HiJackThis Log

pskelley · Dec 9, 2008

SoundMovieServer <<< can you tell me this item is safe and that you know it?

Limewire will be removed, if you do not agree, we can not continue.

Please read and follow the directions carefully and in the numbered order.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:

Code:

File::
c:\windows\system32\TDSSqxgx.dll

Folder::
c:\program files\mypoints
c:\program files\PremierOpinion
C:\Documents and Settings\Susan Chew\My Documents\LimeWire

Save this as CFScript

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [PremierOpinion] C:\Program Files\PremierOpinion\pmropn.exe -boot
O4 - Startup: LimeWire On Startup.lnk = C:\Documents and Settings\Susan Chew\My Documents\LimeWire\LimeWire.exe
O16 - DPF: {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - http://www.infospace.com/mypoints.ma...ointsSetup.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

No need to download again, but we need to get it to run, let me know.

Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

For combofix, please navigate to where this was in the combofix information:

c:\windows\system32\winlogon.exe . . . is infected!!

(((((((((((((( Drivers/Services ))))))))))))

and make sure the item in RED is not there this time, let me know this in the post.

If the MBAM log is extremely log, you may attach it.

Thanks...Phil

achalk · Dec 9, 2008

>> SoundMovieServer <<< can you tell me this item is safe and that you know it?

No. I have disabled the service.

A quick google search on the file name does not indictae which useful program it is part of.

