Spybot exe file gets deleted

Status
Not open for further replies.
G

greg2b

New member
Hi,

I have my neighbors computer that has a hell of a something in it... I have cleaned a few computers by running spybot and other removal programs in the past, but this one looks to be bad.

What I've tried to do
First I can get online, but only with Firefox and it only works for some sites and does not work if I go to download any removal programs like spybot, HijackThis. But I can download and install Ad-Aware, CCleaner. I did get Spybot installed on the system by downloading it to my flash drive, but would not startup. I did find that the spybot exe file is gone from the dir. So I took it from my computer to my flash drive and when I pluged it in to the infected computer the exe file is gone.
I did run Ad-Aware and deleted all the recommend files, I also ran CCleaner and did the cleaning of all the files and ran the ATF-Cleaner. I have tried to get these installed with no luck:
HJT, mbam, spybotsd162 and combofix.
I am at a lost and do not know what to do next, any help here would be great.
I have not yet backed up the system because I do not want what-ever is not that computer on my backup drive, so I did not do anything to much to to it.
Thanks for you time. Greg
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

Pinned (sticky) to the top of this forum, and posted above are the directions, make sure you have read and followed them.

Hi Greg, sounds like you have some real problems. It's not unusual for the hackers to block access to the tools we need to help, I am not even sure I can help until I have more information. Let's see if we can get a HJT log, we will use a self-installer version:

1) When you click OK to "Save this file now", make sure it is being saved to the Desktop. BEFORE you click SAVE, change the name of the file to: greg2b.exe then Save it. Follow the rest of the instructions and post that HJT log.

Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

2) Let's see if we can also get this information:

Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
Save both reports to your desktop. Post them back to your topic.

3) There is always the possiblity this is the Conflicker worm, I have yet to run into it. I am posting this link to provide information if it turns out you need it?
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

Thanks...Phil
 
HJT file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:08 PM, on 3/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\user\Application Data\U3\0610CB608331594C\LaunchPad.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\8047e04c1.dll"" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\8047e04c1.dll"" (User 'NETWORK SERVICE')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183841109968
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 7360 bytes
 
DDS file

DDS (Ver_09-02-01.01) - NTFSx86
Run by user at 15:44:34.79 on Sat 03/07/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.597 [GMT -6:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Outdated)
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\user\Application Data\U3\0610CB608331594C\LaunchPad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} -
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} -
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} -
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy2\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [<NO NAME>]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Dell AIO Printer A960] "c:\program files\dell aio printer a960\dlbfbmgr.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
StartupFolder: c:\docume~1\user\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music jukebox\ymetray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183841109968
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\csy1qlpc.default\
FF - plugin: c:\program files\google\google updater\2.4.1399.3742\npCIDetect13.dll

============= SERVICES / DRIVERS ===============

R0 SBHR;SBHR;c:\windows\system32\drivers\sbhr.sys [2008-2-7 15544]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-3-1 11840]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-7-7 15424]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-3-1 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-3-1 151297]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2007-7-7 552064]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-3-1 52032]
R3 SBAPIFS;SBAPIFS;\??\c:\windows\system32\drivers\sbapifs.sys --> c:\windows\system32\drivers\sbapifs.sys [?]
S3 P1130VID;Creative WebCam NX Pro;c:\windows\system32\drivers\P1130Vid.sys [2008-7-27 90357]

=============== Created Last 30 ================

2009-03-04 14:49 <DIR> --d----- c:\program files\SpywareBlaster
2009-03-02 09:01 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-03-02 09:01 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-02 09:01 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-03-02 09:01 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-03-02 09:01 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-03-02 09:01 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-03-02 09:01 6,066,688 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-03-01 13:46 <DIR> --d----- c:\program files\Lavasoft
2009-03-01 13:46 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-01 12:09 <DIR> --d----- c:\program files\Avira
2009-03-01 12:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-03-01 12:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-01 11:54 <DIR> --d----- c:\program files\CCleaner
2009-02-26 21:25 8,297,026 a------- c:\windows\system32\SBSP.dat
2009-02-26 21:25 153 a------- c:\windows\system32\SBFC.dat
2009-02-26 21:25 0 a------- c:\windows\system32\SBRC.dat
2009-02-08 10:45 <DIR> --d----- c:\documents and settings\user\IECompatCache
2009-02-08 10:44 <DIR> --d----- c:\documents and settings\user\PrivacIE
2009-02-08 10:44 <DIR> --d----- c:\documents and settings\user\IETldCache
2009-02-08 10:40 <DIR> --d----- c:\windows\ie8updates
2009-02-08 10:36 <DIR> -cd----- c:\windows\ie8

==================== Find3M ====================

2008-12-20 17:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-11 17:48 410,984 a------- c:\windows\system32\deploytk.dll
2007-07-20 18:16 34 a--sh--- c:\windows\system32\L8C50.tmp.exe

============= FINISH: 15:46:23.46 ===============
 
Attach file

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/7/2007 2:53:09 PM
System Uptime: 3/4/2009 3:02:34 PM (72 hours ago)

Motherboard: Dell Inc. | | 0J3492
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 130.133 GiB free.
D: is CDROM (CDFS)
E: is CDROM ()
F: is CDROM (CDFS)
G: is Removable

==== Disabled Device Manager Items =============

Class GUID: TI Technologies Inc.
Description: RADEON X300 Series Secondary
Device ID: PCI\VEN_1002&DEV_5B70&SUBSYS_03031002&REV_00\4&16EC1A1&0&0108
Manufacturer: ATI Technologies Inc.
Name: RADEON X300 Series Secondary
PNP Device ID: PCI\VEN_1002&DEV_5B70&SUBSYS_03031002&REV_00\4&16EC1A1&0&0108
Service: ati2mtag

