will launch Hijackthis.
* Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
* Click on "Edit > Select All" then click on "Edit > Copy" and Paste the entire contents of the log (no attachments) into your (Click --> ) own new topic

* DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
* DO NOT have Hijackthis fix anything yet. Most of what HJT lists will be harmless or even required by your Operating System, a helper will guide you.

joselepiu
2008-02-16, 01:59
Ok, her we again. Last time I thought that I follow the correct procedure.

Here is a link to my previous post. The problem is still the same only this time it getting worse since there is more sites that freeze my computer.

http://forums.spybot.info/showthread.php?t=24059


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, February 15, 2008 4:43:30 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/02/2008
Kaspersky Anti-Virus database records: 567998
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 39843
Number of viruses found: 2
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 02:09:44

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\idb\SNMaster.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\idb\uncletthhoomas\MyDB.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\idb\uncletthhoomas\toolbar.lst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\organize\CACHE\uncletthhoom00 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\organize\uncletthhoomas Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\organize\uncletthhoomas.abi Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\organize\uncletthhoomas.aby Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\ncoc Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\Apps.Lst Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\art.idx Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\sap.dat Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\spool.lst Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\sysnews.lst Object is locked skipped
C:\Documents and Settings\Family\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Family\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Family\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Family\Local Settings\History\History.IE5\MSHist012008021520080216\index.dat Object is locked skipped
C:\Documents and Settings\Family\Local Settings\Temp\tem4C.tmp.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.jb skipped
C:\Documents and Settings\Family\Local Settings\Temp\tem4C.tmp.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Family\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Family\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Family\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\PlayMP3z\PlayMP3.exe Infected: not-a-virus:AdWare.Win32.Agent.jb skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010006.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{AD4D9314-0530-458A-81FC-3E5CE37D0C37}\RP28\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:01 PM, on 2/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG7\avgupsvc.exe
C:\PROGRA~1\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\Common Files\AOL\1201572665\ee\aolsoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=sns.webmail.aol.com&lang=en&locale=us&authLev=2&siteState=ver%3a3%7cac%3aWS%7cat%3aSNS%7cld%3awebmail.aol.com%7cuv%3aAOL%7clc%3aen-us%7cmt%3aAOL%7csnt%3aScreenName&seamless=novl
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\FLV Downloader\MoyeaCth.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1201572665\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/PiratePoppers.1.0.0.39.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1431BA40-1483-4AB1-9EA8-790E9133ADE8}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{1431BA40-1483-4AB1-9EA8-790E9133ADE8}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe

--
End of file - 7040 bytes

tashi
2008-02-16, 10:04
Ok, her we again. Last time I thought that I follow the correct procedure.

Here is a link to my previous post. The problem is still the same only this time it getting worse since there is more sites that freeze my computer.

Merged two topics, please post all replies to this one, thank you. ;)

little eagle
2008-02-16, 14:44
We will need to disable TeaTimer
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

Leave it disabled until we are done,

------------------------------------

Download and run - ATF Cleaner instructions here. (http://forums.security-central.us/showthread.php?t=1925)

----------------------------------

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Click on Fix Checked when finished and exit HijackThis.

----------------------------------

Download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

joselepiu
2008-02-16, 20:36
Thanks for your prompt. I'll try that.

joselepiu
2008-02-16, 21:00
Thanks for your prompt answer. I'll try that.

joselepiu
2008-02-17, 09:13
Ok, I opened Spybot-S&D and uncheck the "Resident TeaTimer" box then I restarted my comp when it was on I opened Spybot-S&D again just to check if the "Resident TeaTimer" box was unchecked and it was not, so I unchecked it again and also the "SD Helper" box and restarted.

So I opened Spybot-S&D again to re-check if the "Resident TeaTimer" and the "SD Helper" boxes were unchecked and they were. So I ran ATF Cleaner selected the "select all" box and clicked on the "empty selected" box.

Open and ran HijackThis after it finished I selected the box by "O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)"
and hit the "Fix Checked" and closed it.

Open, updated I ran Malwarebytes it did not find any infected files here is the log:

Malwarebytes' Anti-Malware 1.03
Database version: 367

Scan type: Full Scan (A:\|C:\|D:\|F:\|)
Objects scanned: 57958
Time elapsed: 33 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Then I ran again HijackThis and here is that log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:05 PM, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG7\avgupsvc.exe
C:\PROGRA~1\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\AOL\1201572665\ee\AOLSoftware.exe
C:\PROGRA~1\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=sns.webmail.aol.com&lang=en&locale=us&authLev=2&siteState=ver%3a3%7cac%3aWS%7cat%3aSNS%7cld%3awebmail.aol.com%7cuv%3aAOL%7clc%3aen-us%7cmt%3aAOL%7csnt%3aScreenName&seamless=novl
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\FLV Downloader\MoyeaCth.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1201572665\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/PiratePoppers.1.0.0.39.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1431BA40-1483-4AB1-9EA8-790E9133ADE8}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{1431BA40-1483-4AB1-9EA8-790E9133ADE8}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe

--
End of file - 7203 bytes





Then run the KASPERSKY program again and as you can see it finds that my comp it si still infected, here is the log:

-----------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, February 16, 2008 9:55:53 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/02/2008
Kaspersky Anti-Virus database records: 569883
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 38567
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 02:24:22

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\idb\SNMaster.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\idb\uncletthhoomas\MyDB.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\idb\uncletthhoomas\toolbar.lst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\organize\CACHE\uncletthhoom00 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\organize\uncletthhoomas Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\organize\uncletthhoomas.abi Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\organize\uncletthhoomas.aby Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\ncoc Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\Apps.Lst Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\art.idx Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\sap.dat Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\spool.lst Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\sysnews.lst Object is locked skipped
C:\Documents and Settings\Family\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Family\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Family\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Family\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Family\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Family\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010004.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{AD4D9314-0530-458A-81FC-3E5CE37D0C37}\RP28\A0009056.exe Infected: not-a-virus:AdWare.Win32.Agent.jb skipped
C:\System Volume Information\_restore{AD4D9314-0530-458A-81FC-3E5CE37D0C37}\RP28\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{AD4D9314-0530-458A-81FC-3E5CE37D0C37}\RP28\change.log Object is locked skipped

Scan process completed.


So now what is next? Any advice?
Thanks.

little eagle
2008-02-17, 15:45
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.


1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re enable the protection again afterwards before connecting to the net



2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.

IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.


3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.

joselepiu
2008-02-17, 20:00
If yours is not listed and you don't know how to disable it, please ask.

Can you tell me how to turn off "script blocking ".
Please.

little eagle
2008-02-18, 01:53
Can you tell me how to turn off "script blocking ".
Please.For which program?