achalk · Dec 9, 2008

Combofix step

Ran Combofix again. log below:
ComboFix 08-12-07.04 - Susan Chew 2008-12-09 11:25:05.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.452 [GMT -6:00]
Running from: c:\documents and settings\Susan Chew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Susan Chew\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\TDSSqxgx.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Susan Chew\My Documents\LimeWire
c:\documents and settings\Susan Chew\My Documents\LimeWire\.NetworkShare\LimeWirePackedJars4.10.2.7z
c:\documents and settings\Susan Chew\My Documents\LimeWire\.NetworkShare\LimeWireWin4.10.2.exe
c:\documents and settings\Susan Chew\My Documents\LimeWire\clink.jar
c:\documents and settings\Susan Chew\My Documents\LimeWire\commons-httpclient.jar
c:\documents and settings\Susan Chew\My Documents\LimeWire\commons-logging.jar
c:\documents and settings\Susan Chew\My Documents\LimeWire\commons-net.jar
c:\documents and settings\Susan Chew\My Documents\LimeWire\daap.jar
c:\documents and settings\Susan Chew\My Documents\LimeWire\data.ser
c:\documents and settings\Susan Chew\My Documents\LimeWire\donotremove.htm
c:\documents and settings\Susan Chew\My Documents\LimeWire\GenericWindowsUtils.dll
c:\documents and settings\Susan Chew\My Documents\LimeWire\hashes
c:\documents and settings\Susan Chew\My Documents\LimeWire\hs_err_pid1052.log
c:\documents and settings\Susan Chew\My Documents\LimeWire\hs_err_pid1712.log
c:\documents and settings\Susan Chew\My Documents\LimeWire\hs_err_pid1900.log
c:\documents and settings\Susan Chew\My Documents\LimeWire\hs_err_pid4944.log
c:\documents and settings\Susan Chew\My Documents\LimeWire\hs_err_pid528.log
c:\documents and settings\Susan Chew\My Documents\LimeWire\i18n.jar
c:\documents and settings\Susan Chew\My Documents\LimeWire\icu4j.jar
c:\documents and settings\Susan Chew\My Documents\LimeWire\id3v2.jar
c:\documents and settings\Susan Chew\My Documents\LimeWire\install.log
c:\documents and settings\Susan Chew\My Documents\LimeWire\jcraft.jar
c:\documents and settings\Susan Chew\My Documents\LimeWire\jl011.jar
c:\documents and settings\Susan Chew\My Documents\LimeWire\jmdns.jar
c:\documents and settings\Susan Chew\My Documents\LimeWire\language.prop
c:\documents and settings\Susan Chew\My Documents\LimeWire\LimeWire On Startup.lnk
c:\documents and settings\Susan Chew\My Documents\LimeWire\LimeWire.exe
c:\documents and settings\Susan Chew\My Documents\LimeWire\LimeWire.ico
c:\documents and settings\Susan Chew\My Documents\LimeWire\LimeWire.jar
c:\documents and settings\Susan Chew\My Documents\LimeWire\LimeWire20.dll
c:\documents and settings\Susan Chew\My Documents\LimeWire\log.txt
c:\documents and settings\Susan Chew\My Documents\LimeWire\log4j.jar
c:\documents and settings\Susan Chew\My Documents\LimeWire\log4j.properties
c:\documents and settings\Susan Chew\My Documents\LimeWire\logicrypto.jar
c:\documents and settings\Susan Chew\My Documents\LimeWire\looks.jar
c:\documents and settings\Susan Chew\My Documents\LimeWire\MessagesBundle.properties
c:\documents and settings\Susan Chew\My Documents\LimeWire\MessagesBundles.jar
c:\documents and settings\Susan Chew\My Documents\LimeWire\mp3sp14.jar
c:\documents and settings\Susan Chew\My Documents\LimeWire\pmf.ico
c:\documents and settings\Susan Chew\My Documents\LimeWire\ProgressTabs.jar
c:\documents and settings\Susan Chew\My Documents\LimeWire\root\magnet10\badge.img
c:\documents and settings\Susan Chew\My Documents\LimeWire\root\magnet10\canHandle.img
c:\documents and settings\Susan Chew\My Documents\LimeWire\root\magnet10\limewire.gif
c:\documents and settings\Susan Chew\My Documents\LimeWire\root\magnet10\options.js
c:\documents and settings\Susan Chew\My Documents\LimeWire\root\magnet10\silentdetect.js
c:\documents and settings\Susan Chew\My Documents\LimeWire\SOURCE
c:\documents and settings\Susan Chew\My Documents\LimeWire\spacer.gif
c:\documents and settings\Susan Chew\My Documents\LimeWire\themes.jar
c:\documents and settings\Susan Chew\My Documents\LimeWire\tritonus.jar
c:\documents and settings\Susan Chew\My Documents\LimeWire\uninstall.exe
c:\documents and settings\Susan Chew\My Documents\LimeWire\unpack.log
c:\documents and settings\Susan Chew\My Documents\LimeWire\update.ver
c:\documents and settings\Susan Chew\My Documents\LimeWire\vorbis.jar
c:\documents and settings\Susan Chew\My Documents\LimeWire\WindowsV5PlusUtils.dll
c:\documents and settings\Susan Chew\My Documents\LimeWire\xerces.jar
c:\documents and settings\Susan Chew\My Documents\LimeWire\xml-apis.jar
c:\documents and settings\Susan Chew\My Documents\LimeWire\xml.war
c:\program files\mypoints
c:\program files\mypoints\mypoints1.old
c:\program files\mypoints\uninstall.exe
c:\program files\PremierOpinion
c:\program files\PremierOpinion\pmai.dll
c:\program files\PremierOpinion\pmls.dll
c:\program files\PremierOpinion\pmoci.bin
c:\program files\PremierOpinion\pmph.dll
c:\program files\PremierOpinion\pmropn.exe
c:\program files\PremierOpinion\pmservice.exe
c:\program files\PremierOpinion\pmxf.dll
c:\windows\system32\TDSSqxgx.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-08 22:06 . 2008-12-08 22:06 <DIR> d-------- c:\windows\LastGood
2008-12-08 22:06 . 2008-12-08 22:06 <DIR> d-------- c:\program files\Secunia
2008-12-08 21:06 . 2008-12-08 21:06 <DIR> d-------- c:\program files\Trend Micro
2008-12-03 09:37 . 2008-12-03 09:37 <DIR> d-------- c:\program files\Enigma Software Group
2008-12-03 00:05 . 2008-12-05 16:47 <DIR> d-------- c:\documents and settings\Susan Chew\Application Data\AVGTOOLBAR
2008-12-02 19:43 . 2008-12-05 13:49 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-02 19:16 . 2008-12-08 08:29 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-02 19:16 . 2008-12-02 19:16 <DIR> d-------- c:\program files\AVG
2008-12-02 19:16 . 2008-12-03 00:04 <DIR> d-------- c:\documents and settings\Andrew Chalk\Application Data\AVGTOOLBAR
2008-12-02 19:16 . 2008-12-02 19:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-02 19:16 . 2008-12-02 19:16 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-02 19:16 . 2008-12-02 19:16 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-02 19:14 . 2008-12-02 19:14 410,984 --a------ c:\windows\system32\deploytk.dll
2008-11-23 14:34 . 2008-11-23 14:34 <DIR> d-------- c:\program files\iTunes
2008-11-23 14:34 . 2008-11-23 14:34 <DIR> d-------- c:\program files\iPod
2008-11-23 14:34 . 2008-11-23 14:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-23 14:33 . 2008-11-23 14:33 <DIR> d-------- c:\program files\QuickTime
2008-11-18 07:36 . 2008-11-18 07:36 7,808 --a------ c:\windows\system32\drivers\psi_mf.sys
2008-11-11 20:53 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 20:53 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 05:00 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-09 04:29 --------- d-----w c:\program files\Java
2008-12-09 04:16 --------- d-----w c:\program files\Common Files\Adobe
2008-12-09 01:03 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-03 02:00 --------- d-----w c:\program files\ezt
2008-12-01 00:50 295,424 ----a-w c:\windows\system32\termsrv.dll
2008-11-23 20:32 --------- d-----w c:\program files\Common Files\Apple
2008-11-23 20:21 --------- d-----w c:\program files\Safari
2008-11-04 04:10 --------- d-----w c:\documents and settings\Susan Chew\Application Data\dvdcss
2008-11-01 19:14 --------- d-----w c:\program files\Google
2008-10-29 00:06 --------- d-----w c:\program files\Quicken
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-19 20:22 --------- d-----w c:\documents and settings\Susan Chew\Application Data\ZoomBrowser EX
2008-10-19 16:31 --------- d-----w c:\documents and settings\Susan Chew\Application Data\CameraWindowDC
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2006-05-06 16:42 7,260,160 ----a-w c:\program files\mozilla firefox\plugins\libvlc.dll
2004-08-04 07:56 4,096 --sha-w c:\windows\system32\1112.dat
.

