PDA

View Full Version : Smitfraud, Virtumonde, WinAntiVirusPro infection



T-guy
2008-07-17, 22:50
My computer has been infected by several programs recently including: Smitfraud, Virtumonde, several versions of WinAntiVirusPro as well as other malware threats. I have run Spybot multiple times daily to try to clean out some programs and their entrenched tendrils, but several seem to be rooted too deep. I am unable to use my computer with the incessant pop-ups from these programs telling me to download some fake anti-virus software to deal with the problems these viruses have created themselves.

Any help would be greatly appreciated, as I am at a loss of what to do next.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:39: VIRUS ALERT!, on 7/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\Sys359.exe
C:\Windows\Sys35B.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\Sys5.exe
C:\Windows\Sys6.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: qndsfmao - {3C0FFA71-2DBF-491D-84CD-C48738B44FB2} - C:\WINDOWS\qndsfmao.dll (file missing)
O3 - Toolbar: (no name) - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - (no file)
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ContraVirus] C:\Program Files\ContraVirus\ContraVirusPro.exe /s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKLM\..\Run: [Sys35E.exe] C:\Windows\Sys35E.exe
O4 - HKLM\..\Run: [Sys35F.exe] C:\Windows\Sys35F.exe
O4 - HKLM\..\Run: [dc39dcb9] rundll32.exe "C:\WINDOWS\system32\ftbxcfno.dll",b
O4 - HKLM\..\Run: [Sys359.exe] C:\Windows\Sys359.exe
O4 - HKLM\..\Run: [Sys35B.exe] C:\Windows\Sys35B.exe
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Sys4.exe] C:\Windows\Sys4.exe
O4 - HKCU\..\Run: [Sys6.exe] C:\Windows\Sys6.exe
O4 - HKCU\..\Run: [Sys5.exe] C:\Windows\Sys5.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://Www.Wintergreensys.com
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.2.1.27/harvest/harvest-ob-assets.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119804909281
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb12.pogo.com/game/deluxe/insaniquarium/popcaploader_v6.cab
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://clubgames.pogo.com/online2/pogop/mahjong_escape_ancient/PTGameLauncher.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: kvxqmtre - {D8376AC3-15BA-479F-B71F-DE1965705ED5} - C:\WINDOWS\kvxqmtre.dll (file missing)
O21 - SSODL: evgratsm - {847B09A2-52B4-42F2-8F66-9DB53AD22184} - C:\WINDOWS\evgratsm.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11727 bytes

km2357
2008-07-18, 05:29
Hello and welcome to Safer Networking.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.


I will be back as soon as possible with your first instructions!

km2357
2008-07-18, 05:49
Looking over your log, it seems you don't have any evidence of ananti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these vendors NOW:

1)Antivir PersonalEdition Classic (http://www.free-av.com/)
2)avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html)


Download and install only one!



Step # 1 Download CCleaner

Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.

Double click on the ccsetup.exe file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location.
Under Install Options, choose all the default settings except I would recommend that you unclick/untick install the Yahoo! Toolbar, unless you want it. You can also Uncheck the 'Automatically check for updates' box.
Click Install then finish to complete installation.


Step # 2 Retrieve the Installed Programs List from CCleaner

Open CCleaner if it's not already running.
In the Left Pane, click Tools
Verify that Uninstall is highlighted in color, or click on it.
In the lower Right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt
Click Save
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.



Step # 3: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to save ComboFix.exe to your Desktop

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleaning the system:

CCleaner Install List
C:\ComboFix.txt
New HijackThis log.


Use multiple posts if you can't fit everything into one post.

km2357
2008-07-20, 22:37
T-Guy? Do you still need help?

T-guy
2008-07-21, 08:43
Sorry for the delay, km2357. I followed your prescribed steps and the difference is remarkable. The only problem I encountered was when trying to run the ComboFix program. The program never prompted me to install a recovery console as you specified, and I am unsure as how this affected the end results. Here are the CCleaner and ComboFix logs and I will post the HijackThis log in the next post.