We will need to disable TeaTimer
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

joselepiu
2008-02-18, 04:07
For which program?
We will need to disable TeaTimer
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.



1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.

For the one that you mention after the anti-virus, I know how to turn off the other ones.
Thanks.

And just a question, would it be better to do it on safe mode?

little eagle
2008-02-18, 04:11
And just a question, would it be better to do it on safe mode?
No :cool:

joselepiu
2008-02-18, 04:32
So how do I turn off "script blocking ".

little eagle
2008-02-18, 04:34
Just disable your AV.

joselepiu
2008-02-18, 04:39
So I'm gonna disable AV anti-virus, Tea Timer and windows fire-wall. Thanks.

little eagle
2008-02-18, 04:43
Post back when done :santa:

joselepiu
2008-02-19, 21:31
Ok, I'm done with the combo fix.


Please advice next step.
Thanks.

Here is the combofix log and the new hijackthis log:

ComboFix 08-02-20.1 - Family 2008-02-20 11:53:42.2 - NTFSx86
Running from: C:\Documents and Settings\Family\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-16 12:36 . 2008-02-16 12:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-16 12:36 . 2008-02-16 12:36 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Malwarebytes
2008-02-16 12:36 . 2008-02-16 12:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-14 00:53 . 2008-02-15 18:59 <DIR> d-------- C:\Documents and Settings\Family\Contacts
2008-02-14 00:37 . 2008-02-14 00:37 268 --ah----- C:\sqmdata00.sqm
2008-02-14 00:37 . 2008-02-14 00:37 244 --ah----- C:\sqmnoopt00.sqm
2008-02-14 00:24 . 2008-02-14 00:24 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-14 00:23 . 2008-02-14 00:24 <DIR> d-------- C:\Program Files\MSN Messenger
2008-02-13 23:55 . 2008-02-13 23:55 <DIR> d-------- C:\Documents and Settings\Family\Application Data\PlayFirst
2008-02-13 23:04 . 2008-02-13 23:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GameHouse
2008-02-12 23:19 . 2008-02-12 23:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pixelStorm
2008-02-12 22:58 . 2008-02-12 22:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2008-02-09 01:50 . 2008-02-09 01:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-09 01:49 . 2008-02-09 01:49 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-08 23:28 . 2008-02-08 23:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-08 18:52 . 2008-02-08 18:52 <DIR> d-------- C:\Program Files\Windows Live
2008-02-08 18:52 . 2008-02-08 19:12 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-08 18:51 . 2008-02-08 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-06 02:27 . 2008-02-06 12:55 <DIR> d-------- C:\Documents and Settings\Family\Application Data\LimeWire
2008-02-06 00:49 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-06 00:46 . 2008-02-06 00:49 <DIR> d-------- C:\Program Files\Java
2008-02-06 00:06 . 2008-02-06 00:06 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-05 23:00 . 2008-02-05 23:46 <DIR> d-------- C:\Program Files\LimeWire 4.16.4
2008-02-05 17:35 . 2008-02-05 17:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-05 17:35 . 2008-02-05 18:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-04 18:41 . 2008-02-04 18:41 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Sonic
2008-02-04 18:09 . 2008-02-04 18:09 <DIR> d-------- C:\Program Files\RecordNow!
2008-02-04 18:05 . 2008-02-04 18:05 <DIR> d-------- C:\Documents and Settings\Family\Application Data\CyberLink
2008-02-04 18:02 . 2008-02-04 18:02 <DIR> d-------- C:\Program Files\CyberLink
2008-02-04 18:02 . 2008-02-04 18:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-04 18:01 . 2008-02-04 18:02 <DIR> d-------- C:\Program Files\PowerDVD
2008-02-04 17:53 . 2008-02-04 17:53 <DIR> d-------- C:\Program Files\MUSICMATCH Update
2008-02-04 17:53 . 2008-02-04 17:54 28,276 --a------ C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-02-04 17:51 . 2008-02-07 17:41 <DIR> d-------- C:\Program Files\MUSICMATCH Jukebox
2008-02-04 17:42 . 2008-02-04 17:43 <DIR> d-------- C:\Program Files\MediaFACE
2008-02-04 17:36 . 2008-02-04 17:36 <DIR> d-------- C:\Documents and Settings\Family\Application Data\DivX
2008-02-04 17:25 . 1999-04-23 21:22 26,768 --a------ C:\WINDOWS\system\ctl3d.dll
2008-02-04 17:22 . 2008-02-04 17:25 <DIR> d-------- C:\WINDOWS\MVUNINST
2008-02-04 17:22 . 2008-02-04 17:22 <DIR> d-------- C:\Program Files\Printscape
2008-02-04 16:57 . 2008-02-04 16:57 <DIR> d-------- C:\Program Files\DivX
2008-02-04 16:21 . 2008-02-04 16:22 <DIR> d-------- C:\Program Files\DivX 4 Windows
2008-02-04 16:21 . 2007-12-04 11:38 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2008-02-04 16:21 . 2007-12-04 11:38 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2008-02-04 16:14 . 2008-02-04 16:14 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Apple Computer
2008-02-04 16:13 . 2008-02-04 16:13 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-02-04 16:13 . 2008-02-04 16:13 <DIR> d-------- C:\Program Files\QuickTime
2008-02-04 16:13 . 2008-02-04 16:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2008-02-04 16:13 . 1999-11-10 12:05 86,016 --a------ C:\WINDOWS\unvise32qt.exe
2008-02-04 16:12 . 2008-02-04 16:12 <DIR> d-------- C:\Program Files\iTunes
2008-02-04 16:12 . 2008-02-04 16:12 <DIR> d-------- C:\Program Files\iPod
2008-02-04 16:12 . 2008-02-04 16:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-04 16:11 . 2008-02-04 16:11 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-04 16:09 . 2008-02-04 16:10 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Vso
2008-02-04 15:38 . 2008-02-04 15:41 <DIR> d-------- C:\Program Files\Winamp 5 52
2008-02-04 15:38 . 2008-02-04 15:49 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Winamp 5 52
2008-02-04 15:31 . 2008-02-04 15:36 <DIR> d-------- C:\Program Files\RipIt 4 Me
2008-02-04 15:31 . 2008-02-04 15:33 <DIR> d-------- C:\Documents and Settings\Family\Application Data\RipIt4Me
2008-02-04 15:27 . 2008-02-04 15:31 <DIR> d-------- C:\Program Files\FLV Downloader
2008-02-04 15:27 . 2008-02-04 15:27 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Moyea
2008-02-04 14:51 . 2008-02-04 15:32 <DIR> d-------- C:\Program Files\DVDFab HD Decrypter 4
2008-02-04 14:50 . 2008-02-04 14:50 <DIR> d-------- C:\Program Files\DVDFab FreeDVD
2008-02-04 14:49 . 2008-02-04 14:49 <DIR> d-------- C:\Program Files\FixVTS
2008-02-04 14:45 . 2008-02-04 14:45 <DIR> d-------- C:\Program Files\DVD Shrink
2008-02-04 14:45 . 2008-02-07 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-04 14:42 . 2008-02-04 14:42 <DIR> d-------- C:\Program Files\CCleaner 2 03
2008-02-04 14:07 . 2008-02-04 14:41 <DIR> d-------- C:\Downloads
2008-02-04 14:07 . 2008-02-04 14:07 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-02-04 14:06 . 2008-02-04 14:41 <DIR> d-------- C:\Program Files\BitComet 0 98
2008-02-04 14:01 . 2008-02-04 14:01 <DIR> d-------- C:\Program Files\Belarc
2008-02-04 14:01 . 2005-04-07 16:18 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
2008-02-04 13:54 . 2008-02-04 13:55 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-04 13:54 . 2008-02-04 13:54 <DIR> d-------- C:\Program Files\Adobe Reader 8.0
2008-01-30 17:09 . 2008-01-30 17:09 <DIR> d-------- C:\Documents and Settings\Family\Application Data\COWON
2008-01-30 17:07 . 2008-01-30 17:07 <DIR> d-------- C:\Program Files\Common Files\COWON
2008-01-30 17:06 . 2008-02-04 18:02 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-01-30 17:05 . 2008-02-04 08:18 <DIR> d-------- C:\Program Files\Jet Audio
2008-01-30 17:03 . 2008-02-04 17:49 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-01-30 07:36 . 2008-01-30 08:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-29 15:22 . 2005-06-28 09:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-29 13:08 . 2008-01-29 13:08 2,422 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-28 23:50 . 2008-02-04 07:47 <DIR> d-------- C:\Documents and Settings\Family\Application Data\FaxCtr
2008-01-28 23:46 . 2008-02-20 10:51 <DIR> d-------- C:\Program Files\lx_cats
2008-01-28 23:45 . 2007-02-22 15:31 344,064 --a------ C:\WINDOWS\system32\lxcycoin.dll
2008-01-28 23:45 . 2006-03-23 01:33 40,960 --a------ C:\WINDOWS\system32\lxcyvs.dll
2008-01-28 23:44 . 2006-08-08 12:58 692,224 --a------ C:\WINDOWS\system32\lxcydrs.dll
2008-01-28 23:44 . 2001-08-17 22:36 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2008-01-28 23:44 . 2001-08-17 22:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2008-01-28 23:44 . 2006-08-14 14:07 65,536 --a------ C:\WINDOWS\system32\lxcycaps.dll
2008-01-28 23:44 . 2006-01-25 15:11 61,440 --a------ C:\WINDOWS\system32\lxcycnv4.dll
2008-01-28 23:44 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-28 23:44 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-28 23:43 . 2006-04-28 02:16 339,968 --a------ C:\WINDOWS\system32\IMGMAN32.DLL
2008-01-28 23:43 . 2006-04-28 02:16 98,345 --a------ C:\WINDOWS\system32\IMHOST32.DLL
2008-01-28 23:43 . 2006-04-28 02:16 98,304 --a------ C:\WINDOWS\system32\IM31XPNG.DEL
2008-01-28 23:43 . 2006-04-28 02:16 69,632 --a------ C:\WINDOWS\system32\IM31XTIF.DEL
2008-01-28 23:43 . 2006-04-28 02:16 49,152 --a------ C:\WINDOWS\system32\IM31IMG.DIL
2008-01-28 23:43 . 2006-11-22 06:51 45,056 --a------ C:\WINDOWS\system32\LXPRMON.DLL
2008-01-28 23:43 . 2006-11-22 06:50 32,768 --a------ C:\WINDOWS\system32\LXPMONUI.DLL
2008-01-28 23:43 . 2006-11-22 07:08 12,288 --a------ C:\WINDOWS\system32\LXPMONRC.DLL
2008-01-28 23:42 . 2008-01-28 23:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FaxCtr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 23:59 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-04 18:38 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-12-04 18:38 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-12-04 18:38 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-12-04 18:36 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 18:36 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 18:36 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-04 18:36 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 18:36 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-04 18:36 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-04 18:36 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-04 18:36 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-04 18:36 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-04 18:36 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-04 18:36 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-04 18:36 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-04 18:35 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-04 18:35 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.