((((((((((((((((((((((((((((( snapshot_2008-12-08_19.40.28.95 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-09 04:17:22 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A81300000003}\SC_Reader.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Google Update"="c:\documents and settings\Susan Chew\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-30 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-17 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-02 1261336]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-10-08 864256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-02 136600]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 169984]

c:\documents and settings\Susan Chew\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2008-11-25 728408]

[HKLM\~\startupfolder\C:^Documents and Settings^Susan Chew^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Susan Chew\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Wireless Sync\\Client\\Monitor.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1743:UDP"= 1743:UDP:*

isabled:Windows Media Format SDK (wmplayer.exe)
"1742:UDP"= 1742:UDP:*

isabled:Windows Media Format SDK (wmplayer.exe)
"1749:UDP"= 1749:UDP:*

isabled:Windows Media Format SDK (wmplayer.exe)

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2004-07-29 138780]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-02 97928]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2004-07-29 46779]
R3 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-02 231704]
R3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [2008-08-21 509312]
R3 MusCVideo32;MusCVideo32;c:\windows\system32\DRIVERS\MusCVideo32.sys [2008-08-21 3768]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2008-11-18 7808]
S4 SoundMovieServer;SoundMovieServer;"c:\windows\system32\snmvtsvc.exe" [2008-08-21 200704]

*Newly Created Service* - PSI
.
Contents of the 'Scheduled Tasks' folder

2008-08-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-19 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Susan Chew\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 14:39]

2008-12-03 c:\windows\Tasks\SpyHunter Scanner.job
- c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe [2008-10-08 16:30]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PremierOpinion - c:\program files\PremierOpinion\pmropn.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
FireFox -: Profile - c:\documents and settings\Susan Chew\Application Data\Mozilla\Firefox\Profiles\g7hij9fj.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 11:29:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\program files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL

- - - - - - - > 'lsass.exe'(796)
c:\program files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll
.
Completion time: 2008-12-09 11:32:14
ComboFix-quarantined-files.txt 2008-12-09 17:30:55
ComboFix2.txt 2008-12-09 01:43:03
ComboFix3.txt 2008-05-18 04:27:20

Pre-Run: 17,976,123,392 bytes free
Post-Run: 18,000,457,728 bytes free

230 --- E O F --- 2008-11-27 05:44:11

achalk · Dec 9, 2008

HiJack This step

the lines you asked about are not in the new log. See below:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:48 AM, on 12/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Susan Chew\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Susan Chew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Susan Chew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Susan Chew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Susan Chew\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\AllMusicConverter\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\AllMusicConverter\YouTubeRipper.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - http://www.infospace.com/mypoints.main/tbar/mypointsSetup.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: GEARSecurity - Unknown owner - C:\WINDOWS\System32\GEARSec.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

--
End of file - 7826 bytes

pskelley · Dec 9, 2008

I am waiting to hear if we need to remove MBAM with combofix, but there is still some junk in the HJT log and the log was run with MSConfig in Selective Startup mode. I need to see the HJT log in Normal Startup Mode.

O16 - DPF: {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - http://www.infospace.com/mypoints.ma...ointsSetup.exe
http://www.systemlookup.com/O16/439.html
http://www.spywareguide.com/product_show.php?id=651

I also need some feedback about how the computer is performing.

