Problems with yahoo_._com.

joselepiu

New member
Hi, I'm trying to get help to fix my computer. I'm trying to do it the right way. If I'm doing something wrong, please forgive me and advise me on how to do it the right way, thanks. The problem I have is that every time I try to open yahoo_._com my computer freezes and I have to turn it off manually. I found some posts with similar problems, but they say not to try to fix other computers with the fixes they provide, since every computer has a different configuration and profile.
Here is the log from Kaspersky Online Scanner after I scanned my computer.
Thanks.

Kaspersky Online Scanner

Update Kaspersky Anti-Virus Databases [100%]:
Downloading from url: http://dnl-us6.kaspersky-labs.com
Downloading remote file: master.xml
Downloading remote file: kavset.xml
Downloading remote file: dailyc.avc
Downloading from url: http://dnl-us8.kaspersky-labs.com
Downloading remote file: master.xml
Downloading remote file: dailyc.avc
Downloading remote file: daily-ec.avc
Downloading remote file: avp.klb
Update finished. Ready to scan.

Scan complete.
No malware has been detected. The sections that have been scanned are CLEAN.
Report is empty.

Total number of scanned objects: 37461
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 02:16:01

Product Info
You have Kaspersky Online Scanner version 5.0.98.0 installed. The current anti-virus database was released on Saturday, February 09, 2008 and contains 555870 records.

System Info
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)

(Scanner limitations, from the page text that was pasted along with the log: the free Online Scanner does not scan boot sectors or MBRs, so it cannot detect malicious code located there; it only detects malware already present and does not prevent future infection. The scanner is an ActiveX control that runs only in Internet Explorer 6.0 or higher, and it may not run successfully while another anti-virus product's resident protection is active.)
 
4) HijackThis log - Trend Micro HijackThis 2.0.2
Click here to download HJTInstall.exe

* Save HJTInstall.exe to your desktop.
* Double-click the HJTInstall.exe icon on your desktop.
* By default it will install to C:\Program Files\Trend Micro\HijackThis.
* Click on Install.
* It will create a HijackThis icon on the desktop.
* Once installed, it will launch HijackThis.
* Click on the "Do a system scan and save a logfile" button. It will scan, and the log should open in Notepad.
* Click on "Edit > Select All", then click on "Edit > Copy" and paste the entire contents of the log (no attachments) into your own new topic.

* DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
* DO NOT have HijackThis fix anything yet. Most of what HJT lists will be harmless or even required by your operating system; a helper will guide you.
 
yahoo_._com and other...

OK, here we go again. Last time I thought that I followed the correct procedure.

Here is a link to my previous post. The problem is still the same, only this time it is getting worse, since there are more sites that freeze my computer.

http://forums.spybot.info/showthread.php?t=24059


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, February 15, 2008 4:43:30 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/02/2008
Kaspersky Anti-Virus database records: 567998
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 39843
Number of viruses found: 2
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 02:09:44

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\idb\SNMaster.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\idb\uncletthhoomas\MyDB.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\idb\uncletthhoomas\toolbar.lst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\organize\CACHE\uncletthhoom00 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\organize\uncletthhoomas Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\organize\uncletthhoomas.abi Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\organize\uncletthhoomas.aby Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\ncoc Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\Apps.Lst Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\art.idx Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\sap.dat Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\spool.lst Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\sysnews.lst Object is locked skipped
C:\Documents and Settings\Family\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Family\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Family\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Family\Local Settings\History\History.IE5\MSHist012008021520080216\index.dat Object is locked skipped
C:\Documents and Settings\Family\Local Settings\Temp\tem4C.tmp.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.jb skipped
C:\Documents and Settings\Family\Local Settings\Temp\tem4C.tmp.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Family\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Family\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Family\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\PlayMP3z\PlayMP3.exe Infected: not-a-virus:AdWare.Win32.Agent.jb skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010006.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{AD4D9314-0530-458A-81FC-3E5CE37D0C37}\RP28\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:01 PM, on 2/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG7\avgupsvc.exe
C:\PROGRA~1\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\Common Files\AOL\1201572665\ee\aolsoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=sns.webmail.aol.com&lang=en&locale=us&authLev=2&siteState=ver%3a3%7cac%3aWS%7cat%3aSNS%7cld%3awebmail.aol.com%7cuv%3aAOL%7clc%3aen-us%7cmt%3aAOL%7csnt%3aScreenName&seamless=novl
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\FLV Downloader\MoyeaCth.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1201572665\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/PiratePoppers.1.0.0.39.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1431BA40-1483-4AB1-9EA8-790E9133ADE8}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{1431BA40-1483-4AB1-9EA8-790E9133ADE8}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe

--
End of file - 7040 bytes
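The Kaspersky report above lists more than eighty "Object is locked skipped" lines (registry hives, event logs, index.dat files and other files Windows keeps open, which the scanner simply could not read) around the four lines it actually flagged, all of them carrying Kaspersky's "not-a-virus:" prefix for adware/riskware, the class that the "extended" database setting shown in the report header adds. What follows is an added example for this thread, not part of the post or of Kaspersky's software: it parses the report's line shapes into real detections and cross-checks them against the report's own "Scan Statistics" block. The sample report is a constructed excerpt of the lines posted above.

```python
"""Triage a Kaspersky Online Scanner 5.0.x report: separate the objects the
scanner actually flagged from the 'Object is locked  skipped' noise, and
cross-check them against the report's own 'Scan Statistics' block.
Added example for this thread; not Kaspersky code."""
import re

# Constructed excerpt of the 15 Feb 2008 report posted above: the statistics
# block, a few of the locked entries, and all four lines flagged as infected.
SAMPLE_REPORT = r"""
Scan Statistics:
Total number of scanned objects: 39843
Number of viruses found: 2
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 02:09:44

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\Family\Local Settings\Temp\tem4C.tmp.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.jb skipped
C:\Documents and Settings\Family\Local Settings\Temp\tem4C.tmp.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Family\NTUSER.DAT Object is locked skipped
C:\Program Files\PlayMP3z\PlayMP3.exe Infected: not-a-virus:AdWare.Win32.Agent.jb skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped

Scan process completed.
"""

# Line shapes seen in the report.  The path is everything up to the status
# text; Windows paths never contain '/', so 'outer.exe/data0002' is a member
# inside an archive or installer that the scanner unpacked.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\w+)$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\w+)$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\w+): infected - (?P<count>\d+) (?P<action>\w+)$")
STAT_RE = re.compile(r"^(?P<key>(?:Total number|Number|Duration) of [^:]+): (?P<value>.+)$")
SHAPES = (("locked", LOCKED_RE), ("infected", INFECTED_RE), ("container", CONTAINER_RE))


def parse_report(text):
    """Return (stats, entries): stats maps each 'Scan Statistics' label to an
    int (the duration stays a string); entries has one dict per object line."""
    stats, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = STAT_RE.match(line)
        if m:
            value = m.group("value")
            stats[m.group("key")] = int(value) if value.isdigit() else value
            continue
        for status, rx in SHAPES:
            m = rx.match(line)
            if m:
                name = m.groupdict().get("name")
                entries.append({
                    "path": m.group("path"),
                    "file": m.group("path").split("/")[0],   # the on-disk file
                    "status": status,
                    "name": name,
                    # Kaspersky's 'not-a-virus:' prefix marks adware/riskware,
                    # which only the 'extended' database setting reports.
                    "riskware": bool(name) and name.startswith("not-a-virus:"),
                    "action": m.group("action"),
                })
                break
    return stats, entries


def triage(text):
    """Summarise a report: what was flagged, on which files, whether anything
    was actually handled, and whether the parsed lines agree with the
    scanner's own counts."""
    stats, entries = parse_report(text)
    flagged = [e for e in entries if e["status"] != "locked"]
    names = {e["name"] for e in flagged if e["name"]}
    return {
        "stats": stats,
        "flagged": flagged,
        "names": names,
        "files": {e["file"] for e in flagged},
        "locked": sum(e["status"] == "locked" for e in entries),
        "unhandled": [e for e in flagged if e["action"] == "skipped"],
        # 'viruses found' counts distinct names; 'infected objects' counts
        # lines, including the container line for an unpacked installer.
        "consistent": (stats.get("Number of infected objects") == len(flagged)
                       and stats.get("Number of viruses found") == len(names)),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("locked/skipped objects:", result["locked"])
    for e in result["flagged"]:
        print("%-9s %-40s %s" % (e["status"], e["name"] or "-", e["file"]))
    print("distinct detections:", sorted(result["names"]))
    print("matches report statistics:", result["consistent"])
```

Run against the excerpt, the four flagged lines reduce to three files on disk and two distinct detection names, which is exactly how the report's "4 infected objects / 2 viruses found" pair is counted. Every flagged object has the action "skipped": the free Online Scanner only reports, so nothing was removed, which is why the same files are still there when the scan is repeated.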
 
Merged two topics, please post all replies to this one, thank you. ;)
 
We will need to disable TeaTimer
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

Leave it disabled until we are done.

------------------------------------

Download and run ATF Cleaner (instructions here).

----------------------------------

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Click on Fix Checked when finished and exit HijackThis.

----------------------------------

Download Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
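Before HijackThis is allowed to fix anything, and again after, a helper wants two things from the log: which entries point at files that no longer exist (HJT prints "(no file)" or "(file missing)" for those; the O2 line above is one), and, once "Fix checked" has been clicked, proof that the entry really went away rather than trusting the click. What follows is an added example for this thread, not part of this post or of HijackThis itself: it parses log lines into section code, body and GUID, lists the items to look at first, and diffs a "before" log against an "after" log. The samples are constructed excerpts of the 2/15/2008 log posted above and the 2/16/2008 log posted further down the thread, with the page's own GUIDs.

```python
"""Triage HijackThis 2.0.x log lines and diff two logs to confirm that a
'Fix checked' actually took.  Added example for this thread, not part of
HijackThis; the sample lines are excerpts of the two logs posted here."""
import re

HJT_LINE = re.compile(r"^(?P<section>R\d|O\d+) - (?P<body>.+)$")
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Constructed excerpt of the 2/15/2008 log posted above ('before').
BEFORE = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1431BA40-1483-4AB1-9EA8-790E9133ADE8}: NameServer = 205.188.146.145
"""
# Constructed excerpt of the 2/16/2008 log posted further down ('after'):
# the O2 entry the helper asked to fix is still present, and one O16
# control has been added since.
AFTER = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1431BA40-1483-4AB1-9EA8-790E9133ADE8}: NameServer = 205.188.146.145
"""


def parse_hjt(text):
    """One dict per 'Oxx - ...' line: section code, body, first GUID in the
    line (a CLSID for O2/O9/O16, the adapter GUID for O17) and whether HJT
    reported that the file the entry points at is missing."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue                      # headers, process list, blank lines
        body = m.group("body")
        g = GUID.search(body)
        entries.append({
            "section": m.group("section"),
            "body": body,
            "guid": g.group(0).upper() if g else None,
            "orphan": any(mark in body for mark in ORPHAN_MARKERS),
        })
    return entries


def findings(entries):
    """Items a helper would look at first, each with the reason."""
    out = []
    for e in entries:
        if e["orphan"]:
            out.append((e["section"], e["guid"], "registry entry points at a file that no longer exists"))
        elif e["section"] == "O17":
            out.append((e["section"], e["guid"], "per-adapter DNS server override; confirm it belongs to your ISP"))
        elif e["section"] == "O16":
            out.append((e["section"], e["guid"], "downloaded ActiveX control; confirm the source URL"))
    return out


def diff_logs(before_text, after_text):
    """Compare two logs by (section, body): what appeared, what disappeared,
    and which orphaned entries survived the fix."""
    before = {(e["section"], e["body"]) for e in parse_hjt(before_text)}
    after_entries = parse_hjt(after_text)
    after = {(e["section"], e["body"]) for e in after_entries}
    return {
        "added": after - before,
        "removed": before - after,
        "orphans_still_present": [e["guid"] for e in after_entries if e["orphan"]],
    }


if __name__ == "__main__":
    for section, guid, reason in findings(parse_hjt(BEFORE)):
        print("%-3s %-40s %s" % (section, guid, reason))
    d = diff_logs(BEFORE, AFTER)
    print("added:", len(d["added"]), "removed:", len(d["removed"]))
    print("orphans still present:", d["orphans_still_present"])
```

The diff is the check that matters: if an entry is in "orphans_still_present" after a "Fix checked", the fix did not stick, and the next question is what is writing it back (a resident protection tool restoring the registry, or the process that created it). An entry with "(no file)" is not in itself a threat, since nothing loads from it, but a dangling BHO CLSID is still a leftover worth removing.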
 
OK, what's next...

OK, I opened Spybot-S&D and unchecked the "Resident TeaTimer" box, then I restarted my computer. When it was back on I opened Spybot-S&D again just to check whether the "Resident TeaTimer" box was still unchecked, and it was not, so I unchecked it again, and also the "SD Helper" box, and restarted.

Then I opened Spybot-S&D again to re-check whether the "Resident TeaTimer" and "SD Helper" boxes were unchecked, and they were. So I ran ATF Cleaner, selected the "Select All" box and clicked on the "Empty Selected" button.

I opened and ran HijackThis; after it finished I selected the box next to "O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
hit "Fix Checked" and closed it.

I opened, updated and ran Malwarebytes; it did not find any infected files. Here is the log:

Malwarebytes' Anti-Malware 1.03
Database version: 367

Scan type: Full Scan (A:\|C:\|D:\|F:\|)
Objects scanned: 57958
Time elapsed: 33 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Then I ran HijackThis again, and here is that log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:05 PM, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG7\avgupsvc.exe
C:\PROGRA~1\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\AOL\1201572665\ee\AOLSoftware.exe
C:\PROGRA~1\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.screenname.aol.com/_cqr/...|lc:en-us|mt:AOL|snt:ScreenName&seamless=novl
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\FLV Downloader\MoyeaCth.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1201572665\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/PiratePoppers.1.0.0.39.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1431BA40-1483-4AB1-9EA8-790E9133ADE8}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{1431BA40-1483-4AB1-9EA8-790E9133ADE8}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe

--
End of file - 7203 bytes
Then I ran the Kaspersky program again and, as you can see, it finds that my comp is still infected. Here is the log:

-----------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, February 16, 2008 9:55:53 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/02/2008
Kaspersky Anti-Virus database records: 569883
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 38567
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 02:24:22

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\idb\SNMaster.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\idb\uncletthhoomas\MyDB.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\idb\uncletthhoomas\toolbar.lst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\organize\CACHE\uncletthhoom00 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\organize\uncletthhoomas Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\organize\uncletthhoomas.abi Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\organize\uncletthhoomas.aby Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\ncoc Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\Apps.Lst Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\art.idx Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\sap.dat Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\spool.lst Object is locked skipped
C:\Documents and Settings\Family\Application Data\AOL\C_AOL 9.0\IDB\sysnews.lst Object is locked skipped
C:\Documents and Settings\Family\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Family\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Family\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Family\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Family\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Family\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010004.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{AD4D9314-0530-458A-81FC-3E5CE37D0C37}\RP28\A0009056.exe Infected: not-a-virus:AdWare.Win32.Agent.jb skipped
C:\System Volume Information\_restore{AD4D9314-0530-458A-81FC-3E5CE37D0C37}\RP28\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{AD4D9314-0530-458A-81FC-3E5CE37D0C37}\RP28\change.log Object is locked skipped

Scan process completed.


So now what is next? Any advice?
Thanks.
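Reading the two logs in the post above by eye means scanning for a handful of patterns: O2/O9 entries whose file is gone ("(no file)", "(file missing)"), O16 DPF lines (ActiveX controls Internet Explorer was told to download, with their origin host), O17 NameServer overrides (a resolver setting worth confirming against the ISP), O23 services with an empty vendor field, and, in the Kaspersky report, the difference between "Object is locked skipped" (registry hives, event logs, index.dat files the scanner simply could not open) and a real "Infected:" line. Both detections in the report carry Kaspersky's not-a-virus: prefix; one is a System Restore point copy and the other is the IE-cached PopCap loader that also appears as an O16 line. The script below is an added example written for this page, not the thread's own tooling or any vendor's code: it parses a sample copied from the logs above (plus one constructed downloads.example.com O16 line to exercise the origin check), applies those rules, and cross-references a cached control back to its O16 download URL. The DPF_EXPECTED_HOSTS set and all function names are assumptions of the example.

```python
"""Triage of the HijackThis and Kaspersky Online Scanner logs in this thread.

Added example, not the thread's own tooling. Sample text is copied from the logs
above, except the downloads.example.com O16 line, which is constructed.
"""
import re
from urllib.parse import urlsplit

# Origins ActiveX controls are tolerated from (an assumption for this example).
DPF_EXPECTED_HOSTS = {"zone.msn.com", "cdn2.zone.msn.com", "www.kaspersky.com"}

HJT_SAMPLE = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Object) - http://downloads.example.com/ctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1431BA40-1483-4AB1-9EA8-790E9133ADE8}: NameServer = 205.188.146.145
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgamsvr.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
"""

KAV_SAMPLE = r"""
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\System Volume Information\_restore{AD4D9314-0530-458A-81FC-3E5CE37D0C37}\RP28\A0009056.exe Infected: not-a-virus:AdWare.Win32.Agent.jb skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
SERVICE_RE = re.compile(r"^Service: (.+?) -\s?(.*?)\s?- (.+)$")
INFECTED_RE = re.compile(r"^(.*?) Infected: (\S+) (\S+)$")
LOCKED_RE = re.compile(r"^(.*?) Object is locked skipped$")

def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs such as ('O16', 'DPF: ...')."""
    return [m.groups() for m in (ENTRY_RE.match(l.strip()) for l in text.splitlines()) if m]

def dpf_url(body):
    """The download URL is the last ' - '-separated field of an O16 line."""
    return body.rsplit(" - ", 1)[-1]

def triage_hjt(entries):
    """Return (reason, detail) findings; the rules mirror what a helper checks by eye."""
    findings = []
    for sec, body in entries:
        if sec in ("O2", "O9") and body.endswith(("(no file)", "(file missing)")):
            findings.append(("orphan", body))            # registration outlived its file
        elif sec == "O16":
            host = urlsplit(dpf_url(body)).hostname or ""
            if host not in DPF_EXPECTED_HOSTS:
                findings.append(("dpf-host", host))      # control auto-installed from elsewhere
        elif sec == "O17":
            m = re.search(r"NameServer = (\S+)", body)
            if m:                                        # resolver override: confirm it is the ISP's
                findings.append(("nameserver", m.group(1)))
        elif sec == "O23":
            m = SERVICE_RE.match(body)
            if m and not m.group(2).strip():             # service with no vendor string
                findings.append(("service-no-vendor", m.group(3)))
    return findings

def parse_kav(text):
    """Separate detections from the 'Object is locked skipped' noise (hives, logs, index.dat)."""
    locked, infected = 0, []
    for line in text.splitlines():
        if LOCKED_RE.match(line):
            locked += 1
        elif (m := INFECTED_RE.match(line)):
            infected.append(m.groups())                  # (path, signature, last action)
    return {"locked": locked, "infected": infected}

def classify_detection(path, signature):
    """Context a helper attaches to a detection before deciding what to remove."""
    notes = []
    if signature.startswith("not-a-virus:"):
        notes.append("adware/riskware class, not a virus")
    if "\\_restore{" in path:
        notes.append("System Restore point copy, inert until a restore is performed")
    if "\\Downloaded Program Files\\" in path:
        notes.append("ActiveX control cached by Internet Explorer")
    return notes

def link_to_dpf(path, entries):
    """O16 lines whose .cab name shares its stem with a cached control's file name."""
    stem = path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
    return [dpf_url(b) for s, b in entries if s == "O16"
            and urlsplit(dpf_url(b)).path.rsplit("/", 1)[-1].lower().startswith(stem)]

if __name__ == "__main__":
    hjt = parse_hjt(HJT_SAMPLE)
    for reason, detail in triage_hjt(hjt):
        print(f"[{reason}] {detail}")
    report = parse_kav(KAV_SAMPLE)
    print(f"{report['locked']} locked objects skipped (not detections)")
    for path, sig, _ in report["infected"]:
        print(path, sig, classify_detection(path, sig), link_to_dpf(path, hjt))
```

Run against the full logs above, the findings list is short: the two orphaned IE registrations, the O17 resolver to confirm, and the vendor-less lxcy_device service (the Lexmark printer components ComboFix later lists under lx_cats); the 80-odd locked objects drop out as noise, and the popcaploader.dll detection links straight to the zone.msn.com O16 line that installed it.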
 
Download ComboFix from Here or Here to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.



1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection afterwards, before connecting to the net.


2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
  • If there is no Internet connection when ComboFix has completely finished, restart your computer to restore the connection.

3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall or freeze.
 
Can you tell me how to turn off "script blocking"?
Please.
For which program?


We will need to disable TeaTimer
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
 
For which program?
We will need to disable TeaTimer
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.

For the one that you mention after the anti-virus, I know how to turn off the other ones.
Thanks.

And just a question: would it be better to do it in Safe Mode?
 
Ok, done...

Ok, I'm done with ComboFix.


Please advise on the next step.
Thanks.

Here is the ComboFix log and the new HijackThis log:

ComboFix 08-02-20.1 - Family 2008-02-20 11:53:42.2 - NTFSx86
Running from: C:\Documents and Settings\Family\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-16 12:36 . 2008-02-16 12:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-16 12:36 . 2008-02-16 12:36 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Malwarebytes
2008-02-16 12:36 . 2008-02-16 12:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-14 00:53 . 2008-02-15 18:59 <DIR> d-------- C:\Documents and Settings\Family\Contacts
2008-02-14 00:37 . 2008-02-14 00:37 268 --ah----- C:\sqmdata00.sqm
2008-02-14 00:37 . 2008-02-14 00:37 244 --ah----- C:\sqmnoopt00.sqm
2008-02-14 00:24 . 2008-02-14 00:24 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-14 00:23 . 2008-02-14 00:24 <DIR> d-------- C:\Program Files\MSN Messenger
2008-02-13 23:55 . 2008-02-13 23:55 <DIR> d-------- C:\Documents and Settings\Family\Application Data\PlayFirst
2008-02-13 23:04 . 2008-02-13 23:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GameHouse
2008-02-12 23:19 . 2008-02-12 23:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pixelStorm
2008-02-12 22:58 . 2008-02-12 22:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2008-02-09 01:50 . 2008-02-09 01:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-09 01:49 . 2008-02-09 01:49 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-08 23:28 . 2008-02-08 23:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-08 18:52 . 2008-02-08 18:52 <DIR> d-------- C:\Program Files\Windows Live
2008-02-08 18:52 . 2008-02-08 19:12 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-08 18:51 . 2008-02-08 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-06 02:27 . 2008-02-06 12:55 <DIR> d-------- C:\Documents and Settings\Family\Application Data\LimeWire
2008-02-06 00:49 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-06 00:46 . 2008-02-06 00:49 <DIR> d-------- C:\Program Files\Java
2008-02-06 00:06 . 2008-02-06 00:06 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-05 23:00 . 2008-02-05 23:46 <DIR> d-------- C:\Program Files\LimeWire 4.16.4
2008-02-05 17:35 . 2008-02-05 17:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-05 17:35 . 2008-02-05 18:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-04 18:41 . 2008-02-04 18:41 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Sonic
2008-02-04 18:09 . 2008-02-04 18:09 <DIR> d-------- C:\Program Files\RecordNow!
2008-02-04 18:05 . 2008-02-04 18:05 <DIR> d-------- C:\Documents and Settings\Family\Application Data\CyberLink
2008-02-04 18:02 . 2008-02-04 18:02 <DIR> d-------- C:\Program Files\CyberLink
2008-02-04 18:02 . 2008-02-04 18:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-04 18:01 . 2008-02-04 18:02 <DIR> d-------- C:\Program Files\PowerDVD
2008-02-04 17:53 . 2008-02-04 17:53 <DIR> d-------- C:\Program Files\MUSICMATCH Update
2008-02-04 17:53 . 2008-02-04 17:54 28,276 --a------ C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-02-04 17:51 . 2008-02-07 17:41 <DIR> d-------- C:\Program Files\MUSICMATCH Jukebox
2008-02-04 17:42 . 2008-02-04 17:43 <DIR> d-------- C:\Program Files\MediaFACE
2008-02-04 17:36 . 2008-02-04 17:36 <DIR> d-------- C:\Documents and Settings\Family\Application Data\DivX
2008-02-04 17:25 . 1999-04-23 21:22 26,768 --a------ C:\WINDOWS\system\ctl3d.dll
2008-02-04 17:22 . 2008-02-04 17:25 <DIR> d-------- C:\WINDOWS\MVUNINST
2008-02-04 17:22 . 2008-02-04 17:22 <DIR> d-------- C:\Program Files\Printscape
2008-02-04 16:57 . 2008-02-04 16:57 <DIR> d-------- C:\Program Files\DivX
2008-02-04 16:21 . 2008-02-04 16:22 <DIR> d-------- C:\Program Files\DivX 4 Windows
2008-02-04 16:21 . 2007-12-04 11:38 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2008-02-04 16:21 . 2007-12-04 11:38 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2008-02-04 16:14 . 2008-02-04 16:14 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Apple Computer
2008-02-04 16:13 . 2008-02-04 16:13 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-02-04 16:13 . 2008-02-04 16:13 <DIR> d-------- C:\Program Files\QuickTime
2008-02-04 16:13 . 2008-02-04 16:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2008-02-04 16:13 . 1999-11-10 12:05 86,016 --a------ C:\WINDOWS\unvise32qt.exe
2008-02-04 16:12 . 2008-02-04 16:12 <DIR> d-------- C:\Program Files\iTunes
2008-02-04 16:12 . 2008-02-04 16:12 <DIR> d-------- C:\Program Files\iPod
2008-02-04 16:12 . 2008-02-04 16:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-04 16:11 . 2008-02-04 16:11 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-04 16:09 . 2008-02-04 16:10 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Vso
2008-02-04 15:38 . 2008-02-04 15:41 <DIR> d-------- C:\Program Files\Winamp 5 52
2008-02-04 15:38 . 2008-02-04 15:49 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Winamp 5 52
2008-02-04 15:31 . 2008-02-04 15:36 <DIR> d-------- C:\Program Files\RipIt 4 Me
2008-02-04 15:31 . 2008-02-04 15:33 <DIR> d-------- C:\Documents and Settings\Family\Application Data\RipIt4Me
2008-02-04 15:27 . 2008-02-04 15:31 <DIR> d-------- C:\Program Files\FLV Downloader
2008-02-04 15:27 . 2008-02-04 15:27 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Moyea
2008-02-04 14:51 . 2008-02-04 15:32 <DIR> d-------- C:\Program Files\DVDFab HD Decrypter 4
2008-02-04 14:50 . 2008-02-04 14:50 <DIR> d-------- C:\Program Files\DVDFab FreeDVD
2008-02-04 14:49 . 2008-02-04 14:49 <DIR> d-------- C:\Program Files\FixVTS
2008-02-04 14:45 . 2008-02-04 14:45 <DIR> d-------- C:\Program Files\DVD Shrink
2008-02-04 14:45 . 2008-02-07 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-04 14:42 . 2008-02-04 14:42 <DIR> d-------- C:\Program Files\CCleaner 2 03
2008-02-04 14:07 . 2008-02-04 14:41 <DIR> d-------- C:\Downloads
2008-02-04 14:07 . 2008-02-04 14:07 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-02-04 14:06 . 2008-02-04 14:41 <DIR> d-------- C:\Program Files\BitComet 0 98
2008-02-04 14:01 . 2008-02-04 14:01 <DIR> d-------- C:\Program Files\Belarc
2008-02-04 14:01 . 2005-04-07 16:18 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
2008-02-04 13:54 . 2008-02-04 13:55 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-04 13:54 . 2008-02-04 13:54 <DIR> d-------- C:\Program Files\Adobe Reader 8.0
2008-01-30 17:09 . 2008-01-30 17:09 <DIR> d-------- C:\Documents and Settings\Family\Application Data\COWON
2008-01-30 17:07 . 2008-01-30 17:07 <DIR> d-------- C:\Program Files\Common Files\COWON
2008-01-30 17:06 . 2008-02-04 18:02 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-01-30 17:05 . 2008-02-04 08:18 <DIR> d-------- C:\Program Files\Jet Audio
2008-01-30 17:03 . 2008-02-04 17:49 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-01-30 07:36 . 2008-01-30 08:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-29 15:22 . 2005-06-28 09:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-29 13:08 . 2008-01-29 13:08 2,422 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-28 23:50 . 2008-02-04 07:47 <DIR> d-------- C:\Documents and Settings\Family\Application Data\FaxCtr
2008-01-28 23:46 . 2008-02-20 10:51 <DIR> d-------- C:\Program Files\lx_cats
2008-01-28 23:45 . 2007-02-22 15:31 344,064 --a------ C:\WINDOWS\system32\lxcycoin.dll
2008-01-28 23:45 . 2006-03-23 01:33 40,960 --a------ C:\WINDOWS\system32\lxcyvs.dll
2008-01-28 23:44 . 2006-08-08 12:58 692,224 --a------ C:\WINDOWS\system32\lxcydrs.dll
2008-01-28 23:44 . 2001-08-17 22:36 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2008-01-28 23:44 . 2001-08-17 22:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2008-01-28 23:44 . 2006-08-14 14:07 65,536 --a------ C:\WINDOWS\system32\lxcycaps.dll
2008-01-28 23:44 . 2006-01-25 15:11 61,440 --a------ C:\WINDOWS\system32\lxcycnv4.dll
2008-01-28 23:44 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-28 23:44 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-28 23:43 . 2006-04-28 02:16 339,968 --a------ C:\WINDOWS\system32\IMGMAN32.DLL
2008-01-28 23:43 . 2006-04-28 02:16 98,345 --a------ C:\WINDOWS\system32\IMHOST32.DLL
2008-01-28 23:43 . 2006-04-28 02:16 98,304 --a------ C:\WINDOWS\system32\IM31XPNG.DEL
2008-01-28 23:43 . 2006-04-28 02:16 69,632 --a------ C:\WINDOWS\system32\IM31XTIF.DEL
2008-01-28 23:43 . 2006-04-28 02:16 49,152 --a------ C:\WINDOWS\system32\IM31IMG.DIL
2008-01-28 23:43 . 2006-11-22 06:51 45,056 --a------ C:\WINDOWS\system32\LXPRMON.DLL
2008-01-28 23:43 . 2006-11-22 06:50 32,768 --a------ C:\WINDOWS\system32\LXPMONUI.DLL
2008-01-28 23:43 . 2006-11-22 07:08 12,288 --a------ C:\WINDOWS\system32\LXPMONRC.DLL
2008-01-28 23:42 . 2008-01-28 23:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FaxCtr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 23:59 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-04 18:38 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-12-04 18:38 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-12-04 18:38 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-12-04 18:36 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 18:36 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 18:36 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-04 18:36 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 18:36 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-04 18:36 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-04 18:36 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-04 18:36 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-04 18:36 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-04 18:36 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-04 18:36 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-04 18:36 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-04 18:35 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-04 18:35 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.

------- Sigcheck -------

"C:\WINDOWS\system32\svchost.exe"
----a-w 14,336 2006-02-28 12:00:00 C:\WINDOWS\system32\svchost.exe
-c--a-w 14,336 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\svchost.exe

"C:\WINDOWS\system32\ws2_32.dll"
----a-w 82,944 2006-02-28 12:00:00 C:\WINDOWS\system32\ws2_32.dll
-c--a-w 82,944 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\ws2_32.dll

"C:\WINDOWS\system32\wininet.dll"
----a-w 656,384 2006-02-28 12:00:00 C:\WINDOWS\system32\wininet.dll
-c--a-w 656,384 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wininet.dll

"C:\WINDOWS\system32\drivers\tcpip.sys"
----a-w 360,832 2007-10-30 16:53:32 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
-c----w 359,040 2006-02-28 12:00:00 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
-c--a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\dllcache\tcpip.sys
----a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\drivers\tcpip.sys

"C:\WINDOWS\system32\winlogon.exe"
----a-w 502,272 2006-02-28 12:00:00 C:\WINDOWS\system32\winlogon.exe
-c--a-w 502,272 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\winlogon.exe

"C:\WINDOWS\system32\drivers\ndis.sys"
-c--a-w 182,912 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\ndis.sys
----a-w 182,912 2006-02-28 12:00:00 C:\WINDOWS\system32\drivers\ndis.sys

"C:\WINDOWS\system32\drivers\ip6fw.sys"
-c--a-w 29,056 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\ip6fw.sys
----a-w 29,056 2006-02-28 12:00:00 C:\WINDOWS\system32\drivers\ip6fw.sys

"C:\WINDOWS\system32\ntkrnlpa.exe"
----a-w 2,059,392 2007-02-28 09:15:56 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
------w 2,057,600 2007-02-28 08:38:55 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
----a-w 2,056,832 2006-02-28 12:00:00 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\backup\sp2gdr\ntkrnlpa.exe
----a-w 2,056,832 2004-08-04 05:59:00 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\backup\sp2qfe\ntkrnlpa.exe
----a-w 2,056,832 2006-02-28 12:00:00 C:\WINDOWS\system32\ntkrnlpa.exe
-c----w 2,057,600 2007-02-28 08:38:55 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

"C:\WINDOWS\system32\ntoskrnl.exe"
----a-w 2,182,144 2007-02-28 09:55:14 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
------w 2,180,352 2007-02-28 09:10:57 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
----a-w 2,180,992 2006-02-28 12:00:00 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\backup\sp2gdr\ntoskrnl.exe
----a-w 2,180,992 2004-08-04 06:20:00 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\backup\sp2qfe\ntoskrnl.exe
----a-w 2,180,992 2006-02-28 12:00:00 C:\WINDOWS\system32\ntoskrnl.exe
-c----w 2,180,352 2007-02-28 09:10:57 C:\WINDOWS\system32\dllcache\ntoskrnl.exe

"C:\WINDOWS\explorer.exe"
----a-w 1,033,216 2007-06-13 10:23:07 C:\WINDOWS\explorer.exe
----a-w 1,033,216 2007-06-13 11:26:03 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
-c----w 1,032,192 2006-02-28 12:00:00 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
-c--a-w 1,033,216 2007-06-13 10:23:07 C:\WINDOWS\system32\dllcache\explorer.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00 15360]
"AOL Fast Start"="C:\Program Files\AOL 9.0\AOL.exe" [2007-04-17 23:48 50736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="C:\Program Files\Common Files\AOL\1201572665\ee\AOLSoftware.exe" [2006-09-25 17:52 50736]
"AVG7_CC"="C:\PROGRA~1\AVG7\avgcc.exe" [2008-01-28 21:05 579072]
"LXCYCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 10:27 106496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 05:00 15360]
"AVG7_Run"="C:\PROGRA~1\AVG7\avgw.exe" [2008-01-28 21:05 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
--a------ 2007-06-25 07:34 82608 C:\Program Files\Lexmark 3400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
--a------ 2007-06-25 07:35 295600 C:\Program Files\Lexmark Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcymon.exe]
--a------ 2007-06-25 07:34 291504 C:\Program Files\Lexmark 3400 Series\lxcymon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

S2 lxcy_device;lxcy_device;C:\WINDOWS\system32\lxcycoms.exe [2007-06-20 03:28]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2006-02-28 05:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2006-02-28 05:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2006-02-28 05:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2006-02-28 05:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 11:57:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-02-20 12:00:39
ComboFix2.txt 2008-02-20 17:45:07
.
2008-01-31 02:47:13 --- E O F ---


Note: The HijackThis log is too long; I'll post it in another message.

Thanks.
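The Sigcheck section of the ComboFix log above lists every copy it found of a few core binaries (svchost.exe, ws2_32.dll, tcpip.sys, winlogon.exe, the kernels, explorer.exe) with attributes, size and timestamp. The check a reviewer does by eye is whether the live copy in system32 (or system32\drivers) matches the Windows File Protection copy in dllcache; a mismatch is not proof of tampering, since the $hf_mig$ and $NtUninstall directories show that hotfix staging legitimately leaves different builds around, but it is the file you pull and hash against a known-good copy first. In the log above, svchost.exe, ws2_32.dll, wininet.dll, tcpip.sys, winlogon.exe, ndis.sys, ip6fw.sys and explorer.exe match their dllcache copies, while ntkrnlpa.exe and ntoskrnl.exe do not (the live copies carry the 2006-02-28 SP2 timestamp, the dllcache copies the 2007-02-28 build). The script below is an added example written for this page, not ComboFix's own logic: it parses three of those blocks, copied from the log, reports match/mismatch per file, and includes the hash routine you would run on the live machine once two copies disagree. Function names are the example's own.

```python
"""Compare ComboFix Sigcheck entries: live system file vs. its dllcache copy.

Added example, not ComboFix's own logic. SIGCHECK_SAMPLE is copied from the
ComboFix log posted above.
"""
import hashlib
import re

SIGCHECK_SAMPLE = r"""
"C:\WINDOWS\system32\svchost.exe"
----a-w 14,336 2006-02-28 12:00:00 C:\WINDOWS\system32\svchost.exe
-c--a-w 14,336 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\svchost.exe

"C:\WINDOWS\system32\drivers\tcpip.sys"
----a-w 360,832 2007-10-30 16:53:32 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
-c----w 359,040 2006-02-28 12:00:00 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
-c--a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\dllcache\tcpip.sys
----a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\drivers\tcpip.sys

"C:\WINDOWS\system32\ntkrnlpa.exe"
----a-w 2,059,392 2007-02-28 09:15:56 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
------w 2,057,600 2007-02-28 08:38:55 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
----a-w 2,056,832 2006-02-28 12:00:00 C:\WINDOWS\system32\ntkrnlpa.exe
-c----w 2,057,600 2007-02-28 08:38:55 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
"""

HEADER_RE = re.compile(r'^"(.+)"$')
# attributes, size with thousands separators, date + time, path (may contain spaces)
COPY_RE = re.compile(r"^([-a-z]{7}) ([\d,]+) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+)$")


def parse_sigcheck(text):
    """Map each checked file to the list of copies ComboFix found for it."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (h := HEADER_RE.match(line)):
            current = h.group(1)
            blocks[current] = []
        elif current and (c := COPY_RE.match(line)):
            attrs, size, stamp, path = c.groups()
            blocks[current].append({"attrs": attrs, "size": int(size.replace(",", "")),
                                    "stamp": stamp, "path": path})
    return blocks


def compare_with_dllcache(blocks):
    """Per file: ('match' | 'mismatch' | 'incomplete', live copy, dllcache copy)."""
    out = {}
    for live_path, copies in blocks.items():
        live = next((c for c in copies if c["path"].lower() == live_path.lower()), None)
        cache = next((c for c in copies if "\\dllcache\\" in c["path"].lower()), None)
        if live is None or cache is None:
            out[live_path] = ("incomplete", live, cache)
        elif (live["size"], live["stamp"]) == (cache["size"], cache["stamp"]):
            out[live_path] = ("match", live, cache)
        else:
            out[live_path] = ("mismatch", live, cache)
    return out


def sha256_of(path, chunk=1 << 20):
    """What you actually compare on the live machine once sizes or stamps disagree."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


if __name__ == "__main__":
    results = compare_with_dllcache(parse_sigcheck(SIGCHECK_SAMPLE))
    for path, (status, live, cache) in results.items():
        print(f"{status:10} {path}")
        if status == "mismatch":
            print(f"{'':10} live  {live['size']:>9,} {live['stamp']}")
            print(f"{'':10} cache {cache['size']:>9,} {cache['stamp']}")
```

Size and timestamp are all ComboFix prints, so that is all the parser can compare; on the machine itself, sha256_of() on the system32 copy, the dllcache copy and a copy from installation media or a clean peer settles whether a mismatch is a half-applied update or a replaced binary.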
 
Second Part...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:48 PM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.screenname.aol.com/_cqr/...|lc:en-us|mt:AOL|snt:ScreenName&seamless=novl
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\FLV Downloader\MoyeaCth.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1201572665\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet 0 98\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/PiratePoppers.1.0.0.39.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe

--
End of file - 6321 bytes

Please advise on the next step.
Thanks.
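The HijackThis log above is the kind of text a helper reads by hand, section by section (O2 BHOs, O6 policies, O16 downloaded ActiveX controls, O23 services). The script below is an added example, not part of this thread and not a HijackThis feature: it parses a subset of the log posted above (embedded here so it runs offline) and tags the lines a reviewer would look at first. The tag names ("orphan", "ie-policy", "activex-dpf", "service-no-vendor") are this example's own labels for observable facts in the log, such as a registry entry pointing at a file that is no longer on disk, and are not verdicts about whether anything is malicious.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Excerpt of the HijackThis log posted above, embedded so the example runs
# offline. It is a constructed subset of that log, not the full file.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.screenname.aol.com/_cqr/...
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\FLV Downloader\MoyeaCth.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG7\avgcc.exe /STARTUP
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet 0 98\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
"""

# A log entry is a section code (R0, O2, O16, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# {8-4-4-4-12} hex GUID as HijackThis prints CLSIDs.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    section: str          # e.g. "O2", "O16"
    body: str             # everything after the section code
    clsid: Optional[str]  # first {GUID} in the line, if any
    target: str           # last " - "-separated field: usually the path or URL


def parse_log(text: str) -> List[Entry]:
    """Parse HijackThis-style lines; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        target = body.rsplit(" - ", 1)[-1].strip()
        entries.append(Entry(m.group("section"), body,
                             clsid.group(0) if clsid else None, target))
    return entries


def triage(text: str) -> List[Tuple[str, Entry]]:
    """Tag entries a reviewer would check first. Tags are this example's own
    labels for facts visible in the log, not detections."""
    findings = []
    for e in parse_log(text):
        if "(no file)" in e.body or "(file missing)" in e.body:
            # Registry still references a component that is gone from disk.
            findings.append(("orphan", e))
        elif e.section == "O6":
            # IE restriction policies set under HKCU for this user.
            findings.append(("ie-policy", e))
        elif e.section == "O16":
            # Downloaded ActiveX control (DPF): remote code the browser trusts.
            findings.append(("activex-dpf", e))
        elif e.section == "O23" and " - - " in e.body:
            # Service whose binary reports no company name in its version info.
            findings.append(("service-no-vendor", e))
    return findings


def summarize(text: str) -> Counter:
    """Count findings by tag, e.g. Counter({'orphan': 2, 'activex-dpf': 2, ...})."""
    return Counter(tag for tag, _ in triage(text))


if __name__ == "__main__":
    for tag, e in triage(SAMPLE_LOG):
        print(f"{tag:18} {e.section:4} {e.target}")
```

On the excerpt this prints two "orphan" lines (the unnamed O2 BHO with no file, and the BitComet O9 button whose DLL is missing), the O6 restrictions entry, the two O16 controls, and the O23 service with an empty vendor field. Running it over the full log posted above gives the same categories with all eleven O16 entries listed; deciding what to do with each line is still the helper's call.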
 
Let's run an F-Secure online scan.
  • Click HERE
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the ActiveX control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

Note: This scan will only work with Internet Explorer.
You must be logged on with administrator rights to run this scan.
The scan may take a few hours.
 