==== System Restore Points ===================

RP536: 12/2/2008 8:15:30 PM - System Checkpoint
RP537: 12/4/2008 7:05:54 PM - System Checkpoint
RP538: 12/5/2008 7:09:27 PM - System Checkpoint
RP539: 12/6/2008 8:09:29 PM - System Checkpoint
RP540: 12/7/2008 8:58:29 PM - System Checkpoint
RP541: 12/8/2008 9:38:07 PM - System Checkpoint
RP542: 12/9/2008 10:38:06 PM - System Checkpoint
RP543: 12/10/2008 3:01:06 AM - Software Distribution Service 3.0
RP544: 12/11/2008 3:17:51 AM - System Checkpoint
RP545: 12/11/2008 5:48:39 PM - Installed Java(TM) 6 Update 11
RP546: 12/12/2008 3:00:42 AM - Software Distribution Service 3.0
RP547: 12/13/2008 3:15:42 AM - System Checkpoint
RP548: 12/14/2008 4:15:33 AM - System Checkpoint
RP549: 12/15/2008 5:15:33 AM - System Checkpoint
RP550: 12/16/2008 6:15:33 AM - System Checkpoint
RP551: 12/17/2008 7:15:34 AM - System Checkpoint
RP552: 12/18/2008 6:55:21 PM - System Checkpoint
RP553: 12/18/2008 9:16:09 PM - Software Distribution Service 3.0
RP554: 12/19/2008 9:32:36 PM - System Checkpoint
RP555: 12/20/2008 9:40:42 PM - System Checkpoint
RP556: 12/21/2008 9:00:43 AM - CounterSpy - 12/21/2008 9:00:25 AM
RP557: 12/22/2008 9:40:43 AM - System Checkpoint
RP558: 12/23/2008 9:55:39 AM - System Checkpoint
RP559: 12/24/2008 10:41:47 AM - System Checkpoint
RP560: 12/25/2008 11:40:43 AM - System Checkpoint
RP561: 12/26/2008 12:40:39 PM - System Checkpoint
RP562: 12/27/2008 2:07:39 PM - System Checkpoint
RP563: 12/28/2008 2:40:39 PM - System Checkpoint
RP564: 12/29/2008 3:40:39 PM - System Checkpoint
RP565: 12/30/2008 4:36:45 PM - System Checkpoint
RP566: 12/31/2008 4:40:39 PM - System Checkpoint
RP567: 1/1/2009 5:40:39 PM - System Checkpoint
RP568: 1/2/2009 6:40:32 PM - System Checkpoint
RP569: 1/3/2009 7:40:32 PM - System Checkpoint
RP570: 1/5/2009 4:41:49 PM - System Checkpoint
RP571: 1/6/2009 5:29:39 PM - System Checkpoint
RP572: 1/7/2009 6:30:43 PM - System Checkpoint
RP573: 1/8/2009 7:29:37 PM - System Checkpoint
RP574: 1/9/2009 7:32:44 PM - System Checkpoint
RP575: 1/10/2009 8:27:23 PM - System Checkpoint
RP576: 1/11/2009 8:49:41 PM - System Checkpoint
RP577: 1/12/2009 4:34:45 PM - CounterSpy - 1/12/2009 4:34:39 PM
RP578: 1/13/2009 6:37:25 PM - System Checkpoint
RP579: 1/14/2009 3:00:54 AM - Software Distribution Service 3.0
RP580: 1/15/2009 3:14:10 AM - System Checkpoint
RP581: 1/16/2009 5:32:31 PM - System Checkpoint
RP582: 1/16/2009 5:53:23 PM - Restore Operation
RP583: 1/17/2009 3:01:12 AM - Software Distribution Service 3.0
RP584: 1/18/2009 3:23:02 AM - System Checkpoint
RP585: 1/19/2009 3:04:46 PM - System Checkpoint
RP586: 1/20/2009 5:28:58 PM - System Checkpoint
RP587: 1/21/2009 5:07:58 PM - Restore Operation
RP588: 1/22/2009 3:01:04 AM - Software Distribution Service 3.0
RP589: 1/23/2009 6:18:52 PM - System Checkpoint
RP590: 1/24/2009 6:19:30 PM - System Checkpoint
RP591: 1/26/2009 8:07:02 PM - System Checkpoint
RP592: 1/27/2009 8:10:10 PM - System Checkpoint
RP593: 1/29/2009 9:25:35 PM - System Checkpoint
RP594: 1/30/2009 9:49:38 PM - System Checkpoint
RP595: 1/31/2009 10:49:39 PM - System Checkpoint
RP596: 2/1/2009 11:49:38 PM - System Checkpoint
RP597: 2/5/2009 4:58:04 PM - System Checkpoint
RP598: 2/6/2009 8:16:46 PM - System Checkpoint
RP599: 2/7/2009 8:56:00 PM - System Checkpoint
RP600: 2/8/2009 10:37:49 AM - Installed Windows Internet Explorer 8.
RP601: 2/8/2009 10:39:10 AM - Software Distribution Service 3.0
RP602: 2/8/2009 10:56:57 AM - Restore Operation
RP603: 2/9/2009 11:03:42 AM - System Checkpoint
RP604: 2/10/2009 6:51:54 PM - Restore Operation
RP605: 2/10/2009 10:23:07 PM - Software Distribution Service 3.0
RP606: 2/12/2009 6:02:54 PM - System Checkpoint
RP607: 2/13/2009 6:36:20 PM - System Checkpoint
RP608: 2/14/2009 8:06:17 AM - CounterSpy - 2/14/2009 8:06:11 AM
RP609: 2/15/2009 9:27:21 AM - System Checkpoint
RP610: 2/16/2009 9:36:21 AM - System Checkpoint
RP611: 2/17/2009 10:22:02 AM - System Checkpoint
RP612: 2/18/2009 4:48:13 PM - System Checkpoint
RP613: 2/19/2009 7:11:53 PM - System Checkpoint
RP614: 2/20/2009 8:09:24 PM - System Checkpoint
RP615: 2/22/2009 8:57:17 PM - System Checkpoint
RP616: 2/23/2009 9:36:02 PM - System Checkpoint
RP617: 2/25/2009 4:45:47 PM - System Checkpoint
RP618: 2/26/2009 3:00:42 AM - Software Distribution Service 3.0
RP619: 3/1/2009 8:51:02 PM - Software Distribution Service 3.0
RP620: 3/1/2009 10:28:41 PM - CounterSpy - 3/1/2009 10:28:36 PM