When you create the HJT log, you can return to Normal Startup in System Configuration Utility (MSConfig) and create the HJT log, then return to Selective Startup without rebooting to save your resources. Post that log and some feeback, so I will know how to proceed.

Thanks...Phil

achalk · Dec 9, 2008

MBAM log

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

12/9/2008 1:08:58 PM
mbam-log-2008-12-09 (13-08-58).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 119454
Time elapsed: 1 hour(s), 5 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{cf5c6a80-c938-478c-bc8b-8d7b00788154} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{54a3f8b7-228e-4ed8-895b-de832b2c3959} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bfc08cff-c737-4433-bd5a-0ee7efcfee54} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{A4B9609A-BB12-441F-9A44-2C3C65607EB0}\RP27\A0005193.exe (Adware.RK) -> Quarantined and deleted successfully.

achalk · Dec 9, 2008

ComboFix fixed winlogon

>>
For combofix, please navigate to where this was in the combofix information:

c:\windows\system32\winlogon.exe . . . is infected!!

(((((((((((((( Drivers/Services ))))))))))))

and make sure the item in RED is not there this time, let me know this in the post.

If the MBAM log is extremely log, you may attach it.

Not present after second run.

achalk · Dec 9, 2008

pskelley said:
I am waiting to hear if we need to remove MBAM with combofix, but there is still some junk in the HJT log and the log was run with MSConfig in Selective Startup mode. I need to see the HJT log in Normal Startup Mode.

O16 - DPF: {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - http://www.infospace.com/mypoints.ma...ointsSetup.exe
http://www.systemlookup.com/O16/439.html
http://www.spywareguide.com/product_show.php?id=651

I also need some feedback about how the computer is performing.

When you create the HJT log, you can return to Normal Startup in System Configuration Utility (MSConfig) and create the HJT log, then return to Selective Startup without rebooting to save your resources. Post that log and some feeback, so I will know how to proceed.

Thanks...Phil

==================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:28:50 PM, on 12/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Susan Chew\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Susan Chew\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Documents and Settings\Susan Chew\My Documents\LimeWire\LimeWire.exe
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\AllMusicConverter\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\AllMusicConverter\YouTubeRipper.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - http://www.infospace.com/mypoints.main/tbar/mypointsSetup.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: GEARSecurity - Unknown owner - C:\WINDOWS\System32\GEARSec.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

--
End of file - 7535 bytes

1) MBAM was uninstalled and updated;
2) New HJT log below. Note: Still a reference to Limewire in the startup sequence but it has been uninstalled and the directory does not exist. How do I get rid of the erroneous reference?

achalk · Dec 9, 2008

pskelley said:
I also need some feedback about how the computer is performing.

Thanks...Phil

The computer seems to be behaving correctly. Doesn't seem much faster at the moment but it is too early to tell..

achalk · Dec 9, 2008

pskelley said:
I also need some feedback about how the computer is performing.

Windows update is not accessable. Reason: The computer thinks the ActiveX control is not installed. The bar to install the ActiveX does not appear at the top of IE7.

pskelley · Dec 9, 2008

As far as speed, you can look at this information to help with that:
http://www.netsquirrel.com/msconfig/msconfig_xp.html
http://www.malwareremoval.com/tutorials/runningslowly.php
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Have a look at this website for the Windows Update issues:
http://v4.windowsupdate.microsoft.com/troubleshoot/

Windows update is not accessable <<< is this the complete error as Windows give it to you? I always need error messages word for word.
What you posted provides no answers:
http://www.google.com/search?hl=en&q=Windows+update+is+not+accessable&btnG=Google+Search&aq=f&oq=

Let's continue like this:

1) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O16 - DPF: {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - http://www.infospace.com/mypoints.ma...ointsSetup.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

2) Run Clean Manager
http://spyware-free.us/tutorials/cleanmgr/

3) Run AVG 8
*Right click the icon for AVG in System Tray and choose Open AVG User Interface.

*Click on Update now, allow AVG to download and install any new updates.

* Click on Computer Scanner then choose "Scan whole computer", this takes a round one hour on the computer I am using now.

* Near the bottom above the words "The scan is complete" choose "Export overview to file"

* Choose Desktop and give it a name you will recognize like AVG Scan Results, then choose SAVE.

* Close results and close the Interface.

* Copy and paste the contents of that file unless it is clean.

Let me know because it is about time to remove combofix from the computer and do some wrapup.

Thanks

achalk · Dec 10, 2008

The "Internet Explorer Information Bar" is what is not displayed.

