PDA

View Full Version : Search engine Hijacking Plus



Mimo11
2009-03-27, 11:21
Hello. A friend suggested that this was the place to come if I needed help with this problem, and I assuredly do.
I type a search into google window in Mozilla FF and get a search result, but when I click on any of those results I get a new window & some retail search pages.
When I go to google & search from there sometimes I get a reasonable page whose links go off in all directions and sometimes I get just a list of non-hyperlinked urls with "similar pages" links after them. This also happens at Altavista, though not in Googeefree.
And it happens with IE 7 too.

So I did a system restore & it was fine for about 24 hours.

Now it's back, as of about noon today.

My bigger concern is that my C or D partition cannot be opened on click, although I can explore them. On click I get a message that my Recycler cannot be found and the file id listed is different than what is actually on my Recycle Bin. Did it rename my recycle bin?

Did a virus scan with ESET and cleaned 3 infiltrations. No change.

Twice tried a system restore earlier, but it locked up. Simply the "next" button does nothing when I want to confirm the checkpoint. When it freezes, Task Manager just shows it as running.

I seem to have to restart my system 3 times to log in to my account.

Any help would be appreciated.

Did manage to download HiJack This. Here is my log, although I don't know what it all means.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:18:42 PM, on 3/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdjcoms.exe
C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Lexmark 1400 Series\lxdjamon.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\lotus\org6\organize\EASYCLIP6.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thetelegram.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Technologies\Notebook Software\NotebookPlugin.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\lotus\org6\organize\iehelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ScanSoft OmniPage 16-reminder] "C:\Program Files\ScanSoft\OmniPage16\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\OmniPage 16\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [lxdjamon] "C:\Program Files\Lexmark 1400 Series\lxdjamon.exe"
O4 - HKLM\..\Run: [LXDJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Lotus Organizer EasyClip.lnk = ?
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - C:\lotus\org6\organize\bandobjs.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9376974706
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9400116312
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E8274D3-23EA-4AF5-981A-A23CD240FD9C}: NameServer = 85.255.112.191,85.255.112.78
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AE85660-8A3D-4E75-A882-6D180E26EDD2}: NameServer = 85.255.112.191,85.255.112.78
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.191,85.255.112.78
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E8274D3-23EA-4AF5-981A-A23CD240FD9C}: NameServer = 85.255.112.191,85.255.112.78
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.191,85.255.112.78
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E8274D3-23EA-4AF5-981A-A23CD240FD9C}: NameServer = 85.255.112.191,85.255.112.78
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.191,85.255.112.78
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdj_device - - C:\WINDOWS\system32\lxdjcoms.exe
O23 - Service: SMART Board Service - SMART Technologies - C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe
O23 - Service: SMART SNMP Agent Service - SMART Technologies ULC - C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTSNMPAgent.exe
O23 - Service: SMART Web Server - Unknown owner - C:\Program Files\SMART Technologies\SMART Board Drivers\WebServer.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8508 bytes

pskelley
2009-03-28, 12:59
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Pinned (sticky) to the top of this forum, and posted above are the directions, make sure you have read and followed them.

You are hacked by criminals from the Ukraine at the least: 85.255.112.191
http://whois.domaintools.com/85.255.112.191
We will start like this:

1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

2) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

http://www.besttechie.net/mbam/mbam-setup.exe <<< download

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html


3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks

Mimo11
2009-03-31, 00:50
Sorry to be a little slow here. Unfortunately work commitments have kept me from dealing with this. I will follow your instructions. and report back.

Mimo

Mimo11
2009-03-31, 03:41
I have installed Malwarebytes 3 times, from two different downloads, however, the program will not launch, either automatically, or by selecting the program from the start menu.

Your suggestions are appreciated.

pskelley
2009-03-31, 12:55
Would you check first for the Conflicker worm like this:
http://www.pchell.com/virus/malicioussoftwareremovaltool.shtml <<< tutorial

1) Click on Start, Run
2) Type MRT and Press Enter
3) You'll be presented with the following screen, click on the Next button

Scan results: If anything is found.

