rusty reading hojack logs please help

It sure would be easier to decipher if we could also see those other logs to find out what was all ready removed because from the looks of this NOTHING was removed!
Judy

Were the instructions for these programs followed exactly?
Combofix for one tells you;

Close or disable all running Antivirus, Antispyware, and Firewall programs

MBA-M tells you to;
Be sure that everything is checked, and click Remove Selected.
Did you REBOOT after each program was run? Many infections cannot be removed until the computer is rebooted.

There are TWO antivirus programs running on this computer, Norton and AVG 8. Absolutely a No-No. UNINSTALL one of them. Choice is yours, Norton is a pay for program, if it is current then I would suggest you remove AVG 8 if it is the FREE version. If you paid for both then the choice is yours, but ONE MUST GO IMMEDIATELY.
There is a P2P file sharing program running, ares, TURN IT OFF.

Another thing, turn off Spybot TeaTimer for the duration, it CAN interfere with fixes attempted.
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Post back with all of those other logs, expecially MBA-M and combofix.
Judy

It sure would be easier to decipher if we could also see those other logs to find out what was all ready removed because from the looks of this NOTHING was removed!
Judy

i agree,im helping someone through email ,a poster from this forum that i sent a legit copy of winxp to so he could reinstall windows on a computer that came with no cd's ,he is not sure of everything ,but says hes hitting the fix for malwareware bytes and spybot ,but to answer your question ,all the logs look the same .i was just wondering if maybe he had something specific that those programs are missing

here is his combo fix log ,im going to get him to rerun it in safe mode .