------- Sigcheck -------

"C:\WINDOWS\system32\svchost.exe"
----a-w 14,336 2006-02-28 12:00:00 C:\WINDOWS\system32\svchost.exe
-c--a-w 14,336 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\svchost.exe

"C:\WINDOWS\system32\ws2_32.dll"
----a-w 82,944 2006-02-28 12:00:00 C:\WINDOWS\system32\ws2_32.dll
-c--a-w 82,944 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\ws2_32.dll

"C:\WINDOWS\system32\wininet.dll"
----a-w 656,384 2006-02-28 12:00:00 C:\WINDOWS\system32\wininet.dll
-c--a-w 656,384 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wininet.dll

"C:\WINDOWS\system32\drivers\tcpip.sys"
----a-w 360,832 2007-10-30 16:53:32 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
-c----w 359,040 2006-02-28 12:00:00 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
-c--a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\dllcache\tcpip.sys
----a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\drivers\tcpip.sys

"C:\WINDOWS\system32\winlogon.exe"
----a-w 502,272 2006-02-28 12:00:00 C:\WINDOWS\system32\winlogon.exe
-c--a-w 502,272 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\winlogon.exe

"C:\WINDOWS\system32\drivers\ndis.sys"
-c--a-w 182,912 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\ndis.sys
----a-w 182,912 2006-02-28 12:00:00 C:\WINDOWS\system32\drivers\ndis.sys

"C:\WINDOWS\system32\drivers\ip6fw.sys"
-c--a-w 29,056 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\ip6fw.sys
----a-w 29,056 2006-02-28 12:00:00 C:\WINDOWS\system32\drivers\ip6fw.sys

"C:\WINDOWS\system32\ntkrnlpa.exe"
----a-w 2,059,392 2007-02-28 09:15:56 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
------w 2,057,600 2007-02-28 08:38:55 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
----a-w 2,056,832 2006-02-28 12:00:00 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\backup\sp2gdr\ntkrnlpa.exe
----a-w 2,056,832 2004-08-04 05:59:00 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\backup\sp2qfe\ntkrnlpa.exe
----a-w 2,056,832 2006-02-28 12:00:00 C:\WINDOWS\system32\ntkrnlpa.exe
-c----w 2,057,600 2007-02-28 08:38:55 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