CCleaner log:

Adobe Acrobat 4.0
Adobe AIR
Adobe Flash Player ActiveX
Adobe Media Player
Adobe Reader 8.1.2
Adobe Shockwave Player
AIM 6
AOL Instant Messenger
AOL Toolbar 2.0
Apple Mobile Device Support
Apple Software Update
AT&T Self Support Tool
Avira AntiVir Personal – Free Antivirus
Bonjour
BroadJump Client Foundation
CCleaner (remove only)
Coupon Printer for Windows
CyberDefender Early Detection Center
Diner Dash
DING!
Dr. Seuss(TM) Kindergarten
Google Desktop
Google Toolbar for Internet Explorer
HijackThis 2.0.2
hp deskjet 3320 series
hp deskjet 3320 series (Remove only)
HSP56 MR Drivers
iPod for Windows 2005-09-23
ItsDeductible Express
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 3
Kodak EasyShare software
LimeWire 4.18.3
Medieval - Total War (TM) - Viking Invasion (TM)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSN
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MyIdentityDefender Toolbar (CyberDefender Corporation)
Mystery Case Files - Prime Suspects
Nero - Burning Rom
QuickTime
Realtek AC'97 Audio
Robots
SiS 900 PCI Fast Ethernet Adapter Driver
SiS VGA Utilities
Spybot - Search & Destroy
TurboTax Deluxe 2004
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2006
upapp
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Viewpoint Toolbar
Visual IP InSight(SBC)
WexTech AnswerWorks
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
XoftSpy


ComboFix log:

ComboFix 08-07-20.5 - Marilyn Kane 2008-07-20 23:54:46.1 - NTFSx86
Running from: C:\Documents and Settings\Marilyn Kane\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\Documents and Settings\Marilyn Kane\Application Data\winantiviruspro2007freeinstall[1].exe
C:\Documents and Settings\Marilyn Kane\Desktop\Privacy Protector.url
C:\Documents and Settings\Marilyn Kane\err.log
C:\Documents and Settings\Marilyn Kane\ResErrors.log
C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\companion wizard\compwiz.exe
C:\Program Files\Common Files\companion wizard\WapCHK.dll
C:\Program Files\PCHealthCenter
C:\Program Files\PCHealthCenter\0.exe
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\1.exe
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\2.exe
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\3.exe
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCHealthCenter\4.exe
C:\Program Files\PCHealthCenter\5.exe
C:\Program Files\PCHealthCenter\sex1.ico
C:\Program Files\PCHealthCenter\sex2.ico
C:\Program Files\SpyShredder
C:\Program Files\SpyShredder\SpyShredder.lic
C:\Program Files\SpyShredder\SpyShredder0.ss
C:\Program Files\SpyShredder\SpyShredder1.dll
C:\Program Files\SpyShredder\SpyShredder1.ss
C:\Program Files\SpyShredder\SpyShredder2.dll
C:\Program Files\SpyShredder\SpyShredder3.dll
C:\Program Files\SpyShredder\Uninstall.exe
C:\start.bat
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\etqk.exe
C:\WINDOWS\kgxmotapnwo.dll
C:\WINDOWS\Sys2.exe
C:\WINDOWS\Sys3.exe
C:\WINDOWS\Sys359.exe
C:\WINDOWS\Sys35B.exe
C:\WINDOWS\Sys4.exe
C:\WINDOWS\Sys6.exe
C:\WINDOWS\Sys7.exe
C:\WINDOWS\system32\dpconadk.ini
C:\WINDOWS\system32\exmivm.dll
C:\WINDOWS\system32\hduhzx.dll
C:\WINDOWS\system32\itqxkj.dll
C:\WINDOWS\system32\kdanocpd.dll
C:\WINDOWS\system32\kqstfluo.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\opnlLFYP.dll
C:\WINDOWS\system32\PYFLlnpo.ini
C:\WINDOWS\system32\PYFLlnpo.ini2
C:\WINDOWS\system32\sex1.ico
C:\WINDOWS\system32\sex2.ico
C:\WINDOWS\system32\shiuqu.dll
C:\WINDOWS\system32\slyhrj.dll
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\tmcoimdl.dll
C:\WINDOWS\system32\uijtjlpj.ini
C:\WINDOWS\system32\vagfhiix.dll
C:\WINDOWS\system32\vav.cpl
C:\WINDOWS\system32\vodwhluq.dll
C:\WINDOWS\system32\wgfsonls.ini
C:\WINDOWS\system32\wipcptxw.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FOPN


((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
.