The exact error..

Install the ActiveX control required to view the website
The website will not display correctly on your computer without this control. To install it:
1. Right-click the Internet Explorer Information Bar. It's located just below the address bar.
2. In the right-click menu, click Install ActiveX Control.
3. In the Security Warning dialog box, click Install.

Note: If the Information Bar doesn't appear, or if you've installed the control but still can't use the website, take these steps to solve the problem.

Example: Internet Explorer Information Bar with right-click menu

pskelley · Dec 10, 2008

Sounds to me like the setting in Internet Explorer may be to high for certain Active X. I personally keep mine high also and often can not view certain websites without allowing their Active X (good way to infect you) Here is a little information you can view:
http://www.google.com/search?hl=en&...+view+the+website&btnG=Google+Search&aq=f&oq=
http://www.google.com/search?hl=en&...r+computer+without+this+control.+&btnG=Search

Let's do some wrap up and see how the computer is running. Then we can look at any issues remaining, though I may need to send you to Microsoft or a good Windows XP forum to resolve issues that may not be caused by malware.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.

Update AVG 8 and scan the system, to be sure it is running right and scanning clean.

If all is well at this point, let me know and I will close the topic.

At this point, mention any malware issues, review the links below because information about about Active X settings is I believe included.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html

achalk · Dec 10, 2008

pskelley said:
Let's continue like this:

1) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O16 - DPF: {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - http://www.infospace.com/mypoints.ma...ointsSetup.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

DONE

pskelley said:
2) Run Clean Manager
http://spyware-free.us/tutorials/cleanmgr/

DONE

pskelley said:
3) Run AVG 8
*Right click the icon for AVG in System Tray and choose Open AVG User Interface.

*Click on Update now, allow AVG to download and install any new updates.

* Click on Computer Scanner then choose "Scan whole computer", this takes a round one hour on the computer I am using now.

* Near the bottom above the words "The scan is complete" choose "Export overview to file"

* Choose Desktop and give it a name you will recognize like AVG Scan Results, then choose SAVE.

* Close results and close the Interface.

* Copy and paste the contents of that file unless it is clean.

Coming shortly.

achalk · Dec 10, 2008

Here is the AVG8 scan...

pskelley said:
3) Run AVG 8
*Right click the icon for AVG in System Tray and choose Open AVG User Interface.

*Click on Update now, allow AVG to download and install any new updates.

* Click on Computer Scanner then choose "Scan whole computer", this takes a round one hour on the computer I am using now.

* Near the bottom above the words "The scan is complete" choose "Export overview to file"

* Choose Desktop and give it a name you will recognize like AVG Scan Results, then choose SAVE.

* Close results and close the Interface.

* Copy and paste the contents of that file unless it is clean.

Let me know because it is about time to remove combofix from the computer and do some wrapup.

Thanks

Scan "Scan whole computer" was finished.
Infections found:;"0"
Infected objects removed or healed:;"0"
Not removed or healed:;"0"
Spyware found:;"0"
Spyware removed:;"0"
Not removed:;"0"
Warnings count:;"114"
Information count:;"0"
Scan started:;"Wednesday, December 10, 2008, 1:01:50 PM"
Scan finished:;"Wednesday, December 10, 2008, 2:07:56 PM (1 hour(s) 6 minute(s) 5 second(s))"
Total object scanned:;"551849"
User who launched the scan:;"Susan Chew"

