MS-MVP Windows Security 2006,2007,2008 & 2009
ASAP member since 2004
So how do I turn off "script blocking"?
Just disable your AV.
So I'm gonna disable AV anti-virus, TeaTimer and Windows firewall. Thanks.
Post back when done
Ok, I'm done with the combo fix.
Please advise on the next step.
Thanks.
Here is the ComboFix log and the new HijackThis log:
ComboFix 08-02-20.1 - Family 2008-02-20 11:53:42.2 - NTFSx86
Running from: C:\Documents and Settings\Family\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.
2008-02-16 12:36 . 2008-02-16 12:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-16 12:36 . 2008-02-16 12:36 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Malwarebytes
2008-02-16 12:36 . 2008-02-16 12:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-14 00:53 . 2008-02-15 18:59 <DIR> d-------- C:\Documents and Settings\Family\Contacts
2008-02-14 00:37 . 2008-02-14 00:37 268 --ah----- C:\sqmdata00.sqm
2008-02-14 00:37 . 2008-02-14 00:37 244 --ah----- C:\sqmnoopt00.sqm
2008-02-14 00:24 . 2008-02-14 00:24 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-14 00:23 . 2008-02-14 00:24 <DIR> d-------- C:\Program Files\MSN Messenger
2008-02-13 23:55 . 2008-02-13 23:55 <DIR> d-------- C:\Documents and Settings\Family\Application Data\PlayFirst
2008-02-13 23:04 . 2008-02-13 23:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GameHouse
2008-02-12 23:19 . 2008-02-12 23:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pixelStorm
2008-02-12 22:58 . 2008-02-12 22:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2008-02-09 01:50 . 2008-02-09 01:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-09 01:49 . 2008-02-09 01:49 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-08 23:28 . 2008-02-08 23:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-08 18:52 . 2008-02-08 18:52 <DIR> d-------- C:\Program Files\Windows Live
2008-02-08 18:52 . 2008-02-08 19:12 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-08 18:51 . 2008-02-08 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-06 02:27 . 2008-02-06 12:55 <DIR> d-------- C:\Documents and Settings\Family\Application Data\LimeWire
2008-02-06 00:49 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-06 00:46 . 2008-02-06 00:49 <DIR> d-------- C:\Program Files\Java
2008-02-06 00:06 . 2008-02-06 00:06 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-05 23:00 . 2008-02-05 23:46 <DIR> d-------- C:\Program Files\LimeWire 4.16.4
2008-02-05 17:35 . 2008-02-05 17:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-05 17:35 . 2008-02-05 18:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-04 18:41 . 2008-02-04 18:41 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Sonic
2008-02-04 18:09 . 2008-02-04 18:09 <DIR> d-------- C:\Program Files\RecordNow!
2008-02-04 18:05 . 2008-02-04 18:05 <DIR> d-------- C:\Documents and Settings\Family\Application Data\CyberLink
2008-02-04 18:02 . 2008-02-04 18:02 <DIR> d-------- C:\Program Files\CyberLink
2008-02-04 18:02 . 2008-02-04 18:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-04 18:01 . 2008-02-04 18:02 <DIR> d-------- C:\Program Files\PowerDVD
2008-02-04 17:53 . 2008-02-04 17:53 <DIR> d-------- C:\Program Files\MUSICMATCH Update
2008-02-04 17:53 . 2008-02-04 17:54 28,276 --a------ C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-02-04 17:51 . 2008-02-07 17:41 <DIR> d-------- C:\Program Files\MUSICMATCH Jukebox
2008-02-04 17:42 . 2008-02-04 17:43 <DIR> d-------- C:\Program Files\MediaFACE
2008-02-04 17:36 . 2008-02-04 17:36 <DIR> d-------- C:\Documents and Settings\Family\Application Data\DivX
2008-02-04 17:25 . 1999-04-23 21:22 26,768 --a------ C:\WINDOWS\system\ctl3d.dll
2008-02-04 17:22 . 2008-02-04 17:25 <DIR> d-------- C:\WINDOWS\MVUNINST
2008-02-04 17:22 . 2008-02-04 17:22 <DIR> d-------- C:\Program Files\Printscape
2008-02-04 16:57 . 2008-02-04 16:57 <DIR> d-------- C:\Program Files\DivX
2008-02-04 16:21 . 2008-02-04 16:22 <DIR> d-------- C:\Program Files\DivX 4 Windows
2008-02-04 16:21 . 2007-12-04 11:38 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2008-02-04 16:21 . 2007-12-04 11:38 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2008-02-04 16:14 . 2008-02-04 16:14 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Apple Computer
