
Hoping for help. Trying to get my daughter's computer ready for college and can't seem to kill the three trojan.tdss files

Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:43 PM, on 8/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236822754925
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236822747034
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 8229 bytes

0

Hi and welcome to the Daniweb forums :).

==========

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Download the update from here if you have problems.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Make sure that you restart the computer.

Post new HJT log.

0

Thanks Crunchie!

Running the scan now. As usual it is showing the same three objects infected.

0

Another fun thing has started. Getting barraged with "hjgruiqmcofyfw.dll is not a valid windows image" popups.

0

Here is the log before reboot:

Malwarebytes' Anti-Malware 1.40
Database version: 2680
Windows 5.1.2600 Service Pack 3

8/22/2009 9:03:20 PM
mbam-log-2009-08-22 (21-03-20).txt

Scan type: Full Scan (C:\|)
Objects scanned: 149259
Time elapsed: 26 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\hjgruiqmcofyfw.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\hjgruiqmcofyfw.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hjgruilog.dat (Trojan.Agent) -> Delete on reboot.
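As an added example (not part of the thread, and not Malwarebytes' own code), here is a small Python parser for the MBAM 1.40 log layout shown above. It reads the per-category "Infected: N" summary counts, collects the detected items under each category heading, checks that the listed items agree with the summary counts, and separates items that were already quarantined from those marked "Delete on reboot", which is exactly why the helper's instructions insist on restarting the machine before posting a fresh log. The sample text embedded in the block is a constructed excerpt modelled on the log in this post; only the log format is assumed.

```python
import re

# Constructed excerpt modelled on the MBAM 1.40 log posted in the thread
# (raw string so the \\?\globalroot path survives unchanged).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2680
Windows 5.1.2600 Service Pack 3

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\hjgruiqmcofyfw.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\hjgruiqmcofyfw.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hjgruilog.dat (Trojan.Agent) -> Delete on reboot.
"""

# "Files Infected: 2"  -> summary count line
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")
# "Files Infected:"    -> start of a detail section
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<path> (<family>) -> <action>."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (summary_counts, items) from an MBAM-style log."""
    counts = {}
    items = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m["section"]] = int(m["n"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        # Ignore header lines and the "(No malicious items detected)" filler.
        if section is None or line.startswith("("):
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append({
                "section": section,
                "path": m["path"],
                "family": m["family"],
                "action": m["action"],
            })
    return counts, items


def pending_reboot(items):
    """Items MBAM could not remove live; they are gone only after a restart."""
    return [i for i in items if i["action"].lower().startswith("delete on reboot")]


def counts_consistent(counts, items):
    """True when the per-section summary counts match the listed items."""
    seen = {}
    for i in items:
        seen[i["section"]] = seen.get(i["section"], 0) + 1
    return all(counts.get(s) == n for s, n in seen.items()) and \
        all(seen.get(s, 0) == n for s, n in counts.items())


if __name__ == "__main__":
    counts, items = parse_mbam_log(SAMPLE_LOG)
    print("summary counts consistent:", counts_consistent(counts, items))
    for i in items:
        print(f"{i['section']}: {i['family']} at {i['path']} -> {i['action']}")
    print("still pending reboot:", len(pending_reboot(items)))
```

The `\\?\globalroot\systemroot\...` prefix in the module entry is a kernel object-namespace path rather than a normal drive path; the parser keeps paths opaque so it handles both forms. If `counts_consistent` returns `False` on a real log, the log is truncated or was edited in transit and should be re-requested rather than acted on.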

0

And...now the computer is locked up. Getting the hourglass of death when I try and open a link or run mbam.

0

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

0

Here is the combofix:

ComboFix 09-08-22.06 - Becca 08/22/2009 21:50.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.586 [GMT -7:00]
Running from: c:\documents and settings\Becca\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\Installer\59260b0.msp
c:\windows\system32\drivers\hjgruirvdyiurt.sys.vir
c:\windows\system32\hjgruigwydqxdq.dat
c:\windows\system32\hjgruikjpumpko.dat
c:\windows\system32\hjgruiltxjkoep.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_hjgruikhbvmpjc
-------\Service_hjgruikhbvmpjc


((((((((((((((((((((((((( Files Created from 2009-07-23 to 2009-08-23 )))))))))))))))))))))))))))))))
.

2009-08-23 03:30 . 2009-08-23 03:30 -------- d-----w- c:\program files\Trojan Remover
2009-08-23 02:50 . 2006-05-25 22:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-08-23 02:50 . 2005-08-26 08:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-08-23 02:50 . 2006-06-19 20:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-08-23 02:50 . 2003-02-03 03:06 153088 ----a-w- c:\windows\system32\unrar3.dll
2009-08-23 02:50 . 2002-03-06 08:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-08-23 02:50 . 2009-08-23 03:30 -------- d-----w- c:\documents and settings\Becca\Application Data\Simply Super Software
2009-08-23 02:50 . 2009-08-23 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-08-22 23:15 . 2008-12-11 15:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-22 23:15 . 2009-04-03 18:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-22 23:15 . 2008-12-18 19:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-22 23:15 . 2009-08-23 04:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-22 23:15 . 2009-08-22 23:16 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-22 23:15 . 2008-12-10 18:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-22 23:15 . 2009-08-23 02:27 -------- d-----w- c:\program files\Spyware Doctor
2009-08-22 23:15 . 2009-08-22 23:15 -------- d-----w- c:\documents and settings\Becca\Application Data\PC Tools
2009-08-22 23:15 . 2009-08-22 23:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-22 17:50 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-22 17:50 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-08-22 17:50 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-08-22 17:50 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-08-22 17:50 . 2009-08-22 17:50 -------- d-----w- c:\program files\Avira
2009-08-22 17:50 . 2009-08-22 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-08-17 05:25 . 2009-08-17 05:25 152576 ----a-w- c:\documents and settings\Becca\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-13 20:13 . 2009-08-13 20:13 -------- d-----w- c:\program files\iPod
2009-08-13 20:13 . 2009-08-13 20:14 -------- d-----w- c:\program files\iTunes
2009-08-13 20:05 . 2009-08-13 20:05 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-08-13 09:13 . 2009-08-13 09:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2009-08-12 04:04 . 2009-08-12 04:04 -------- d-----w- c:\documents and settings\Becca\Application Data\Yahoo!
2009-08-12 04:04 . 2009-08-12 04:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-08-12 04:03 . 2009-08-12 04:03 -------- d-----w- c:\program files\Yahoo!
2009-08-08 20:57 . 2009-08-08 20:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-08-08 20:57 . 2009-08-08 20:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2009-08-08 20:54 . 2009-08-08 20:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2009-08-08 20:20 . 2009-08-08 20:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2009-08-02 00:58 . 2009-08-02 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2009-08-02 00:45 . 2008-04-14 12:41 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2009-08-01 19:09 . 2009-08-08 22:05 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-17 05:43 . 2009-06-10 01:08 -------- d-----w- c:\documents and settings\Becca\Application Data\Skype
2009-08-17 05:26 . 2008-07-30 00:19 -------- d-----w- c:\program files\Java
2009-08-17 04:00 . 2009-03-13 01:40 -------- d-----w- c:\documents and settings\Becca\Application Data\skypePM
2009-08-13 20:13 . 2009-04-05 03:28 -------- d-----w- c:\program files\Common Files\Apple
2009-08-13 09:56 . 2009-03-13 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-08 22:07 . 2009-07-08 04:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 09:01 . 2008-07-29 22:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 20:36 . 2009-07-08 04:33 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2009-07-08 04:33 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-02 00:58 . 2009-07-04 20:24 -------- d-----w- c:\program files\IObit
2009-08-02 00:48 . 2009-08-02 00:48 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-08-02 00:48 . 2009-08-02 00:48 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-07-31 19:27 . 2009-07-08 03:33 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-25 12:23 . 2009-03-12 01:41 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-22 00:54 . 2009-07-22 00:54 -------- d-----w- c:\documents and settings\Becca\Application Data\Windows Search
2009-07-17 19:01 . 2008-07-29 22:51 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2008-07-29 22:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 15:48 . 2009-07-09 23:00 -------- d-----w- c:\program files\Windows Desktop Search
2009-07-09 23:01 . 2009-07-09 23:01 -------- d-----w- c:\documents and settings\Becca\Application Data\Windows Desktop Search
2009-07-09 22:58 . 2009-07-09 22:58 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-09 00:37 . 2009-07-09 00:37 -------- d-----w- c:\program files\Trend Micro
2009-07-08 19:05 . 2009-07-08 19:05 -------- d-----w- c:\program files\Zamaan's Software
2009-07-08 04:57 . 2009-07-08 04:57 -------- d-----w- c:\program files\Windows Defender
2009-07-08 04:45 . 2009-07-08 04:45 -------- d-----w- c:\documents and settings\Becca\Application Data\Malwarebytes
2009-07-08 04:33 . 2009-07-08 04:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-08 04:33 . 2009-07-08 04:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-05 21:37 . 2008-07-30 00:13 -------- d-----w- c:\program files\REALTEK RTL8187SE Wireless LAN Driver
2009-07-05 21:33 . 2007-11-21 09:15 1826816 ----a-w- c:\windows\SkyTel.exe
2009-07-05 21:33 . 2007-11-08 08:31 1191936 ----a-w- c:\windows\RtlUpd.exe
2009-07-05 21:33 . 2007-03-24 10:19 9715200 ----a-w- c:\windows\RTLCPL.EXE
2009-07-05 21:33 . 2006-07-22 07:14 86016 ----a-w- c:\windows\SOUNDMAN.EXE
2009-07-05 21:33 . 2008-03-19 09:21 4744704 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2009-07-05 21:33 . 2008-03-07 08:14 16858112 ----a-w- c:\windows\RTHDCPL.EXE
2009-07-05 21:33 . 2007-06-29 07:44 2165760 ----a-w- c:\windows\MicCal.exe
2009-07-05 21:33 . 2006-05-05 07:26 2808832 ----a-w- c:\windows\ALCWZRD.EXE
2009-07-05 21:33 . 2005-05-04 09:43 69632 ----a-w- c:\windows\ALCMTR.EXE
2009-07-04 21:01 . 2009-04-05 03:30 -------- d-----w- c:\program files\Bonjour
2009-07-04 20:40 . 2009-03-12 14:31 96520 ----a-w- c:\documents and settings\Becca\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-04 20:24 . 2009-07-04 20:24 -------- d-----w- c:\documents and settings\Becca\Application Data\IObit
2009-07-04 19:14 . 2009-07-04 19:08 96520 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-04 19:10 . 2009-06-10 01:08 -------- d-----w- c:\program files\Google
2009-07-03 17:09 . 2008-07-29 22:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-02 08:38 . 2009-04-05 03:30 -------- d-----w- c:\documents and settings\Becca\Application Data\Apple Computer
2009-06-25 08:25 . 2008-07-29 22:51 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2008-07-29 22:51 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2008-07-29 22:51 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2008-07-29 22:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2008-07-29 22:51 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2008-07-29 22:51 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2008-07-29 22:51 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-22 04:49 . 2009-06-22 04:49 152576 ----a-w- c:\documents and settings\Becca\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-20 09:30 . 2009-06-20 09:30 9871152 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\04B3EC9B2B5945A1B7AFC5FAFC297401\TalkingHeadzSetup.exe
2009-06-20 09:30 . 2009-06-20 09:30 419328 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\04B3EC9B2B5945A1B7AFC5FAFC297401\THSkypePlugin.dll
2009-06-20 09:30 . 2009-06-20 09:30 1010688 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\04B3EC9B2B5945A1B7AFC5FAFC297401\UninstallTalkingHeadz.exe
2009-06-20 09:20 . 2009-06-20 09:20 9843864 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\95F12167483D466CABC98CAFE4B4FD93\CT4SKypePlugIn20_Multi_Media.exe
2009-06-20 09:20 . 2009-06-20 09:20 77824 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\95F12167483D466CABC98CAFE4B4FD93\RLLauncher.exe
2009-06-16 14:36 . 2008-07-29 22:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2008-07-29 22:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2008-07-29 22:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2008-07-29 23:04 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2008-07-29 22:51 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2008-07-29 22:51 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-10 01:09 . 2009-06-10 01:09 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-03 19:09 . 2008-07-29 22:51 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 02:14 . 2009-06-03 02:14 152576 ----a-w- c:\documents and settings\Becca\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-03 02:12 . 2009-06-03 02:12 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-03 02:12 . 2009-05-08 03:48 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-25 07:24 . 2008-05-27 05:18 350208 ----a-w- c:\windows\system32\mssph.dll
2008-05-07 14:34 . 2008-07-30 00:28 15523560 ----a-w- c:\program files\U1 Setup.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-08-23_04.40.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-29 22:51 . 2009-08-23 04:47 78516 c:\windows\system32\perfc009.dat
- 2008-07-29 22:51 . 2009-08-23 04:40 78516 c:\windows\system32\perfc009.dat
+ 2008-07-29 22:51 . 2009-08-23 04:47 462736 c:\windows\system32\perfh009.dat
- 2008-07-29 22:51 . 2009-08-23 04:40 462736 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-06-30 2329224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2009-08-21 943888]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-08-04 1068424]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/11/2009 8:38 PM 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/22/2009 4:15 PM 130936]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/22/2009 10:50 AM 108289]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [8/1/2009 5:58 PM 305936]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/7/2009 9:33 PM 232720]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [11/17/2008 8:25 AM 10752]
R3 Ktp;Elantech TouchPad;c:\windows\system32\drivers\ETD.sys [7/11/2008 3:29 AM 26112]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [11/3/2008 11:23 PM 38400]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/7/2009 9:33 PM 19096]
S2 acyoxiif;acyoxiif;c:\windows\system32\drivers\nonlezek.sys --> c:\windows\system32\drivers\nonlezek.sys [?]
S2 fqirvmqktjpoqfg;fqirvmqktjpoqfg;\??\c:\windows\system32\drivers\wrnsztznbwvjhl.sys --> c:\windows\system32\drivers\wrnsztznbwvjhl.sys [?]
S2 hezdasyu;hezdasyu;c:\windows\system32\drivers\maxkyj.sys --> c:\windows\system32\drivers\maxkyj.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 2:34 PM 1029456]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 PAC207;CIF USB Camera;c:\windows\system32\drivers\PFC027.SYS [6/10/2009 5:48 PM 505984]
S3 rtl8187Se;Realtek RTL8187SE Wireless LAN PCIE Network Adapter;c:\windows\system32\drivers\rtl8187Se.sys [7/29/2008 5:13 PM 306176]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/22/2009 4:15 PM 348752]
S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [8/19/2008 11:38 AM 38272]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 05:14]

2009-06-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-08-22 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Becca.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-07-08 20:36]

2009-08-22 c:\windows\Tasks\Malwarebytes' Scheduled Update for Becca.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-07-08 20:36]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: facebook.com\www
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-22 21:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2c,9a,cb,11,9a,f8,ca,49,92,c9,68,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2c,9a,cb,11,9a,f8,ca,49,92,c9,68,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(676)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-23 22:02
ComboFix-quarantined-files.txt 2009-08-23 05:02

Pre-Run: 102,309,113,856 bytes free
Post-Run: 102,275,805,184 bytes free

259 --- E O F --- 2009-08-21 02:54

0

And the Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:05 PM, on 8/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236822754925
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236822747034
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7562 bytes
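
An added example, not from the thread or from HijackThis itself: a small Python parser for the log layout above that groups entries by section code, lists O4 autostarts and O16 ActiveX download origins, and flags the kind of stale O23 service the log shows (binary missing, owner unknown). The sample lines are constructed from the shapes in the thread's log.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in HijackThis v2 log layout, shaped like the thread's own log.
SAMPLE_HJT_LOG = r"""
Running processes:
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

def parse_hjt(text):
    """Group entries by HijackThis section code (R0, O4, O23, ...); other lines are skipped."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sections[m.group("code")].append(m.group("body"))
    return sections

def run_entries(sections):
    """O4 autostart entries as (hive, value name, command line)."""
    found = [RUN_RE.match(b) for b in sections.get("O4", [])]
    return [(m.group("hive"), m.group("name"), m.group("cmd")) for m in found if m]

def dpf_origins(sections):
    """Hosts that O16 DPF (ActiveX download) entries were fetched from."""
    urls = [b.rsplit(" - ", 1)[1] for b in sections.get("O16", []) if " - " in b]
    return sorted({urlparse(u).hostname for u in urls})

def suspicious_services(sections):
    """O23 services whose binary is gone or whose owner is unknown, as with the
    Norton leftover in the thread's log: stale entries worth cleaning up."""
    flagged = []
    for m in filter(None, map(SVC_RE.match, sections.get("O23", []))):
        reasons = []
        if m.group("path").endswith("(file missing)"):
            reasons.append("file missing")
        if m.group("owner") == "Unknown owner":
            reasons.append("unknown owner")
        if reasons:
            flagged.append((m.group("name"), reasons))
    return flagged
```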

-2

Go to the Malwarebytes web site and download that program. It is free and does get rid of a lot of viruses. If that can't be done, then you will have to redo your daughter's system and make it new again, like it came out of the box, and if it has any personal data on it, back it up to a removable hard drive: only the data, not programs; those you will have to reinstall. Hope this helps.

Votes + Comments
No. Not helpful at all. Read what others have suggested before throwing your worthless 2 cents.
Cannot read
0

It looks like combofix was run twice. Do you have the log from the first run? It will be in C:\qoobox.

==

Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

c:\documents and settings\Becca\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

0

Go to the Malwarebytes web site and download that program. It is free and does get rid of a lot of viruses. If that can't be done, then you will have to redo your daughter's system and make it new again, like it came out of the box, and if it has any personal data on it, back it up to a removable hard drive: only the data, not programs; those you will have to reinstall. Hope this helps.

If you read the whole thread you will see that MBAM has been advised and run already!

0

Crunchie,

The first run was done in safe mode and it hung up on reboot.

Can I still retrieve that one?

Thanks

Rog

0

Just wondering why you would not follow instructions given? It is in bold, red letters and is there for a reason.
The log should still have been created and in the location I gave.

0

The only items in the Qoobox are:
add remove programs
combofix quarantined files
snapshot@2009-08-23_04.40
and two folders
Backenv
Quarantine

0

Looks like you should have followed instructions, or posted you had a problem running it.
Have you uploaded that file?

Run a full scan with MBA-M again and see if it still registers those entries.

0

OK...
Here is the new MBAM Log - Thanks for the help!!

Malwarebytes' Anti-Malware 1.38
Database version: 2397
Windows 5.1.2600 Service Pack 3

7/8/2009 5:33:49 PM
mbam-log-2009-07-08 (17-33-49).txt

Scan type: Quick Scan
Objects scanned: 95672
Time elapsed: 4 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5b1d95a2-f547-4e5e-8902-622b08354622} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bad4551d-9b24-42cb-9bcd-818ca2da7b63} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

0

Having trouble browsing to that file. Can't find the Application Data folder under the Becca directory. Any suggestions?

0

Here tis:
Filename: lzma.dll
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Sun 23 Aug 2009 08:29:45 (CET) Permalink

0

What is the best way to prevent this? I already use the following:
Avira
IObit
IObit Security
Ad Aware
Spybot
MBAM (Paid Edition)
And added Spyware Dr today

Thanks Rog

2

Be careful where you surf and what you surf with.
I use the Opera browser and it is arguably the safest browser available.
Forget about Ad-Aware and Spybot as they are both pretty dated.
Not sure about IObit as I have had no experience with it.
Avira is ok.
Block unwanted stuff using your Hosts file. You can download a Hosts file from here: http://www.mvps.org/winhelp2002/hosts.htm

Votes + Comments
Thanks for the host file link
That's a nice hosts file :)
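
An added example, not from the post or from the MVPS project: Python that loads a hosts file in the layout the linked MVPS list uses, checks whether a name is sinkholed, flags entries that touch security-vendor domains (malware edits the same file, so a vendor site that suddenly "does not exist" is a sign of tampering), and merges a downloaded list into an existing file without duplicates. The sample text, the 192.0.2.10 address and the PROTECTED_DOMAINS list are constructed assumptions.

```python
# Constructed sample in the MVPS layout: each unwanted host is mapped to 0.0.0.0 so it
# never reaches a real server; the last line is a constructed hijack entry (placeholder IP).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
0.0.0.0  ads.example.net             #[Adware]
0.0.0.0  tracker.example.org  banner.example.org
0.0.0.0  www.Fake-AV.example.com     #[Trojan.FakeAlert]
192.0.2.10  www.malwarebytes.org     # vendor site sent elsewhere
"""

SINKHOLES = {"0.0.0.0", "127.0.0.1"}
# Hypothetical list: vendor domains that no legitimate hosts file should mention.
PROTECTED_DOMAINS = ("malwarebytes.org", "avira.com", "mvps.org")

def parse_hosts(text):
    """Map each hostname (lower-cased, no trailing dot) to its address."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table[name.lower().rstrip(".")] = addr
    return table

def is_blocked(table, hostname):
    """True when the file pins the name to a sinkhole address (0.0.0.0 or loopback)."""
    name = hostname.lower().rstrip(".")
    return name != "localhost" and table.get(name) in SINKHOLES

def hijack_entries(table):
    """Entries naming a security vendor: sinkholed or redirected, either is tampering."""
    return sorted(n for n in table
                  if any(n == d or n.endswith("." + d) for d in PROTECTED_DOMAINS))

def merge_hosts(existing, downloaded):
    """Append the downloaded list, keeping existing lines verbatim and skipping known names."""
    have = parse_hosts(existing)
    out = existing.rstrip("\n").splitlines()
    for raw in downloaded.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        fresh = [n for n in names if n.lower().rstrip(".") not in have]
        if fresh:
            out.append(f"{addr} {' '.join(fresh)}")
            have.update((n.lower().rstrip("."), addr) for n in fresh)
    return "\n".join(out) + "\n"
```

On Windows XP the live file is %SystemRoot%\System32\drivers\etc\hosts; run hijack_entries over it before trusting a lookup failure for a vendor site.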
0

I think it has hijacked this as well! I get - malwarebyr5ews.org does not exist.

sionnyn, you need to begin your own thread. This one is solved.
Create your own thread with all your information, including any scan logs that you have and one of us will be happy to offer assistance.