Warnings
File;"Infection";"Result"
C:\Documents and Settings\Susan Chew\Application Data\Mozilla\Firefox\Profiles\g7hij9fj.default\cookies.txt;"Found Tracking cookie.Atdmt";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Application Data\Mozilla\Firefox\Profiles\g7hij9fj.default\cookies.txt:\ad.yieldmanager.com.557bf2b0;"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Application Data\Mozilla\Firefox\Profiles\g7hij9fj.default\cookies.txt:\adrevolver.com.9b9d670a;"Found Tracking cookie.Adrevolver";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Application Data\Mozilla\Firefox\Profiles\g7hij9fj.default\cookies.txt:\adrevolver.com.f6cfcad4;"Found Tracking cookie.Adrevolver";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Application Data\Mozilla\Firefox\Profiles\g7hij9fj.default\cookies.txt:\advertising.com.525a5fb9;"Found Tracking cookie.Advertising";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Application Data\Mozilla\Firefox\Profiles\g7hij9fj.default\cookies.txt:\fastclick.net.9b41aa53;"Found Tracking cookie.Fastclick";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Application Data\Mozilla\Firefox\Profiles\g7hij9fj.default\cookies.txt:\casalemedia.com.5e43734d;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Application Data\Mozilla\Firefox\Profiles\g7hij9fj.default\cookies.txt:\casalemedia.com.80ad4799;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Application Data\Mozilla\Firefox\Profiles\g7hij9fj.default\cookies.txt:\doubleclick.net.bf396750;"Found Tracking cookie.Doubleclick";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Application Data\Mozilla\Firefox\Profiles\g7hij9fj.default\cookies.txt:\m.webtrends.com.b4ca7df0;"Found Tracking cookie.Webtrends";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Application Data\Mozilla\Firefox\Profiles\g7hij9fj.default\cookies.txt:\atdmt.com.b3e33b5f;"Found Tracking cookie.Atdmt";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Application Data\Mozilla\Firefox\Profiles\g7hij9fj.default\cookies.txt:\hypertracker.com.f9487006;"Found Tracking cookie.Hypertracker";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Application Data\Mozilla\Firefox\Profiles\g7hij9fj.default\cookies.txt:\media.adrevolver.com.5fed601d;"Found Tracking cookie.Adrevolver";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Application Data\Mozilla\Firefox\Profiles\g7hij9fj.default\cookies.txt:\questionmarket.com.3eb5a9f1;"Found Tracking cookie.Questionmarket";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Application Data\Mozilla\Firefox\Profiles\g7hij9fj.default\cookies.txt:\questionmarket.com.4dd5e426;"Found Tracking cookie.Questionmarket";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Application Data\Mozilla\Firefox\Profiles\g7hij9fj.default\cookies.txt:\realmedia.com.125a868c;"Found Tracking cookie.Realmedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Application Data\Mozilla\Firefox\Profiles\g7hij9fj.default\cookies.txt:\realmedia.com.68087763;"Found Tracking cookie.Realmedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Application Data\Mozilla\Firefox\Profiles\g7hij9fj.default\cookies.txt:\realmedia.com.e14be39e;"Found Tracking cookie.Realmedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Application Data\Mozilla\Firefox\Profiles\g7hij9fj.default\cookies.txt:\tribalfusion.com.dcc03271;"Found Tracking cookie.Tribalfusion";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Application Data\Mozilla\Firefox\Profiles\g7hij9fj.default\cookies.txt:\zedo.com.775ee79c;"Found Tracking cookie.Zedo";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Application Data\Mozilla\Firefox\Profiles\g7hij9fj.default\cookies.txt:\zedo.com.ff8ec9c0;"Found Tracking cookie.Zedo";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@247realmedia[2].txt;"Found Tracking cookie.247realmedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@247realmedia[2].txt:\247realmedia.com.855b46d;"Found Tracking cookie.247realmedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@247realmedia[2].txt:\247realmedia.com.d90d45cf;"Found Tracking cookie.247realmedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@2o7[2].txt;"Found Tracking cookie.2o7";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@2o7[2].txt:\2o7.net.6492a00e;"Found Tracking cookie.2o7";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@ad.yieldmanager[1].txt;"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@ad.yieldmanager[1].txt:\ad.yieldmanager.com.539b0606;"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@ad.yieldmanager[1].txt:\ad.yieldmanager.com.557bf2b0;"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@ad.yieldmanager[1].txt:\ad.yieldmanager.com.830b6f08;"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@ad.yieldmanager[1].txt:\ad.yieldmanager.com.87a9ab5d;"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@ad.yieldmanager[1].txt:\ad.yieldmanager.com.8a47878;"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@ad.yieldmanager[1].txt:\ad.yieldmanager.com.b68f2b7b;"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@ad.yieldmanager[1].txt:\ad.yieldmanager.com.ff92306;"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@adopt.euroclick[2].txt;"Found Tracking cookie.Euroclick";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@adopt.euroclick[2].txt:\adopt.euroclick.com.17044b51;"Found Tracking cookie.Euroclick";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@adopt.euroclick[2].txt:\adopt.euroclick.com.6d7740f7;"Found Tracking cookie.Euroclick";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@adopt.euroclick[2].txt:\adopt.euroclick.com.891542da;"Found Tracking cookie.Euroclick";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@adopt.euroclick[2].txt:\adopt.euroclick.com.8b1bd7bc;"Found Tracking cookie.Euroclick";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@adopt.euroclick[2].txt:\adopt.euroclick.com.fb764ef7;"Found Tracking cookie.Euroclick";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@adopt.euroclick[2].txt:\adopt.euroclick.com.ffe11db7;"Found Tracking cookie.Euroclick";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@adrevolver[2].txt;"Found Tracking cookie.Adrevolver";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@adrevolver[2].txt:\adrevolver.com.9b9d670a;"Found Tracking cookie.Adrevolver";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@adrevolver[2].txt:\adrevolver.com.f6cfcad4;"Found Tracking cookie.Adrevolver";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@advertising[1].txt;"Found Tracking cookie.Advertising";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@advertising[1].txt:\advertising.com.1820df7a;"Found Tracking cookie.Advertising";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@advertising[1].txt:\advertising.com.203aa218;"Found Tracking cookie.Advertising";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@advertising[1].txt:\advertising.com.525a5fb9;"Found Tracking cookie.Advertising";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@advertising[1].txt:\advertising.com.b624fa46;"Found Tracking cookie.Advertising";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@advertising[1].txt:\advertising.com.f62113d5;"Found Tracking cookie.Advertising";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@atdmt[2].txt;"Found