2008-07-20 23:23 . 2008-07-20 23:23 <DIR> d-------- C:\Program Files\CCleaner
2008-07-20 22:50 . 2008-07-20 22:50 <DIR> d-------- C:\Program Files\Avira
2008-07-20 22:50 . 2008-07-20 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-20 08:50 . 2008-07-20 08:50 71 --a------ C:\WINDOWS\st_affiliate.ini
2008-07-19 16:09 . 2008-07-19 16:09 61 --a------ C:\WINDOWS\av_affiliate.ini
2008-07-19 16:09 . 2008-07-19 16:09 61 --a------ C:\WINDOWS\as_affiliate.ini
2008-07-19 16:02 . 2008-07-19 21:18 <DIR> d-------- C:\Program Files\CyberDefender
2008-07-19 16:02 . 2008-07-19 15:52 67,424 --a------ C:\WINDOWS\system32\drivers\CDAVFS.sys
2008-07-19 11:35 . 2008-07-19 11:35 0 --a------ C:\SpyShredder.lnk
2008-07-19 11:34 . 2008-07-19 11:34 30,672 --a------ C:\a
2008-07-19 06:26 . 2008-07-19 15:05 646 --ahs---- C:\WINDOWS\system32\kxlqxcoy.ini
2008-07-17 14:37 . 2008-07-17 14:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-17 01:20 . 2008-07-17 01:22 704 --a------ C:\WINDOWS\wininit.ini
2008-07-17 00:39 . 2008-07-17 00:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-17 00:39 . 2008-07-17 01:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-17 00:20 . 2008-07-17 08:53 474 --ahs---- C:\WINDOWS\system32\onfcxbtf.ini
2008-07-17 00:04 . 2008-07-16 23:24 176,128 --a------ C:\WINDOWS\agpqlrfm.exe
2008-07-16 22:06 . 2008-07-16 22:06 <DIR> d-------- C:\Program Files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-19 16:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-17 06:46 --------- d-----w C:\Program Files\Apple Software Update
2008-07-17 05:29 --------- d-----w C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire
2008-07-17 03:03 --------- d-----w C:\Program Files\QuickTime
2008-07-16 04:30 --------- d-----w C:\Program Files\LimeWire
2008-06-21 22:02 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-15 20:40 --------- d-----w C:\Program Files\Oberon Media
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 17:08 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-10 17:06 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-06-10 17:06 --------- d-----w C:\Program Files\Adobe Media Player
2008-05-31 21:57 --------- d-----w C:\Documents and Settings\Marilyn Kane\Application Data\Skinux
2008-05-31 21:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-05-31 21:32 --------- d-----w C:\Program Files\Kodak
2008-05-31 21:29 --------- d-----w C:\Program Files\Common Files\Kodak
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2005-06-25 03:28 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17 50736]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [2003-12-05 03:36 249856]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 05:15 106496]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 05:50 155648]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-03 17:56 188416]
"IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 02:52 380928]
"IPInSightMonitor 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 02:52 122880]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 05:52 380928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07 49263]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-12 09:48 1838592]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 15:18 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"SoundMan"="SOUNDMAN.EXE" [2003-10-08 04:41 57344 C:\WINDOWS\SOUNDMAN.EXE]
"PCTVOICE"="pctspk.exe" [2002-07-09 21:49 167936 C:\WINDOWS\system32\pctspk.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2008-07-07 09:42 4891472]
"Spybot - Search & Destroy"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2008-07-07 09:42 4891472]

