Hey...it's me Southern again...my computer is running great thanks to all your help, I maintain it regularly, and so far no problems...However, my dad's computer had a nervous breakdown, and we can't figure out what happened...he's running Vista, the computer shut down and would not boot back up, he had to reinstall XP just to get it to come back up, now it can't recognize the ISP, so no online, and it is acting crazy, super slow, icons missing...he has 4 Gig of memory, so that's not an issue...what info do you need from me?...I will get it to you...thanks for your time...again...
Southern

2 Contributors, 36 Replies, 37 Views, 7 Years Discussion Span, Last Post by SouthernBark30

Hi welcome back...:(
When you say you reinstalled XP I presume you mean you formatted the computer and installed XP, correct? When you reformat you wipe the drive, meaning EVERYTHING has to be reinstalled too. So you need to reinstall all drivers and hardware also. Did you do that? It sounds to me either that the reinstall of XP was done incorrectly, OR you only installed the operating system but nothing else to go with it. How did you do the reinstall?


Hello again...it's me...my computer is still running great thanks to you...remember my dad was having issues, well it turned out he lost everything and had to reinstall XP instead of Vista...his computer has been fine until now...he is getting the PC virus malware...I have tried to run Malwarebytes...the computer wouldn't even let me get to the website, or any other web site having to do with Malwarebytes...we loaded it from a disk and the scan stops at about 6000 objects scanned...we don't know what to do...below is a HijackThis log...we also had to load it from a disk...weird...are the hackers getting that slick...this started after he received a video in Facebook...

hope you are well and can help...thanks


Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 9:35:01 PM, on 3/29/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Business Inkjet 1000\Toolbox\mpm.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Desksware\Desktop iCal\Calendar.exe
C:\Program Files\Tesco\Picture Suite\InsDetect.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
C:\windows\bill103.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyn1.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: PlaySushi - {21608B66-026F-4DCB-9244-0DACA328DCED} - C:\Program Files\PlaySushi\PSText.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyn1.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyn1.dll
O4 - HKLM\..\Run: [HPWT myPrintMileage Agent] C:\Program Files\Hewlett-Packard\HP Business Inkjet 1000\Toolbox\mpm.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [sysfbtray] C:\windows\bill103.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [iCalendar] C:\Program Files\Desksware\Desktop iCal\Calendar.exe
O4 - HKCU\..\Run: [Tesco Insert Detect] C:\Program Files\Tesco\Picture Suite\InsDetect.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Event Planner Reminder.lnk = C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Go PlaySushi! - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - C:\Program Files\PlaySushi\PSText.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9599 bytes

I would recommend that you totally disconnect that infected computer from the internet. Then boot to safe mode and run MBA-M on it and have it remove what it finds. Reboot. Then try again to run it in normal mode. It won't be fully updated, I know, but it's possible that the run in safe mode, which is only recommended for instances like this one as it doesn't scan everything in safe mode, will have removed enough to allow a normal mode run.
Post back here with both the safe mode log and the normal mode log. But continue to keep it offline for the moment.

Ok...my dad jumped the gun a bit and did what you said but he forgot to save logs...the problem has stopped...as I knew it would with you on the job...I went back and brought the computer up in safe mode and rescanned just to get the logs...I know it is a moot point now that the problem has been removed, but I wanted to show you some respect, because I know you do this voluntarily...and I want to follow your instructions to the letter...my dad is new to DaniWeb...but he knows now...follow all directions...again thank you...you're my secret weapon...I want to make a donation, how do I go about that?...have a wonderful rest of the week...and if you see anything suspicious, please let me know...thanks again jholland

SouthernBark

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

3/30/2010 3:16:58 PM
mbam-log-2010-03-30 (15-16-58).txt

Scan type: Quick Scan
Objects scanned: 123863
Time elapsed: 8 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/30/2010 4:18:57 PM
mbam-log-2010-03-30 (16-18-57).txt

Scan type: Quick Scan
Objects scanned: 125257
Time elapsed: 10 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I also am concerned about the dates showing on the logs; today's logs show 3/30/2010???? The HiJackThis log shows 3/29/2010, so the date was put on the computer incorrectly when it was reformatted...at least that is what I am hoping happened. If that's the case you need to go in and change it to the correct date.
I am not sure of your location; I am in the US and the current date is 3/2/2010.
You also just said, with this post:

I went back and brought the computer up insafe mode and rescanned just to get the logs.

MBA-M really should be run in NORMAL mode. Safe mode should only be used if the computer cannot be booted to normal or if the program won't run in normal mode.
Also the MBA-M program wasn't updated before any of the scans because the database showing is the one contained in the install file. Can you update it and run it again? The current database is 3817. Run a Full Scan in Normal mode this time as there is a good chance there could be more infection but it would not be found with the old database, it needs the new one to be able to scan for all infections which have developed since this version was released.
But I also do need to see the log that first removed whatever was on there.
If you open the MBA-M program and go to the Logs tab you should be able to find the logs which were run earlier. They are dated so you should be able to find them. Post them here ASAP, then UPDATE and do the new MBA-M scan in Normal Mode with the updated database and then do a new HJT scan and post back with the MBA-M log along with a new HiJackThis log.
Judy

Hey Judy...I'm having problems, I can't get Malwarebytes to update...I keep getting error 732...I tried reinstalling and that still didn't work...what should I do?

Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
Restart your computer (very important).
Download and run this utility. mbam-clean.exe
It will ask to restart your computer (please allow it to).
After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here.
Then see if it will work.

Not working Judy...every time we try to click on your links it says it's broken...we had to download the files on my dad's laptop and load that way...still didn't work, if you try to go anywhere having to do with Malwarebytes or mbam-clean, it redirects...or the link is broken...and it won't update...mbam-clean did run and we restarted but still no update...we saved it to disk off my dad's laptop and ran it that way

Obviously this nasty thing is running in the background and stopping the MBA-M program. Uninstall MBA-M again the same way as before and also using that mba-m removal file posted earlier at the end.

Then download this program which hopefully will stop the nasty thing from running long enough to get a new MBA-M on there and installed.
You need to do all of the instructions below in NORMAL MODE.
Download the following files to the infected computer's desktop.
These are all actually the same program, rkill, but with different names; hopefully one will work.
rkill.com
iExplore.exe
eXplorer.exe
These instructions below are from bleepingcomputer

Now try these one at a time beginning at the top. "Double click to run rkill. You should see a small black screen appear while the program runs. Please be patient while the program looks for various malware programs and ends them. When it has finished successfully, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the infection when it terminates programs that may potentially remove it. If you run into these infection warnings that close rkill, a trick is to leave the warning on the screen and then run rkill again using the next file. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the infection. So, please try running rkill until the malware is no longer running. You will then be able to proceed with the rest of the guide."
Do not reboot your computer after running rkill as the malware programs will start again.
Now try again to download MBA-M from HERE
Once downloaded, close all programs and Windows on your computer, including this one.

Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing and is at the last screen, make sure you uncheck both of the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware check boxes. Then click on the Finish button. If Malwarebytes' prompts you to reboot, please do not do so.
If you receive a code 2 error while installing Malwarebytes's, please press the OK button to close these errors as we will resolve them in future steps.
As this infection deletes a core executable of Malwarebytes', we will need to download a new copy of it and put it in the C:\program files\Malwarebytes' Anti-Malware\ folder. To download the file please click on the following link: HERE
When your browser prompts you where to save it to, please save it to the C:\program files\Malwarebytes' Anti-Malware\ folder. When downloading the file, it will have a random filename. Please leave the filename the way it is as it is important that it is not changed. You may want to write down the name of the file as you will need to know the name in the next step.
Once the file has been downloaded, open the C:\program files\Malwarebytes' Anti-Malware\ folder and double-click on the file you downloaded. MBAM will now start and you will be at the main program screen.
Please update the program now. Then do a Full Scan and when it is complete have it Remove Everything Found.
If it displays a message stating that it needs to reboot, please allow it to do so.
Once rebooted run a new HJT scan, save the log. Post back here with the MBA-M log and the new HJT log.
I will keep my fingers crossed.
Judy

Hey Judy, we're trying, every time we click on the rkill links, it says it's a broken link, this thing is really nasty and very frustrating, we can try to load it from another computer, but we didn't think that's what you wanted...

Yes, try to load it from another computer. These are just executable files, the links are good, I just tried them, and when you click them you should get the option to save the files. Save them on the clean computer then just move them to a flash drive or cd and take them to the infected computer. I would advise that you do the same with the MBA-M files also.
Then follow the instructions. Remember, normal mode. If you still can't get them then let me know.
Judy

Was able to do everything........but it doesn't appear to have done anything, problem still exists. Here is the logfile from mbam -

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/4/2010 4:43:43 PM
mbam-log-2010-03-04 (16-43-43).txt

Scan type: Full Scan (C:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 192092
Time elapsed: 23 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And here is the hijack this scan

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 4:52:06 PM, on 3/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Business Inkjet 1000\Toolbox\mpm.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tesco\Picture Suite\InsDetect.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
J:\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyn1.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: PlaySushi - {21608B66-026F-4DCB-9244-0DACA328DCED} - C:\Program Files\PlaySushi\PSText.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyn1.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyn1.dll
O4 - HKLM\..\Run: [HPWT myPrintMileage Agent] C:\Program Files\Hewlett-Packard\HP Business Inkjet 1000\Toolbox\mpm.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [iCalendar] C:\Program Files\Desksware\Desktop iCal\Calendar.exe
O4 - HKCU\..\Run: [Tesco Insert Detect] C:\Program Files\Tesco\Picture Suite\InsDetect.exe
O4 - HKCU\..\Run: [McAfee Update] C:\DOCUME~1\JOYCEA~1\LOCALS~1\Temp\mcupdate_1267661829.exe /insfin C:\DOCUME~1\JOYCEA~1\LOCALS~1\Temp\mcupdate_1267661829.ini /syncfin
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Event Planner Reminder.lnk = C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Go PlaySushi! - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - C:\Program Files\PlaySushi\PSText.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8211 bytes

Please let me know if there is anything else I can do to resolve this, other than just erasing and reloading Windows.........
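The O4 autostart lines are what the helper in this thread reads first, and the two lines that stand out to a reviewer are the one launching an executable straight out of the Windows root and the one launching an updater from a user Temp folder. As an added example (not code from this thread, from HijackThis or from Malwarebytes), here is a small Python parser for the O4 section that extracts each autostart entry and flags those two location patterns for closer review; the flag rules are my own assumptions, a hit means "look at this one", not "this is infected", and the sample lines are copied from the two logs above.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed excerpt: O4 lines copied from the two HijackThis logs in this
# thread, plus two non-O4 lines to show that the parser ignores them.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [sysfbtray] C:\windows\bill103.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [McAfee Update] C:\DOCUME~1\JOYCEA~1\LOCALS~1\Temp\mcupdate_1267661829.exe /insfin C:\DOCUME~1\JOYCEA~1\LOCALS~1\Temp\mcupdate_1267661829.ini /syncfin
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Registry Run entries look like:  O4 - HKLM\..\Run: [ValueName] command line
RUN_RE = re.compile(r"^O4 - (?P<src>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Startup-folder entries look like: O4 - Startup: shortcut.lnk = command line
STARTUP_RE = re.compile(r"^O4 - (?P<src>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.+)$")

# Heuristic (assumption): an executable sitting directly in C:\windows\ rather
# than in a subdirectory such as system32 is unusual for installed software.
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$")


@dataclass
class AutostartEntry:
    source: str            # HKLM, HKCU, Startup or Global Startup
    name: str              # registry value name or shortcut name
    command: str           # full command line as logged
    executable: str        # first token of the command line
    flags: List[str] = field(default_factory=list)


def first_token(cmd: str) -> str:
    """Return the program part of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def flags_for(executable: str) -> List[str]:
    """Location-based review flags (assumed heuristics, not verdicts)."""
    path = executable.lower()
    flags = []
    if WINDOWS_ROOT_RE.match(path):
        flags.append("windows-root")      # e.g. C:\windows\bill103.exe
    if "\\temp\\" in path:
        flags.append("temp-dir")          # e.g. ...\LOCALS~1\Temp\mcupdate_*.exe
    return flags


def parse_o4(log_text: str) -> List[AutostartEntry]:
    """Extract every O4 autostart entry from a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if not m:
            continue                      # R0/O2/O23/... lines are not autostarts
        exe = first_token(m.group("cmd"))
        entries.append(AutostartEntry(m.group("src"), m.group("name"),
                                      m.group("cmd"), exe, flags_for(exe)))
    return entries


def flagged(entries: List[AutostartEntry]) -> List[AutostartEntry]:
    """Only the entries a reviewer should look at more closely."""
    return [e for e in entries if e.flags]


def report(log_text: str) -> List[str]:
    """One human-readable line per flagged autostart entry."""
    return [f"{e.source} [{e.name}] -> {e.executable}  ({', '.join(e.flags)})"
            for e in flagged(parse_o4(log_text))]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the excerpt it reports the sysfbtray and McAfee Update entries and nothing else; the Temp-folder hit shows why a flag is a prompt to check the file, since some legitimate updaters also run from there.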

Ok, we are likely going to have to run another very powerful tool, but first of all I would like to see an Uninstall list generated by using HiJackThis.
To do this do the following:
Open the program, click on Misc Tools.
Click on the Open Uninstall Manager button. Click on the Save list... button and specify where you would like to save this file. When you press the Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad into a reply.

Very likely after seeing this list there are programs I am going to insist that you uninstall. Then the next step will be using the very powerful tool to try to remove whatever this is.
But let me see the Uninstall list first.
Judy

Here it is:

Acrobat.com
Acrobat.com
Ad-Aware
Ad-Aware
Ad-Aware Email Scanner for Outlook
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.1
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bing Bar
Bonjour
Compatibility Pack for the 2007 Office system
Corel Home Office
Corel Home Office
Corel Home Office
Corel Home Office - CS Templates
Corel Home Office - CT Templates
Corel Home Office - IPM
Corel Home Office - JP Templates
Corel Home Office - KR Templates
Corel Home Office - Launcher
Corel Home Office - Templates RU
Corel Home Office - Templates1
Desktop iCalendar Lite 1.1.0
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Plus Web Player
Driver Detective
Easy DVD Player 2.0
EPSON Scan
Google Toolbar for Internet Explorer

0

That can't be the entire list; it stops with the "G"s.

Sorry.......

Google Toolbar for Internet Explorer
Google Update Helper
Graboid Video 1.65
Gravis Xperience 4.5
H&R Block Deluxe + Efile + State 2009
H&R Block North Carolina 2009
Hallmark Card Studio 2006 Deluxe
High Definition Audio Driver Package - KB888111
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Business Inkjet 1000 Series
iDump (Freeware) Build:29
iTunes
Java(TM) 6 Update 17
LimeWire 5.4.8
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Default Manager
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mixxx 1.7.2
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Norton Security Scan
NVIDIA Drivers
OGA Notifier 2.0.0048.0
Pdf995 (installed by H&R Block)
PdfEdit995 (installed by H&R Block)
Playsushi
QuickTime
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Spooky Halloween
Tesco Picture Suite
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
VideoLAN VLC media player 0.8.6d
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Vuze
Windows Imaging Component
Windows Internet Explorer 8
Windows Live ID Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
Zynga Toolbar

0

These programs MUST be uninstalled:
LimeWire 5.4.8, Playsushi, Zynga Toolbar

I have uninstalled all three.......

0

I have uninstalled all three.......

Here is the new uninstall list :

Acrobat.com
Acrobat.com
Ad-Aware
Ad-Aware
Ad-Aware Email Scanner for Outlook
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.1
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bing Bar
Bonjour
Compatibility Pack for the 2007 Office system
Corel Home Office
Corel Home Office
Corel Home Office
Corel Home Office - CS Templates
Corel Home Office - CT Templates
Corel Home Office - IPM
Corel Home Office - JP Templates
Corel Home Office - KR Templates
Corel Home Office - Launcher
Corel Home Office - Templates RU
Corel Home Office - Templates1
Desktop iCalendar Lite 1.1.0
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Plus Web Player
Driver Detective
Easy DVD Player 2.0
EPSON Scan
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
Graboid Video 1.65
Gravis Xperience 4.5
H&R Block Deluxe + Efile + State 2009
H&R Block North Carolina 2009
Hallmark Card Studio 2006 Deluxe
High Definition Audio Driver Package - KB888111
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Business Inkjet 1000 Series
iDump (Freeware) Build:29
iTunes
Java(TM) 6 Update 17
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Default Manager
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mixxx 1.7.2
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Norton Security Scan
NVIDIA Drivers
OGA Notifier 2.0.0048.0
Pdf995 (installed by H&R Block)
PdfEdit995 (installed by H&R Block)
QuickTime
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Spooky Halloween
Tesco Picture Suite
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
VideoLAN VLC media player 0.8.6d
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Vuze
Windows Imaging Component
Windows Internet Explorer 8
Windows Live ID Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3

0

Ok now do the following and if you have to carry the program file from the clean computer to the infected one that's fine, but first try to do the downloading on the infected one.

Please download ComboFix by sUBs from HERE or HERE
· You must download it to and run it from your Desktop
· Physically disconnect from the internet.
· Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
· Double click combofix.exe & follow the prompts.
· When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
· Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

Run Combofix ONCE only!!
Again keeping my fingers crossed, though that didn't seem to help last time. But we must have confidence!

Edited by jholland1964: n/a
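As an added example (not from this thread, and not part of ComboFix), a small Python triage helper for the kind of log ComboFix produces: it reads the "Reg Loading Points" section and picks out firewall rules that open an inbound port, svchost groups outside the standard XP set, and kernel drivers with generated-looking names. The sample lines are constructed to match the ComboFix output posted further down this thread; the svchost group allowlist and the driver-name heuristic are assumptions of this example.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; it is not part of ComboFix or of any post here.
It picks out three kinds of entries a helper reviews first: firewall rules that
open an inbound port, svchost groups outside the standard XP set, and kernel
drivers with generated-looking short names.  The group allowlist and the name
heuristic are assumptions of this example, not rules ComboFix applies.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modeled on the ComboFix output posted further down
# this thread (same layout: a bracketed key header, then its values; driver
# and service lines are "Rn/Sn short;display;path [date size]").
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:GateOKO

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/4/2010 2:10 PM 64288]
R1 o6ko;BandProxy Shell Microsoft Net Bus Repository;c:\windows\system32\drivers\o6ko.sys [9/3/2007 2:29 AM 32768]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/5/2010 4:03 AM 1229232]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 7:04 AM 135664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
netsvc6 REG_MULTI_SZ srvoko6
"""

# svchost group names that ship with Windows XP (assumption of this example).
XP_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "localservice", "networkservice",
    "imgsvc", "termsvcs", "httpfilter",
}

OPEN_PORT_RE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<name>.*)$')
SERVICE_RE = re.compile(
    r'^(?P<start>[RS][0-4])\s+(?P<short>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$')
SVCHOST_RE = re.compile(r'^(?P<group>\S+)\s+REG_MULTI_SZ\s+(?P<members>.+)$')


@dataclass(frozen=True)
class Finding:
    kind: str    # "open_port", "driver" or "svchost_group"
    item: str    # the port, driver short name or group name
    reason: str


def looks_generated(short_name: str) -> bool:
    """Rough heuristic (assumption): a short name of at most six characters
    that mixes letters and digits, e.g. 'o6ko', rather than a vendor word."""
    return (len(short_name) <= 6
            and any(c.isdigit() for c in short_name)
            and any(c.isalpha() for c in short_name))


def triage_combofix(log_text: str) -> List[Finding]:
    """Return the entries worth a second look, in the order they appear."""
    findings: List[Finding] = []
    section = ""   # lower-cased registry key of the current block, "" outside one
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:                 # ComboFix separates blocks with blank lines
            section = ""
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if "globallyopenports" in section:
            m = OPEN_PORT_RE.match(line)
            if m:
                findings.append(Finding(
                    "open_port", f"{m['port']}/{m['proto']}",
                    f"inbound port opened by firewall rule '{m['name']}'; "
                    "check which program needs it"))
        elif section.endswith("\\svchost"):
            m = SVCHOST_RE.match(line)
            if m and m["group"].lower() not in XP_SVCHOST_GROUPS:
                findings.append(Finding(
                    "svchost_group", m["group"],
                    f"non-standard svchost group loading: {m['members']}"))
        else:
            m = SERVICE_RE.match(line)
            if (m and m["path"].lower().endswith(".sys")
                    and looks_generated(m["short"])):
                findings.append(Finding(
                    "driver", m["short"],
                    f"kernel driver {m['path']} with generated-looking name "
                    f"(display name '{m['display']}')"))
    return findings


if __name__ == "__main__":
    for f in triage_combofix(SAMPLE_LOG):
        print(f"[{f.kind}] {f.item}: {f.reason}")
```

Run against the sample it reports the 8085/TCP rule, the o6ko driver and the netsvc6 group, and stays silent on the Ad-Aware, Lbd and Google Update entries.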

0

Here is the Combofix log:

ComboFix 10-03-04.02 - Joyce and Dale 03/04/2010 20:12:19.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2315 [GMT -5:00]
Running from: c:\documents and settings\Joyce and Dale\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\bill103.exe
c:\windows\lgo
c:\windows\ligh
c:\windows\rdr_1269912253.exe
c:\windows\rdr_1269955988.exe
c:\windows\system32\MSVolumeAP.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SRVOKO6
-------\Service_srvoko6


((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))
.

2010-03-30 01:34 . 2010-03-30 01:34 388096 ----a-r- c:\documents and settings\Joyce and Dale\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-03-30 01:33 . 2010-03-30 01:33 -------- d-----w- c:\program files\TrendMicro
2010-03-30 01:06 . 2010-03-04 19:35 -------- d-----w- c:\documents and settings\Joyce and Dale\Application Data\Malwarebytes
2010-03-30 01:06 . 2010-03-04 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-05 01:17 . 2010-03-05 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-03-04 20:12 . 2010-03-04 20:12 64 ----a-w- c:\windows\system32\rp_stats.dat
2010-03-04 20:12 . 2010-03-04 20:12 44 ----a-w- c:\windows\system32\rp_rules.dat
2010-03-04 19:35 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-04 19:35 . 2010-03-04 19:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-04 19:35 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-04 19:20 . 2010-02-05 09:03 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-04 19:10 . 2010-02-05 09:03 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-04 19:08 . 2010-02-05 09:04 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{52AC600B-5800-407E-99FF-83CD0669760B}\Ad-AwareInstaller.exe
2010-03-04 19:08 . 2010-03-04 19:08 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{52AC600B-5800-407E-99FF-83CD0669760B}
2010-03-04 19:08 . 2010-03-04 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-04 19:08 . 2010-03-04 19:08 -------- d-----w- c:\program files\Lavasoft
2010-03-04 00:26 . 2010-03-04 00:26 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-26 09:09 . 2010-02-26 09:09 -------- d-----w- c:\documents and settings\Joyce and Dale\Local Settings\Application Data\Temp
2010-02-25 22:26 . 2010-02-25 22:26 -------- d-----w- c:\program files\Vuze
2010-02-22 19:40 . 2010-02-22 20:37 -------- d-----w- c:\documents and settings\Joyce and Dale\Local Settings\Application Data\Mixxx
2010-02-22 19:39 . 2010-02-22 19:40 -------- d-----w- c:\program files\Mixxx
2010-02-22 15:53 . 2010-02-22 15:53 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-13 21:39 . 2010-03-04 21:04 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-11 03:26 . 2010-02-11 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-11 03:26 . 2010-02-11 03:26 -------- d-----w- c:\windows\system32\drivers\NSS
2010-02-11 03:26 . 2010-02-11 03:26 -------- d-----w- c:\program files\Norton Security Scan
2010-02-11 03:26 . 2010-02-11 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-11 03:26 . 2010-02-11 03:26 -------- d-----w- c:\program files\NortonInstaller
2010-02-11 03:26 . 2010-02-11 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-04 20:51 . 2010-02-04 20:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Zynga
2010-02-03 22:20 . 2010-02-03 22:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-02-03 22:15 . 1999-08-16 14:35 110592 ------w- c:\windows\system32\DUNZIP32.DLL
2010-02-03 22:15 . 1999-08-04 16:16 126976 ------w- c:\windows\system32\DZIP32.DLL
2010-02-03 22:15 . 2010-02-03 22:15 -------- d-----w- c:\program files\Gravis
2010-02-03 22:13 . 2010-02-03 22:13 -------- d-----w- C:\Xp4_5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-30 00:49 . 2010-02-01 22:37 -------- d-----w- c:\program files\Bing Bar Installer
2010-03-28 04:45 . 2009-10-30 13:07 -------- d-----w- c:\documents and settings\Joyce and Dale\Application Data\CorelHomeOffice
2010-03-04 00:28 . 2009-10-19 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-26 03:12 . 2010-02-01 22:37 -------- d-----w- c:\documents and settings\Joyce and Dale\Application Data\Azureus
2010-02-25 22:26 . 2010-02-01 22:37 -------- d-----w- c:\program files\Microsoft
2010-02-24 08:17 . 2009-10-18 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-04 00:15 . 2009-12-16 00:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-04 00:13 . 2010-02-02 21:31 -------- d-----w- c:\program files\Hotel Dash Suite Success
2010-02-03 22:14 . 2009-10-19 04:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-03 22:14 . 2009-10-18 23:23 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-02 21:31 . 2010-02-02 21:31 -------- d-----w- c:\program files\ReflexiveArcade
2010-02-02 17:24 . 2009-12-16 00:31 -------- d-----w- c:\documents and settings\Joyce and Dale\Application Data\PlayFirst
2010-02-01 22:37 . 2010-02-01 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2010-02-01 20:47 . 2010-02-01 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-02-01 20:47 . 2010-02-01 20:47 -------- d-----w- c:\documents and settings\Joyce and Dale\Application Data\pdf995
2010-02-01 20:47 . 2010-02-01 18:10 -------- d-----w- c:\documents and settings\Joyce and Dale\Application Data\TaxCut
2010-02-01 20:14 . 2010-02-01 20:14 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2010-02-01 20:14 . 2010-02-01 20:14 249856 ----a-w- c:\windows\system32\pdfmona.dll
2010-02-01 20:14 . 2010-02-01 18:07 -------- d-----w- c:\program files\PDF995
2010-02-01 20:14 . 2009-10-19 00:10 53624 ----a-w- c:\documents and settings\Joyce and Dale\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-01 20:02 . 2010-02-01 20:02 2926280 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockNC.exe
2010-02-01 18:15 . 2010-02-01 18:15 16832384 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026001xupd.exe
2010-02-01 18:08 . 2010-02-01 18:07 -------- d-----w- c:\program files\HRBlock2009
2010-02-01 18:04 . 2010-02-01 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-02-01 12:04 . 2009-10-18 23:11 -------- d-----w- c:\program files\Google
2010-01-27 21:16 . 2009-10-18 23:12 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-26 15:34 . 2010-01-26 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2010-01-25 00:59 . 2009-11-13 19:59 -------- d-----w- c:\documents and settings\Joyce and Dale\Application Data\vlc
2010-01-25 00:21 . 2010-01-25 00:21 -------- d-----w- c:\program files\Easy DVD Player
2010-01-25 00:17 . 2009-12-16 23:01 -------- d-----w- c:\documents and settings\Joyce and Dale\Application Data\DivX
2010-01-22 13:01 . 2010-01-21 01:10 -------- d-----w- c:\program files\Java
2010-01-22 13:00 . 2010-01-22 13:00 152576 ----a-w- c:\documents and settings\Joyce and Dale\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-22 12:59 . 2010-01-22 12:59 79488 ----a-w- c:\documents and settings\Joyce and Dale\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-22 08:17 . 2009-10-20 13:24 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-21 01:10 . 2010-01-21 01:10 152576 ----a-w- c:\documents and settings\Joyce and Dale\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-01-19 19:17 . 2009-11-12 16:12 144160 ----a-w- c:\documents and settings\Joyce and Dale\Application Data\Move Networks\uninstall.exe
2010-01-19 19:17 . 2009-12-10 19:26 4187512 ----a-w- c:\documents and settings\Joyce and Dale\Application Data\Move Networks\plugins\npqmp071505000011.dll
2010-01-19 19:17 . 2009-11-12 16:12 -------- d-----w- c:\documents and settings\Joyce and Dale\Application Data\Move Networks
2009-12-31 16:50 . 2007-07-27 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-24 04:54 . 2009-10-18 22:12 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-12-21 19:14 . 2007-07-27 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2009-10-18 22:09 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 00:31 . 2009-12-16 00:31 249856 ----a-w- c:\documents and settings\All Users\Application Data\PlayFirst\Games\components\pfMultiplayer.dll
2009-12-16 00:31 . 2009-12-16 00:31 466944 ----a-w- c:\documents and settings\All Users\Application Data\PlayFirst\Games\pfHarness\pfHarness.dll
2009-12-14 07:08 . 2007-07-27 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-10 19:27 . 2009-12-10 19:27 97144 ----a-w- c:\documents and settings\Joyce and Dale\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-12-08 19:27 . 2007-07-27 12:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-18 39408]
"iCalendar"="c:\program files\Desksware\Desktop iCal\Calendar.exe" [2008-01-28 2670080]
"Tesco Insert Detect"="c:\program files\Tesco\Picture Suite\InsDetect.exe" [2003-02-17 262144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPWT myPrintMileage Agent"="c:\program files\Hewlett-Packard\HP Business Inkjet 1000\Toolbox\mpm.exe" [2005-01-26 102400]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"nwiz"="nwiz.exe" [2008-09-18 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 16208384]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Event Planner Reminder.lnk - c:\program files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe [2005-8-30 25896]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:GateOKO

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/4/2010 2:10 PM 64288]
R1 o6ko;BandProxy Shell Microsoft Net Bus Repository;c:\windows\system32\drivers\o6ko.sys [9/3/2007 2:29 AM 32768]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/5/2010 4:03 AM 1229232]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 7:04 AM 135664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
netsvc6 REG_MULTI_SZ srvoko6
.
Contents of the 'Scheduled Tasks' folder

2010-03-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-05 09:03]

2010-03-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 12:04]

2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 12:04]

2010-03-04 c:\windows\Tasks\Norton Security Scan for Joyce and Dale.job
- c:\program files\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2010-02-11 18:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msnbc.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-04 20:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1040)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-03-04 20:21:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-05 01:21

Pre-Run: 46,453,374,976 bytes free
Post-Run: 46,819,942,400 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(4)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 43DA75A9B04E1BC0BD951696CF211BCA


And here is Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 8:24:57 PM, on 3/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\HP Business Inkjet 1000\Toolbox\mpm.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Tesco\Picture Suite\InsDetect.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [HPWT myPrintMileage Agent] C:\Program Files\Hewlett-Packard\HP Business Inkjet 1000\Toolbox\mpm.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [iCalendar] C:\Program Files\Desksware\Desktop iCal\Calendar.exe
O4 - HKCU\..\Run: [Tesco Insert Detect] C:\Program Files\Tesco\Picture Suite\InsDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Event Planner Reminder.lnk = C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7325 bytes

0

Yay! It looks like the problem has finally been fixed! I'm able to go anywhere I want on the Internet now... plus I was able to go to Malwarebytes and run an update!
Thank you so much, I could not have done this without your help... You are a wonderful person!

0

Not done yet. I really need to go through the log, which, as you can imagine, can take a bit. You say you could update and run the MBA-M program. Can I see that new log?
Judy

0

Sure... I'm running the full scan now and when it's done I will post the log.

0

Here it is, Judy...

Malwarebytes' Anti-Malware 1.44
Database version: 3825
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/4/2010 10:05:08 PM
mbam-log-2010-03-04 (22-05-08).txt

Scan type: Full Scan (C:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 177579
Time elapsed: 39 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\o6ko (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvc6 (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{D716F7E8-4715-4B4F-AE2D-528EB503A804}\RP184\A0012550.dll (Worm.KoobFace) -> Quarantined and deleted successfully.

0

Well, I see more has been found; that Koobface, by the way, came from the video in Facebook.
You say this is your Dad's computer? Is he really into P2P file sharing and gaming?
Another P2P program which should be removed is Vuze.
I also would recommend that any programs downloaded and installed using P2P be removed. P2P sharing is very dangerous and can lead to serious infections. I can say for sure the ONE infection, Koobface, came from the Facebook video, but cannot say what others may have been involved here. I would recommend uninstalling any programs NOT legally obtained; this includes music, videos and games which normally would be paid for but instead were gotten via P2P.

I am also confused here: earlier logs showed McAfee, the Uninstall list shows NO McAfee but shows some form of Norton, ComboFix doesn't show McAfee at all but does show Norton, and the latest HJT log shows no anti-virus program whatsoever...??
You need to run the online ESET Scanner.
* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.

* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is checked.
* When you have completed that scan, a scan log should have been created at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us.
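As an added example, not part of this thread and not code from Malwarebytes, ESET or any other tool named here: the MBAM log above shows the persistence pattern Koobface used on this machine, a service key (`Services\o6ko`) paired with a value under `...\CurrentVersion\SvcHost` (`netsvc6`), so the malware DLL is loaded inside a legitimate svchost.exe host process. The Python below parses a constructed .reg export (the sample data reuses the `o6ko` and `netsvc6` names from the log; the DLL path, the other services and the list of "known" XP service groups are assumptions, not facts from the thread) and flags svchost groups Windows XP does not ship with, services whose ImagePath does not host the group they are listed in, and service DLLs that live outside system32.

```python
"""
Triage helper: flag suspicious svchost service groups and service entries
in a Windows registry export (.reg text).  Added example, not from the
thread; all sample data below is constructed.
"""
import re

SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Assumption: service groups a stock Windows XP SP3 install registers under the
# SvcHost key.  Not exhaustive; a name outside this set deserves a look, which is
# exactly how "netsvc6" in the log above would surface.
KNOWN_GROUPS = {
    "netsvcs", "localservice", "networkservice", "rpcss", "dcomlaunch",
    "imgsvc", "termsvcs", "wugroup", "httpfilter",
}

# Assumption: legitimate svchost-hosted DLLs live under system32.  Malware can
# drop into system32 too, so this is one signal to combine with the others.
SYSTEM32_PREFIXES = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def _multi_sz_hex(items):
    """Encode a REG_MULTI_SZ value the way regedit exports it: hex(7) UTF-16LE bytes."""
    raw = ("\0".join(items) + "\0\0").encode("utf-16-le")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def parse_reg(text):
    """Parse a minimal .reg export into {key_path: {value_name: data}}.

    Handles REG_SZ ("name"="string") and REG_MULTI_SZ ("name"=hex(7):...) values,
    including regedit's ",\\" line continuations inside hex data.
    """
    text = re.sub(r",\\\r?\n\s*", ",", text)  # rejoin wrapped hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1].replace("\\\\", "\\")  # .reg escapes backslashes
        elif data.startswith("hex(7):"):
            raw = bytes(int(h, 16) for h in data[len("hex(7):"):].split(",") if h)
            keys[current][name] = [s for s in raw.decode("utf-16-le").split("\0") if s]
    return keys


def audit_svchost(keys):
    """Return a list of (object, reason) findings for svchost groups and their members."""
    findings = []
    for group, members in keys.get(SVCHOST_KEY, {}).items():
        if group.lower() not in KNOWN_GROUPS:
            findings.append((group, f"unknown svchost group {group!r} with members {members}"))
        for svc in members:
            svc_key = f"{SERVICES_KEY}\\{svc}"
            image = keys.get(svc_key, {}).get("ImagePath", "")
            dll = keys.get(svc_key + r"\Parameters", {}).get("ServiceDll", "")
            hosted = re.search(r"-k\s+(\S+)", image, re.I)
            if not hosted or hosted.group(1).lower() != group.lower():
                findings.append((svc, f"ImagePath {image!r} does not host group {group!r}"))
            if not dll.lower().startswith(SYSTEM32_PREFIXES):
                findings.append((svc, f"ServiceDll {dll!r} is missing or outside system32"))
    return findings


# Constructed sample export: two stock services in "netsvcs" plus a service
# named after the log's Koobface entry, registered in its own group "netsvc6".
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{SVCHOST_KEY}]",
    '"netsvcs"=' + _multi_sz_hex(["wuauserv", "BITS"]),
    '"netsvc6"=' + _multi_sz_hex(["o6ko"]),
    "",
    f"[{SERVICES_KEY}\\wuauserv]",
    r'"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"',
    f"[{SERVICES_KEY}\\wuauserv\\Parameters]",
    r'"ServiceDll"="%SystemRoot%\\system32\\wuauserv.dll"',
    f"[{SERVICES_KEY}\\BITS]",
    r'"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"',
    f"[{SERVICES_KEY}\\BITS\\Parameters]",
    r'"ServiceDll"="%SystemRoot%\\system32\\qmgr.dll"',
    f"[{SERVICES_KEY}\\o6ko]",
    r'"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvc6"',
    f"[{SERVICES_KEY}\\o6ko\\Parameters]",
    # Assumed DLL location for the sample; the real file in the log was only seen in a restore point.
    r'"ServiceDll"="C:\\Documents and Settings\\All Users\\Application Data\\o6ko.dll"',
])

if __name__ == "__main__":
    for obj, reason in audit_svchost(parse_reg(SAMPLE_REG)):
        print(f"{obj}: {reason}")
```

Run against a real export (`reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" svchost.reg` plus the Services hive) the same two checks apply; the group-name check is the cheap one, since legitimate software rarely creates its own svchost group, while the DLL-path check only narrows things down.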


0

Here is the ESET scan log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=97cd0129823feb42bc78aed3a2213d1a
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-03-05 01:03:01
# local_time=2010-03-05 08:03:01 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775125 100 94 0 39506758 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=58424
# found=0
# cleaned=0
# scan_time=2339

0

OK, looks clean. Now can you answer my questions? I really need all this info before we can go further, and we really are not finished yet.

I am also confused here: earlier logs showed McAfee, the Uninstall list shows NO McAfee but shows some form of Norton, ComboFix doesn't show McAfee at all but does show Norton, and the latest HJT log shows no anti-virus program whatsoever...??
You say this is your Dad's computer? Is he really into P2P file sharing and gaming?