==== Installed Programs ======================

ABBYY FineReader 5.0 Sprint Plus
Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI Parental Control
Avira AntiVir Personal - Free Antivirus
Broadcom Gigabit Integrated Controller
CCleaner (remove only)
CCScore
Conexant D850 56K V.9x DFVc Modem
Creative PC-CAM Center
Creative WebCam Monitor
Creative WebCam NX Pro Driver (1.00.06.0512)
Creative WebCam NX Pro User's Guide (English)
Dell AIO Printer A960
Dell Picture Studio - Dell Image Expert
DrawPlus 3.0
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
Google Earth
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Java(TM) 6 Update 11
Java(TM) 6 Update 6
Java(TM) 6 Update 7
K-Lite Codec Pack 3.2.5 Full
kgcbase
Kodak EasyShare software
KSU
Memorex exPressit Label Design Studio
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Small Business Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Web Publishing Wizard 1.52
Mozilla Firefox (3.0.1)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
netbrdg
NOD32 antivirus system
Notifier
OfotoXMI
OpenOffice.org Installer 1.0
Paint Shop Pro 7
Print to Fax
QuickTime
RealPlayer
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
SFR
SHASTA
skin0001
SKINXSDK
Sony Picture Utility
Sony USB Driver
SoundMAX
SpywareBlaster 4.1
staticcr
Sunbelt CounterSpy
The Print Shop
tooltips
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VPRINTOL
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live installer
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WIRELESS
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Music Jukebox

==== Event Viewer Messages From Past Week ========

3/1/2009 11:12:31 AM, error: Dhcp [1002] - The IP address lease 173.19.250.186 for the Network Card with network address 001111452460 has been denied by the DHCP server 12.49.129.81 (The DHCP Server sent a DHCPNACK message).
3/1/2009 2:36:48 PM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
3/1/2009 2:36:53 PM, error: Service Control Manager [7031] - The NOD32 Kernel Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
3/1/2009 2:37:03 PM, error: Service Control Manager [7031] - The NOD32 Kernel Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
3/1/2009 2:37:25 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/1/2009 2:37:37 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
3/1/2009 2:37:48 PM, error: Service Control Manager [7031] - The NOD32 Kernel Service service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
3/1/2009 2:38:07 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
3/1/2009 2:38:25 PM, error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
3/1/2009 4:13:19 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/1/2009 4:14:11 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio avipbb Fips intelppm nod32drv ssmdrv
3/1/2009 4:40:58 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
3/1/2009 5:04:44 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
3/1/2009 11:00:10 PM, error: Service Control Manager [7034] - The Sunbelt CounterSpy Antispyware service terminated unexpectedly. It has done this 1 time(s).
3/2/2009 1:10:51 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

==== End Of File ===========================
 
1) Are you reading the same directions I am posting? This is where the instructions in #1 say to place HJT:
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
Click to expand...
This is the unsafe location you installed it at:
C:\Documents and Settings\user\Desktop\HijackThis.exe

2) At least twice I requested that the "Before you Post" directions be read and followed:

Before you post a HJT log
When Spybot-S&D is installed.

TeaTimer needs to be disabled so that its protection does not interfere with fixes.
How Spybot-S&D protects against the installation of Spyware/Malware.

TeaTimer can be re-enabled once the computer is clean.

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this go to the "Mode" menu and select "Advanced Mode".
3. On the left hand side, click on "Tools".
4. Then click on the Resident Icon in the List.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
Click to expand...

and yet TeaTimer is running in the log you posted??
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe


3) Two antivirus programs are running at the same time and this is not a good thing.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp

AntiVir PersonalEdition Classic and Eset <<< uninstall one of those.

Recap:
Position HJT as instructed
Disable TeaTimer
Post a new HJT log running one antivirus program only.

Thanks
 
I uninstalled spybot and moved the HJT install, here is the new HJT scan:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:34 PM, on 3/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Application Data\U3\0610CB608331594C\LaunchPad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\8047e04c1.dll"" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\8047e04c1.dll"" (User 'NETWORK SERVICE')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183841109968
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 6769 bytes
 
Uninstall list first:
This can be done as time permits, but it is important, and may be why you are infected.
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html

Adobe Reader 8.1.2 <<< out of date and unsafe, see this:
Adobe Reader 8.1.2 Security Update 1 (KB403742)http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck any toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php

Java(TM) 6 Update 11 <<< valid but there is an update.
Java(TM) 6 Update 6
Java(TM) 6 Update 7
Other two are out of date and unsafe:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php

Mozilla Firefox (3.0.1) <<< quite a ways out of date?


Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

http://www.besttechie.net/mbam/mbam-setup.exe <<< download

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html


Thanks
 
OK, I updated:
Adobe Flash to v10
Adobe Reader to v9
Java to v12
FireFox to v3.0.7

I downloaded Malwarebytes (had to install it thru safe mode) I could not run it, when I click on the desktop icon it looks like it will start up but it don't. I was not in safe mode when I trid to start it up.
Do you want a HJT scan ever thow I did not run Malwarebytes?

Greg
 
My guess is the malware is preventing the tools from running. Delete MBAM and try downloading it again from here:
http://www.besttechie.net/mbam/mbam-setup.exe
When you click on "Save this file now" before you Save it to your Desktop, change the File name to something else, like greg2b.exe, then save it. Doubleclick the installer and follow the directions in Post #8.

Thanks...Phil
 
I downloaded it (to my flash card and transferred to the computers desktop) I did change the name at the save file as. I when thru the install, did not start the updates and also did not start up. This computer does have CounterSpy v2.5.1053 (is out of date). I can not update, they downloaded the free copy, I also can not uninstall this program. I am running the CounterSpy to try to get a log file. Anything other programs you have that might work on this machine?...

Greg
 
You can give combofix a try, you might have to rename it also. If you are bringing it to the infected computer, keep in mind it is 2.79 MB's in size.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from here:

Link 1

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


You might also want to consider a reformat option:
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

That is the only way you have to be able to be 100% sure you are secure.

Thanks
 
Last edited:
Combo Fix

ComboFix 09-03-06.02 - user 2009-03-08 11:40:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.704 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\Greg2B.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\4_exception.nls
c:\windows\system32\config\systemprofile\Application Data\Macromedia\Common
c:\windows\system32\drivers\UAClaswrubl.sys
c:\windows\system32\L8C50.tmp.exe
c:\windows\system32\UACewqwhxbx.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACpultnsbr.log
c:\windows\system32\UACqsoqpphw.log
c:\windows\system32\UACripoymwu.dll
c:\windows\system32\UACvkbmpuqt.dll
c:\windows\system32\UACwllqjkll.dat
c:\windows\system32\UACwoliqpta.log
c:\windows\system32\UACxodpemyc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-02-08 to 2009-03-08 )))))))))))))))))))))))))))))))
.