Follow the instructions below to open it.

1) Click on Start, Run
2) Type the following and Press Enter

notepad c:\windows\debug\mrt.log

copy/paste the contents

If you are clean of Conflicker, then try this:

1) Delete any MBAM download on the Desktop

2) http://www.besttechie.net/mbam/mbam-setup.exe <<< click to download

3) Save this files now >> click OK

4) Save in >>> Desktop

5) BEFORE you click Save change the File name from mbam-setup.exe to Mimo11-setup.exe then click Save.

6) Double click the installer on the Desktop and run as instructed earlier.

Thanks

Mimo11
2009-04-01, 04:47
Sigh:sad:

When I follow your instructions nothing happens.
No screens open.
I've even downloaded the MSRT manually, even though I know it came down automatically a while back.
There are no results.

pskelley
2009-04-01, 17:16
Let's start with some information, IF you have Conflicker, you should know the enemy:
http://www.microsoft.com/security/portal/beta/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fConficker.D

If you followed these directions and nothing happened, likely MSRT is not installed. Keep it mind it is installed with Windows Critical Updates. Are you installing those when prompted but Windows Updates?
1) Click on Start, Run
2) Type MRT and Press Enter
3) You'll be presented with the following screen, click on the Next button

If that does not open MSRT, then view this information:
http://www.microsoft.com/security/malwareremove/default.mspx
Download that tool and run it, let me know the results.

If you are infected with Conflicker, it should have been removed, if you are not infected then there is other malware to deal with. Please follow the instructions in my post #5 and run MBAM.

I usually post this information, in your case, these problems are ususual:
The junk can be tough to remove, so do not expect fast or easy.

Pleae understand that it is a lot harder to remove the junk then it is to get it, and that the options are a reformat or local technician.

Thanks...Phil:)

Mimo11
2009-04-01, 20:54
Hi Phil,
I checked out the Conficker entry and popped some of the "blocked" terms into my address bar. They brought up relevant sites with the strings that the worm is supposed to block.

I have followed the steps to run MSRT without success. I am set to be advised of updates and download & install, but on my selection, not automatically. I did download/install the MSRT from March a couple of weeks ago.

I had already been to the website you posted (default.mspx), downloaded and installed MSRT. Again Start>Run>MSRT>Enter had no effect.

I realize how easy it is to get a virus and this is my first infection of anything other than spyware in 15 years. If I can avoid a format, I would like to.

And I promise I'll take direction well.

Mimo

pskelley
2009-04-01, 21:46
Please move on to the instructions for renaming and running MBAM.

Thanks

Mimo11
2009-04-02, 01:33
Hello Phil,
Renaming and saving done. No result. Malware bytes will not load or open. However, after removal of Malware bytes and restart my computer now cannot find C:\Program. Doesn't seem to affect performance though.

I did go to McAfee and run the Free scan which identified a threat, autorun.inf in my C drive as well as a numbered tmp downloader in my \temp. I removed both manually, and now I can open my C drive with a double click from My Computer again as the RECYCLER volume can be found again. No improvement on the browser hijack though.

I again scanned with ESET with no results. And MRT still does not run.

Mimo

pskelley
2009-04-02, 01:36
Let's see if you can get combofix to run:

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from here:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Mimo11
2009-04-02, 03:29
Yahoo! This time we got a hit. Rootkit activity detected. Here is the Combofix file

ComboFix 09-04-01.01 - Monika 2009-04-01 21:50:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1639 [GMT -2.5:30]
Running from: c:\documents and settings\Monika\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *disabled*
* Resident AV is active

.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Monika\Application Data\inst.exe
c:\windows\Downloaded Program Files\Hotfix
c:\windows\Downloaded Program Files\Hotfix\WindowsXP-KB923293-v4-x86-ENU.exe
c:\windows\system32\AVSredirect.dll
c:\windows\system32\drivers\gaopdxeupeysrmkepklgpbcrnrnkkruphphutj.sys
c:\windows\system32\drivers\gaopdxwxwhpylnosdivbepxmecxdwwtvdkrilt.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxiqjpwsoedibsmputfugoyxlmawwyqtmx.dll
c:\windows\system32\gaopdxshhrxvglalagtenmtqxukrgirttoamkx.dll
c:\windows\system32\x64
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-03-02 to 2009-04-02 )))))))))))))))))))))))))))))))
.