"C:\WINDOWS\system32\ntoskrnl.exe"
----a-w 2,182,144 2007-02-28 09:55:14 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
------w 2,180,352 2007-02-28 09:10:57 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
----a-w 2,180,992 2006-02-28 12:00:00 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\backup\sp2gdr\ntoskrnl.exe
----a-w 2,180,992 2004-08-04 06:20:00 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\backup\sp2qfe\ntoskrnl.exe
----a-w 2,180,992 2006-02-28 12:00:00 C:\WINDOWS\system32\ntoskrnl.exe
-c----w 2,180,352 2007-02-28 09:10:57 C:\WINDOWS\system32\dllcache\ntoskrnl.exe

"C:\WINDOWS\explorer.exe"
----a-w 1,033,216 2007-06-13 10:23:07 C:\WINDOWS\explorer.exe
----a-w 1,033,216 2007-06-13 11:26:03 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
-c----w 1,032,192 2006-02-28 12:00:00 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
-c--a-w 1,033,216 2007-06-13 10:23:07 C:\WINDOWS\system32\dllcache\explorer.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00 15360]
"AOL Fast Start"="C:\Program Files\AOL 9.0\AOL.exe" [2007-04-17 23:48 50736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="C:\Program Files\Common Files\AOL\1201572665\ee\AOLSoftware.exe" [2006-09-25 17:52 50736]
"AVG7_CC"="C:\PROGRA~1\AVG7\avgcc.exe" [2008-01-28 21:05 579072]
"LXCYCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 10:27 106496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 05:00 15360]
"AVG7_Run"="C:\PROGRA~1\AVG7\avgw.exe" [2008-01-28 21:05 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
--a------ 2007-06-25 07:34 82608 C:\Program Files\Lexmark 3400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
--a------ 2007-06-25 07:35 295600 C:\Program Files\Lexmark Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcymon.exe]
--a------ 2007-06-25 07:34 291504 C:\Program Files\Lexmark 3400 Series\lxcymon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

S2 lxcy_device;lxcy_device;C:\WINDOWS\system32\lxcycoms.exe [2007-06-20 03:28]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2006-02-28 05:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2006-02-28 05:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2006-02-28 05:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2006-02-28 05:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 11:57:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-02-20 12:00:39
ComboFix2.txt 2008-02-20 17:45:07
.
2008-01-31 02:47:13 --- E O F ---


Note:The hijackthis log is too long I'll post another message to post it.

Thanks.

joselepiu
2008-02-19, 21:32
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:48 PM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=sns.webmail.aol.com&lang=en&locale=us&authLev=2&siteState=ver%3a3%7cac%3aWS%7cat%3aSNS%7cld%3awebmail.aol.com%7cuv%3aAOL%7clc%3aen-us%7cmt%3aAOL%7csnt%3aScreenName&seamless=novl
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\FLV Downloader\MoyeaCth.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1201572665\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/PiratePoppers.1.0.0.39.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe

--
End of file - 6321 bytes






Please advice next step.
Thanks.

little eagle
2008-02-19, 22:17
Lets run an F-Secure online scan.
Click HERE (http://support.f-secure.com/enu/home/ols.shtml)
Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
Allow the Active X control to be installed on your computer, then click the Accept button
Click Full System Scan and allow the components to download and the scan to complete.
If malware is found, check Submit samples to F-Secure then select Automatic cleaning
When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
When the cleaning option is presented, Uncheck Submit samples to F-Secure
Click Automatic cleaning
When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

Note: This scan will only work with Internet Explorer.
You must be logged on a administrator rights to run this scan.
The scan may take a few hours.

joselepiu
2008-02-20, 22:54
Hi, I have bad news; I tried to run the F-Secure online scan 5 times and after the download process, an error message appeared every time that says "An error occurred! Please close the scanner and your browser, then try again. (Id: 24)" here is an image of it:

http://s218.photobucket.com/albums/cc145/joselepiu/th_fsecureerror.jpg .

Any idea on what to do next?

little eagle
2008-02-20, 23:00
I would like to see a copy of the img file
email it here (little_eagle@security-central.us)

Please include a link to this thread.

joselepiu
2008-02-20, 23:51
I just sent it.
Let me know what's next.
Thanks.

little eagle
2008-02-21, 04:12
Sorry I didn't get it can you resend it.

little eagle
2008-02-21, 04:42
Lets try this scan Click HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan

* You need to use IE to run this scan
* Once you are on the Panda site click the Scan your PC button
* A new window will open...click the Check Now button
* Enter your Country
* Enter your State/Province
* Enter your e-mail address and click send
* Select either Home User or Company
* Click the big Scan Now button
* If it wants to install an ActiveX component allow it
* It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
* When download is complete, click on My Computer to start the scan
* When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

joselepiu
2008-02-21, 06:15
I'll do it tonight, and let runng.
Thanks.

joselepiu
2008-02-21, 16:47
OK, I ran the Panda's ActiveScan scan overnight and here is the log for it:


Incident Status Location
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Family\Cookies\family@atwola[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Family\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Family\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
Possible Virus. Not disinfected C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.dll
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\Nircmd.exe


And I also took some screenprint images of the screen before I saved the report and here is the text that they have, if you want me to e-mail you a copy of them let me know.


Spyware:Cookie/Atwola C:\Documents and Settings\Family\Cookies]family@atwola[2].txt Not Disinfected

Potentially unwanted tool:Applcation/NirCmd.A C:\Documents and Settings\Family\Desktop\Combofix.exe[327882R2FWJFW\nircmd.com] Not Disinfected

Potentially unwanted tool:Applcation/NirCmd.A C:\Documents and Settings\Family\Desktop\Combofix.exe[327882R2FWJFW\nircmd.cfexe] Not Disinfected

Possible Virous. C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe Not Disinfected

Virus:Trj/Downloader.MDW C:\WINDOWS\Downloaded Program Files\ppcaploader.dll Disinfected

Potentially unwanted tool:Applcation/NirCmd.A C:\WINDOWS\Nircmd.exe Not Disinfected

What's the next step?
Thanks.

little eagle
2008-02-22, 00:50
Well looks Good.

Download the OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.

Press cleanup & it will search for and delete/uninstall all the tools we have used
to fix your problems and all their backup folders and then delete itself when you next reboot.

-----------------------------------------

Reboot and rescan with HiJackThis and post a new log here.
Also please describe how your computer behaves at the moment.

joselepiu
2008-02-22, 01:46
I'll do that.
Thanks.

joselepiu
2008-02-22, 02:39
Ok, I just ran... OTMoveIt. I'm sorry that I have bad news. My comp is doing the same thing. Every time that I try to open the yahoo site and some others (Aol, Netscape, etc.) my comp freezes and I have to manually turn it of and reboot. Before login in here I tried to open the yahoo site and it happen the same thing.
And run the HijackThis program and as you can see the entry that you toll me too delete is there again "O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)" again.

Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:36 PM, on 2/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG7\avgupsvc.exe
C:\PROGRA~1\AVG7\avgemc.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Common Files\AOL\1201572665\ee\AOLSoftware.exe
C:\PROGRA~1\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=sns.webmail.aol.com&lang=en&locale=us&authLev=2&siteState=ver%3a3%7cac%3aWS%7cat%3aSNS%7cld%3awebmail.aol.com%7cuv%3aAOL%7clc%3aen-us%7cmt%3aAOL%7csnt%3aScreenName&seamless=novl
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\FLV Downloader\MoyeaCth.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1201572665\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/PiratePoppers.1.0.0.39.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe

--
End of file - 7116 bytes


Waiting for more ideas. Thanks.

little eagle
2008-02-22, 03:40
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.

IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.


Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.

joselepiu
2008-02-22, 07:20
Ok, I already did that. But I'll do it again. I'll download it and let it run overnight.
And let's see what happens.
Thanks.

joselepiu
2008-02-22, 16:30
Here the logs:

Note the log are too long I 'll post them in two parts.


ComboFix 08-02-22.2 - Family 2008-02-23 1:39:49.3 - NTFSx86
Running from: C:\Documents and Settings\Family\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
.

2008-02-22 00:22 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-21 21:49 . 2008-02-22 01:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-21 21:49 . 2008-02-21 21:49 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-21 21:49 . 2008-02-21 21:49 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-21 21:49 . 2008-02-21 21:49 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-16 12:36 . 2008-02-16 12:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-16 12:36 . 2008-02-16 12:36 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Malwarebytes
2008-02-16 12:36 . 2008-02-16 12:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-14 00:53 . 2008-02-22 15:31 <DIR> d-------- C:\Documents and Settings\Family\Contacts
2008-02-14 00:37 . 2008-02-14 00:37 268 --ah----- C:\sqmdata00.sqm
2008-02-14 00:37 . 2008-02-14 00:37 244 --ah----- C:\sqmnoopt00.sqm
2008-02-14 00:24 . 2008-02-14 00:24 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-14 00:23 . 2008-02-14 00:24 <DIR> d-------- C:\Program Files\MSN Messenger
2008-02-13 23:55 . 2008-02-13 23:55 <DIR> d-------- C:\Documents and Settings\Family\Application Data\PlayFirst
2008-02-13 23:04 . 2008-02-13 23:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GameHouse
2008-02-12 23:19 . 2008-02-12 23:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pixelStorm
2008-02-12 22:58 . 2008-02-12 22:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2008-02-09 01:50 . 2008-02-09 01:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-09 01:49 . 2008-02-09 01:49 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-08 23:28 . 2008-02-08 23:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-08 18:52 . 2008-02-08 18:52 <DIR> d-------- C:\Program Files\Windows Live
2008-02-08 18:52 . 2008-02-08 19:12 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-08 18:51 . 2008-02-08 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-06 02:27 . 2008-02-06 12:55 <DIR> d-------- C:\Documents and Settings\Family\Application Data\LimeWire
2008-02-06 00:49 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-06 00:46 . 2008-02-06 00:49 <DIR> d-------- C:\Program Files\Java
2008-02-06 00:06 . 2008-02-06 00:06 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-05 23:00 . 2008-02-05 23:46 <DIR> d-------- C:\Program Files\LimeWire 4.16.4
2008-02-05 17:35 . 2008-02-22 01:07 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-05 17:35 . 2008-02-05 18:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-04 18:41 . 2008-02-04 18:41 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Sonic
2008-02-04 18:09 . 2008-02-04 18:09 <DIR> d-------- C:\Program Files\RecordNow!
2008-02-04 18:05 . 2008-02-04 18:05 <DIR> d-------- C:\Documents and Settings\Family\Application Data\CyberLink
2008-02-04 18:02 . 2008-02-04 18:02 <DIR> d-------- C:\Program Files\CyberLink
2008-02-04 18:02 . 2008-02-04 18:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-04 18:01 . 2008-02-04 18:02 <DIR> d-------- C:\Program Files\PowerDVD
2008-02-04 17:53 . 2008-02-04 17:53 <DIR> d-------- C:\Program Files\MUSICMATCH Update
2008-02-04 17:53 . 2008-02-04 17:54 28,276 --a------ C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-02-04 17:51 . 2008-02-07 17:41 <DIR> d-------- C:\Program Files\MUSICMATCH Jukebox
2008-02-04 17:42 . 2008-02-04 17:43 <DIR> d-------- C:\Program Files\MediaFACE
2008-02-04 17:36 . 2008-02-04 17:36 <DIR> d-------- C:\Documents and Settings\Family\Application Data\DivX
2008-02-04 17:25 . 1999-04-23 21:22 26,768 --a------ C:\WINDOWS\system\ctl3d.dll
2008-02-04 17:22 . 2008-02-04 17:25 <DIR> d-------- C:\WINDOWS\MVUNINST
2008-02-04 17:22 . 2008-02-04 17:22 <DIR> d-------- C:\Program Files\Printscape
2008-02-04 16:57 . 2008-02-04 16:57 <DIR> d-------- C:\Program Files\DivX
2008-02-04 16:21 . 2008-02-04 16:22 <DIR> d-------- C:\Program Files\DivX 4 Windows
2008-02-04 16:21 . 2007-12-04 11:38 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2008-02-04 16:21 . 2007-12-04 11:38 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2008-02-04 16:14 . 2008-02-04 16:14 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Apple Computer
2008-02-04 16:13 . 2008-02-04 16:13 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-02-04 16:13 . 2008-02-04 16:13 <DIR> d-------- C:\Program Files\QuickTime
2008-02-04 16:13 . 2008-02-04 16:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2008-02-04 16:13 . 1999-11-10 12:05 86,016 --a------ C:\WINDOWS\unvise32qt.exe
2008-02-04 16:12 . 2008-02-04 16:12 <DIR> d-------- C:\Program Files\iTunes
2008-02-04 16:12 . 2008-02-04 16:12 <DIR> d-------- C:\Program Files\iPod
2008-02-04 16:12 . 2008-02-04 16:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-04 16:11 . 2008-02-04 16:11 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-04 16:09 . 2008-02-04 16:10 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Vso
2008-02-04 15:38 . 2008-02-04 15:41 <DIR> d-------- C:\Program Files\Winamp 5 52
2008-02-04 15:38 . 2008-02-04 15:49 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Winamp 5 52
2008-02-04 15:31 . 2008-02-04 15:36 <DIR> d-------- C:\Program Files\RipIt 4 Me
2008-02-04 15:31 . 2008-02-04 15:33 <DIR> d-------- C:\Documents and Settings\Family\Application Data\RipIt4Me
2008-02-04 15:27 . 2008-02-22 00:53 <DIR> d-------- C:\Program Files\FLV Downloader
2008-02-04 15:27 . 2008-02-04 15:27 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Moyea
2008-02-04 14:51 . 2008-02-04 15:32 <DIR> d-------- C:\Program Files\DVDFab HD Decrypter 4
2008-02-04 14:50 . 2008-02-04 14:50 <DIR> d-------- C:\Program Files\DVDFab FreeDVD
2008-02-04 14:49 . 2008-02-04 14:49 <DIR> d-------- C:\Program Files\FixVTS
2008-02-04 14:45 . 2008-02-04 14:45 <DIR> d-------- C:\Program Files\DVD Shrink
2008-02-04 14:45 . 2008-02-07 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-04 14:42 . 2008-02-04 14:42 <DIR> d-------- C:\Program Files\CCleaner 2 03
2008-02-04 14:07 . 2008-02-04 14:41 <DIR> d-------- C:\Downloads
2008-02-04 14:07 . 2008-02-04 14:07 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-02-04 14:06 . 2008-02-04 14:41 <DIR> d-------- C:\Program Files\BitComet 0 98
2008-02-04 14:01 . 2008-02-04 14:01 <DIR> d-------- C:\Program Files\Belarc
2008-02-04 14:01 . 2005-04-07 16:18 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
2008-02-04 13:54 . 2008-02-04 13:55 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-04 13:54 . 2008-02-04 13:54 <DIR> d-------- C:\Program Files\Adobe Reader 8.0
2008-01-30 17:09 . 2008-01-30 17:09 <DIR> d-------- C:\Documents and Settings\Family\Application Data\COWON
2008-01-30 17:07 . 2008-01-30 17:07 <DIR> d-------- C:\Program Files\Common Files\COWON
2008-01-30 17:06 . 2008-02-04 18:02 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-01-30 17:05 . 2008-02-04 08:18 <DIR> d-------- C:\Program Files\Jet Audio
2008-01-30 17:03 . 2008-02-04 17:49 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-01-30 07:36 . 2008-01-30 08:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-29 15:22 . 2005-06-28 09:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-29 13:08 . 2008-01-29 13:08 2,422 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-28 23:50 . 2008-02-04 07:47 <DIR> d-------- C:\Documents and Settings\Family\Application Data\FaxCtr
2008-01-28 23:46 . 2008-02-22 19:17 <DIR> d-------- C:\Program Files\lx_cats
2008-01-28 23:45 . 2007-02-22 15:31 344,064 --a------ C:\WINDOWS\system32\lxcycoin.dll
2008-01-28 23:45 . 2006-03-23 01:33 40,960 --a------ C:\WINDOWS\system32\lxcyvs.dll
2008-01-28 23:44 . 2006-08-08 12:58 692,224 --a------ C:\WINDOWS\system32\lxcydrs.dll
2008-01-28 23:44 . 2001-08-17 22:36 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2008-01-28 23:44 . 2001-08-17 22:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2008-01-28 23:44 . 2006-08-14 14:07 65,536 --a------ C:\WINDOWS\system32\lxcycaps.dll
2008-01-28 23:44 . 2006-01-25 15:11 61,440 --a------ C:\WINDOWS\system32\lxcycnv4.dll
2008-01-28 23:44 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-28 23:44 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-28 23:43 . 2006-04-28 02:16 339,968 --a------ C:\WINDOWS\system32\IMGMAN32.DLL
2008-01-28 23:43 . 2006-04-28 02:16 98,345 --a------ C:\WINDOWS\system32\IMHOST32.DLL
2008-01-28 23:43 . 2006-04-28 02:16 98,304 --a------ C:\WINDOWS\system32\IM31XPNG.DEL
2008-01-28 23:43 . 2006-04-28 02:16 69,632 --a------ C:\WINDOWS\system32\IM31XTIF.DEL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 23:59 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-04 18:38 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-12-04 18:38 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-12-04 18:38 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-12-04 18:36 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 18:36 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 18:36 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-04 18:36 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 18:36 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-04 18:36 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-04 18:36 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-04 18:36 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-04 18:36 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-04 18:36 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-04 18:36 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-04 18:36 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-04 18:35 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-04 18:35 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.