C:\Documents and Settings\Marilyn Kane\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 14:15:48 462848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2005-02-07 21:53:47 217088]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-05-10 07:15:28 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-04-27 16:17 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Total War\\Medieval - Total War\\Medieval_TW.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\ItsDeductible2006\\ItsDeductible10.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\CyberDefender\\AntiSpyware\\cdas1c.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 16:38]
R3 SiSPort;SIS PORT Driver;C:\WINDOWS\SiSPort.sys [2001-12-06 21:11]
S3 CDAVFS;CDAVFS;C:\WINDOWS\system32\DRIVERS\CDAVFS.sys [2008-07-19 15:52]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-17 22:03:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-16 14:49:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-07-12 21:14:01 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.8.30.2.sxt _RegistrationOffer@16
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
BHO-{401086F0-209B-4E07-B4ED-9FB774E3132D} - (no file)
BHO-{A82B165E-F9EF-417B-8B77-670E5207622B} - (no file)
BHO-{B0F7BF8C-F5E5-4921-BFA4-56AA635DA682} - (no file)
BHO-{CC8F9C89-5120-4181-B167-9F7A238F5DF2} - (no file)
BHO-{D3BB9CAE-8B65-4D4C-9DF0-CC7A9B348E42} - (no file)
BHO-{EA357019-D721-41C5-9B96-8CA18B7DA02C} - (no file)
Toolbar-{3C0FFA71-2DBF-491D-84CD-C48738B44FB2} - C:\WINDOWS\qndsfmao.dll
Toolbar-{5BED3930-2E9E-76D8-BACC-80DF2188D455} - (no file)
HKCU-Run-Yahoo! Pager - C:\Program Files\Yahoo!\Messenger\ypager.exe
HKCU-Run-Sys4.exe - C:\Windows\Sys4.exe
HKCU-Run-Sys5.exe - C:\Windows\Sys5.exe
HKCU-Run-Sys6.exe - C:\Windows\Sys6.exe
HKLM-Run-BJCFD - C:\Program Files\BroadJump\Client Foundation\CFD.exe
HKLM-Run-eTrustPPAP - C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
HKLM-Run-ContraVirus - C:\Program Files\ContraVirus\ContraVirusPro.exe
HKLM-Run-Antivirus - C:\Program Files\VAV\vav.exe
HKLM-Run-Sys35E.exe - C:\Windows\Sys35E.exe
HKLM-Run-Sys35F.exe - C:\Windows\Sys35F.exe
HKLM-Run-dc39dcb9 - C:\WINDOWS\system32\ftbxcfno.dll
HKLM-Run-Sys359.exe - C:\Windows\Sys359.exe
HKLM-Run-Sys35B.exe - C:\Windows\Sys35B.exe
HKLM-Run-Salestart - C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe
ShellExecuteHooks-{D8D7A115-9A18-4574-B537-CF13AB6645DB} - C:\WINDOWS\system32\khfCUkhi.dll
SSODL-kvxqmtre-{D8376AC3-15BA-479F-B71F-DE1965705ED5} - C:\WINDOWS\kvxqmtre.dll
SSODL-evgratsm-{847B09A2-52B4-42F2-8F66-9DB53AD22184} - C:\WINDOWS\evgratsm.dll
Notify-khfCUkhi - khfCUkhi.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R0 -: HKLM-Main,Search Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 -: HKCU-SearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O8 -: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 -: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 -: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 -: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 -: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 -: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 -: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O16 -: Harvest Mania by pogo - hxxp://game1.pogo.com/applet-6.2.1.27/harvest/harvest-ob-assets.cab
C:\WINDOWS\Downloaded Program Files\Harvest Mania by pogo.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}

O16 -: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://clubgames.pogo.com/online2/pogop/mahjong_escape_ancient/PTGameLauncher.cab
C:\WINDOWS\Downloaded Program Files\PTGameLauncher.inf
C:\WINDOWS\Downloaded Program Files\PTGameLauncher.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 00:08:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-07-21 0:23:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-21 05:22:12

Pre-Run: 26,373,681,152 bytes free
Post-Run: 26,556,473,344 bytes free

254 --- E O F --- 2008-07-10 08:01:01

T-guy
2008-07-21, 08:47
Again, I can not begin to say how thankful I am for your help on fixing this computer.