2009-04-01 17:16 . 2009-04-01 17:16 <DIR> d-------- c:\windows\McAfee.com
2009-03-30 21:44 . 2009-03-30 21:44 <DIR> d-------- c:\program files\ERUNT
2009-03-26 22:10 . 2009-03-09 16:36 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-26 21:53 . 2009-03-26 21:53 <DIR> d-------- c:\program files\Lavasoft
2009-03-26 21:53 . 2009-03-26 21:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-26 21:53 . 2009-03-26 21:53 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-26 21:53 . 2009-03-09 16:36 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-26 20:52 . 2009-03-26 20:52 <DIR> d-------- c:\program files\BillP Studios
2009-03-26 20:33 . 2009-03-26 20:33 <DIR> d-------- c:\documents and settings\Monika\Application Data\WinPatrol
2009-03-26 15:18 . 2009-03-26 15:18 <DIR> d-------- c:\program files\Trend Micro
2009-03-25 20:45 . 2009-03-25 20:45 <DIR> d-------- c:\documents and settings\Monika\Application Data\Apple Computer
2009-03-25 20:41 . 2009-03-25 20:42 <DIR> d-------- c:\program files\QuickTime
2009-03-25 20:41 . 2009-03-25 20:41 <DIR> d-------- c:\program files\Apple Software Update
2009-03-25 20:41 . 2009-03-25 20:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-25 20:41 . 2009-03-25 20:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-03-24 18:57 . 2009-03-24 20:50 <DIR> d-------- c:\program files\Hellmansoft
2009-03-24 18:57 . 2009-03-25 23:12 <DIR> d-------- c:\documents and settings\Monika\Application Data\Hellmansoft
2009-03-20 15:04 . 2009-03-20 15:04 <DIR> d-------- c:\program files\MSBuild
2009-03-20 15:02 . 2009-03-23 06:58 <DIR> d-------- c:\windows\system32\XPSViewer
2009-03-20 15:01 . 2009-03-20 15:01 <DIR> d-------- c:\program files\Reference Assemblies
2009-03-20 15:01 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-03-19 22:56 . 2009-03-19 22:56 <DIR> d-------- c:\program files\CoffeeCup Software
2009-03-19 22:56 . 2006-01-26 21:26 831,776 --a------ c:\windows\system32\wodFtpDLX.dll
2009-03-19 22:56 . 2003-10-09 16:40 274,976 --a------ c:\windows\system32\XceedFtp.dll
2009-03-19 22:56 . 2002-07-31 19:55 108 ---hs---- c:\windows\WSYS049.SYS
2009-03-19 22:56 . 2001-09-05 12:28 41 ---h----- c:\windows\trfntw32.cfg
2009-03-11 07:04 . 2008-04-14 00:12 221,184 --a------ c:\windows\system32\wmpns.dll
2009-03-09 18:48 . 2008-04-14 05:42 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-03-09 18:48 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-03-09 18:48 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-03-09 18:48 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-03-04 00:06 . 2009-03-04 00:11 106 --a------ c:\windows\ti2kinst.ini
2009-03-04 00:06 . 2009-03-04 00:06 0 --a------ c:\windows\PROTOCOL.INI
2009-03-04 00:05 . 2009-03-04 00:06 <DIR> d-------- c:\windows\A5W_DATA
2009-03-04 00:05 . 2009-03-04 00:05 <DIR> d-------- c:\program files\TIMES Education
2009-03-04 00:05 . 2009-03-04 00:05 <DIR> d-------- c:\documents and settings\Monika\WINDOWS
2009-03-04 00:05 . 1998-02-06 23:37 299,520 --a------ c:\windows\uninst.exe
2009-03-04 00:05 . 2009-03-04 00:11 75,981 --a------ c:\windows\Run32A50.mch
2009-03-04 00:05 . 2009-03-04 00:06 35 --a------ c:\windows\A5W.INI
2009-03-04 00:00 . 2009-03-04 00:00 <DIR> d-------- c:\program files\PowerISO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-01 22:50 --------- d-----w c:\documents and settings\Monika\Application Data\OpenOffice.org2
2009-04-01 15:21 --------- d-----w c:\program files\Lx_cats
2009-03-26 23:12 354,560 ----a-w c:\windows\system32\TuneUpDefragService.exe
2009-03-26 23:12 --------- d-----w c:\program files\TuneUp Utilities 2008
2009-03-26 22:55 --------- d-----w c:\program files\GetSmile
2009-03-23 10:41 76,256 ----a-w c:\documents and settings\Monika\Application Data\GDIPFONTCACHEV1.DAT
2009-03-13 10:25 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-02 02:13 --------- d-----w c:\documents and settings\Monika\Application Data\Archibald's Adventures
2009-02-25 02:29 --------- d-----w c:\documents and settings\All Users\Application Data\HoverBee Studios
2009-02-25 02:28 --------- d-----w c:\program files\Games
2009-02-22 12:13 --------- d-----w c:\program files\AviSynth 2.5
2009-02-22 12:10 --------- d-----w c:\program files\eRightSoft
2009-02-21 16:35 --------- d-----w c:\documents and settings\Monika\Application Data\Vso