------- Sigcheck -------

"C:\WINDOWS\system32\svchost.exe"
----a-w 14,336 2006-02-28 12:00:00 C:\WINDOWS\system32\svchost.exe
-c--a-w 14,336 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\svchost.exe

"C:\WINDOWS\system32\ws2_32.dll"
----a-w 82,944 2006-02-28 12:00:00 C:\WINDOWS\system32\ws2_32.dll
-c--a-w 82,944 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\ws2_32.dll

"C:\WINDOWS\system32\wininet.dll"
----a-w 656,384 2006-02-28 12:00:00 C:\WINDOWS\system32\wininet.dll
-c--a-w 656,384 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wininet.dll

"C:\WINDOWS\system32\drivers\tcpip.sys"
----a-w 360,832 2007-10-30 16:53:32 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
-c----w 359,040 2006-02-28 12:00:00 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
-c--a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\dllcache\tcpip.sys
----a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\drivers\tcpip.sys

"C:\WINDOWS\system32\winlogon.exe"
----a-w 502,272 2006-02-28 12:00:00 C:\WINDOWS\system32\winlogon.exe
-c--a-w 502,272 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\winlogon.exe

"C:\WINDOWS\system32\drivers\ndis.sys"
-c--a-w 182,912 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\ndis.sys
----a-w 182,912 2006-02-28 12:00:00 C:\WINDOWS\system32\drivers\ndis.sys

"C:\WINDOWS\system32\drivers\ip6fw.sys"
-c--a-w 29,056 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\ip6fw.sys
----a-w 29,056 2006-02-28 12:00:00 C:\WINDOWS\system32\drivers\ip6fw.sys

"C:\WINDOWS\system32\ntkrnlpa.exe"
----a-w 2,059,392 2007-02-28 09:15:56 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
------w 2,057,600 2007-02-28 08:38:55 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
----a-w 2,056,832 2006-02-28 12:00:00 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\backup\sp2gdr\ntkrnlpa.exe
----a-w 2,056,832 2004-08-04 05:59:00 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\backup\sp2qfe\ntkrnlpa.exe
----a-w 2,056,832 2006-02-28 12:00:00 C:\WINDOWS\system32\ntkrnlpa.exe
-c----w 2,057,600 2007-02-28 08:38:55 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