Here is the Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:45, on 7/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: (no name) - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - (no file)
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Sys35E.exe] C:\Windows\Sys35E.exe
O4 - HKLM\..\Run: [Sys35F.exe] C:\Windows\Sys35F.exe
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKLM\..\Run: [dc39dcb9] rundll32.exe "C:\WINDOWS\system32\ftbxcfno.dll",b
O4 - HKLM\..\Run: [Sys359.exe] C:\Windows\Sys359.exe
O4 - HKLM\..\Run: [Sys35B.exe] C:\Windows\Sys35B.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Sys4.exe] C:\Windows\Sys4.exe
O4 - HKCU\..\Run: [Sys5.exe] C:\Windows\Sys5.exe
O4 - HKCU\..\Run: [Sys6.exe] C:\Windows\Sys6.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://Www.Wintergreensys.com
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.2.1.27/harvest/harvest-ob-assets.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119804909281
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://clubgames.pogo.com/online2/pogop/mahjong_escape_ancient/PTGameLauncher.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11188 bytes

km2357
2008-07-21, 21:56
Here's how to install the Recovery Console:

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System


http://img.photobucket.com/albums/v666/sUBs/KB310994.gif


Download the file & save it as it's originally named, next to ComboFix.exe.



http://i266.photobucket.com/albums/ii277/sUBs_/rc1.gif


Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Drag the setup package onto ComboFix.exe and drop it.


Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


At the next prompt, click 'No'.

http://img.photobucket.com/albums/v706/ried7/RC_whatnext.gif


When the tool is finished, it will produce a report for you.

I'll need to see that report in your next post.


IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

LimeWire 4.18.3

I'd like you to read the Guidelines for P2P Programs (http://spywarewarrior.com/viewtopic.php?t=26216) where we explain why it's not a good idea to have them.

Also available here (http://forum.malwareremoval.com/viewtopic.php?t=23812&sid=a609c56441d8a2e5dc8d24e3e96420cc).

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).




Step # 1: Disable Teatimer

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

This is a two step process.
First step: Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version : Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in left panel, click Resident shows a red/white shield.
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.




Step # 2: Run CFScript

Please delete the version of ComboFix you have on your computer, I need you to download the latest version of ComboFix by sUBs here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.



Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


KILLALL::

File::

C:\SpyShredder.lnk
C:\a
C:\WINDOWS\system32\kxlqxcoy.ini
C:\WINDOWS\system32\onfcxbtf.ini
C:\WINDOWS\agpqlrfm.exe
C:\WINDOWS\system32\ftbxcfno.dll

Folder::

C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire
C:\Program Files\LimeWire
C:\Program Files\Common Files\WinAntiVirus Pro 2007

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=-


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.




http://i266.photobucket.com/albums/ii277/sUBs_/CFScript.gif


Note: This CFScript is for use on T-Guy's computer only! Do not use it on your computer.


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Step # 3: Remove Hijackthis Entries


Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)

O3 - Toolbar: (no name) - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - (no file)

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [Sys35E.exe] C:\Windows\Sys35E.exe

O4 - HKLM\..\Run: [Sys35F.exe] C:\Windows\Sys35F.exe

O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"

O4 - HKLM\..\Run: [dc39dcb9] rundll32.exe "C:\WINDOWS\system32\ftbxcfno.dll",b

O4 - HKLM\..\Run: [Sys359.exe] C:\Windows\Sys359.exe

O4 - HKLM\..\Run: [Sys35B.exe] C:\Windows\Sys35B.exe

O4 - HKCU\..\Run: [Sys4.exe] C:\Windows\Sys4.exe

O4 - HKCU\..\Run: [Sys5.exe] C:\Windows\Sys5.exe

O4 - HKCU\..\Run: [Sys6.exe] C:\Windows\Sys6.exe


Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.


In your next post/reply, I need to see the following:

1. Recovery Console Report
2. ComboFix Log that appears after Step 2 has been completed
3. A fresh HiJackThis Log taken after all steps have been completed

Use multiple posts if you can't fit everything into one post.