ComboFix 08-09-16.05 - Owner 2008-09-17 20:07:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.216 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\Hotbar
C:\Documents and Settings\All Users\Start Menu\Programs\Hotbar\About Hotbar.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Hotbar\Hotbar Customer Support Center.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Hotbar\Reset Cursor.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Hotbar\Uninstall Hotbar.lnk
C:\Documents and Settings\Owner\Application Data\ASEMBL~1
C:\Documents and Settings\Owner\Application Data\CROSOF~1
C:\Documents and Settings\Owner\Application Data\DOBE~1
C:\Documents and Settings\Owner\Application Data\ICROSO~1
C:\Documents and Settings\Owner\Application Data\MBOLS~1
C:\Documents and Settings\Owner\Application Data\MCROSO~1.NET
C:\Documents and Settings\Owner\Application Data\RACLE~1
C:\Documents and Settings\Owner\Application Data\RACLE~1\??mbols\
C:\Documents and Settings\Owner\Application Data\RACLE~1\?racle\
C:\Documents and Settings\Owner\Application Data\RACLE~1\?ystem\
C:\Documents and Settings\Owner\Application Data\SCURIT~1
C:\Documents and Settings\Owner\Application Data\SSEMBL~1
C:\Documents and Settings\Owner\My Documents\APPATC~1
C:\Documents and Settings\Owner\My Documents\CROSOF~1.NET
C:\Documents and Settings\Owner\My Documents\FNTS~1
C:\Documents and Settings\Owner\My Documents\MCROSO~1
C:\Program Files\AntiSpywareShield
C:\Program Files\AntiSpywareShield\AntiSpywareShield1.ad
C:\Program Files\asembl~1
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\Common Files\dobe~1
C:\Program Files\Common Files\dobe~2
C:\Program Files\Common Files\mantec~1
C:\Program Files\Common Files\mcroso~1.net
C:\Program Files\Common Files\ppatch~1
C:\Program Files\Common Files\pppatc~1
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\racle~2
C:\Program Files\Common Files\scurit~1
C:\Program Files\Common Files\sstem3~1
C:\Program Files\Common Files\stem~1
C:\Program Files\Common Files\stem32~1
C:\Program Files\Common Files\ymbols~1
C:\Program Files\Common Files\ystem~1
C:\Program Files\crosof~1
C:\Program Files\Dcads Advanced Toolbar
C:\Program Files\Dcads Advanced Toolbar\buttons.xml
C:\Program Files\Dcads Advanced Toolbar\search.xml
C:\Program Files\Dcads Advanced Toolbar\toolbar.dll
C:\Program Files\Dcads Advanced Toolbar\uninstall.exe
C:\Program Files\fnts~1
C:\Program Files\icroso~1.net
C:\Program Files\pppatc~1
C:\Program Files\sembly~1
C:\Program Files\smbols~1
C:\Program Files\stem~1
C:\Program Files\wnsxs~1
C:\Program Files\ymbols~1
C:\WINNT\asembl~1
C:\WINNT\asks~1
C:\WINNT\crosof~1
C:\WINNT\dobe~1
C:\WINNT\icroso~1
C:\WINNT\icroso~1.net
C:\WINNT\ppatch~1
C:\WINNT\racle~1
C:\WINNT\sembly~1
C:\WINNT\sks~1
C:\WINNT\system32\ablcuwke.ini
C:\WINNT\system32\abyntjxj.ini
C:\WINNT\system32\adssitesuggest.dll
C:\WINNT\system32\afnhgkgg.ini
C:\WINNT\system32\ahinctrp.ini
C:\WINNT\system32\asembl~1
C:\WINNT\system32\auovhmoi.ini
C:\WINNT\system32\aycdd.bak1
C:\WINNT\system32\aycdd.bak2
C:\WINNT\system32\aycdd.ini
C:\WINNT\system32\aycdd.ini2
C:\WINNT\system32\aycdd.tmp
C:\WINNT\system32\aydhpjso.ini
C:\WINNT\system32\bcioelfe.ini
C:\WINNT\system32\bdtejxpp.ini
C:\WINNT\system32\bfqtcvrn.ini
C:\WINNT\system32\boshhglu.ini
C:\WINNT\system32\bwegolqq.ini
C:\WINNT\system32\bxbxvjua.ini
C:\WINNT\system32\bxusfcgo.dll
C:\WINNT\system32\bxynlbul.ini
C:\WINNT\system32\chqfyyje.ini
C:\WINNT\system32\cltehbbd.ini
C:\WINNT\system32\cmeuhqfg.ini2
C:\WINNT\system32\cpcahmux.ini
C:\WINNT\system32\crosof~1
C:\WINNT\system32\crosof~1.net
C:\WINNT\system32\cvrpcjgs.ini
C:\WINNT\system32\dcads-remove.exe
C:\WINNT\system32\dcadssuggest.dll
C:\WINNT\system32\dfdsvjta.ini
C:\WINNT\system32\dobe~1
C:\WINNT\system32\dudinlyi.ini
C:\WINNT\system32\efewuqql.ini
C:\WINNT\system32\effkovih.ini
C:\WINNT\system32\ehtsupae.ini
C:\WINNT\system32\epkxixkp.ini
C:\WINNT\system32\ewhlfwbu.ini
C:\WINNT\system32\fcljliwk.ini
C:\WINNT\system32\fkwqrowt.ini
C:\WINNT\system32\flrxfsqx.ini
C:\WINNT\system32\fnts~1
C:\WINNT\system32\frkvyali.ini
C:\WINNT\system32\fvdfampj.ini
C:\WINNT\system32\gjkmp.bak1
C:\WINNT\system32\gjkmp.ini
C:\WINNT\system32\glfjxyni.ini
C:\WINNT\system32\gsrqsklc.ini
C:\WINNT\system32\guniipey.ini
C:\WINNT\system32\hatfdnck.ini
C:\WINNT\system32\hfghueur.ini
C:\WINNT\system32\hglwspet.ini
C:\WINNT\system32\hogaensf.ini
C:\WINNT\system32\hrwoynst.ini
C:\WINNT\system32\hwdgytwj.ini
C:\WINNT\system32\hwobemqv.ini
C:\WINNT\system32\ibraxfjk.ini
C:\WINNT\system32\ikkasmwx.ini
C:\WINNT\system32\ikwdnfcu.ini
C:\WINNT\system32\ippkpcyn.ini
C:\WINNT\system32\ixyyruqu.ini
C:\WINNT\system32\iyfdtkff.ini
C:\WINNT\system32\jehljtrk.ini
C:\WINNT\system32\jfvujave.ini
C:\WINNT\system32\jphbrkgp.ini
C:\WINNT\system32\kgsmoqsy.ini
C:\WINNT\system32\kgxvrnwk.ini
C:\WINNT\system32\kqgpkbir.ini
C:\WINNT\system32\kubeiemg.ini
C:\WINNT\system32\lbqijepr.ini
C:\WINNT\system32\lbrgukcg.ini
C:\WINNT\system32\lcvfsfov.ini
C:\WINNT\system32\lmiyrvdy.ini
C:\WINNT\system32\loctrqxi.ini
C:\WINNT\system32\lqjfmxxm.ini
C:\WINNT\system32\lyrnxfob.ini
C:\WINNT\system32\makbrvbv.ini
C:\WINNT\system32\mbbhxpen.ini
C:\WINNT\system32\mcyqknpi.ini
C:\WINNT\system32\mdaqaywo.ini
C:\WINNT\system32\mfxksicf.ini
C:\WINNT\system32\MSINET.oca
C:\WINNT\system32\muuphxtj.ini
C:\WINNT\system32\mwpxtair.ini
C:\WINNT\system32\myiateph.ini
C:\WINNT\system32\napnafml.ini
C:\WINNT\system32\nccwrfvk.ini
C:\WINNT\system32\npnrwvtm.ini
C:\WINNT\system32\ntdxaqlk.ini
C:\WINNT\system32\okiouhuf.ini
C:\WINNT\system32\omckcxvi.ini
C:\WINNT\system32\ornejopx.ini
C:\WINNT\system32\pahaqyup.ini
C:\WINNT\system32\pbmytwvj.ini
C:\WINNT\system32\pgesrhqq.ini
C:\WINNT\system32\pivrcmub.ini
C:\WINNT\system32\pkgeifqx.ini
C:\WINNT\system32\ppjintqy.ini
C:\WINNT\system32\pqijixmw.ini
C:\WINNT\system32\ptewifxy.ini
C:\WINNT\system32\qcqsthit.ini
C:\WINNT\system32\qpubsncm.ini
C:\WINNT\system32\qpxdeloe.ini
C:\WINNT\system32\qqxehayv.ini
C:\WINNT\system32\qrshkpjr.ini
C:\WINNT\system32\qubrousk.ini
C:\WINNT\system32\redjnyje.ini
C:\WINNT\system32\rivhlffo.ini
C:\WINNT\system32\rshgxdyc.ini
C:\WINNT\system32\sbhkpanh.ini
C:\WINNT\system32\scnvehpq.ini
C:\WINNT\system32\scphnxgf.ini2
C:\WINNT\system32\scphnxgf.tmp
C:\WINNT\system32\scurit~1
C:\WINNT\system32\skoqgcli.ini
C:\WINNT\system32\suxdtkvw.ini
C:\WINNT\system32\tbobpcgk.ini
C:\WINNT\system32\tbxvpdko.ini
C:\WINNT\system32\tcmmtxrp.ini
C:\WINNT\system32\tghxcwgf.ini
C:\WINNT\system32\thomtcoi.ini
C:\WINNT\system32\tniynryg.ini
C:\WINNT\system32\tyhavxua.ini
C:\WINNT\system32\ubkeevrg.ini
C:\WINNT\system32\ufmbcbyh.ini
C:\WINNT\system32\ugbtowib.ini2
C:\WINNT\system32\ugbtowib.tmp
C:\WINNT\system32\uhauiebf.ini
C:\WINNT\system32\ujuoeeex.ini
C:\WINNT\system32\ukcjmarm.ini
C:\WINNT\system32\ukjfheec.ini
C:\WINNT\system32\unejesou.ini
C:\WINNT\system32\upvylfos.ini
C:\WINNT\system32\vbehjfti.ini
C:\WINNT\system32\vbluxwvu.ini
C:\WINNT\system32\vqmgogwf.ini
C:\WINNT\system32\vxefcwja.ini
C:\WINNT\system32\waprqtpa.ini
C:\WINNT\system32\wcxfmpef.ini
C:\WINNT\system32\wnstssv.exe
C:\WINNT\system32\wpgndusf.ini
C:\WINNT\system32\wvmwjbyq.ini
C:\WINNT\system32\xdhheyqw.ini
C:\WINNT\system32\xiktklpr.ini
C:\WINNT\system32\xlublpad.ini2
C:\WINNT\system32\xlublpad.tmp
C:\WINNT\system32\xomdkmaa.ini
C:\WINNT\system32\xstadpgg.ini
C:\WINNT\system32\xweicuwc.ini
C:\WINNT\system32\yaipfcnb.ini
C:\WINNT\system32\yguhxvki.ini
C:\WINNT\system32\yivifeik.ini
C:\WINNT\system32\ymtipvbe.ini
C:\WINNT\system32\ypkmbfdh.ini
C:\WINNT\system32\yrljbjjq.ini
C:\WINNT\system32\ywxufnht.ini
C:\WINNT\wnsxs~1
C:\WINNT\ymbols~1
C:\WINNT\system32\audiosr.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-08-18 to 2008-09-18 )))))))))))))))))))))))))))))))
.