"C:\WINDOWS\system32\ntoskrnl.exe"
----a-w 2,182,144 2007-02-28 09:55:14 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
------w 2,180,352 2007-02-28 09:10:57 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
----a-w 2,180,992 2006-02-28 12:00:00 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\backup\sp2gdr\ntoskrnl.exe
----a-w 2,180,992 2004-08-04 06:20:00 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\backup\sp2qfe\ntoskrnl.exe
----a-w 2,180,992 2006-02-28 12:00:00 C:\WINDOWS\system32\ntoskrnl.exe
-c----w 2,180,352 2007-02-28 09:10:57 C:\WINDOWS\system32\dllcache\ntoskrnl.exe

"C:\WINDOWS\explorer.exe"
----a-w 1,033,216 2007-06-13 10:23:07 C:\WINDOWS\explorer.exe
----a-w 1,033,216 2007-06-13 11:26:03 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
-c----w 1,032,192 2006-02-28 12:00:00 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
-c--a-w 1,033,216 2007-06-13 10:23:07 C:\WINDOWS\system32\dllcache\explorer.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00 15360]
"AOL Fast Start"="C:\Program Files\AOL 9.0\AOL.exe" [2007-04-17 23:48 50736]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="C:\Program Files\Common Files\AOL\1201572665\ee\AOLSoftware.exe" [2006-09-25 17:52 50736]
"AVG7_CC"="C:\PROGRA~1\AVG7\avgcc.exe" [2008-01-28 21:05 579072]
"LXCYCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 10:27 106496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 05:00 15360]
"AVG7_Run"="C:\PROGRA~1\AVG7\avgw.exe" [2008-01-28 21:05 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
--a------ 2007-06-25 07:34 82608 C:\Program Files\Lexmark 3400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
--a------ 2007-06-25 07:35 295600 C:\Program Files\Lexmark Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcymon.exe]
--a------ 2007-06-25 07:34 291504 C:\Program Files\Lexmark 3400 Series\lxcymon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

R2 lxcy_device;lxcy_device;C:\WINDOWS\system32\lxcycoms.exe [2007-06-20 03:28]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2006-02-28 05:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2006-02-28 05:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2006-02-28 05:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2006-02-28 05:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 01:43:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-02-23 1:46:27
.
2008-01-31 02:47:13 --- E O F ---

joselepiu
2008-02-22, 16:33
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:45 AM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\AVG7\avgamsvr.exe
C:\PROGRA~1\AVG7\avgupsvc.exe
C:\PROGRA~1\AVG7\avgemc.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\AOL\1201572665\ee\AOLSoftware.exe
C:\PROGRA~1\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=sns.webmail.aol.com&lang=en&locale=us&authLev=2&siteState=ver%3a3%7cac%3aWS%7cat%3aSNS%7cld%3awebmail.aol.com%7cuv%3aAOL%7clc%3aen-us%7cmt%3aAOL%7csnt%3aScreenName&seamless=novl
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\FLV Downloader\MoyeaCth.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1201572665\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/PiratePoppers.1.0.0.39.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1431BA40-1483-4AB1-9EA8-790E9133ADE8}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{1431BA40-1483-4AB1-9EA8-790E9133ADE8}: NameServer = 205.188.146.145
O17 - HKLM\System\CS2\Services\Tcpip\..\{1431BA40-1483-4AB1-9EA8-790E9133ADE8}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe

--
End of file - 7622 bytes

little eagle
2008-02-23, 06:50
Sorry for the delay
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) is part of Windows Live Call HoverToCall.

We will need to disable TeaTimer of let teatimer allow the change
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

After doing this fix O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
with hijackthis.

joselepiu
2008-02-23, 12:46
I already did that, but I'll do it again.
Please advice next step.
Thanks.

little eagle
2008-02-23, 14:24
If it doesn't remove it we may need to remove spybot then delete it. But it is not spyware just a reg key that you do not need.

joselepiu
2008-02-23, 21:17
It's gone, but the last time it was gone too. And after some days (2 or 3) it reappeared again.
What should I do now.
Thanks.

little eagle
2008-02-23, 23:10
Download the OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.

Press cleanup & it will search for and delete/uninstall all the tools we have used
to fix your problems and all their backup folders and then delete itself when you next reboot.

Let me know if you have anymore trouble.

joselepiu
2008-02-23, 23:21
Ok, I'll do it. I did this also, but I'll do it again.
Thanks.

joselepiu
2008-02-27, 21:41
Ok, done that and everything it is still the same. The compu still freezes on those same sites (yahoo, aol, cnet etc.) Any knew ideas?.

little eagle
2008-02-28, 02:48
Download the HostsXpert 3.8 (http://www.funkytoad.com/download/HostsXpert.zip)- Hosts File Manager.

* Unzip HostsXpert 3.8 - Hosts File Manager to a convenient folder such as C:\HostsXpert
* Click HostsXpert.exe to Run HostsXpert 3.8 - Hosts File Manager from its new home
* Click "Make Hosts Writable?" in the upper right corner (If available).
* Click Restore Microsoft's Hosts file and then click OK.
* Click the X to exit the program.
* Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Let me know if that helps.

joselepiu
2008-02-29, 07:08
ok, I'll do that and I'll report tomorrow.
Thanks.

joselepiu
2008-02-29, 22:06
Ok, done that and everything it is still the same. The compu still freezes on those same sites (yahoo, aol, cnet etc.) Any knew ideas?.

joselepiu
2008-02-29, 22:53
I do not know if this helps, but I just discover that if I go to www.yahoo.com/games and from there to mail, the compu does not get stock. Also that if right click on the task bar on the stock page icon repeatedly about 20 times or more it start to load the pages where it freezes.

little eagle
2008-03-01, 00:46
Flush any DNS caches you have control over.
Two examples are routers that act as proxy nameservers,

The way to fix the router cache is to power cycle the router.
The way to fix XP

Click start > all programs >accessories >command prompt and type in

ipconfig /flushdns <<<there is a space between the g and /

joselepiu
2008-03-01, 01:28
I have a question do I have to be offline (not connect to the internet) or can I do it while I'm online?

joselepiu
2008-03-01, 01:35
Also do i have to restart the compu?
Thanks.

little eagle
2008-03-01, 05:23
Yes to all.

joselepiu
2008-03-02, 06:26
Flush any DNS caches you have control over.
Two examples are routers that act as proxy nameservers,

The way to fix the router cache is to power cycle the router.
The way to fix XP

Click start > all programs >accessories >command prompt and type in

ipconfig /flushdns <<<there is a space between the g and /


Nothing changed still the same problem.