Tracking cookie.Atdmt";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@atdmt[2].txt:\atdmt.com.b3e33b5f;"Found Tracking cookie.Atdmt";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@bs.serving-sys[1].txt;"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@bs.serving-sys[1].txt:\bs.serving-sys.com.5bf1f00f;"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@burstnet[2].txt;"Found Tracking cookie.Burstnet";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@burstnet[2].txt:\burstnet.com.27341d57;"Found Tracking cookie.Burstnet";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@burstnet[2].txt:\burstnet.com.c4fe2ebb;"Found Tracking cookie.Burstnet";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@casalemedia[2].txt;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@casalemedia[2].txt:\casalemedia.com.1773afc;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@casalemedia[2].txt:\casalemedia.com.3a28db8d;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@casalemedia[2].txt:\casalemedia.com.6a12b080;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@casalemedia[2].txt:\casalemedia.com.80ad4799;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@casalemedia[2].txt:\casalemedia.com.987e6b46;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@casalemedia[2].txt:\casalemedia.com.f31be13a;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@doubleclick[1].txt;"Found Tracking cookie.Doubleclick";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@doubleclick[1].txt:\doubleclick.net.bf396750;"Found Tracking cookie.Doubleclick";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@fastclick[1].txt;"Found Tracking cookie.Fastclick";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@fastclick[1].txt:\fastclick.net.8a6435e9;"Found Tracking cookie.Fastclick";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@fastclick[1].txt:\fastclick.net.8dd1284a;"Found Tracking cookie.Fastclick";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@fastclick[1].txt:\fastclick.net.9b41aa53;"Found Tracking cookie.Fastclick";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@fastclick[1].txt:\fastclick.net.19d0b716;"Found Tracking cookie.Fastclick";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@fastclick[1].txt:\fastclick.net.57e8da10;"Found Tracking cookie.Fastclick";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@fastclick[1].txt:\fastclick.net.fac3d6f0;"Found Tracking cookie.Fastclick";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@media.adrevolver[1].txt;"Found Tracking cookie.Adrevolver";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@media.adrevolver[1].txt:\media.adrevolver.com.5fed601d;"Found Tracking cookie.Adrevolver";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@mediaplex[1].txt;"Found Tracking cookie.Mediaplex";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@mediaplex[1].txt:\mediaplex.com.f652b123;"Found Tracking cookie.Mediaplex";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@questionmarket[2].txt;"Found Tracking cookie.Questionmarket";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@questionmarket[2].txt:\questionmarket.com.3eb5a9f1;"Found Tracking cookie.Questionmarket";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@questionmarket[2].txt:\questionmarket.com.4dd5e426;"Found Tracking cookie.Questionmarket";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@realmedia[1].txt;"Found Tracking cookie.Realmedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@realmedia[1].txt:\realmedia.com.125a868c;"Found Tracking cookie.Realmedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@realmedia[1].txt:\realmedia.com.1aa2fe4c;"Found Tracking cookie.Realmedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@realmedia[1].txt:\realmedia.com.4f7c8da4;"Found Tracking cookie.Realmedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@realmedia[1].txt:\realmedia.com.6270c386;"Found Tracking cookie.Realmedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@realmedia[1].txt:\realmedia.com.68087763;"Found Tracking cookie.Realmedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@realmedia[1].txt:\realmedia.com.7498cfc8;"Found Tracking cookie.Realmedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@realmedia[1].txt:\realmedia.com.7b6ab77a;"Found Tracking cookie.Realmedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@realmedia[1].txt:\realmedia.com.6b2e2a72;"Found Tracking cookie.Realmedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@realmedia[1].txt:\realmedia.com.82c03de4;"Found Tracking cookie.Realmedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@realmedia[1].txt:\realmedia.com.993c812f;"Found Tracking cookie.Realmedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@realmedia[1].txt:\realmedia.com.e14be39e;"Found Tracking cookie.Realmedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@realmedia[1].txt:\realmedia.com.ee3bb1b9;"Found Tracking cookie.Realmedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@realmedia[1].txt:\realmedia.com.ef906bac;"Found Tracking cookie.Realmedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@realmedia[1].txt:\realmedia.com.f1347e9f;"Found Tracking cookie.Realmedia";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@serving-sys[1].txt;"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@serving-sys[1].txt:\serving-sys.com.255d6f2f;"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@serving-sys[1].txt:\serving-sys.com.4b416ef8;"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@serving-sys[1].txt:\serving-sys.com.606c3d3b;"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@serving-sys[1].txt:\serving-sys.com.400f83f;"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@serving-sys[1].txt:\serving-sys.com.6a1cf9e8;"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@serving-sys[1].txt:\serving-sys.com.c9034af6;"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@trafficmp[1].txt;"Found Tracking cookie.Trafficmp";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@trafficmp[1].txt:\trafficmp.com.a00e30b4;"Found Tracking cookie.Trafficmp";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@tribalfusion[2].txt;"Found Tracking cookie.Tribalfusion";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@tribalfusion[2].txt:\tribalfusion.com.dcc03271;"Found Tracking cookie.Tribalfusion";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@zedo[1].txt;"Found Tracking cookie.Zedo";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@zedo[1].txt:\zedo.com.14a38114;"Found Tracking cookie.Zedo";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@zedo[1].txt:\zedo.com.27f1639b;"Found Tracking cookie.Zedo";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@zedo[1].txt:\zedo.com.a5b6a132;"Found Tracking cookie.Zedo";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@zedo[1].txt:\zedo.com.c1dd09f2;"Found Tracking cookie.Zedo";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@zedo[1].txt:\zedo.com.cef1c7af;"Found Tracking cookie.Zedo";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@zedo[1].txt:\zedo.com.dd15d628;"Found Tracking cookie.Zedo";"Potentially dangerous object"
C:\Documents and Settings\Susan Chew\Cookies\susan_chew@zedo[1].txt:\zedo.com.ff8ec9c0;"Found Tracking cookie.Zedo";"Potentially dangerous object"