2008-09-13 20:13 . 2008-09-13 20:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-07 20:07 . 2008-09-17 17:35 <DIR> d-------- C:\WINNT\system32\wTR19
2008-09-07 20:07 . 2008-09-07 20:07 <DIR> d-------- C:\temp\dax41
2008-09-07 19:29 . 2008-09-11 23:09 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-07 19:29 . 2008-09-12 15:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-07 19:15 . 2008-09-07 19:15 <DIR> d-------- C:\Program Files\CCleaner
2008-09-07 16:52 . 2008-09-07 16:52 0 --a------ C:\temp\jfidoj.exe
2008-09-07 16:52 . 2008-09-07 16:52 0 --a------ C:\jfidoj.exe
2008-09-07 16:30 . 2008-09-07 16:30 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-07 16:30 . 2008-09-07 16:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-09-07 16:30 . 2008-09-07 16:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-07 16:30 . 2008-09-02 00:16 38,528 --a------ C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-09-07 16:30 . 2008-09-02 00:16 17,200 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-09-03 21:24 . 2003-11-18 01:09 155,648 --a------ C:\WINNT\system32\igfxres.dll
2008-09-03 21:17 . 2008-09-03 21:17 1,396 --a------ C:\WINNT\system32\wpa.bak
2008-09-03 18:39 . 2004-08-04 08:00 28,288 --a--c--- C:\WINNT\system32\dllcache\xjis.nls
2008-09-03 18:37 . 2004-08-04 08:00 482,304 --a--c--- C:\WINNT\system32\dllcache\pintlgnt.ime
2008-09-03 18:36 . 2004-08-04 08:00 1,875,968 --a--c--- C:\WINNT\system32\dllcache\msir3jp.lex
2008-09-03 18:35 . 2004-08-04 08:00 13,463,552 --a--c--- C:\WINNT\system32\dllcache\hwxjpn.dll
2008-09-03 18:34 . 2004-08-04 08:00 1,677,824 --a--c--- C:\WINNT\system32\dllcache\chsbrkr.dll
2008-09-03 18:30 . 2008-09-03 18:30 749 -rah----- C:\WINNT\WindowsShell.Manifest
2008-09-03 18:30 . 2008-09-03 18:30 749 -rah----- C:\WINNT\system32\wuaucpl.cpl.manifest
2008-09-03 18:30 . 2008-09-03 18:30 749 -rah----- C:\WINNT\system32\sapi.cpl.manifest
2008-09-03 18:30 . 2008-09-03 18:30 749 -rah----- C:\WINNT\system32\ncpa.cpl.manifest
2008-09-03 18:30 . 2008-09-03 18:30 488 -rah----- C:\WINNT\system32\logonui.exe.manifest
2008-09-03 18:00 . 2004-08-04 08:00 1,086,058 -ra------ C:\WINNT\SET6D.tmp
2008-09-03 18:00 . 2004-08-04 08:00 1,042,903 -ra------ C:\WINNT\SET67.tmp
2008-09-03 18:00 . 2004-08-04 08:00 13,753 -ra------ C:\WINNT\SET7C.tmp
2008-09-03 17:36 . 2004-08-04 08:00 1,086,058 -ra------ C:\WINNT\SET66.tmp
2008-09-03 17:36 . 2004-08-04 08:00 1,042,903 -ra------ C:\WINNT\SET63.tmp
2008-09-03 17:36 . 2004-08-04 08:00 13,753 -ra------ C:\WINNT\SET75.tmp
2008-09-03 17:27 . 2004-08-04 08:00 1,086,058 -ra------ C:\WINNT\SET65.tmp
2008-09-03 17:27 . 2004-08-04 08:00 1,042,903 -ra------ C:\WINNT\SET62.tmp
2008-09-03 17:27 . 2004-08-04 08:00 13,753 -ra------ C:\WINNT\SET74.tmp
2008-09-03 16:42 . 2004-08-04 08:00 1,086,058 -ra------ C:\WINNT\SET64.tmp
2008-09-03 16:42 . 2004-08-04 08:00 1,042,903 -ra------ C:\WINNT\SET61.tmp
2008-09-03 16:42 . 2004-08-04 08:00 13,753 -ra------ C:\WINNT\SET73.tmp
2008-09-03 16:32 . 2004-08-04 08:00 13,753 -ra------ C:\WINNT\SET6C.tmp
2008-09-03 16:31 . 2004-08-04 08:00 1,086,058 -ra------ C:\WINNT\SET60.tmp
2008-09-03 16:31 . 2004-08-04 08:00 1,042,903 -ra------ C:\WINNT\SET5D.tmp
2008-09-03 16:22 . 2004-08-04 08:00 1,086,058 -ra------ C:\WINNT\SET5F.tmp
2008-09-03 16:22 . 2004-08-04 08:00 1,042,903 -ra------ C:\WINNT\SET5C.tmp
2008-09-03 16:22 . 2004-08-04 08:00 13,753 -ra------ C:\WINNT\SET6B.tmp
2008-09-03 16:13 . 2004-08-04 08:00 1,086,058 -ra------ C:\WINNT\SET5E.tmp
2008-09-03 16:13 . 2004-08-04 08:00 1,042,903 -ra------ C:\WINNT\SET5B.tmp
2008-09-03 16:13 . 2004-08-04 08:00 13,753 -ra------ C:\WINNT\SET6A.tmp
2008-09-03 15:41 . 2004-08-04 08:00 24,661 --a------ C:\WINNT\system32\spxcoins.dll
2008-09-03 15:41 . 2004-08-04 08:00 24,661 --a--c--- C:\WINNT\system32\dllcache\spxcoins.dll
2008-09-03 15:41 . 2004-08-04 08:00 13,312 --a------ C:\WINNT\system32\irclass.dll
2008-09-03 15:41 . 2004-08-04 08:00 13,312 --a--c--- C:\WINNT\system32\dllcache\irclass.dll
2008-09-03 15:39 . 2008-09-03 19:08 1,366,473 --a------ C:\WINNT\setupapi.log.0.old

