Thread: zlob.dnschanger

  1. #1
    Junior Member
    Join Date
    Dec 2008
    Posts
    3

    zlob.dnschanger

    Hi! Is this the HJT forum? Please advise....I don't want to post in the wrong forum.

    Ok, right forum. Here it is. Oh, I ran this a few weeks ago, and tried "fixing" things. R0 or R1's (2) probably Microsoft; 04 BHO "unknown" author; and I thought 10 INTERNATIONAL, but that's there under 11, maybe I didn't touch that.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:13:05 PM, on 12/25/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
    C:\Documents and Settings\Mona\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {6DFD889B-7F81-44C4-BC1F-06A857C01C41} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
    O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: ArmorIE - {0565CF3E-6070-4272-8EEF-51E5083BE3D9} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
    O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatieControl Object) - http://zone.msn.com/bingame/choc/def...b.1.0.0.15.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1202225674654
    O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://www.shockwave.com/content/dre...b.1.0.0.10.cab
    O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames...e.cab79352.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://www.shockwave.com/content/zen...b.1.0.0.10.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
    O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames...p.cab56961.cab
    O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GO333C~1\GOEC62~1.DLL
    O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Update Service (gupdate1c95c32ff115ffe) (gupdate1c95c32ff115ffe) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

    Alrighty, then!

    I see you are swamped daily. This is just in case I haven't given enough info. I've learned that what I have is: Also Known As: W32.Novarg.A@mm, W32/Mydoom@MM [McAfee], WORM_MIMAIL.R [Trend], Win32.Mydoom.A [Computer Assoc], W32/Mydoom-A [Sophos], I-Worm.Novarg [Kaspersky]; also DROPPER-7556 [WinClam]. I was actually reading about Mydoom.B...

    OK, SOME problems are: cannot update Windows; cannot download anything from Microsoft, F-Secure, etc...; cannot access various anti-spyware sites; computer thinks I have IE5 (I have IE7); and I cannot get into "Internet Options" through the Tools menu. (I forget how to access it, but I have...)
    My last Windows Update was 10/15/08.

    As soon as this thing realizes who you are, I won't be able to read this forum, either.
    Last edited by tashi; 2009-01-01 at 20:27. Reason: Merged three posts
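As an added example (not part of the post, and not code from HijackThis or its author), here is a small Python triage script that parses lines in the HijackThis log format shown above and flags the indicators the tool itself prints: "(no file)", "(file missing)", "(no CLSID)", an O6 policy-restrictions entry, and any O20 AppInit_DLLs entry. The sample log is constructed from the same entry types, and the rules are an assumption about what a reviewer looks at first, not a verdict on any particular entry.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99.1 log format, modelled on the entry
# types seen in the post above (not a copy of the posted log).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {6DFD889B-7F81-44C4-BC1F-06A857C01C41} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GO333C~1\GOEC62~1.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# Every HJT entry line starts with a section code (R0..R3, O1..O24), " - ", body.
ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d{1,2}) - (?P<body>.*)$")


@dataclass
class Finding:
    kind: str    # HJT section code, e.g. "O20"
    reason: str  # why a reviewer would look at this line first
    line: str    # the raw log line


# Triage rules keyed by section code: (predicate on the entry body, reason).
# These are review prompts (assumed here), not automatic "fix" decisions.
RULES = {
    "O2": [(lambda b: b.endswith("(no file)"),
            "BHO CLSID still registered but its DLL is gone (orphaned entry)")],
    "O6": [(lambda b: b.endswith("present"),
            "IE policy restrictions set; can hide Tools > Internet Options")],
    "O18": [(lambda b: "(no CLSID)" in b or "(no file)" in b,
             "protocol handler with no CLSID or file; review before fixing")],
    "O20": [(lambda b: b.startswith("AppInit_DLLs:"),
             "AppInit_DLLs loads into every user-mode process; verify publisher"),
            (lambda b: "(file missing)" in b,
             "Winlogon Notify package points to a DLL that is not on disk")],
    "O23": [(lambda b: "(file missing)" in b,
             "service image path points to a file that is not on disk")],
}


def parse_entries(text):
    """Yield (kind, body, raw_line) for every HJT entry line in the log."""
    for raw in text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group("kind"), m.group("body"), raw


def triage(text):
    """Return the entries that match a triage rule, in log order."""
    findings = []
    for kind, body, raw in parse_entries(text):
        for predicate, reason in RULES.get(kind, []):
            if predicate(body):
                findings.append(Finding(kind, reason, raw))
    return findings


def format_report(findings):
    """One line per finding: section code, reason, then the raw entry."""
    return [f"[{f.kind}] {f.reason}\n    {f.line}" for f in findings]


if __name__ == "__main__":
    print("\n".join(format_report(triage(SAMPLE_LOG))))
```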

  2. #2
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi

    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New HijackThis log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member
    Join Date
    Dec 2008
    Posts
    3

    blade81

    Thank you so much for responding!
    I'm trying to do as instructed, but I cannot find Recovery Console on my disk. I found a file named Recover.EX_-Filealyser in i386... I also don't know how to boot from the CD. It doesn't happen automatically when I boot with the disk inserted. Also, it tells me that what's on the computer is more recent than what's on the disk and the (do it anyway) button is not highlighted.
    I also need to learn how to do a backup. I have a flash drive, but I assumed that would take forever...and I don't want to infect it.
    I did update hjt and combofix...

  4. #4
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi

    I merged your topics. Please don't create a new thread for every reply. Use the "Post Reply" button to reply.

    Run ComboFix and it should ask if you want to install the Recovery Console. Allow it to do so. No need to play with OS media here.

  5. #5
    Junior Member
    Join Date
    Dec 2008
    Posts
    3

    Logs:

    G'day, mates!

    OK, first, to PM you, can I reply to your e-mail?

    I just got this used computer in August '08. At some point, I must have run Alter Ego; I'd sure like to undo that. I was using the free version of ThreatFire. I noticed in mid-November that when I press the Windows Update button, IE opens instead. Malwarebytes points Trojan.dnschanger to my satellite ISP (Dec. 08, 08.)
    I uninstalled ThreatFire and installed the Avast! free version. Since then, about 1/3 of the webpages I load do not completely load, and I have to reload them.

    I disabled Avast! and ran ComboFix. It said ThreatFire was still running. (That explains the webpages not loading.) It's not in my tray or in Task Manager processes, so, bewildered, I told CF to continue. It quarantined some files right away, but never said anything about the Recovery Console (that I saw.) If that links to Microsoft, downloading it probably wouldn't work, anyway. After reboot, it mentioned both (what are TF and Avast!, firewalls? Same thing as anti-spyware, right?) So I proceeded to delete all TF files except the main DLL (which won't), then resumed CF. The log isn't in said path, but here it is:

    ComboFix 09-01-02.01 - Bruce 2009-01-04 20:12:25.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.239.50 [GMT -6:00]
    Running from: c:\documents and settings\Mona\Desktop\ComboFix.exe
    AV: ThreatFire *On-access scanning enabled* (Updated)
    AV: avast! antivirus 4.8.1296 [VPS 090104-0] *On-access scanning disabled* (Updated)
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\test.txt
    c:\windows\system32\dumphive.exe
    c:\windows\system32\IEDFix.exe
    c:\windows\system32\SrchSTS.exe
    c:\windows\system32\VCCLSID.exe
    c:\windows\system32\WS2Fix.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
    .

    2009-01-04 00:39 . 2009-01-04 00:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Alawar Stargaze
    2008-12-28 20:57 . 2008-12-28 20:57 <DIR> d-------- c:\documents and settings\Mona\Application Data\Foxit
    2008-12-28 20:29 . 2008-12-28 20:29 <DIR> d-------- c:\program files\Defraggler
    2008-12-28 20:19 . 2008-12-28 20:24 <DIR> d-------- c:\program files\Piriform
    2008-12-28 19:35 . 2008-12-28 19:35 <DIR> d-------- c:\program files\NASA
    2008-12-27 05:29 . 2008-12-27 05:29 <DIR> d-------- c:\program files\HotHotSoftware
    2008-12-27 05:29 . 2004-03-09 00:00 1,081,616 --a------ c:\windows\system32\mscomctl.ocx
    2008-12-27 05:29 . 2000-07-16 16:20 185,856 --a------ c:\windows\system32\Bmp2Jpeg.dll
    2008-12-27 05:29 . 2004-03-09 00:00 152,848 --a------ c:\windows\system32\Comdlg32.ocx
    2008-12-27 05:29 . 2000-07-15 00:00 101,888 --a------ c:\windows\system32\VB6STKIT.DLL
    2008-12-18 09:25 . 2008-12-18 09:25 <DIR> d-------- c:\program files\Geekbench 2
    2008-12-17 07:10 . 2009-01-04 19:40 4,195,527 --a------ c:\windows\pfirewall.log.old
    2008-12-16 09:59 . 2008-12-16 10:14 <DIR> d-------- c:\program files\Safer Networking
    2008-12-16 09:18 . 2008-12-16 09:18 <DIR> d-------- c:\program files\Secunia
    2008-12-14 16:36 . 2008-12-14 16:51 <DIR> d-------- c:\program files\Security Task Manager
    2008-12-14 16:36 . 2008-12-14 16:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
    2008-12-14 07:30 . 2008-12-20 06:26 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-12-14 07:30 . 2008-12-16 02:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-13 23:21 . 2008-12-13 23:22 5,242,934 --a------ c:\windows\BGInfo.bmp
    2008-12-13 23:09 . 2008-12-13 23:10 4,826,994 --a------ c:\windows\system32\CAEJCFEVIB
    2008-12-13 02:10 . 2008-12-12 00:57 78,336 --a------ c:\windows\system32\Agent.OMZ.Fix.exe
    2008-12-13 01:45 . 2008-12-13 01:45 <DIR> d-------- c:\documents and settings\Mona\Application Data\Simply Super Software
    2008-12-13 01:45 . 2008-12-13 01:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
    2008-12-13 01:45 . 2006-05-25 14:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
    2008-12-13 01:45 . 2003-02-02 19:06 153,088 --a------ c:\windows\system32\unrar3.dll
    2008-12-13 01:45 . 2005-08-26 00:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
    2008-12-13 01:45 . 2002-03-06 00:00 75,264 --a------ c:\windows\system32\unacev2.dll
    2008-12-13 01:45 . 2006-06-19 12:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll
    2008-12-12 05:28 . 2008-12-12 05:28 23,040 --a------ c:\windows\system32\drivers\fsbts.sys
    2008-12-11 22:08 . 2008-12-11 22:08 <DIR> d-------- c:\program files\Common Files\Apple
    2008-12-11 22:07 . 2008-12-11 22:08 <DIR> d-------- c:\program files\QuickTime
    2008-12-10 08:17 . 2008-12-10 08:17 7,808 --a------ c:\windows\system32\drivers\psi_mf.sys
    2008-12-09 19:30 . 2008-12-09 19:33 8,628 --ah----- c:\windows\system32\JAVAPERM.GID
    2008-12-09 15:51 . 2008-12-09 15:51 <DIR> d-------- c:\program files\Alwil Software
    2008-12-09 15:51 . 2003-03-18 16:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
    2008-12-09 01:11 . 2008-12-09 01:11 <DIR> d-------- c:\program files\Smart Projects
    2008-12-08 16:17 . 2008-12-08 16:20 <DIR> d-------- c:\program files\Apple zips
    2008-12-08 14:54 . 2008-12-08 14:54 <DIR> d-------- c:\windows\Freecorder Toolbar
    2008-12-08 14:54 . 2008-12-08 14:54 <DIR> d-------- c:\program files\Conduit
    2008-12-08 14:53 . 2008-12-08 14:53 <DIR> d-------- c:\windows\Replay Converter 3
    2008-12-08 14:53 . 2008-12-08 14:53 <DIR> d-------- c:\windows\Applian FLV Player
    2008-12-08 14:53 . 2008-12-08 14:53 <DIR> d-------- c:\program files\JC Software
    2008-12-08 14:53 . 2008-12-15 09:46 <DIR> d-------- c:\documents and settings\Mona\dwhelper
    2008-12-08 14:52 . 2008-12-08 14:52 <DIR> d-------- c:\program files\CCleaner
    2008-12-08 14:52 . 2008-12-08 14:53 <DIR> d-------- C:\Inetpub
    2008-12-08 14:52 . 2008-12-08 14:52 <DIR> d-------- c:\documents and settings\Mona\Application Data\InstallShield
    2008-12-08 10:21 . 2008-12-09 07:53 <DIR> d-------- c:\program files\Replay Media Catcher
    2008-12-08 05:11 . 2008-12-10 16:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-12-08 05:11 . 2008-12-08 05:11 <DIR> d-------- c:\documents and settings\Mona\Application Data\Malwarebytes
    2008-12-08 05:11 . 2008-12-08 05:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-12-08 05:11 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-08 05:11 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-12-08 04:31 . 2008-12-08 04:31 1,888,682 --a------ c:\program files\instantmemorycleaner.zip
    2008-12-07 23:16 . 2008-12-07 23:16 <DIR> d-------- c:\windows\system32\msmq
    2008-12-07 02:01 . 2008-12-07 02:01 <DIR> d-------- c:\documents and settings\Mona\Application Data\Talkback
    2008-12-07 02:00 . 2008-12-08 12:28 <DIR> d-------- c:\documents and settings\Mona\Application Data\Thunderbird
    2008-12-07 01:51 . 2008-12-07 01:51 <DIR> d-------- c:\documents and settings\Mona\Application Data\GrabPro
    2008-12-07 01:50 . 2008-12-09 07:49 <DIR> d-------- c:\documents and settings\Mona\Application Data\Orbit
    2008-12-06 23:24 . 2008-12-08 14:52 <DIR> d-------- c:\program files\IrfanView
    2008-12-06 21:08 . 2008-12-08 15:50 <DIR> d-------- c:\documents and settings\Mona\Application Data\Apple Computer
    2008-12-05 01:49 . 2009-01-04 09:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-05 02:30 --------- d-----w c:\program files\ThreatFire
    2009-01-04 07:39 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-01-03 10:07 --------- d-----w c:\program files\TuneUp Utilities 2008
    2009-01-02 03:51 --------- d-----w c:\program files\Oberon Media
    2009-01-02 03:51 --------- d-----w c:\program files\MSN Games
    2008-12-15 23:38 --------- d-----w c:\program files\Minefield
    2008-12-15 13:33 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-12-15 13:25 --------- d-----w c:\program files\Shockwave.com
    2008-12-15 13:24 --------- d-----w c:\program files\Advanced System Optimizer
    2008-12-12 08:25 --------- d-----w c:\program files\Google
    2008-12-12 04:07 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
    2008-12-11 20:48 --------- d-----w c:\documents and settings\Mona\Application Data\ErrorSmart
    2008-12-08 10:35 841,728 ----a-w c:\program files\Setup.msi
    2008-12-08 06:33 533 ----a-w c:\program files\Shortcut to Windows Media Player.lnk
    2008-11-29 19:10 --------- d-----w c:\documents and settings\Mona\Application Data\TuneUp Software
    2008-11-29 19:08 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
    2008-11-29 19:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2008-11-29 06:26 --------- d-----w c:\documents and settings\Mona\Application Data\GlarySoft
    2008-11-29 03:12 --------- d-----w c:\program files\Selectsoft
    2008-11-25 11:26 --------- d-----w c:\documents and settings\Mona\Application Data\Super-Cow
    2008-11-18 13:20 --------- d-----w c:\documents and settings\Mona\Application Data\Oberon Games
    2008-11-18 13:20 --------- d-----w c:\documents and settings\All Users\Application Data\Oberon Games
    2008-11-17 23:48 --------- d-----w c:\program files\Nick Arcade
    2008-11-17 20:05 12,576 ----a-w c:\windows\system32\drivers\TfKbMon.sys
    2008-11-12 15:39 --------- d-----w c:\documents and settings\All Users\Application Data\MumboJumbo
    2008-11-11 00:00 --------- d-----w c:\program files\Common Files\AVSMedia
    2008-11-09 15:08 --------- d-----w c:\program files\The Weather Channel FW
    2008-11-09 15:00 --------- d-----w c:\program files\Real
    2008-11-09 15:00 --------- d-----w c:\program files\Common Files\xing shared
    2008-11-09 15:00 --------- d-----w c:\program files\Common Files\Real
    2008-11-05 23:25 --------- d-----w c:\documents and settings\Mona\Application Data\PlayFirst
    2008-11-05 23:25 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
    2008-11-05 02:29 --------- d-----w c:\documents and settings\Mona\Application Data\iWin
    2008-10-28 20:28 9,786,348 ----a-w c:\program files\SysinternalsSuite.zip
    2008-10-27 23:00 18,432 ----a-w c:\windows\ss3unstl.exe
    2008-09-18 19:12 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091820080919\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-08-20 155648]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 118784]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-09 185872]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsNetHood"= 0 (0x0)

    [HKLM\~\startupfolder\C:^Documents and Settings^Mona^Start Menu^Programs^Startup^MemTurbo.lnk]
    backup=c:\windows\pss\MemTurbo.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\mmc.exe"=

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-09 111184]
    R3 WMP110;Linksys WMP110 RangePlus Wireless PCI Adapter Service;c:\windows\system32\drivers\WMP110.sys [2008-09-23 1299520]
    R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-09 20560]
    S3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-12-06 30192]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-12-10 7808]
    S4 gupdate1c95c32ff115ffe;Google Update Service (gupdate1c95c32ff115ffe);c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 119280]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7845e49f-d87b-11dd-ba9f-001ee5fbaa73}]
    \Shell\AutoRun\command - e:\portableapps\PortableAppsMenu\PortableAppsMenu.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-02 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 09:09]

    2008-12-29 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2008-07-18 10:08]

    2009-01-05 c:\windows\Tasks\GoogleUpdateTaskMachine.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 02:23]

    2009-01-04 c:\windows\Tasks\RegCure Program Check.job
    - c:\program files\RegCure\RegCure.exe [2008-04-21 15:21]

    2008-12-18 c:\windows\Tasks\RegCure.job
    - c:\program files\RegCure\RegCure.exe [2008-04-21 15:21]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

    c:\windows\Downloaded Program Files\dream.1.0.0.10.dll - O16 -: {775879E2-7309-4619-BB02-AADE41F4B690}
    hxxp://www.shockwave.com/content/dreamchronicles/sis/dreamweb.1.0.0.10.cab
    c:\windows\Downloaded Program Files\dream.1.0.0.10.inf

    c:\windows\Downloaded Program Files\zenerchi.1.0.0.10.dll - O16 -: {BAC761D3-DFFD-4DB4-A01D-173346E090A7}
    hxxp://www.shockwave.com/content/zenerchi/sis/ZenerchiWeb.1.0.0.10.cab
    c:\windows\Downloaded Program Files\zenerchi.1.0.0.10.inf
    .
    .
    ------- File Associations -------
    .
    VBSFile=%WINDIR%\System32\CScript.exe //nologo "%1" %*
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-04 20:35:14
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\B*NULL*u*NULL*r*NULL*g*NULL*e*NULL*r*NULL* *NULL*I*NULL*s*NULL*l*NULL*a*NULL*n*NULL*d*NULL*"!]
    "Changed"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\C*NULL*h*NULL*o*NULL*c*NULL*o*NULL*l*NULL*a*NULL*t*NULL*i*NULL*e*NULL*r*NULL*®*NULL* *NULL*2*NULL*:*NULL* *NULL*S*NULL*e*NULL*c*NULL*r*NULL*e*NULL*t*NULL* *NULL*I*NULL*n*NULL*g*NULL*r*NULL*e*NULL*d*NULL*i*NULL*e*NULL*n*NULL*t*NULL*s*NULL*"!]
    "Changed"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Z*NULL*e*NULL*n*NULL*e*NULL*r*NULL*c*NULL*h*NULL*i*NULL*"!]
    "Changed"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\B*NULL*u*NULL*r*NULL*g*NULL*e*NULL*r*NULL* *NULL*I*NULL*s*NULL*l*NULL*a*NULL*n*NULL*d*NULL*"!]
    "DisplayName"="Burger Island™"
    "UninstallString"="c:\\PROGRA~1\\SHOCKW~1.COM\\BURGER~2\\UNWISE.EXE c:\\PROGRA~1\\SHOCKW~1.COM\\BURGER~2\\INSTALL.LOG"
    "DisplayVersion"="32.0.0.0"
    "HelpLink"="http://www.shockwave.com/help/contact_us.jsp"
    "Publisher"="Shockwave.com"
    "URLInfoAbout"="http://www.shockwave.com/help/contact_us.jsp"
    "Contact"="Customer Support"
    "Comments"=""

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\C*NULL*h*NULL*o*NULL*c*NULL*o*NULL*l*NULL*a*NULL*t*NULL*i*NULL*e*NULL*r*NULL*®*NULL* *NULL*2*NULL*:*NULL* *NULL*S*NULL*e*NULL*c*NULL*r*NULL*e*NULL*t*NULL* *NULL*I*NULL*n*NULL*g*NULL*r*NULL*e*NULL*d*NULL*i*NULL*e*NULL*n*NULL*t*NULL*s*NULL*"!]
    "DisplayName"="Chocolatier® 2: Secret Ingredients™"
    "UninstallString"="c:\\PROGRA~1\\SHOCKW~1.COM\\CHOCOL~1\\UNWISE.EXE c:\\PROGRA~1\\SHOCKW~1.COM\\CHOCOL~1\\INSTALL.LOG"
    "DisplayVersion"="32.0.0.0"
    "HelpLink"="http://www.shockwave.com/help/contact_us.jsp"
    "Publisher"="Shockwave.com"
    "URLInfoAbout"="http://www.shockwave.com/help/contact_us.jsp"
    "Contact"="Customer Support"
    "Comments"=""

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\Z*NULL*e*NULL*n*NULL*e*NULL*r*NULL*c*NULL*h*NULL*i*NULL*"!]
    "DisplayName"="Zenerchi™"
    "UninstallString"="c:\\PROGRA~1\\SHOCKW~1.COM\\Zenerchi\\UNWISE.EXE c:\\PROGRA~1\\SHOCKW~1.COM\\Zenerchi\\INSTALL.LOG"
    "DisplayVersion"="32.0.0.0"
    "HelpLink"="http://www.shockwave.com/help/contact_us.jsp"
    "Publisher"="Shockwave.com"
    "URLInfoAbout"="http://www.shockwave.com/help/contact_us.jsp"
    "Contact"="Customer Support"
    "Comments"=""
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-01-04 20:39:30 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-01-05 02:39:25

    Pre-Run: 28,285,603,840 bytes free
    Post-Run: 28,741,492,736 bytes free

    309 --- E O F --- 2008-10-29 06:47:41



    Now, HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:47:45 AM, on 1/5/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Mona\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {6DFD889B-7F81-44C4-BC1F-06A857C01C41} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
    O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: ArmorIE - {0565CF3E-6070-4272-8EEF-51E5083BE3D9} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
    O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatieControl Object) - http://zone.msn.com/bingame/choc/def...b.1.0.0.15.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1202225674654
    O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://www.shockwave.com/content/dre...b.1.0.0.10.cab
    O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames...e.cab79352.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://www.shockwave.com/content/zen...b.1.0.0.10.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
    O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames...p.cab56961.cab
    O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Update Service (gupdate1c95c32ff115ffe) (gupdate1c95c32ff115ffe) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

    --
    End of file - 6074 bytes


    After running CF, I noticed a huge speed improvement! I'm thankful I don't have (VirtuMunde). Do you know where it comes from, so I can avoid it?

    OK, let's bow our heads....(Thank You)


    (What would I be rating below, my degree of satisfaction? Of results? General reading? Cuteness of emoticons?)
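    The "SlowInfoCache" values in the ComboFix dump above are REG_BINARY blobs that Add/Remove Programs keeps under ARPCache for each installed application. The readable part is the UTF-16 path of the program's executable, which is how a reader can tell what a key with a *NULL*-mangled name actually refers to (here the Shockwave.com games). As an added Python example, not code from the forum or from ComboFix, the snippet below joins the .reg-style continuation lines, decodes the blob and reports the path and last-used time. The field layout assumed here (cbSize, HasName, InstallSize, LastUsed as a FILETIME, Frequency, then a 262-character path) is the commonly documented one for this value; the hex is the first six lines of the Zenerchi entry from the log, with the trailing zero padding left out.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Hex copied from the ComboFix dump above (first six continuation lines of
# the Zenerchi ARPCache entry); the remaining zero padding is omitted.
REG_SNIPPET = r'''
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,20,28,01,00,00,00,00,2a,d4,f5,\
8f,01,0f,c9,01,07,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,\
61,00,6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,53,00,68,00,6f,00,63,\
00,6b,00,77,00,61,00,76,00,65,00,2e,00,63,00,6f,00,6d,00,5c,00,5a,00,65,00,\
6e,00,65,00,72,00,63,00,68,00,69,00,5c,00,5a,00,65,00,6e,00,65,00,72,00,63,\
00,68,00,69,00,2e,00,65,00,78,00,65,00,00,00,00,00,00,00,00,00,00,00,00,00
"Changed"=dword:00000000
'''


def reg_hex_bytes(snippet, value_name):
    """Return the bytes of a REG_BINARY value from .reg-style text.

    Continuation lines end in a backslash; they are joined before the
    comma-separated hex pairs are parsed.
    """
    joined = snippet.replace("\\\n", "")
    pattern = r'"%s"=hex:([0-9a-fA-F,\s]+)' % re.escape(value_name)
    m = re.search(pattern, joined)
    if not m:
        raise ValueError("value %r not found" % value_name)
    pairs = re.sub(r"\s", "", m.group(1)).split(",")
    return bytes(int(h, 16) for h in pairs if h)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_slow_info_cache(blob):
    """Decode a SlowInfoCache blob using the commonly documented layout
    (assumed here): cbSize, HasName, InstallSize, LastUsed, Frequency, Name.
    The path is a NUL-terminated UTF-16LE string starting at offset 28."""
    if len(blob) < 28:
        raise ValueError("blob too short for SlowInfoCache header")
    cb_size, has_name, install_size, last_used, frequency = struct.unpack_from(
        "<IIQQI", blob, 0)
    name_raw = blob[28:]
    name_raw = name_raw[: len(name_raw) - (len(name_raw) % 2)]  # whole code units only
    name = name_raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "cb_size": cb_size,
        "has_name": has_name,
        "install_size": install_size,
        "last_used": filetime_to_datetime(last_used),
        "frequency": frequency,
        "name": name,
    }


if __name__ == "__main__":
    info = parse_slow_info_cache(reg_hex_bytes(REG_SNIPPET, "SlowInfoCache"))
    for key, value in info.items():
        print("%-13s %s" % (key, value))
```

    The same parser works on any ARPCache entry in a ComboFix or regedit export: if the decoded path points somewhere other than Program Files, or the key name is mangled in a way that does not match the path, that entry deserves a closer look.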

  6. #6
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi

    I don't do logs or any kind of helping thru email, just at forums

    what are TF and Avast!, firewalls? Same thing as anti-spyware, right?
    Both are antivirus programs.


    Start hjt, do a system scan, check (if found):
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {6DFD889B-7F81-44C4-BC1F-06A857C01C41} - (no file)
    O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)

    Close browsers and fix checked.




    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    * Go here to run an online scanner from ESET.
    • Note: You will need to use Internet explorer for this scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Click Start
    • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
    • Click Scan
    • Wait for the scan to finish
    • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
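    The entries Blade81 asks to fix are orphans rather than active infections: two R0 values with nothing after the equals sign, a BHO with no name whose file is gone, and an O18 protocol handler with neither a CLSID nor a file. Cleaning them removes registrations that nothing backs any more and leaves a tidier log for the next scan. As an added illustration, not a HijackThis feature, the Python snippet below applies exactly those three rules to lines taken from the log posted above, with a few benign lines included as a control, and lists the entries a helper would tick.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted above,
# mixed with benign entries so the check has something to let through.
SAMPLE_HJT_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {6DFD889B-7F81-44C4-BC1F-06A857C01C41} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# HijackThis entries start with a section code (R0, R1, O2, O18, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


def classify_entry(line):
    """Return a reason string if the entry is an orphan worth fixing, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body").rstrip()
    # R0/R1: an Internet Explorer registry value with nothing after "=".
    if section.startswith("R") and body.endswith("="):
        return "empty IE registry value"
    # O2/O18 and friends: a registration whose backing file no longer exists.
    if body.endswith("(no file)"):
        if "(no CLSID)" in body:
            return "handler registered with no CLSID and no file"
        return "registered component whose file is missing"
    return None


def find_orphans(log_text):
    """Return (line, reason) pairs for every orphan entry in a HijackThis log."""
    found = []
    for line in log_text.splitlines():
        reason = classify_entry(line)
        if reason:
            found.append((line.strip(), reason))
    return found


if __name__ == "__main__":
    for entry, why in find_orphans(SAMPLE_HJT_LOG):
        print("%-45s %s" % (why, entry))
```

    The point of keeping the rules this narrow is that an entry with a real file behind it (the Acrobat BHO, the avast! service) needs a judgement call on the file itself; only entries that point at nothing can be ticked mechanically.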

  7. #7
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Due to inactivity, this thread will now be closed.

    Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