2009-03-08 10:15 . 2009-03-08 10:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-08 10:15 . 2009-03-08 10:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-08 10:15 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-08 10:15 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-07 21:33 . 2009-03-07 21:33 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-07 21:25 . 2009-03-07 21:25 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-07 21:24 . 2009-03-07 21:59 <DIR> d-------- c:\windows\SxsCaPendDel
2009-03-07 19:15 . 2009-03-07 19:15 <DIR> d-------- c:\program files\Trend Micro
2009-03-04 15:49 . 2009-03-04 16:30 <DIR> d-------- c:\program files\SpywareBlaster
2009-03-04 15:49 . 2009-03-04 16:31 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-04 15:24 . 2009-03-04 15:24 <DIR> dr-h----- c:\documents and settings\Administrator.USER-4OMUS4XFAI\Application Data\yahoo!
2009-03-02 12:00 . 2009-03-07 21:54 <DIR> d-------- c:\documents and settings\user\Application Data\U3
2009-03-02 10:01 . 2008-12-20 18:15 6,066,688 -----c--- c:\windows\system32\dllcache\ieframe.dll
2009-03-02 10:01 . 2008-12-20 18:15 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2009-03-02 10:01 . 2008-12-20 18:15 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-02 10:01 . 2008-12-20 18:15 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2009-03-02 10:01 . 2008-12-20 18:15 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2009-03-02 10:01 . 2008-12-20 18:15 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-02 10:01 . 2008-12-19 04:10 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2009-03-01 18:58 . 2009-03-01 21:35 <DIR> d-------- c:\documents and settings\Administrator.USER-4OMUS4XFAI\Application Data\U3
2009-03-01 17:12 . 2009-03-04 15:23 <DIR> d-------- c:\documents and settings\Administrator.USER-4OMUS4XFAI
2009-03-01 14:46 . 2009-03-01 14:46 <DIR> d-------- c:\program files\Lavasoft
2009-03-01 14:46 . 2009-03-01 14:46 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-01 14:46 . 2009-03-01 14:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-01 13:06 . 2009-03-04 15:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-01 12:54 . 2009-03-01 12:54 <DIR> d-------- c:\program files\CCleaner
2009-02-26 22:25 . 2009-02-26 22:25 8,297,026 --a------ c:\windows\system32\SBSP.dat
2009-02-26 22:25 . 2009-02-26 22:25 153 --a------ c:\windows\system32\SBFC.dat
2009-02-26 22:25 . 2009-02-26 23:30 0 --a------ c:\windows\system32\SBRC.dat
2009-02-08 11:45 . 2009-02-08 11:45 <DIR> d-------- c:\documents and settings\user\IECompatCache
2009-02-08 11:44 . 2009-02-08 11:44 <DIR> d-------- c:\documents and settings\user\PrivacIE
2009-02-08 11:44 . 2009-02-08 11:44 <DIR> d-------- c:\documents and settings\user\IETldCache
2009-02-08 11:40 . 2009-02-08 11:40 <DIR> d-------- c:\windows\ie8updates
2009-02-08 11:36 . 2009-02-10 19:53 <DIR> d----c--- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-08 02:33 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 02:33 --------- d-----w c:\program files\Java
2009-03-08 02:24 --------- d-----w c:\program files\Common Files\Adobe
2009-03-08 00:17 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-04 20:24 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-03-02 16:26 --------- d-----w c:\program files\ESET
2009-03-02 04:45 --------- d-----w c:\program files\Yahoo!
2009-03-01 20:29 --------- d-----w c:\program files\Windows Live Toolbar
2009-01-21 23:10 --------- d-----w c:\documents and settings\user\Application Data\Yahoo!
2009-01-20 22:28 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-16 01:09 --------- d-----w c:\documents and settings\TEMP\Application Data\MSN6
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 344064]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-07-07 949376]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-07-20 286720]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-14 185896]
"Dell AIO Printer A960"="c:\program files\Dell AIO Printer A960\dlbfbmgr.exe" [2003-09-21 270336]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-07 148888]