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-17 23:34 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-09-17 23:28 --------- d-----w C:\Program Files\LimeWire
2008-09-17 21:04 --------- d-----w C:\Program Files\World of Warcraft
2008-09-17 21:02 --------- d-----w C:\Program Files\Ventrilo
2008-09-17 21:00 --------- d-----w C:\Program Files\QuickTime
2008-09-17 20:50 --------- d-----w C:\Program Files\EbatesMoeMoneyMaker4
2008-09-17 20:39 --------- d-----w C:\Program Files\AIM6
2008-09-17 19:54 97,928 ----a-w C:\WINNT\system32\drivers\avgldx86.sys
2008-09-17 19:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-09-17 19:41 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-17 19:40 --------- d-----w C:\Program Files\Symantec
2008-09-17 19:40 --------- d-----w C:\Program Files\Norton AntiVirus
2008-09-13 15:13 --------- d-----w C:\Program Files\MSN Messenger
2008-09-13 00:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-12 19:57 --------- d-----w C:\Program Files\AviSynth 2.5
2008-09-12 01:13 --------- d-----w C:\Program Files\IEMenuExtension
2008-09-04 00:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2008-09-03 22:55 90,921 ----a-w C:\WINNT\system32\lxvpprcnbwpyfh.dll-uninst.exe
2008-08-06 14:40 76,040 ----a-w C:\WINNT\system32\drivers\avgtdix.sys
2008-08-06 14:40 10,520 ----a-w C:\WINNT\system32\avgrsstx.dll
2008-08-06 14:39 --------- d-----w C:\Program Files\AVG
2008-08-06 12:23 --------- d-----w C:\Program Files\Panicware
2008-08-06 11:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8(2)
2008-08-06 11:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-06 11:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\Hotbar
2008-08-06 11:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\HotbarSA
2008-08-06 00:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-03 16:00 64,849 ----a-w C:\WINNT\system32\efpbduvbpjvkeshm.exe
2008-07-15 20:37 101,632 ----a-w C:\WINNT\system32\audiosr.dll
2008-07-12 04:00 0 -c--a-w C:\Documents and Settings\Owner\jagex_runescape_preferences.dat
2007-08-09 02:03 811,436 -c--a-w C:\Program Files\WoW-2.1.3.6898-to-0.2.0.6932-enUS-downloader.exe
2007-08-09 01:51 353,320 -c--a-w C:\Program Files\world of warcraft.exe
2004-11-24 00:22 490,792 -csha-w C:\WINNT\Config\cvsmoc.bak1
2004-11-24 00:26 490,664 -csha-w C:\WINNT\Config\cvsmoc.bak2
2004-11-16 22:29 502,854 -csh--w C:\WINNT\Registration\tundrah.bak2
2006-11-08 15:35 4,605 -csha-w C:\WINNT\system32\srsc.dat
2004-11-17 22:30 503,336 -csha-w C:\WINNT\Web\printers\dvdevaw.bak1
2004-11-18 22:52 7,549,576 -csha-w C:\WINNT\Web\printers\dvdevaw.bak2
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
-c--a-w 32,768 2003-11-01 00:42:40 C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe

-c--a-w 73,728 2004-02-08 21:30:48 C:\Program Files\Gateway\GWCares\bak\GWCares.exe

-c--a-w 257,088 2007-05-26 16:45:54 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 257,088 2007-05-26 17:45:54 C:\Program Files\iTunes\iTunesHelper.exe

-c--a-w 132,496 2007-07-12 08:00:36 C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe

-c--a-w 282,624 2007-04-27 13:41:54 C:\Program Files\QuickTime\bak\qttask.exe

-c--a-w 663,552 2003-10-29 20:40:06 C:\Program Files\Webroot\Spy Sweeper\bak\SpySweeper.exe

-c--a-w 198,144 2003-10-08 09:00:08 C:\Program Files\Webroot\Washer\bak\wwDisp.exe

-c--a-w 204,288 2006-10-19 00:05:26 C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe

-c--a-w 4,670,968 2007-03-27 19:22:56 C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE

-c--a-w 15,360 2004-08-04 07:56:48 C:\WINNT\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 12:00:00 C:\WINNT\system32\ctfmon.exe

-c--a-w 118,784 2003-11-18 05:11:44 C:\WINNT\system32\bak\hkcmd.exe
----a-w 118,784 2003-11-18 05:11:44 C:\WINNT\system32\hkcmd.exe

-c--a-w 155,648 2003-11-18 05:24:50 C:\WINNT\system32\bak\igfxtray.exe
----a-w 155,648 2003-11-18 05:24:50 C:\WINNT\system32\igfxtray.exe

-c--a-r 155,648 2001-07-09 09:50:42 C:\WINNT\system32\bak\NeroCheck.exe

-c--a-w 406,016 2004-03-11 06:26:10 C:\WINNT\system32\bak\PSDrvCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C03609A-095F-44B7-A8D6-4DF2B14FC8DB}]
2008-07-15 16:37 101632 --a------ C:\WINNT\system32\audiosr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Batzu"="C:\WINNT\system32\j?vaw.exe" [?]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 15360]
"Ltho"="C:\PROGRA~1\COMMON~1\DOBE~1\notepad.exe" [N/A]
"HeavyWeaponSetup.exe"="C:\DOCUME~1\Owner\MYDOCU~1\MORPHE~1\DOWNLO~1\HEAVYW~1.EXE" [N/A]
"WormsArmageddon.exe"="C:\DOCUME~1\OWNER\DESKTOP\WORMSA~1.EXE" [N/A]
"ares"="C:\Documents and Settings\Owner\My Documents\My Games\Ares\Ares.exe" [N/A]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [N/A]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 536576]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [N/A]
"IE Menu Extension toolbar"="C:\PROGRA~1\IEMENU~1\tbextn.dll" [N/A]
"*hardnut"="C:\WINNT\Registration\hardnut.exe" [N/A]
"*wavedvd"="C:\WINNT\Web\printers\wavedvd.exe" [N/A]
"*comsvc"="C:\WINNT\Config\comsvc.exe" [N/A]
"satmat"="C:\WINNT\satmat.exe" [N/A]
"pOQnfza"="C:\documents and settings\owner\local settings\temp\pOQnfza.exe" [N/A]
"Ug"="C:\documents and settings\owner\local settings\temp\Ug.exe" [N/A]
"ITMMp15uK"="C:\documents and settings\owner\local settings\temp\ITMMp15uK.exe" [N/A]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [N/A]
"NI.UGES_0002_N108M1607"="c:\documents and settings\owner\application data\setup_en[1].exe" [N/A]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 257088]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-17 1235736]
"IgfxTray"="C:\WINNT\System32\igfxtray.exe" [2003-11-18 155648]
"HotKeysCmds"="C:\WINNT\System32\hkcmd.exe" [2003-11-18 118784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Ltho"="C:\DOCUME~1\Owner\APPLIC~1\RACLE~1\userinit.exe" [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"msacm.dvacm"= dvacm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=C:\WINNT\pss\ WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-01-03 12:15 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\bak\msnmsgr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyShredder]
C:\Program Files\SpyShredder\SpyShredder.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\WINNT\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Sierra On-Line\\SIGSPat.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\1191889479\\ee\\aolsoftware.exe"=
"C:\\WINNT\\system32\\regsvr32.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13813:TCP"= 13813:TCP:BitComet 13813 TCP
"13813:UDP"= 13813:UDP:BitComet 13813 UDP