2008-02-04 16:13 . 2008-02-04 16:13 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-02-04 16:13 . 2008-02-04 16:13 <DIR> d-------- C:\Program Files\QuickTime
2008-02-04 16:13 . 2008-02-04 16:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2008-02-04 16:13 . 1999-11-10 12:05 86,016 --a------ C:\WINDOWS\unvise32qt.exe
2008-02-04 16:12 . 2008-02-04 16:12 <DIR> d-------- C:\Program Files\iTunes
2008-02-04 16:12 . 2008-02-04 16:12 <DIR> d-------- C:\Program Files\iPod
2008-02-04 16:12 . 2008-02-04 16:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-04 16:11 . 2008-02-04 16:11 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-04 16:09 . 2008-02-04 16:10 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Vso
2008-02-04 15:38 . 2008-02-04 15:41 <DIR> d-------- C:\Program Files\Winamp 5 52
2008-02-04 15:38 . 2008-02-04 15:49 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Winamp 5 52
2008-02-04 15:31 . 2008-02-04 15:36 <DIR> d-------- C:\Program Files\RipIt 4 Me
2008-02-04 15:31 . 2008-02-04 15:33 <DIR> d-------- C:\Documents and Settings\Family\Application Data\RipIt4Me
2008-02-04 15:27 . 2008-02-04 15:31 <DIR> d-------- C:\Program Files\FLV Downloader
2008-02-04 15:27 . 2008-02-04 15:27 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Moyea
2008-02-04 14:51 . 2008-02-04 15:32 <DIR> d-------- C:\Program Files\DVDFab HD Decrypter 4
2008-02-04 14:50 . 2008-02-04 14:50 <DIR> d-------- C:\Program Files\DVDFab FreeDVD
2008-02-04 14:49 . 2008-02-04 14:49 <DIR> d-------- C:\Program Files\FixVTS
2008-02-04 14:45 . 2008-02-04 14:45 <DIR> d-------- C:\Program Files\DVD Shrink
2008-02-04 14:45 . 2008-02-07 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-04 14:42 . 2008-02-04 14:42 <DIR> d-------- C:\Program Files\CCleaner 2 03
2008-02-04 14:07 . 2008-02-04 14:41 <DIR> d-------- C:\Downloads
2008-02-04 14:07 . 2008-02-04 14:07 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-02-04 14:06 . 2008-02-04 14:41 <DIR> d-------- C:\Program Files\BitComet 0 98
2008-02-04 14:01 . 2008-02-04 14:01 <DIR> d-------- C:\Program Files\Belarc
2008-02-04 14:01 . 2005-04-07 16:18 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
2008-02-04 13:54 . 2008-02-04 13:55 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-04 13:54 . 2008-02-04 13:54 <DIR> d-------- C:\Program Files\Adobe Reader 8.0
2008-01-30 17:09 . 2008-01-30 17:09 <DIR> d-------- C:\Documents and Settings\Family\Application Data\COWON
2008-01-30 17:07 . 2008-01-30 17:07 <DIR> d-------- C:\Program Files\Common Files\COWON
2008-01-30 17:06 . 2008-02-04 18:02 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-01-30 17:05 . 2008-02-04 08:18 <DIR> d-------- C:\Program Files\Jet Audio
2008-01-30 17:03 . 2008-02-04 17:49 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-01-30 07:36 . 2008-01-30 08:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-29 15:22 . 2005-06-28 09:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-29 13:08 . 2008-01-29 13:08 2,422 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-28 23:50 . 2008-02-04 07:47 <DIR> d-------- C:\Documents and Settings\Family\Application Data\FaxCtr
2008-01-28 23:46 . 2008-02-20 10:51 <DIR> d-------- C:\Program Files\lx_cats
2008-01-28 23:45 . 2007-02-22 15:31 344,064 --a------ C:\WINDOWS\system32\lxcycoin.dll
2008-01-28 23:45 . 2006-03-23 01:33 40,960 --a------ C:\WINDOWS\system32\lxcyvs.dll
2008-01-28 23:44 . 2006-08-08 12:58 692,224 --a------ C:\WINDOWS\system32\lxcydrs.dll
2008-01-28 23:44 . 2001-08-17 22:36 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2008-01-28 23:44 . 2001-08-17 22:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2008-01-28 23:44 . 2006-08-14 14:07 65,536 --a------ C:\WINDOWS\system32\lxcycaps.dll
2008-01-28 23:44 . 2006-01-25 15:11 61,440 --a------ C:\WINDOWS\system32\lxcycnv4.dll
2008-01-28 23:44 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-28 23:44 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-28 23:43 . 2006-04-28 02:16 339,968 --a------ C:\WINDOWS\system32\IMGMAN32.DLL