2009-02-21 15:39 --------- d-----w c:\documents and settings\Monika\Application Data\COWON
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-05 12:37 --------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-01-14 21:13 93,352 ----a-w c:\windows\system32\ElbyCDIO.dll
2008-11-16 03:17 47,360 ----a-w c:\documents and settings\Monika\Application Data\pcouffin.sys
2006-06-15 23:03 233,472 ----a-w c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-25 21:13 204,895 ----a-w c:\program files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 17:11 77,824 ----a-w c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-06-19 15:40 426,081 ----a-w c:\program files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 14:49 458,752 ----a-w c:\program files\mozilla firefox\plugins\imagickrt.dll
2006-04-10 21:05 139,264 ----a-w c:\program files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 13:40 204,800 ----a-w c:\program files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 14:12 106,496 ----a-w c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 13:52 212,992 ----a-w c:\program files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 13:51 167,936 ----a-w c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll
2008-08-25 12:11 76 --sh--r c:\windows\CT4CET.bin
2006-05-03 10:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 11:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2008-03-16 13:30 216,064 --sh--r c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}]
2003-06-02 17:26 65536 --a------ c:\lotus\org6\organize\iehelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TuneUp MemOptimizer"="c:\program files\TuneUp Utilities 2008\MemOptimizer.exe" [2008-04-16 154368]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-21 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-21 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-21 137752]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-10-25 167936]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-03-01 1443072]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ScanSoft OmniPage 16-reminder"="c:\program files\ScanSoft\OmniPage16\Ereg\Ereg.exe" [2007-07-20 328992]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"lxdjamon"="c:\program files\Lexmark 1400 Series\lxdjamon.exe" [2007-03-06 20480]
"LXDJCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXDJtime.dll" [2007-02-09 102400]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-13 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-03-08 337216]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Lotus Organizer EasyClip.lnk - c:\lotus\org6\organize\EASYCLIP6.EXE [2003-06-02 229433]
SMART Board Tools.lnk - c:\program files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe [2008-08-12 9618728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\lxdjcoms.exe"=
"c:\\WINDOWS\\system32\\lxdjcfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdjwbgw.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdjpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdjjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdjtime.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-26 64160]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-08-21 108032]
R3 OEM02Afx;Provides a software interface to control audio effects of OEM002 camera.;c:\windows\system32\drivers\OEM02Afx.sys [2008-08-22 141376]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2008-08-22 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2008-08-22 7424]
S3 SMART SNMP Agent Service;SMART SNMP Agent Service;c:\program files\SMART Technologies\SMART Board Drivers\SMARTSNMPAgent.exe [2008-07-31 1037608]
S3 SMART Web Server;SMART Web Server;c:\program files\SMART Technologies\SMART Board Drivers\WebServer.exe [2008-07-31 1205544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd24e542-bc2b-11dd-94cd-001fe1c6919a}]
\Shell\AutoRun\command - F:\podcastready.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6c5b6d0-6ff2-11dd-9453-00219bdd91cd}]
\Shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7cebb30-94b3-11dd-9494-001fe1c6919a}]
\Shell\AutoRun\command - H:\Start.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-02 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-04-16 09:59]