R0 klrkytxh;klrkytxh;C:\WINNT\system32\drivers\nlvxpjix.dat [ ]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINNT\system32\Drivers\avgldx86.sys [2008-09-17 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-17 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-17 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINNT\system32\Drivers\avgtdix.sys [2008-08-06 76040]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S2 TBPSSvc;WebSeach Toolbar support NT service;C:\PROGRA~1\Toolbar\TBPSSvc.exe [ ]
S3 dac970nt;dac970nt;C:\WINNT\system32\drivers\gsossn.sys [ ]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);C:\WINNT\system32\Drivers\xbreader.sys [2001-01-02 19677]
.
- - - - ORPHANS REMOVED - - - -

BHO-{050DDC19-6B6F-43B3-8FBE-D3E1431A8244} - (no file)
BHO-{C004D9F0-A742-4DC7-AFD0-BC29CE3FE04A} - (no file)
BHO-{D6261BDE-2BF3-40F7-B978-92DFC6C8ACBF} - C:\WINNT\system32\ddcya.dll
BHO-{E1872FA4-6140-4868-B088-DD5407AE96AA} - (no file)
ShellIconOverlayIdentifiers-{EA3775F2-28BE-11D3-9C8D-00105A24ED29} - (no file)
ShellExecuteHooks-{E1872FA4-6140-4868-B088-DD5407AE96AA} - (no file)
SSODL-contrabandists-{dfa61db1-388e-4c87-8d56-540fa229bcb4} - (no file)
Notify-pmkjg - C:\WINNT\system32\pmkjg.dll

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cij1hc0y.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-17 20:15:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\klrkytxh]
"ImagePath"="system32\drivers\nlvxpjix.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
.
**************************************************************************
.
Completion time: 2008-09-17 20:25:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-18 00:25:32

Pre-Run: 9,740,083,200 bytes free
Post-Run: 9,556,418,560 bytes free

489 --- E O F --- 2008-09-04 01:26:40

Combofix DID remove a lot. I would like to see that MBA-M log too. BEFORE he does anymore scanning he MUST Uninstall one of those Anti-virus program.
Have him then do the MBA-M in Safe Mode, but nothing else yet.

I would also like to see results of a scan at

http://virusscan.jotti.org/

for those unknown O4 items but the person you are helping would have to do that because they must be uploaded from the infected computer.

These are the ones;
C:\WINNT\Registration\hardnut.exe
C:\WINNT\Web\printers\wavedvd.exe
C:\WINNT\Config\comsvc.exe
C:\WINNT\satmat.exe
C:\documents and settings\owner\local settings\temp\pOQnfza.exe
C:\documents and settings\owner\local settings\temp\Ug.exe
C:\documents and settings\owner\local settings\temp\ITMMp15uK.exe
c:\documents and settings\owner\application data\setup_en[1].exe -nag
C:\WINNT\system32\j?vaw.exe
C:\PROGRA~1\COMMON~1\DOBE~1\notepad.exe" -vt rbnd
C:\DOCUME~1\Owner\MYDOCU~1\MORPHE~1\DOWNLO~1\HEAVYW~1.EXE /r
C:\DOCUME~1\OWNER\DESKTOP\WORMSA~1.EXE /r
C:\DOCUME~1\Owner\APPLIC~1\RACLE~1\userinit.exe" -vt ndrv
C:\DOCUME~1\Owner\APPLIC~1\RACLE~1\userinit.exe" -vt ndrv

Combofix DID remove a lot. I would like to see that MBA-M log too. BEFORE he does anymore scanning he MUST Uninstall one of those Anti-virus program.
Have him then do the MBA-M in Safe Mode, but nothing else yet.

yeah ,he uninstalled norton ,with the removal tool . i will see i can get the mba log

Still going through the log but looks like your friend got his infection/infections on or around 9/03/08 between around 3 p.m and 6 p.m. At least that is what it looks like to me because most of those "unknowns" or odd entries showed up then.

Still going through the log but looks like your friend got his infection/infections on or around 9/03/08 between around 3 p.m and 6 p.m. At least that is what it looks like to me because most of those "unknowns" or odd entries showed up then.

thank you ,i was in contact with them but they will be busy till monday night ,also not sure if they have the knowledge to follow instructions to upload to the site you linked .i will try though

Uploading really isn't that hard. Just give them step by step instructions with printscreens if necessary.
Judy

latest email ,and hijack log .