achalk · Dec 10, 2008

pskelley said:
At this point, mention any malware issues,

There is a Limewire line in startup. It just displays an error at startup as Limewire is removed. Other than doing a selective start, how do I remove this line from the startup sequence?

Can Limewire be run safely? If not, where is a safe place to d/l music?

I think I can deal with the other XP issues. I appreciate your references.

pskelley · Dec 10, 2008

Those all look like cookies, hope you deleted or quarantined them. Here is information to help you contol cookies:
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx

how do I remove this line from the startup sequence?

http://www.google.com/search?hl=en&q=How+to+remove+items+from+Startup&btnG=Search

Can Limewire be run safely? If not, where is a safe place to d/l music?

http://forums.spybot.info/showthread.php?t=282
http://www.nutnworks.com/SafeHex/file_sharing.htm
http://arstechnica.com/news.ars/pos...s-cost-one-man-750-per-song-in-riaa-suit.html

You may find some information here:
http://www.google.com/search?hl=en&...to+download+music&btnG=Google+Search&aq=f&oq=

http://www.google.com/search?hl=en&q=purchase+music+online&btnG=Search

achalk · Dec 10, 2008

Should I remove ComboFix when I have deleted/quarantined the cookies. I am also going to try to limit their creation as they are created quickly after each deletion session.

I am using AVG. Is there a better anti-virus solution out there, in your opinion?

Many thanks.

pskelley · Dec 10, 2008

You can follow those directions I posted. That is AVG 8 that found the cookies. combofix does not target cookies, the database is big enough now with all of the malware it targets.

I use AVG 8 free myself, I am not sure what you are looking for. Google if you want to know what you can purchase, I avoid suggesting anything but freeware.

Thanks

achalk · Dec 11, 2008

>> Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.

DONE -- clean;

>> Update AVG 8 and scan the system, to be sure it is running right and scanning clean.

DONE -- clean;

HiJackThis Log

In Memoriam -Always in our heart

New member

New member

New member

In Memoriam -Always in our heart

New member

New member

New member

New member

New member

In Memoriam -Always in our heart

New member

In Memoriam -Always in our heart

New member

New member

New member

In Memoriam -Always in our heart

New member

In Memoriam -Always in our heart

New member