c:\documents and settings\user\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-05-09 344064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-06-21 282624]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-02-05 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\c:\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBCSTray]
--a------ 2007-12-21 16:30 698864 c:\program files\Sunbelt Software\CounterSpy\SBCSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 14:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-03 19:38 64512 c:\windows\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 SBHR;SBHR;c:\windows\system32\drivers\sbhr.sys [2008-02-07 15544]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-07-07 15424]
R3 SBAPIFS;SBAPIFS;\??\c:\windows\system32\drivers\sbapifs.sys --> c:\windows\system32\drivers\sbapifs.sys [?]
S3 P1130VID;Creative WebCam NX Pro;c:\windows\system32\drivers\P1130Vid.sys [2008-07-27 90357]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SBAPIFS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy2\TeaTimer.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\csy1qlpc.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-08 11:45:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\user\LOCALS~1\Temp\.Sony_PMBrowser2000_BrowserDiskCache 6574080 bytes
c:\docume~1\user\LOCALS~1\Temp\W7351XOV.htm 1735 bytes
c:\docume~1\user\LOCALS~1\Temp\WEA07UTO.htm 1450 bytes
c:\docume~1\user\LOCALS~1\Temp\WLTB Custom Button Feeds
c:\docume~1\user\LOCALS~1\Temp\WLTB Custom Button Feeds\microsoft.windowslive.addbtn.btn upgrade status 109 bytes
c:\docume~1\user\LOCALS~1\Temp\WLTB Custom Button Feeds\microsoft.msn.mymsn.btn feed 0 4831 bytes
c:\docume~1\user\LOCALS~1\Temp\WLTB Custom Button Feeds\microsoft.msn.mymsn.btn update 365 bytes
c:\docume~1\user\LOCALS~1\Temp\WLTB Custom Button Feeds\microsoft.msn.mymsn.btn upgrade status 109 bytes
c:\docume~1\user\LOCALS~1\Temp\WLTB Custom Button Feeds\microsoft.windowslive.addbtn.btn feed 0 2275 bytes
c:\docume~1\user\LOCALS~1\Temp\WLTB Custom Button Feeds\microsoft.windowslive.addbtn.btn feed 1 2717 bytes
c:\docume~1\user\LOCALS~1\Temp\WLTB Custom Button Feeds\microsoft.windowslive.addbtn.btn feed 2 382 bytes
c:\docume~1\user\LOCALS~1\Temp\WLTB Custom Button Feeds\microsoft.windowslive.addbtn.btn feed 3 2696 bytes
c:\docume~1\user\LOCALS~1\Temp\WLTB Custom Button Feeds\microsoft.windowslive.news.btn feed 0 21231 bytes
c:\docume~1\user\LOCALS~1\Temp\WLTB Custom Button Feeds\microsoft.windowslive.news.btn feed 1 19981 bytes
c:\docume~1\user\LOCALS~1\Temp\WLTB Custom Button Feeds\microsoft.windowslive.news.btn feed 2 18185 bytes
c:\docume~1\user\LOCALS~1\Temp\WLTB Custom Button Feeds\microsoft.windowslive.news.btn feed 3 23898 bytes
c:\docume~1\user\LOCALS~1\Temp\WLTB Custom Button Feeds\microsoft.windowslive.news.btn feed 4 21340 bytes
c:\docume~1\user\LOCALS~1\Temp\WLTB Custom Button Feeds\microsoft.windowslive.news.btn feed 5 31985 bytes
c:\docume~1\user\LOCALS~1\Temp\WLTB Custom Button Feeds\microsoft.windowslive.news.btn feed 6 23069 bytes
c:\docume~1\user\LOCALS~1\Temp\WLTB Custom Button Feeds\microsoft.windowslive.news.btn feed 7 28510 bytes
c:\docume~1\user\LOCALS~1\Temp\WLTB Custom Button Feeds\microsoft.windowslive.news.btn feed 8 382 bytes
c:\docume~1\user\LOCALS~1\Temp\WLTB Custom Button Feeds\microsoft.windowslive.news.btn feed 9 382 bytes
c:\docume~1\user\LOCALS~1\Temp\WLTB Custom Button Feeds\microsoft.windowslive.news.btn upgrade status 109 bytes
c:\docume~1\user\LOCALS~1\Temp\.Sony_PMBrowser2000_BrowserDiskCache.idx 2199920 bytes
c:\docume~1\user\LOCALS~1\Temp\{1501B916-81BC-4242-B4B8-626168B9B74C}
c:\docume~1\user\LOCALS~1\Temp\{1501B916-81BC-4242-B4B8-626168B9B74C}\{D5068583-D569-468B-9755-5FBF5848F46F}
c:\docume~1\user\LOCALS~1\Temp\{1501B916-81BC-4242-B4B8-626168B9B74C}\{D5068583-D569-468B-9755-5FBF5848F46F}\ENG
c:\docume~1\user\LOCALS~1\Temp\{1501B916-81BC-4242-B4B8-626168B9B74C}\{D5068583-D569-468B-9755-5FBF5848F46F}\ENG\LocaleSetting.xml 19305 bytes
c:\docume~1\user\LOCALS~1\Temp\{1948D49E-D2AD-4CD7-A683-AF1CA07031FF}
c:\docume~1\user\LOCALS~1\Temp\{1948D49E-D2AD-4CD7-A683-AF1CA07031FF}\{CD4C8BAB-29E8-4F95-B685-B9F53AB89F15}
c:\docume~1\user\LOCALS~1\Temp\{1948D49E-D2AD-4CD7-A683-AF1CA07031FF}\{CD4C8BAB-29E8-4F95-B685-B9F53AB89F15}\Audio
c:\docume~1\user\LOCALS~1\Temp\{1948D49E-D2AD-4CD7-A683-AF1CA07031FF}\{CD4C8BAB-29E8-4F95-B685-B9F53AB89F15}\CardScan.dll 81920 bytes executable
c:\docume~1\user\LOCALS~1\Temp\{1948D49E-D2AD-4CD7-A683-AF1CA07031FF}\{CD4C8BAB-29E8-4F95-B685-B9F53AB89F15}\Common.dll 98304 bytes executable
c:\docume~1\user\LOCALS~1\Temp\{1948D49E-D2AD-4CD7-A683-AF1CA07031FF}\{CD4C8BAB-29E8-4F95-B685-B9F53AB89F15}\CTCabEx.DLL 286720 bytes executable
c:\docume~1\user\LOCALS~1\Temp\{1948D49E-D2AD-4CD7-A683-AF1CA07031FF}\{CD4C8BAB-29E8-4F95-B685-B9F53AB89F15}\Error.ini 1196 bytes
c:\docume~1\user\LOCALS~1\Temp\{1948D49E-D2AD-4CD7-A683-AF1CA07031FF}\{CD4C8BAB-29E8-4F95-B685-B9F53AB89F15}\Pfmodbs.vxd 7062 bytes