unfortunately i didnt save the log from malwarebytes. I really dont think i can do anymore scans than ive done already, today when i got home search and destroy found less than 15, malware found 7, and avg said it had 19 warnings. i do know what you mean when you say i still have stuff becuase everytime i do a malware scan 3 infected objects are always found in the first 1000(whether theres 3 objects found in the end or more). i havean update on firefox, my computer seems to running faster with firefox, theres a game i play online, and it doesnt lag as much now, but recently ive had problems with it, every once and a while this message comes up saying 'something is wrong with firefox, please let it close'. is there anythnig that can be done about that?
~as for the hijackthis~
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:52:40 PM, on 9/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\wanmpsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\AOL\1191889479\ee\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4C03609A-095F-44B7-A8D6-4DF2B14FC8DB} - C:\WINNT\system32\audiosr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll (file missing)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\Run: [*hardnut] C:\WINNT\Registration\hardnut.exe
O4 - HKLM\..\Run: [*wavedvd] C:\WINNT\Web\printers\wavedvd.exe
O4 - HKLM\..\Run: [*comsvc] C:\WINNT\Config\comsvc.exe
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [pOQnfza] C:\documents and settings\owner\local settings\temp\pOQnfza.exe
O4 - HKLM\..\Run: [Ug] C:\documents and settings\owner\local settings\temp\Ug.exe
O4 - HKLM\..\Run: [ITMMp15uK] C:\documents and settings\owner\local settings\temp\ITMMp15uK.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NI.UGES_0002_N108M1607] "c:\documents and settings\owner\application data\setup_en[1].exe" -nag
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Batzu] C:\WINNT\system32\j?vaw.exe
O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\COMMON~1\DOBE~1\notepad.exe" -vt rbnd
O4 - HKCU\..\Run: [HeavyWeaponSetup.exe] C:\DOCUME~1\Owner\MYDOCU~1\MORPHE~1\DOWNLO~1\HEAVYW~1.EXE /r
O4 - HKCU\..\Run: [WormsArmageddon.exe] C:\DOCUME~1\OWNER\DESKTOP\WORMSA~1.EXE /r
O4 - HKCU\..\Run: [ares] "C:\Documents and Settings\Owner\My Documents\My Games\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [Ltho] "C:\DOCUME~1\Owner\APPLIC~1\RACLE~1\userinit.exe" -vt ndrv (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Ltho] "C:\DOCUME~1\Owner\APPLIC~1\RACLE~1\userinit.exe" -vt ndrv (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: Ebates. - file://C:\Program Files\EbatesMoeMoneyMaker4\ebatessmmm\ebatestmmm\ebmmC0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O9 - Extra button: Ebates - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - file://C:\Program Files\EbatesMoeMoneyMaker4\ebatessmmm\ebatestmmm\ebmmC0.htm (HKCU)
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc3.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/41/install/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://linksyssupport.webex.com/client/T26L/support/ieatgpc.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

Uploading really isn't that hard. Just give them step by step instructions with printscreens if necessary.
Judy

yeah, but it is when they don't know how to follow instructions ,i still don't think there are applying the "fix all found" in any of the scans ,

i still don't think there are applying the "fix all found" in any of the scans ,

And they obviously didn't uninstall one of those av programs, both AVG8 and Norton are still running as is SpybotTeaTimer.

His email to you says;

I really dont think i can do anymore scans than ive done already

Well then honestly, don't know what to tell you or them. The ONLY way to get this computer clean, other than total reformat and losing all they have saved they might want, is to do more scans and several other cleaning programs that we haven't gotten to yet and FOLLOW instructions exactly when using them...OR take it someplace and PAY to have it cleaned.

Sorry caperjack but that is what I think. Just THESE entries in the HJT logs show this computer is GROSSLY infected;

O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\Run: [*hardnut] C:\WINNT\Registration\hardnut.exe
O4 - HKLM\..\Run: [*wavedvd] C:\WINNT\Web\printers\wavedvd.exe
O4 - HKLM\..\Run: [*comsvc] C:\WINNT\Config\comsvc.exe
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [pOQnfza] C:\documents and settings\owner\local settings\temp\pOQnfza.exe
O4 - HKLM\..\Run: [Ug] C:\documents and settings\owner\local settings\temp\Ug.exe
O4 - HKLM\..\Run: [ITMMp15uK] C:\documents and settings\owner\local settings\temp\ITMMp15uK.exe
O4 - HKLM\..\Run: [NI.UGES_0002_N108M1607] "c:\documents and settings\owner\application data\setup_en[1].exe" -nag
O4 - HKCU\..\Run: [Batzu] C:\WINNT\system32\j?vaw.exe
O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\COMMON~1\DOBE~1\notepad.exe" -vt rbnd
O4 - HKCU\..\Run: [HeavyWeaponSetup.exe] C:\DOCUME~1\Owner\MYDOCU~1\MORPHE~1\DOWNLO~1\HEAVYW~1.EXE /r
O4 - HKCU\..\Run: [WormsArmageddon.exe] C:\DOCUME~1\OWNER\DESKTOP\WORMSA~1.EXE /r
O4 - HKUS\S-1-5-18\..\Run: [Ltho] "C:\DOCUME~1\Owner\APPLIC~1\RACLE~1\userinit.exe" -vt ndrv (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Ltho] "C:\DOCUME~1\Owner\APPLIC~1\RACLE~1\userinit.exe" -vt ndrv (User 'Default user')
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com

Wonder WHY?
Other than the fact they are running TWO antivirus programs which, in a sense compete with each other and therefore lessen their protection, they are also using the following programs;
ares
LimeWire
uTorrent
More and more I am seeing threads where computers are highly infected AND the poster is using multiple P2P programs, running scads of security programs, including more than one antivirus program. This tells me this person does know there is danger in P2P file sharing but they cannot resist getting "something for nothing" so they add all these extra security programs hoping to protect the computer....IT DOESN'T WORK, they get a lot more FREE STUFF than they bargained for, not to mention the possible legalities of this in violating copyright laws..which is a felony.