:scratch: And now what?
Thanks.

little eagle
2008-03-03, 14:08
Reboot and rescan with HiJackThis and post a new log here again.

joselepiu
2008-03-03, 18:16
Here is the knew hijackthis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:23 AM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG7\avgupsvc.exe
C:\PROGRA~1\AVG7\avgemc.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG7\avgcc.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\Common Files\AOL\1201572665\ee\aolsoftware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=sns.webmail.aol.com&lang=en&locale=us&authLev=2&siteState=ver%3a3%7cac%3aWS%7cat%3aSNS%7cld%3awebmail.aol.com%7cuv%3aAOL%7clc%3aen-us%7cmt%3aAOL%7csnt%3aScreenName&seamless=novl
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\FLV Downloader\MoyeaCth.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/PiratePoppers.1.0.0.39.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/bingame/swet/default/Sweetopia.1.0.0.46.cab
O20 - AppInit_DLLs:
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe

--
End of file - 6266 bytes

little eagle
2008-03-04, 04:32
I'd like to see an Uninstall List.
Please open up HijackThis.
Click on Open the Misc Tools section button
Click on Open Uninstall Manager
Click on Save
A notepad document will open with a list of your installed programs.
Please copy that into your reply.

joselepiu
2008-03-04, 16:46
Here you have the uninstall list.

3M Printscape(tm) Products
ABBYY FineReader 6.0 Sprint
Adobe Flash Player ActiveX
Adobe Reader 8.1.1
AOL Registration
AOL Uninstaller (Choose which Products to Remove)
AVG 7.5
Belarc Advisor 7.2
BitComet 0.98
CCleaner (remove only)
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD Shrink 3.2
DVDFab HD Decrypter 4.0.5.5
Fellowes/NEATO MediaFACE
HijackThis 2.0.2
iTunes
Java(TM) 6 Update 3
Lexmark 3400 Series
Lexmark Fax Solutions
LimeWire 4.16.4
Microsoft Office Professional Edition 2003
Moyea FLV Downloader version 1.11.0.9
MUSICMATCH® Jukebox
PowerDVD
QuickTime
RipIt4Me
Security Update for Windows Media Player (KB911564)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943460)
SnoopFree Privacy Shield
Sonic RecordNow!
Spybot - Search & Destroy
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Winamp
Windows Live installer
Windows Live Messenger
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB891781
WinRAR archiver

little eagle
2008-03-06, 13:30
Sorry not seeing anything that would cause the trouble that you are describing. Is it still freezing up on you?

joselepiu
2008-03-06, 16:53
Yes it is, still freezing up on those same web sites.
Any new ideas?
Thanks.

joselepiu
2008-03-07, 02:35
Hi I just scenned my comp With the KASPERSKY ONLINE SCANNER . It says that is still infected, just in case that you want to take another look at the report here it is.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, March 06, 2008 5:19:30 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/03/2008
Kaspersky Anti-Virus database records: 605235
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 40994
Number of viruses found: 2
Number of infected objects: 11
Number of suspicious objects: 0
Duration of the scan process: 02:17:01

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\idb\SNMaster.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\idb\uncletthhoomas\MyDB.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\idb\uncletthhoomas\toolbar.lst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\organize\CACHE\uncletthhoom00 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\organize\uncletthhoomas Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\organize\uncletthhoomas.abi Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\organize\uncletthhoomas.aby Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\ncoc Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\Apps.Lst Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\art.idx Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\sap.dat Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\spool.lst Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\sysnews.lst Object is locked skipped
C:\Documents and Settings\Family\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Family\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Family\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Family\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Family\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Family\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{AD4D9314-0530-458A-81FC-3E5CE37D0C37}\RP32\A0011930.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{AD4D9314-0530-458A-81FC-3E5CE37D0C37}\RP32\A0011943.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{AD4D9314-0530-458A-81FC-3E5CE37D0C37}\RP32\A0011943.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{AD4D9314-0530-458A-81FC-3E5CE37D0C37}\RP32\A0011943.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{AD4D9314-0530-458A-81FC-3E5CE37D0C37}\RP33\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\SnopFree.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\roberto's\tools\set-up files\installed\SmitFraudFix\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\roberto's\tools\set-up files\installed\SmitFraudFix\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\roberto's\tools\set-up files\installed\SmitFraudFix\SmitfraudFix.exe RarSFX: infected - 2 skipped
D:\roberto's\tools\set-up files\Stand Alone Working Programs\SmitFraudFix\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\roberto's\tools\set-up files\Stand Alone Working Programs\SmitFraudFix\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\roberto's\tools\set-up files\Stand Alone Working Programs\SmitFraudFix\SmitfraudFix.exe RarSFX: infected - 2 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

Let me now what to do next.
Thanks.

little eagle
2008-03-07, 02:47
D: drive is what? CD player?

-------------------------------

To reset your restore points, please note that you will need to log into your computer with an account
which has full administrator access. You will know if the account has administrator access because
you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

joselepiu
2008-03-07, 07:28
I have my hard drive with 2 partitions I use C: for all my programs and drive D: for all my files. I'll reset the restore points tonight. What should I do after that?
Thanks.

little eagle
2008-03-07, 14:27
Delete SmitFraudFix that should get rid of all the reported infections.

joselepiu
2008-03-07, 20:11
Is that program infected? I do not see a uninstall icon for it on the Add or Remove Programs list. How should I do it?
Thanks.

little eagle
2008-03-08, 01:26
No but if you ever need it again it will be out of date.
Delete these two folders in bold.
D:\roberto's\tools\set-up files\installed\SmitFraudFix
D:\roberto's\tools\set-up files\Stand Alone Working Programs\SmitFraudFix

joselepiu
2008-03-08, 02:35
Ok, done.
What's next.
Thanks.

little eagle
2008-03-08, 03:55
If you cleaned out your restore points that should do it.

joselepiu
2008-03-09, 05:44
I did clean the restore points, but nothing happened, still the same. It still freezes on the same web pages. I really don't know what to do next. I am thinking to do a full reformat of the hard drive. If you have any more ideas let me know.

Thanks.

little eagle
2008-03-09, 05:53
Sorry I'm really at a lose as to why.

You may wish to do a repair install.

joselepiu
2008-03-10, 19:39
Ok, I'll try that before a do a full reformat of the hard drive.
Thanks.

little eagle
2008-03-11, 02:24
Sorry we could not get it cleaned. :oops:

joselepiu
2008-03-11, 03:40
If I have to do a full reformat, what programs do I need to install as a minimum to be protected against virus, mal-ware, trojans, spy-ware, etc?

little eagle
2008-03-11, 13:06
A list of programs that I have used and trust are listed here. (http://www.nutnworks.com/forums/showthread.php?t=98)