T-guy
2008-07-22, 07:53
Recovery Console Report:

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


ComboFix Report:

ComboFix 08-07-21.1 - Marilyn Kane 2008-07-21 23:15:26.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.68 [GMT -5:00]
Running from: C:\Documents and Settings\Marilyn Kane\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Marilyn Kane\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\a
C:\SpyShredder.lnk
C:\WINDOWS\agpqlrfm.exe
C:\WINDOWS\system32\ftbxcfno.dll
C:\WINDOWS\system32\kxlqxcoy.ini
C:\WINDOWS\system32\onfcxbtf.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\a
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\414splashfree.png
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\active.mojito
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\createtimes.cache
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\downloads.dat
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\fileurns.bak
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\fileurns.cache
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\filters.props
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\gnutella.net
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\installation.props
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\library.dat
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\limewire.props
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\mojito.props
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\promotion\promodb.backup
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\promotion\promodb.data
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\promotion\promodb.properties
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\promotion\promodb.script
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\questions.props
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\responses.cache
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\simpp.xml
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\spam.dat
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\tables.props
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme.lwtp
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\01_star.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\02_star.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\03_star.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\04_star.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\05_star.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\chat.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\forward_up.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\kill.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\kill_on.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\logo.png
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\notsearching.png
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\pause_up.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\play_dn.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\play_up.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\question.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\searching.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\splash.png
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\splashpro.png
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\stop_up.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\theme.txt
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\version.txt
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\themes\windows_theme\warning.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\ttree.cache
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\ttrees.cache
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\ttroot.cache
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\version.xml
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\versions.props
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\xml\data\audio.sxml2
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\xml\data\delete_me
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\xml\data\video.sxml2
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\xml\misc\application.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\xml\misc\audio.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\xml\misc\document.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\xml\misc\image.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\xml\misc\video.gif
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\xml\schemas\application.xsd
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\xml\schemas\audio.xsd
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\xml\schemas\document.xsd
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\xml\schemas\image.xsd
C:\Documents and Settings\Marilyn Kane\Application Data\LimeWire\xml\schemas\video.xsd
C:\SpyShredder.lnk
C:\WINDOWS\agpqlrfm.exe
C:\WINDOWS\system32\kxlqxcoy.ini
C:\WINDOWS\system32\onfcxbtf.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-22 to 2008-07-22 )))))))))))))))))))))))))))))))
.

2008-07-20 23:23 . 2008-07-20 23:23 <DIR> d-------- C:\Program Files\CCleaner
2008-07-20 22:50 . 2008-07-20 22:50 <DIR> d-------- C:\Program Files\Avira
2008-07-20 22:50 . 2008-07-20 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-20 08:50 . 2008-07-20 08:50 71 --a------ C:\WINDOWS\st_affiliate.ini
2008-07-19 16:09 . 2008-07-19 16:09 61 --a------ C:\WINDOWS\av_affiliate.ini
2008-07-19 16:09 . 2008-07-19 16:09 61 --a------ C:\WINDOWS\as_affiliate.ini
2008-07-19 16:02 . 2008-07-19 21:18 <DIR> d-------- C:\Program Files\CyberDefender
2008-07-19 16:02 . 2008-07-19 15:52 67,424 --a------ C:\WINDOWS\system32\drivers\CDAVFS.sys
2008-07-17 14:37 . 2008-07-17 14:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-17 01:20 . 2008-07-17 01:22 704 --a------ C:\WINDOWS\wininit.ini
2008-07-17 00:39 . 2008-07-17 00:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-17 00:39 . 2008-07-17 01:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-16 22:06 . 2008-07-16 22:06 <DIR> d-------- C:\Program Files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-19 16:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-17 06:46 --------- d-----w C:\Program Files\Apple Software Update
2008-07-17 03:03 --------- d-----w C:\Program Files\QuickTime
2008-06-21 22:02 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-15 20:40 --------- d-----w C:\Program Files\Oberon Media
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 17:08 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-10 17:06 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-06-10 17:06 --------- d-----w C:\Program Files\Adobe Media Player
2008-05-31 21:57 --------- d-----w C:\Documents and Settings\Marilyn Kane\Application Data\Skinux
2008-05-31 21:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-05-31 21:32 --------- d-----w C:\Program Files\Kodak
2008-05-31 21:29 --------- d-----w C:\Program Files\Common Files\Kodak
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2005-06-25 03:28 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17 50736]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Sys4.exe"="C:\Windows\Sys4.exe" [BU]
"Sys5.exe"="C:\Windows\Sys5.exe" [BU]
"Sys6.exe"="C:\Windows\Sys6.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [2003-12-05 03:36 249856]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 05:15 106496]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 05:50 155648]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-03 17:56 188416]
"IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 02:52 380928]
"IPInSightMonitor 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 02:52 122880]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 05:52 380928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07 49263]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-12 09:48 1838592]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 15:18 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"Sys35E.exe"="C:\Windows\Sys35E.exe" [BU]
"Sys35F.exe"="C:\Windows\Sys35F.exe" [BU]
"dc39dcb9"="C:\WINDOWS\system32\ftbxcfno.dll" [BU]
"Sys359.exe"="C:\Windows\Sys359.exe" [BU]
"Sys35B.exe"="C:\Windows\Sys35B.exe" [BU]
"SoundMan"="SOUNDMAN.EXE" [2003-10-08 04:41 57344 C:\WINDOWS\SOUNDMAN.EXE]
"PCTVOICE"="pctspk.exe" [2002-07-09 21:49 167936 C:\WINDOWS\system32\pctspk.exe]