c:\docume~1\user\LOCALS~1\Temp\{1948D49E-D2AD-4CD7-A683-AF1CA07031FF}\{CD4C8BAB-29E8-4F95-B685-B9F53AB89F15}\RegEdit.dll 53248 bytes executable
c:\docume~1\user\LOCALS~1\Temp\{1948D49E-D2AD-4CD7-A683-AF1CA07031FF}\{CD4C8BAB-29E8-4F95-B685-B9F53AB89F15}\Setup.bmp 9160 bytes
c:\docume~1\user\LOCALS~1\Temp\{1948D49E-D2AD-4CD7-A683-AF1CA07031FF}\{CD4C8BAB-29E8-4F95-B685-B9F53AB89F15}\SUPPORT.CAB 84983 bytes
c:\docume~1\user\LOCALS~1\Temp\{1948D49E-D2AD-4CD7-A683-AF1CA07031FF}\{CD4C8BAB-29E8-4F95-B685-B9F53AB89F15}\WebDrv.ini 790 bytes
c:\docume~1\user\LOCALS~1\Temp\{1948D49E-D2AD-4CD7-A683-AF1CA07031FF}\{CD4C8BAB-29E8-4F95-B685-B9F53AB89F15}\_ISUSER.DLL 126976 bytes executable
c:\docume~1\user\LOCALS~1\Temp\{1948D49E-D2AD-4CD7-A683-AF1CA07031FF}\{CD4C8BAB-29E8-4F95-B685-B9F53AB89F15}\_setup.dll 368640 bytes executable
c:\docume~1\user\LOCALS~1\Temp\{22EB2FA7-1BA0-4FFB-972F-353EC6ABA9D5}.log 803 bytes
c:\docume~1\user\LOCALS~1\Temp\{2580475D-701E-43CB-B5E5-DF9A7727E1CE}
c:\docume~1\user\LOCALS~1\Temp\{2580475D-701E-43CB-B5E5-DF9A7727E1CE}\{f0a37341-d692-11d4-a984-009027ec0a9c}
c:\docume~1\user\LOCALS~1\Temp\{2580475D-701E-43CB-B5E5-DF9A7727E1CE}\{f0a37341-d692-11d4-a984-009027ec0a9c}\Platform.ini 5988 bytes
c:\docume~1\user\LOCALS~1\Temp\{28B97CAB-828F-49D8-A30A-675476F9BA92}.log 850 bytes
c:\docume~1\user\LOCALS~1\Temp\{390FF986-468D-4CA9-8830-2C4B313F447F}
c:\docume~1\user\LOCALS~1\Temp\{4E7DC12A-3597-4A94-9429-F6C6987361B1}.log 852 bytes
c:\docume~1\user\LOCALS~1\Temp\{6813C983-427E-4511-8456-E98FCAA1A125}.log 852 bytes
c:\docume~1\user\LOCALS~1\Temp\wmplog00.sqm 1680 bytes
c:\docume~1\user\LOCALS~1\Temp\wmplog01.sqm 1416 bytes
c:\docume~1\user\LOCALS~1\Temp\wmplog02.sqm 1416 bytes
c:\docume~1\user\LOCALS~1\Temp\wmplog03.sqm 1416 bytes
c:\docume~1\user\LOCALS~1\Temp\wmplog04.sqm 1620 bytes
c:\docume~1\user\LOCALS~1\Temp\wmsetup.log 13159 bytes
c:\docume~1\user\LOCALS~1\Temp\WPDNSE
c:\docume~1\user\LOCALS~1\Temp\WQVR2BPM.htm 32768 bytes
c:\docume~1\user\LOCALS~1\Temp\wr-1-0000077.exe 5574 bytes executable
c:\docume~1\user\LOCALS~1\Temp\X04UGI05.emf 284 bytes
c:\docume~1\user\LOCALS~1\Temp\XBJNL0JO.emf 138968 bytes
c:\docume~1\user\LOCALS~1\Temp\XLTJ411I.emf 78488 bytes
c:\docume~1\user\LOCALS~1\Temp\Y0SKFEQZ.htm 1735 bytes
c:\docume~1\user\LOCALS~1\Temp\Y0XVZ16G.htm 1735 bytes
c:\docume~1\user\LOCALS~1\Temp\YDFXSettings.dat 72 bytes
c:\docume~1\user\LOCALS~1\Temp\YGBCHDKS.htm 624 bytes
c:\docume~1\user\LOCALS~1\Temp\ymemsi.log 6092 bytes
c:\docume~1\user\LOCALS~1\Temp\ymp2EB.exe 12932840 bytes executable
c:\docume~1\user\LOCALS~1\Temp\ymp6812.exe 12955880 bytes executable
c:\docume~1\user\LOCALS~1\Temp\YSZH7ULF.htm 14145 bytes
c:\docume~1\user\LOCALS~1\Temp\YV9I7ZKF.emf 41024 bytes
c:\docume~1\user\LOCALS~1\Temp\dgm000 0 bytes
c:\docume~1\user\LOCALS~1\Temp\gaopdx000 0 bytes
c:\docume~1\user\LOCALS~1\Temp\hsperfdata_user
c:\docume~1\user\LOCALS~1\Temp\IH4B.tmp 11387 bytes
c:\docume~1\user\LOCALS~1\Temp\IHFA.tmp 8316 bytes
c:\docume~1\user\LOCALS~1\Temp\java_install.log 26955 bytes
c:\docume~1\user\LOCALS~1\Temp\java_install_reg.log 5651 bytes
c:\docume~1\user\LOCALS~1\Temp\java_install_sp.log 2840 bytes
c:\docume~1\user\LOCALS~1\Temp\jinstall.cfg 9669 bytes
c:\docume~1\user\LOCALS~1\Temp\jusched.log 6772 bytes
c:\docume~1\user\LOCALS~1\Temp\MSI3de3d.LOG 392 bytes
c:\docume~1\user\LOCALS~1\Temp\MSI5291d.LOG 392 bytes
c:\docume~1\user\LOCALS~1\Temp\MSI5e17f.LOG 392 bytes
c:\docume~1\user\LOCALS~1\Temp\MSI66db3.LOG 392 bytes
c:\docume~1\user\LOCALS~1\Temp\MSI8b051.LOG 434 bytes
c:\docume~1\user\LOCALS~1\Temp\MSIcc4e8.LOG 392 bytes
c:\docume~1\user\LOCALS~1\Temp\msqpdx000 0 bytes
c:\docume~1\user\LOCALS~1\Temp\Perflib_Perfdata__755.dat 60416 bytes executable
c:\docume~1\user\LOCALS~1\Temp\quadra000 0 bytes
c:\docume~1\user\LOCALS~1\Temp\RarSFX0
c:\docume~1\user\LOCALS~1\Temp\seneka000 0 bytes
c:\docume~1\user\LOCALS~1\Temp\VerChk.txt 88 bytes
c:\docume~1\user\LOCALS~1\Temp\WMC0000.tmp
c:\docume~1\user\LOCALS~1\Temp\WMC0000.tmp\WMPAU.exe 1669120 bytes executable
c:\docume~1\user\LOCALS~1\Temp\{0bedbd4e-2d34-47b5-9973-57e62b29307c}
c:\docume~1\user\LOCALS~1\Temp\{0bedbd4e-2d34-47b5-9973-57e62b29307c}\CP_XP.reg 2593 bytes
c:\docume~1\user\LOCALS~1\Temp\{0bedbd4e-2d34-47b5-9973-57e62b29307c}\FGL_32.reg 7881 bytes
c:\docume~1\user\LOCALS~1\Temp\{FCDD3F6E-EFE9-4DD5-BF02-9341C49F10DC}
c:\docume~1\user\LOCALS~1\Temp\{FCDD3F6E-EFE9-4DD5-BF02-9341C49F10DC}\{f0a37341-d692-11d4-a984-009027ec0a9c}
c:\docume~1\user\LOCALS~1\Temp\{FCDD3F6E-EFE9-4DD5-BF02-9341C49F10DC}\{f0a37341-d692-11d4-a984-009027ec0a9c}\Platform.ini 5988 bytes
c:\docume~1\user\LOCALS~1\Temp\2132-1-2009-3-2-17-16-25-609
c:\docume~1\user\LOCALS~1\Temp\2132-1-2009-3-2-17-16-25-609\KESetup.cfg 1487 bytes
c:\docume~1\user\LOCALS~1\Temp\2656-1-2009-3-1-19-40-6-546
c:\docume~1\user\LOCALS~1\Temp\2656-1-2009-3-1-19-40-6-546\KESetup.cfg 1487 bytes
c:\docume~1\user\LOCALS~1\Temp\2684-1-2009-3-1-20-58-57-578
c:\docume~1\user\LOCALS~1\Temp\2684-1-2009-3-1-20-58-57-578\KESetup.cfg 1487 bytes
c:\docume~1\user\LOCALS~1\Temp\348-1-2009-3-8-3-10-24-953