Also showing are these two "goodies"
SpyShredder which is the successor to Spy Sherriff a Smitfraud infection.
AND if that isn't enough they also show this wonderful program;
EbatesMoeMoneyMaker4 which not only displays pop up advertisements but it interferes with many programs that try to prevent it from working properly. On top of this it also hijacks your browser and redirects you to sites where it can make money off of you.

they don't know how to follow instructions

Sorry, don't really buy this...they know how to edit video, they have several of these programs showing in their logs, they know how to P2P, indicated by the three programs I noted and which is likely how many of these infections got there in the first place....Which ALSO means they should be able to Upload those files to http://virusscan.jotti.org/.

You also said that you loaned or sent them a legitimate copy of XP so they could reinstall on a computer which came with no CD's. When WAS this? Combofix shows programs THEY installed dating back 3 months. IF it was less than three months ago then what month was the reinstall? They say they are having trouble with Firefox...there is no Firefox install showing in that Combofix log, meaning it was done MORE than three months ago. My thinking on this...either there was NO reinstall, or they did Repair not reinstall OR they did a lousy job with the reinstall.

No matter WHEN this reinstall supposedly took place, NOW WE KNOW WHY because I very much doubt that P2P is a new activity since the supposed reinstall of XP.

You can choose, if you want to I will stick with this...IF they are willing to turn off or get rid of the following for the duration;
ares, limewire, utorrent, Viewpoint, AIM6, iPod, TeaTimer, MusicMatch, iTunes, uninstall one of those Anti-virus programs, no online gaming, FOLLOW all instructions.
I will get off my "soapbox" now. But feel free to copy/paste this post and email it to them.
Judy

And they obviously didn't uninstall one of those av programs, both AVG8 and Norton are still running as is SpybotTeaTimer.

His email to you says;

Well then honestly, don't know what to tell you or them. The ONLY way to get this computer clean, other than total reformat and losing all they have saved they might want, is to do more scans and several other cleaning programs that we haven't gotten to yet and FOLLOW instructions exactly when using them...OR take it someplace and PAY to have it cleaned.

Sorry caperjack but that is what I think. Just THESE entries in the HJT logs show this computer is GROSSLY infected;

Wonder WHY?
Other than the fact they are running TWO antivirus programs which, in a sense compete with each other and therefore lessen their protection, they are also using the following programs;
ares
LimeWire
uTorrent
More and more I am seeing threads where computers are highly infected AND the poster is using multiple P2P programs, running scads of security programs, including more than one antivirus program. This tells me this person does know there is danger in P2P file sharing but they cannot resist getting "something for nothing" so they add all these extra security programs hoping to protect the computer....IT DOESN'T WORK, they get a lot more FREE STUFF than they bargained for, not to mention the possible legalities of this in violating copyright laws..which is a felony.

Also showing are these two "goodies"
SpyShredder which is the successor to Spy Sherriff a Smitfraud infection.
AND if that isn't enough they also show this wonderful program;
EbatesMoeMoneyMaker4 which not only displays pop up advertisements but it interferes with many programs that try to prevent it from working properly. On top of this it also hijacks your browser and redirects you to sites where it can make money off of you.

Sorry, don't really buy this...they know how to edit video, they have several of these programs showing in their logs, they know how to P2P, indicated by the three programs I noted and which is likely how many of these infections got there in the first place....Which ALSO means they should be able to Upload those files to http://virusscan.jotti.org/.

You also said that you loaned or sent them a legitimate copy of XP so they could reinstall on a computer which came with no CD's. When WAS this? Combofix shows programs THEY installed dating back 3 months. IF it was less than three months ago then what month was the reinstall? They say they are having trouble with Firefox...there is no Firefox install showing in that Combofix log, meaning it was done MORE than three months ago. My thinking on this...either there was NO reinstall, or they did Repair not reinstall OR they did a lousy job with the reinstall.

No matter WHEN this reinstall supposedly took place, NOW WE KNOW WHY because I very much doubt that P2P is a new activity since the supposed reinstall of XP.

You can choose, if you want to I will stick with this...IF they are willing to turn off or get rid of the following for the duration;
ares, limewire, utorrent, Viewpoint, AIM6, iPod, TeaTimer, MusicMatch, iTunes, uninstall one of those Anti-virus programs, no online gaming, FOLLOW all instructions.
I will get off my "soapbox" now. But feel free to copy/paste this post and email it to them.
Judy

thank you so much for all you help and great info .I will mark this thread solved and send one final email to them!

Like I said caperjack, if you think you want to go ahead I will stick with it. So if they agree to follow the rules as we lay them out....
Judy

Like I said caperjack, if you think you want to go ahead I will stick with it. So if they agree to follow the rules as we lay them out....
Judy

thanks for offer ,but i sent email suggestion a reload of winxp ,the best solution for them anyway i think .thanks again