2008-01-28 23:43 . 2006-04-28 02:16 98,345 --a------ C:\WINDOWS\system32\IMHOST32.DLL
2008-01-28 23:43 . 2006-04-28 02:16 98,304 --a------ C:\WINDOWS\system32\IM31XPNG.DEL
2008-01-28 23:43 . 2006-04-28 02:16 69,632 --a------ C:\WINDOWS\system32\IM31XTIF.DEL
2008-01-28 23:43 . 2006-04-28 02:16 49,152 --a------ C:\WINDOWS\system32\IM31IMG.DIL
2008-01-28 23:43 . 2006-11-22 06:51 45,056 --a------ C:\WINDOWS\system32\LXPRMON.DLL
2008-01-28 23:43 . 2006-11-22 06:50 32,768 --a------ C:\WINDOWS\system32\LXPMONUI.DLL
2008-01-28 23:43 . 2006-11-22 07:08 12,288 --a------ C:\WINDOWS\system32\LXPMONRC.DLL
2008-01-28 23:42 . 2008-01-28 23:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FaxCtr
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 23:59 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-04 18:38 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-12-04 18:38 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-12-04 18:38 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-12-04 18:36 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 18:36 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 18:36 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-04 18:36 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 18:36 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-04 18:36 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-04 18:36 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-04 18:36 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-04 18:36 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-04 18:36 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-04 18:36 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-04 18:36 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-04 18:35 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-04 18:35 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.
------- Sigcheck -------
"C:\WINDOWS\system32\svchost.exe"
----a-w 14,336 2006-02-28 12:00:00 C:\WINDOWS\system32\svchost.exe
-c--a-w 14,336 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\svchost.exe
"C:\WINDOWS\system32\ws2_32.dll"
----a-w 82,944 2006-02-28 12:00:00 C:\WINDOWS\system32\ws2_32.dll
-c--a-w 82,944 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\ws2_32.dll
"C:\WINDOWS\system32\wininet.dll"
----a-w 656,384 2006-02-28 12:00:00 C:\WINDOWS\system32\wininet.dll
-c--a-w 656,384 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wininet.dll
"C:\WINDOWS\system32\drivers\tcpip.sys"
----a-w 360,832 2007-10-30 16:53:32 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
-c----w 359,040 2006-02-28 12:00:00 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
-c--a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\dllcache\tcpip.sys
----a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\drivers\tcpip.sys
"C:\WINDOWS\system32\winlogon.exe"
----a-w 502,272 2006-02-28 12:00:00 C:\WINDOWS\system32\winlogon.exe
-c--a-w 502,272 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\winlogon.exe
"C:\WINDOWS\system32\drivers\ndis.sys"
-c--a-w 182,912 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\ndis.sys
----a-w 182,912 2006-02-28 12:00:00 C:\WINDOWS\system32\drivers\ndis.sys
"C:\WINDOWS\system32\drivers\ip6fw.sys"
-c--a-w 29,056 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\ip6fw.sys
----a-w 29,056 2006-02-28 12:00:00 C:\WINDOWS\system32\drivers\ip6fw.sys
"C:\WINDOWS\system32\ntkrnlpa.exe"
----a-w 2,059,392 2007-02-28 09:15:56 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
------w 2,057,600 2007-02-28 08:38:55 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
----a-w 2,056,832 2006-02-28 12:00:00 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\backup\sp2gdr\ntkrnlpa.exe
----a-w 2,056,832 2004-08-04 05:59:00 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\backup\sp2qfe\ntkrnlpa.exe
----a-w 2,056,832 2006-02-28 12:00:00 C:\WINDOWS\system32\ntkrnlpa.exe
-c----w 2,057,600 2007-02-28 08:38:55 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
"C:\WINDOWS\system32\ntoskrnl.exe"
----a-w 2,182,144 2007-02-28 09:55:14 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