c:\docume~1\user\LOCALS~1\Temp\348-1-2009-3-8-3-10-24-953\KESetup.cfg 1487 bytes
c:\docume~1\user\LOCALS~1\Temp\3780-1-2009-3-2-2-52-55-640
c:\docume~1\user\LOCALS~1\Temp\3780-1-2009-3-2-2-52-55-640\KESetup.cfg 1487 bytes
c:\docume~1\user\LOCALS~1\Temp\3900-1-2009-3-1-19-29-26-859
c:\docume~1\user\LOCALS~1\Temp\3900-1-2009-3-1-19-29-26-859\KESetup.cfg 1487 bytes
c:\docume~1\user\LOCALS~1\Temp\460-1-2009-3-2-6-12-28-343
c:\docume~1\user\LOCALS~1\Temp\460-1-2009-3-2-6-12-28-343\KESetup.cfg 1487 bytes
c:\docume~1\user\LOCALS~1\Temp\568-1-2009-3-2-6-21-7-703
c:\docume~1\user\LOCALS~1\Temp\568-1-2009-3-2-6-21-7-703\KESetup.cfg 1487 bytes
c:\docume~1\user\LOCALS~1\Temp\7fecc7.mst 1358848 bytes
c:\docume~1\user\LOCALS~1\Temp\816658.mst 1412608 bytes
c:\docume~1\user\LOCALS~1\Temp\964-1-2009-3-8-0-18-4-421
c:\docume~1\user\LOCALS~1\Temp\964-1-2009-3-8-0-18-4-421\KESetup.cfg 0 bytes
c:\docume~1\user\LOCALS~1\Temp\9e842.mst 1412608 bytes
c:\docume~1\user\LOCALS~1\Temp\AVSETUP_49b30cc0
c:\docume~1\user\LOCALS~1\Temp\AVSETUP_49b30cc0\setup.log 25496 bytes
c:\docume~1\user\LOCALS~1\Temp\BABHZP1B.htm 1735 bytes
c:\docume~1\user\LOCALS~1\Temp\calog.txt 50 bytes
c:\docume~1\user\LOCALS~1\Temp\catchme.dll 53248 bytes executable
c:\docume~1\user\LOCALS~1\Temp\cc2log.txt 38 bytes
c:\docume~1\user\LOCALS~1\Temp\CTZapTest.txt 8404 bytes
c:\docume~1\user\LOCALS~1\Temp\{7136FE70-D1A9-42A5-9BBD-87C440701D9F}
c:\docume~1\user\LOCALS~1\Temp\{7136FE70-D1A9-42A5-9BBD-87C440701D9F}\SBHRInst.exe 88560 bytes executable
c:\docume~1\user\LOCALS~1\Temp\{7DADB304-AF20-48C3-A780-4B4133A08817}.log 852 bytes
c:\docume~1\user\LOCALS~1\Temp\{9C423CF6-2DAA-4A37-94B8-59D7ECC7DB13}.log 852 bytes
c:\docume~1\user\LOCALS~1\Temp\{AC76BA86-7AD7-1033-7B44-A81000000003}.ini 724 bytes
c:\docume~1\user\LOCALS~1\Temp\{AC76BA86-7AD7-1033-7B44-A81200000003}.ini 1403 bytes
c:\docume~1\user\LOCALS~1\Temp\{ACE66099-E18E-4037-83C8-9D182E5B9FA8}.log 1345 bytes
c:\docume~1\user\LOCALS~1\Temp\{D5068583-D569-468B-9755-5FBF5848F46F}.log 5952 bytes
c:\docume~1\user\LOCALS~1\Temp\{FA6CC4B4-7741-4F8D-8E81-15C4BAB9869B}.log 852 bytes
c:\docume~1\user\LOCALS~1\Temp\~DF31DD.tmp 98304 bytes
c:\docume~1\user\LOCALS~1\Temp\~DF3DA9.tmp 32768 bytes
c:\docume~1\user\LOCALS~1\Temp\~DF5B0F.tmp 32768 bytes
c:\docume~1\user\LOCALS~1\Temp\~DF62ED.tmp 212992 bytes
c:\docume~1\user\LOCALS~1\Temp\~DF6F93.tmp 32768 bytes
c:\docume~1\user\LOCALS~1\Temp\~DF82F2.tmp 98304 bytes
c:\docume~1\user\LOCALS~1\Temp\~DF83BF.tmp 32768 bytes
c:\docume~1\user\LOCALS~1\Temp\~DF889B.tmp 16384 bytes
c:\docume~1\user\LOCALS~1\Temp\~DFC7E.tmp 98304 bytes
c:\docume~1\user\LOCALS~1\Temp\~DFF58A.tmp 16384 bytes
c:\docume~1\user\LOCALS~1\Temp\~nsu.tmp
c:\docume~1\user\LOCALS~1\Temp\1128-1-2009-3-8-15-18-42-62
c:\docume~1\user\LOCALS~1\Temp\1128-1-2009-3-8-15-18-42-62\KESetup.cfg 1487 bytes
c:\docume~1\user\LOCALS~1\Temp\1196-1-2009-3-4-21-12-4-687
c:\docume~1\user\LOCALS~1\Temp\1196-1-2009-3-4-21-12-4-687\KESetup.cfg 1487 bytes
c:\docume~1\user\LOCALS~1\Temp\1332-1-2009-3-1-19-17-37-0
c:\docume~1\user\LOCALS~1\Temp\1332-1-2009-3-1-19-17-37-0\KESetup.cfg 1487 bytes
c:\docume~1\user\LOCALS~1\Temp\1384-1-2009-3-2-15-39-49-125
c:\docume~1\user\LOCALS~1\Temp\1384-1-2009-3-2-15-39-49-125\KESetup.cfg 1487 bytes
c:\docume~1\user\LOCALS~1\Temp\1556-1-2009-3-1-23-14-34-765
c:\docume~1\user\LOCALS~1\Temp\1556-1-2009-3-1-23-14-34-765\KESetup.cfg 1487 bytes
c:\docume~1\user\LOCALS~1\Temp\1880-1-2008-4-15-23-1-50-203
c:\docume~1\user\LOCALS~1\Temp\1880-1-2008-4-15-23-1-50-203\KESetup.cfg 1487 bytes
c:\docume~1\user\LOCALS~1\Temp\SunbeltCSCInstaller.log 436604 bytes
c:\docume~1\user\LOCALS~1\Temp\tdss000 0 bytes
c:\docume~1\user\LOCALS~1\Temp\Temporary Internet Files
c:\docume~1\user\LOCALS~1\Temp\Temporary Internet Files\Content.IE5
c:\docume~1\user\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\4TYZOL2V
c:\docume~1\user\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\4TYZOL2V\search[1].htm 35115 bytes
c:\docume~1\user\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\4TYZOL2V\search[2] 454 bytes
c:\docume~1\user\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\4TYZOL2V\search[3] 512 bytes
c:\docume~1\user\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\4TYZOL2V\search[4] 550 bytes
c:\docume~1\user\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\4TYZOL2V\search_02[1].gif 7444 bytes
c:\docume~1\user\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\4TYZOL2V\search_03[1].gif 395 bytes
c:\docume~1\user\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\4TYZOL2V\sendToPhone[1].js 7402 bytes
c:\docume~1\user\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\4TYZOL2V\send_email[1].gif 677 bytes
c:\docume~1\user\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\4TYZOL2V\cumshot4[1].jpg 16245 bytes
c:\docume~1\user\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\4TYZOL2V\dank-haus[1].htm 28709 bytes
c:\docume~1\user\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\4TYZOL2V\dataCache[1].swf 401 bytes