C:\Documents and Settings\Marilyn Kane\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 14:15:48 462848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2005-02-07 21:53:47 217088]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-05-10 07:15:28 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-04-27 16:17 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Total War\\Medieval - Total War\\Medieval_TW.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\ItsDeductible2006\\ItsDeductible10.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\CyberDefender\\AntiSpyware\\cdas1c.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 16:38]
R3 SiSPort;SIS PORT Driver;C:\WINDOWS\SiSPort.sys [2001-12-06 21:11]
S3 CDAVFS;CDAVFS;C:\WINDOWS\system32\DRIVERS\CDAVFS.sys [2008-07-19 15:52]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-17 22:03:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-16 14:49:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-07-12 21:14:01 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.8.30.2.sxt _RegistrationOffer@16
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 23:22:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-07-21 23:33:34 - machine was rebooted [Marilyn Kane]
ComboFix-quarantined-files.txt 2008-07-22 04:32:22
ComboFix2.txt 2008-07-21 05:23:27

Pre-Run: 25,063,215,104 bytes free
Post-Run: 25,215,950,848 bytes free

219 --- E O F --- 2008-07-10 08:01:01


HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:48, on 7/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://Www.Wintergreensys.com
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.2.1.27/harvest/harvest-ob-assets.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119804909281
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://clubgames.pogo.com/online2/pogop/mahjong_escape_ancient/PTGameLauncher.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9573 bytes

km2357
2008-07-22, 09:26
Step # 1 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6u7 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications.".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Select your Version of Windows, then click Continue
Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Remove the following old versions of Java:


J2SE Runtime Environment 5.0 Update 3

J2SE Runtime Environment 5.0 Update 10


Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.

From your desktop double-click on the download to install the newest version.


Step # 2 Run CCleaner

CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!


Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
Then select the items you wish to clean up.

In the Windows Tab:

Clean all entries in the Internet Explorer section except Cookies
Clean all the entries in the Windows Explorer section
Clean all entries in the System section
Clean all entries in the Advanced section
Clean any others that you choose

In the Applications Tab:

Clean all except cookies in the Firefox/Mozilla section if you use it
Clean all in the Opera section if you use it
Clean Sun Java in the Internet Section
Clean any others that you choose

Click the Run Cleaner button.
A pop up box will appear advising this process will permanently delete files from your system.
Click OK and it will scan and clean your system.
Click exit when done.
If it asks you to reboot at the end, click NO


Step # 3 Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
Next click the Scanner tab and select Perform Quick Scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
You can also access the log by doing the following:

Click on the Malwarebytes' Anti-Malware icon to launch the program.
Click on the Logs tab.
Click on the log at the bottom of those listed to highlight it.
Click Open.


In your next post/reply, I need to see the following:

1. MalwareBytes' Log
2. A fresh HiJackThis Log

km2357
2008-07-26, 21:45
This topic has been archived due to inactivity.

As it has been five days or more since your last post, and I have posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.