------w 2,180,352 2007-02-28 09:10:57 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
----a-w 2,180,992 2006-02-28 12:00:00 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\backup\sp2gdr\ntoskrnl.exe
----a-w 2,180,992 2004-08-04 06:20:00 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\backup\sp2qfe\ntoskrnl.exe
----a-w 2,180,992 2006-02-28 12:00:00 C:\WINDOWS\system32\ntoskrnl.exe
-c----w 2,180,352 2007-02-28 09:10:57 C:\WINDOWS\system32\dllcache\ntoskrnl.exe
"C:\WINDOWS\explorer.exe"
----a-w 1,033,216 2007-06-13 10:23:07 C:\WINDOWS\explorer.exe
----a-w 1,033,216 2007-06-13 11:26:03 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
-c----w 1,032,192 2006-02-28 12:00:00 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
-c--a-w 1,033,216 2007-06-13 10:23:07 C:\WINDOWS\system32\dllcache\explorer.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00 15360]
"AOL Fast Start"="C:\Program Files\AOL 9.0\AOL.exe" [2007-04-17 23:48 50736]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="C:\Program Files\Common Files\AOL\1201572665\ee\AOLSoftware.exe" [2006-09-25 17:52 50736]
"AVG7_CC"="C:\PROGRA~1\AVG7\avgcc.exe" [2008-01-28 21:05 579072]
"LXCYCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 10:27 106496]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 05:00 15360]
"AVG7_Run"="C:\PROGRA~1\AVG7\avgw.exe" [2008-01-28 21:05 219136]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
--a------ 2007-06-25 07:34 82608 C:\Program Files\Lexmark 3400 Series\ezprint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
--a------ 2007-06-25 07:35 295600 C:\Program Files\Lexmark Fax Solutions\fm3032.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcymon.exe]
--a------ 2007-06-25 07:34 291504 C:\Program Files\Lexmark 3400 Series\lxcymon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
S2 lxcy_device;lxcy_device;C:\WINDOWS\system32\lxcycoms.exe [2007-06-20 03:28]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2006-02-28 05:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2006-02-28 05:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2006-02-28 05:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2006-02-28 05:00]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 11:57:54
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
**************************************************************************
.
Completion time: 2008-02-20 12:00:39
ComboFix2.txt 2008-02-20 17:45:07
.
2008-01-31 02:47:13 --- E O F ---
Note: The HijackThis log is too long; I'll post it in another message.
Thanks.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:48 PM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.screenname.aol.com/_cqr/l...&seamless=novl
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\FLV Downloader\MoyeaCth.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1201572665\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/def...s.1.0.0.39.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames...1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames...l.cab56649.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/def...utLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
--
End of file - 6321 bytes
Please advise on the next step.
Thanks.
Let's run an F-Secure online scan.
- Click HERE
- Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
- Allow the ActiveX control to be installed on your computer, then click the Accept button
- Click Full System Scan and allow the components to download and the scan to complete.
- If malware is found, check Submit samples to F-Secure then select Automatic cleaning
- When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
- Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
- When the cleaning option is presented, Uncheck Submit samples to F-Secure
- Click Automatic cleaning
- When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
- Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Note: This scan will only work with Internet Explorer.
You must be logged on with administrator rights to run this scan.
The scan may take a few hours.