****************
I took out Temporary Internet Files --- way to many
****************

c:\docume~1\user\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\O5MVWHEN\top_06[1].jpg 1175 bytes
c:\docume~1\user\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\O5MVWHEN\top_07[1].jpg 1082 bytes
c:\docume~1\user\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\O5MVWHEN\top_08[1].jpg 17130 bytes
c:\docume~1\user\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\O5MVWHEN\toy[1].jpg 7397 bytes
c:\docume~1\user\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\O5MVWHEN\to[1].htm 802 bytes
c:\docume~1\user\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\O5MVWHEN\to[2].htm 804 bytes
c:\docume~1\user\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\O5MVWHEN\trace[1].gif 43 bytes
c:\docume~1\user\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\O5MVWHEN\trailer[1].jpg 42917 bytes
c:\docume~1\user\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\O5MVWHEN\transpacatchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(728)
c:\windows\system32\imon.dll
.
Completion time: 2009-03-08 11:48:52
ComboFix-quarantined-files.txt 2009-03-08 16:47:33

Pre-Run: 139,809,132,544 bytes free
Post-Run: 139,832,578,048 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

2879 --- E O F --- 2009-03-08 02:58:21
 
HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:52:11 AM, on 3/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183841109968
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 5982 bytes
 
Malwarebytes started up

I just tried to start up Malwarebytes and it did start up and I got the updates, should I run the full scan and remove all files now?

Greg
 
Give me a few mintues to post, I am looking at the last information now.

Thanks
 
Good job getting combofix to run:bigthumb: it removed a lot of the bad junk and should given you some relief. Let's proceed in the numbered order.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

3) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

(no need to download, make sure you update and use the instructions posted)

4) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running now, and malware symptoms?

Thanks...Phil
 
Scanning is done and removed all files.
The computer seams to be running better, IE opens and then shuts down. FireFox opens and I do not get redrected to search sites anymore. I was able to download spybot 1.6.2. I did the Install and updates. Should I do a full scan with spybot program. Here is the HJT log and the MBAM log.
 
HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:42:12 PM, on 3/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183841109968
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 5858 bytes
 
mbam log

Malwarebytes' Anti-Malware 1.34
Database version: 1827
Windows 5.1.2600 Service Pack 3

3/8/2009 1:40:47 PM
mbam-log-2009-03-08 (13-40-47).txt

Scan type: Full Scan (C:\|)
Objects scanned: 155156
Time elapsed: 52 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\user\Local Settings\Temp\UAC2942.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACewqwhxbx.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACripoymwu.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACvkbmpuqt.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACxodpemyc.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FC9E4337-5956-4247-883B-D64CE869DD85}\RP620\A0062760.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FC9E4337-5956-4247-883B-D64CE869DD85}\RP620\A0062761.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FC9E4337-5956-4247-883B-D64CE869DD85}\RP620\A0062762.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FC9E4337-5956-4247-883B-D64CE869DD85}\RP620\A0062763.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\System32KBRunOnce2.tm_ (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\System32KBRunOnce2.t__ (Malware.Trace) -> Quarantined and deleted successfully.
 
Status
Not open for further replies.
Back
Top