2009-03-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 16:36]

2009-03-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.thetelegram.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{B4E30F61-16D9-11D3-85D1-005004229569} - {85E0B172-04FA-11D1-B7DA-00A0C90348D6} - c:\lotus\org6\organize\bandobjs.dll
FF - ProfilePath - c:\documents and settings\Monika\Application Data\Mozilla\Firefox\Profiles\cewy63fx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.thetelegram.com/
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRLCT4Player.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-01 21:53:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXDJCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXDJtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-01 21:54:36
ComboFix-quarantined-files.txt 2009-04-02 00:24:34

Pre-Run: 200,970,858,496 bytes free
Post-Run: 201,454,034,944 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

223 --- E O F --- 2009-03-17 18:26:24


Here is the Hijack This Log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:34 PM, on 4/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdjcoms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thetelegram.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Technologies\Notebook Software\NotebookPlugin.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\lotus\org6\organize\iehelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ScanSoft OmniPage 16-reminder] "C:\Program Files\ScanSoft\OmniPage16\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\OmniPage 16\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [lxdjamon] "C:\Program Files\Lexmark 1400 Series\lxdjamon.exe"
O4 - HKLM\..\Run: [LXDJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Lotus Organizer EasyClip.lnk = ?
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - C:\lotus\org6\organize\bandobjs.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219376974706
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219400116312
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5567/mcfscan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: lxdj_device - - C:\WINDOWS\system32\lxdjcoms.exe
O23 - Service: SMART Board Service - SMART Technologies - C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe
O23 - Service: SMART SNMP Agent Service - SMART Technologies ULC - C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTSNMPAgent.exe
O23 - Service: SMART Web Server - Unknown owner - C:\Program Files\SMART Technologies\SMART Board Drivers\WebServer.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7354 bytes

pskelley
2009-04-02, 11:30
That's a good start, you can see the nasty junk combofix removed. Please follow the directions carefully.

Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html


Now I would like you to return to my post #2 and follow the instructions.
1) Make sure you have not enabled TeaTimer
2) Follow the instructions to download and run MBAM (should run now with no issues)
3) Follow the instructions to post an uninstall list.

Tell me how the computer is running now.

Thanks...Phil

Mimo11
2009-04-03, 04:44
Hi Phil,
Here's the Malwarebytes log:

Malwarebytes' Anti-Malware 1.35
Database version: 1935
Windows 5.1.2600 Service Pack 3

4/2/2009 11:00:27 PM
mbam-log-2009-04-02 (23-00-27).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 176514
Time elapsed: 39 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ce7c3cf0-4b15-11d1-abed-709549c10000} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ce7c3cf0-4b15-11d1-abed-709549c10000} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce7c3cf0-4b15-11d1-abed-709549c10000} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\lotus\org6\organize\iehelper.dll (Trojan.BHO) -> Quarantined and deleted successfully.

The only thing that strikes me oddly is the lotus file. But the Organizer seems to work fine without it.

Here is the Uninstall log:

7-Zip 4.42
Acces 4
Ad-Aware
Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Shockwave Player 11.5
Advanced Audio FX Engine
Advanced Video FX Engine
Amazing Astrology
Amazing Biorhythms
Amazing Numerology
Anniversary Almanac
AnyDVD
Apple Software Update
Ashampoo Burning Studio 7.10
CoffeeCup Visual Site Designer
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Touchpad
Dell Webcam Center
Dell Webcam Manager
Dell Wireless WLAN Card
DjVuLibre+DjView
DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.1.1.0
eClass Grades
ERUNT 1.1j
ESET Smart Security
Fabulous Finds
Family Tree Maker 2008
First Name Almanac
Foxit PDF Creator
Foxit PDF Editor
Foxit Reader
Foxit Reader
GenoPro 2.0.1.4
GetSmile v1.901
Google Earth
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Deskjet 3740
HP Update
IBM Lotus Organizer 6 - English
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 12
Java(TM) 6 Update 4
Java(TM) 6 Update 7
jetAudio Basic VX
K-Lite Mega Codec Pack 3.8.0
Laptop Integrated Webcam Driver (1.03.02.0719)
Lexmark 1400 Series
Live! Cam Avatar Creator
Live! Cam Avatar v1.0
Malwarebytes' Anti-Malware
Masterra PostSmile 6.5
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office FrontPage 2003
Microsoft Office PowerPoint 2003 Template Pack 1
Microsoft Office PowerPoint 2003 Template Pack 2
Microsoft Office PowerPoint 2003 Template Pack 3
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft Primary Interoperability Assemblies 2005
Microsoft Publisher 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft WSE 3.0
Mozilla Firefox (3.0.7)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB925673)
Notebook Software
OpenOffice.org 2.4
Organizer Conversion Utility
Planbook
PowerISO
Proud Pedigrees Version 2.70
QuickTime
ScanSoft OmniPage 16
ScanSoft PDF Create! 4
Schoolhouse Test 2
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
SigmaTel Audio
Skype™ 3.8
SMART Board Drivers
SUPER © Version 2009.bld.35 (Jan 5, 2009)
The Birthday Chronicle
TIMES Education - A Level Biology
TuneUp Utilities 2008
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VideoLAN VLC media player 0.8.6i
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Communication Foundation
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
WinPatrol 2009
WinRAR archiver

Mimo11
2009-04-03, 04:48
Sorry, I forgot to tell you how the computer's running.

The searches work fine - no more highjacks. Obviously Malwarebytes will open again. I haven't tried MRT. My System Restore is allowing me to create restore points (between installations/scans/uninstalls).

In terms of speed, it seems to be zipping along, less hesitation on opening of programs.

Thank you, Phil. You have been very patient, and a great help. Do you think I'm out of the woods?

pskelley
2009-04-03, 14:23
C:\lotus\org6\organize\iehelper.dll (Trojan.BHO) -> Quarantined and deleted successfully.
Any malware removal program can make an error, they are called "false positives". The MBAM database thinks that item is a trojan. MBAM places the item in quarantine where it will stay until you take some action. If you want to find out if the file is safe, do this.

1) To make sure you can see the file, show all files and folders for your Operating System, see this:
http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp

2) Though it should readily available in that quarantine folder.
Open the MBAM interface and click the Quarantine folder so you can see the file.

3) Use one or more of these free online scans to find out if it is a trojan.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/
If it is a valid file, you can highlite and retsore the item to the computer. (careful not to restore any bad files in quarantine)

4) You can also, if it is valid, add it to the Ignore List so it does not get removed when you scan again, and you can also report it as a False Positive under More Tools tab.

This can be done as time permits, but it is important.
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Flash Player 10 Plugin
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html

Java(TM) 6 Update 12
Java(TM) 6 Update 4
Java(TM) 6 Update 7
All out of date and unsafe:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php

I haven't tried MRT.
You can check it if you wish, should be OK now. At least you know how to run the tool if you wish to.

Do you think I'm out of the woods?
I think we are getting close

Here is some information to look over and it may help you help the computer run even better.
http://www.netsquirrel.com/msconfig/msconfig_xp.html
http://www.malwareremoval.com/tutorials/runningslowly.php
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/atwork/getstarted/speed.mspx

Let see if we can wrap up like this:

(complete the check for C:\lotus\org6\organize\iehelper.dll before you do this, if you returned it to the lotus folder and have not told MBAM to ignore it, MBAM will remove it again)

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, update it and run it once a month or so)

Update ESET Smart Security 3.0 and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.

If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
http://www.microsoft.com/windows/ie/community/columns/protection.mspx
Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/protect/computer/advanced/browsing.mspx