Malware Removal & HijackThis Logs
06-May-2008, 05:07 PM, #1
Solved: Help Needed Please, Can't Get Rid Of Bugs After Many Scans

Started getting many ads every time I opened a new page online, so I carried out an AVG scan and a Spy Sweeper scan, which found some trojans in the System Restore area and some malware. After I did these scans I went online again and I still had many popups, so I tried various other anti-virus/spyware scanners and still had the same problem, so I got rid of my AVG and Spy Sweeper and am now using Avast and SUPERAntiSpyware, which can't get rid of the problems either. I carried out all these scans in safe mode and can't figure out where the problem is. Can anyone help please, as I am starting to go mad. Here is a log of my spyware scan.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/05/2008 at 09:05 PM

Application Version : 4.0.1154

Core Rules Database Version : 3452
Trace Rules Database Version: 1444

Scan type : Complete Scan
Total Scan Time : 01:48:58

Memory items scanned : 157
Memory threats detected : 0
Registry items scanned : 5742
Registry threats detected : 0
File items scanned : 90810
File threats detected : 8

Malware.SpywareNuker
C:\WINDOWS\SYSTEM32\DRIVERS\PSHOOK11.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP882\A0196118.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP883\A0196813.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP884\A0197491.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP886\A0198169.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP887\A0198704.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP888\A0199239.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP889\A0199774.SYS

And here are the anti-virus results:
win32 trojan-gen delphi kernal32.dll
win32:ngvck-e winsock.dll

Last edited by 1wozk : 06-May-2008 05:40 PM.
07-May-2008, 02:51 PM, #2
Help Needed Please, Can't Get Rid Of Bugs After Many Scans

Hi, I need some help urgently with the following. I started getting these annoying popups on every new page I would look at online. I have used many different anti-virus/spyware programs in safe mode, which have found many bugs, which are listed below in the logs; then after I have restarted my PC and gone online the popups are back straight away, and I have now run out of ideas to stop this. If anyone knows of a solution I would appreciate any help offered.

Logs

Malwarebytes' Anti-Malware 1.12
Database version: 729

Scan type: Quick Scan
Objects scanned: 36574
Time elapsed: 3 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/AntvrsInstall.exe (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.2/AntvrsInstall.exe (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\edfqvrw.bdgr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Antivirus 2008 (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\warren keen\Application Data\Antivirus (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Antivirus 2008\Antvrs.exe (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\em (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\oid (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\user (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\AntvrsInstall.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dpeavkgshd_navps.dat (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dpeavkgshd_nav.dat (Adware.EGDAccess) -> Quarantined and deleted successfully.

Avast anti-virus log

06/05/2008 09:15:33 warren keen 3092 Sign of "Win32:Trojan-gen {Delphi}" has been found in "C:\Documents and Settings\warren keen\Application Data\PerformanceoptimizerFreeSetup[1].exe\$INSTDIR\PoChk.exe" file.
06/05/2008 10:55:27 warren keen 3092 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\warren keen\Application Data\PerformanceoptimizerFreeSetup[1].exe\$COMMONFILES\$[33]\$NS_LANG_CODE\pcid.exe" file.
06/05/2008 10:55:33 warren keen 3092 Sign of "Win32:Trojan-gen {Delphi}" has been found in "C:\Documents and Settings\warren keen\Application Data\PerformanceoptimizerFreeSetup[1].exe\$COMMONFILES\$[33]\$NS_LANG_CODE\creader.exe" file.
06/05/2008 11:22:45 warren keen 3092 Sign of "Win32:NGVCK-E" has been found in "C:\Program Files\PCPitstop\AV\PAV.SIG" file.
06/05/2008 11:54:56 warren keen 3092 Sign of "Win32:Trojan-gen {Delphi}" has been found in "C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP895\A0200560.exe\$INSTDIR\PoChk.exe" file.
06/05/2008 11:56:06 warren keen 3092 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP895\A0200560.exe\$COMMONFILES\$[33]\$NS_LANG_CODE\pcid.exe" file.
06/05/2008 11:56:11 warren keen 3092 Sign of "Win32:Trojan-gen {Delphi}" has been found in "C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP895\A0200560.exe\$COMMONFILES\$[33]\$NS_LANG_CODE\creader.exe" file.

Last edited by 1wozk : 07-May-2008 03:03 PM. Reason: add info
08-May-2008, 03:55 PM, #3
Hi, Welcome to TSG!!

Click here to download HJTInstall.exe

__________________
Microsoft MVP/Windows - Consumer Security
If we have helped you, please consider making a donation to TSG!
08-May-2008, 04:11 PM, #4
Log you requested, thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:07:01, on 08/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\USB Product Driver v2.33r005\shwicon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\Generic\USB Card Reader Driver v1.9e3\Disk_Monitor.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Glary Utilities\memdefrag.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [ShowIcon_JustRams_USB Product Driver v2.33r005] "C:\Program Files\USB Product Driver v2.33r005\shwicon.exe" -t"JustRams\USB Product Driver v2.33r005"
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [Disk Monitor] "C:\Program Files\Generic\USB Card Reader Driver v1.9e3\Disk_Monitor.exe"
O4 - HKCU\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [Glary Memory Optimizer] C:\Program Files\Glary Utilities\memdefrag.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [Window Monitor] winmon32.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Window Monitor] winmon32.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46...abblecubes.cab
O16 - DPF: {0EB73E39-8AD4-43E8-8FBA-0165C2CCDB8B} (GameControl Class) - http://uk.midas.games.yahoo.net/midasa.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) - http://www.worldwinner.com/games/v47...m/skillgam.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47...amesLoader.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} - http://www3.authentium.com/bt/wbiw/bin/wizard.exe
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - http://www.worldwinner.com/games/v48...t/brickout.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v50/pool/pool.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://www.worldwinner.com/games/v43/jigsaw/jigsaw.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://uk.midas.games.yahoo.net/ctl/kingcomie.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} (WWHearts Control) - http://www.worldwinner.com/games/v52...s/wwhearts.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinner.com/games/v63/bjattack/bja.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46.../bejeweled.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://www.worldwinner.com/games/v49.../blockwerx.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinner.com/games/v41...l/freecell.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1166606521953
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://download.sopcast.com/download/SOPCORE.CAB
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v46...o/wordmojo.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinner.com/games/v57/cubis/cubis.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} (WwLuxor Control) - http://www.worldwinner.com/games/v49/luxor/luxor.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v67/swapit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v41...an/hangman.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://www.worldwinner.com/games/v42...y/tilecity.cab
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} (Royal Control) - http://www.worldwinner.com/games/v45/royal/royal.cab
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - http://www.worldwinner.com/games/v49.../dinerdash.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbde...ivePreQual.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v43/paint/paint.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47...familyfeud.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Regi...18/flashax.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://www.worldwinner.com/games/v44...ol/golfsol.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinner.com/games/v47...s/wwspades.cab
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O24 - Desktop Component 0: (no name) - https://www.1stoptrading.com/images/...H0101.03.1.jpg
O24 - Desktop Component 1: (no name) - http://www.globaldiscounts.co.uk/ima...00006/logo.jpg

--
End of file - 11026 bytes
08-May-2008, 06:12 PM, #5
Run HJT again and put a check in the following:

O4 - HKUS\S-1-5-18\..\RunServices: [Window Monitor] winmon32.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunServices: [Window Monitor] winmon32.exe (User 'Default user')

Close all applications and browser windows before you click "fix checked".

Please download the OTMoveIt2 by OldTimer.

Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only.
Click Exit on the Main menu to close the program.

Download (save and select your desktop to save it to) SUPERAntiSpyware Free for Home Users.

Please perform a scan with Kaspersky Webscan Online Virus Scanner.
Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps here and reboot afterwards if your system does not reboot automatically, or it will show 'Kaspersky Online Scanner license key was not found!'

I don't see any anti-virus software running. Load AVG, it's free.
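Added illustration (not code from this thread, from HijackThis or from any tool the helper names) of why the two RunServices lines above are the ones a log reviewer checks first: the script parses HijackThis O4 entries, flags autostarts that use the legacy RunServices key or an unqualified executable name, and diffs a before/after log to confirm the fix took. The two sample logs are constructed from entries quoted in this thread.

```python
import re
from typing import List, NamedTuple, Tuple


class HjtEntry(NamedTuple):
    section: str  # HijackThis section code, e.g. "O4", "O2", "O23"
    body: str     # everything after the "O4 - " prefix


# HijackThis prefixes every finding with a section code (R0, O2, O4, O23, ...).
# Header lines and the "Running processes:" list carry no such prefix.
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")

# An O4 value whose target is a bare file name (no drive, no directory):
# "[Window Monitor] winmon32.exe (User 'SYSTEM')" matches, while
# '[EzPrint] "C:\Program Files\...\ezprint.exe"' does not.
BARE_EXE_RE = re.compile(r"^\[[^\]]*\]\s+([\w\-]+\.(?:exe|dll|com|scr))\b", re.IGNORECASE)


def parse_hjt(log: str) -> List[HjtEntry]:
    """Split a HijackThis log into (section, body) entries, skipping the header and process list."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2)))
    return entries


def flag_autostarts(entries: List[HjtEntry]) -> List[Tuple[str, List[str]]]:
    """Return the O4 autostart entries a reviewer should look at first, each with its reasons.

    Two heuristics, both taken from how the winmon32.exe lines in this thread stand out:
      * the key is RunServices, a Windows 9x-era autostart location that XP-era software
        has little reason to use;
      * the command is an unqualified executable name, so the log alone does not tell you
        which file on disk is actually being run.
    """
    findings = []
    for e in entries:
        if e.section != "O4":
            continue
        key, _, value = e.body.partition(": ")
        reasons = []
        if "RunServices" in key:
            reasons.append("legacy RunServices key")
        if BARE_EXE_RE.match(value):
            reasons.append("unqualified executable name")
        if reasons:
            findings.append((e.body, reasons))
    return findings


def diff_logs(before: List[HjtEntry], after: List[HjtEntry]) -> Tuple[List[HjtEntry], List[HjtEntry]]:
    """Entries present only in the earlier log (removed) and only in the later log (added)."""
    before_set, after_set = set(before), set(after)
    removed = [e for e in before if e not in after_set]
    added = [e for e in after if e not in before_set]
    return removed, added


# Constructed excerpts: a handful of entries copied from the two HijackThis logs in this thread.
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [Window Monitor] winmon32.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunServices: [Window Monitor] winmon32.exe (User 'Default user')
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
"""

AFTER_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
"""


if __name__ == "__main__":
    before, after = parse_hjt(BEFORE_LOG), parse_hjt(AFTER_LOG)
    for body, reasons in flag_autostarts(before):
        print(f"REVIEW: {body}  <- {', '.join(reasons)}")
    removed, added = diff_logs(before, after)
    print(f"{len(removed)} entries gone after the fix, {len(added)} new entries (AVG install)")
```

Run it against a full log saved by HijackThis to get the same first-pass triage the helper did by eye; the diff is the check that the "fix checked" step actually removed the entries rather than just hiding them.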
09-May-2008, 05:24 PM, #6
Scan results and logs

Hi, thanks for all your support in this annoying matter. I hope we can fix it, as I'm still getting many popups. I have carried out all you asked me to do and have listed all you need below. Thanks again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:35:12, on 09/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\USB Product Driver v2.33r005\shwicon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\Generic\USB Card Reader Driver v1.9e3\Disk_Monitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet 
Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll O3 - Toolbar: Yahoo! 
Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O4 - HKLM\..\Run: [ShowIcon_JustRams_USB Product Driver v2.33r005] "C:\Program Files\USB Product Driver v2.33r005\shwicon.exe" -t"JustRams\USB Product Driver v2.33r005" O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe" O4 - HKLM\..\Run: [Disk Monitor] "C:\Program Files\Generic\USB Card Reader Driver v1.9e3\Disk_Monitor.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" O4 - HKCU\..\Run: [Glary Memory Optimizer] C:\Program Files\Glary Utilities\memdefrag.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: BT Yahoo! 
Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46...abblecubes.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {0EB73E39-8AD4-43E8-8FBA-0165C2CCDB8B} (GameControl Class) - http://uk.midas.games.yahoo.net/midasa.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) - http://www.worldwinner.com/games/v47...m/skillgam.cab O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47...amesLoader.cab O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} - http://www3.authentium.com/bt/wbiw/bin/wizard.exe O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - http://www.worldwinner.com/games/v48...t/brickout.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v50/pool/pool.cab O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://www.worldwinner.com/games/v43/jigsaw/jigsaw.cab O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://uk.midas.games.yahoo.net/ctl/kingcomie.cab O16 - DPF: 
{55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab O16 - DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} (WWHearts Control) - http://www.worldwinner.com/games/v52...s/wwhearts.cab O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinner.com/games/v63/bjattack/bja.cab O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46.../bejeweled.cab O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://www.worldwinner.com/games/v49.../blockwerx.cab O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinner.com/games/v41...l/freecell.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1166606521953 O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://download.sopcast.com/download/SOPCORE.CAB O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v46...o/wordmojo.cab O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinner.com/games/v57/cubis/cubis.cab O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} (WwLuxor Control) - http://www.worldwinner.com/games/v49/luxor/luxor.cab O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v67/swapit/swapit.cab O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - 
http://www.worldwinner.com/games/v41...an/hangman.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://www.worldwinner.com/games/v42...y/tilecity.cab
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} (Royal Control) - http://www.worldwinner.com/games/v45/royal/royal.cab
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - http://www.worldwinner.com/games/v49.../dinerdash.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbde...ivePreQual.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v43/paint/paint.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47...familyfeud.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Regi...18/flashax.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://www.worldwinner.com/games/v44...ol/golfsol.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinner.com/games/v47...s/wwspades.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O24 - Desktop Component 0: (no name) - https://www.1stoptrading.com/images/...H0101.03.1.jpg
O24 - Desktop Component 1: (no name) - http://www.globaldiscounts.co.uk/ima...00006/logo.jpg

--
End of file - 11796 bytes

OTMOVEIT2 LOG

File delete failed. C:\Documents and Settings\warren keen\Desktop\OTMoveIt2.exe scheduled to be deleted on reboot.
File/Folder avenger.zip not found.
File/Folder avenger.exe not found.
File/Folder Avenger not found.
File/Folder avenger.txt not found.
File/Folder bfu.zip not found.
File/Folder BFU not found.
File/Folder combofix.exe not found.
File/Folder Combo-Fix.sys not found.
File/Folder ComboFix not found.
File/Folder erdnt not found.
File/Folder QooBox not found.
File/Folder ComboFix*.txt not found.
Service not present: catchme.
File/Folder catchme.exe not found.
File/Folder fdsv.exe not found.
File/Folder grep.exe not found.
File/Folder moveex.exe not found.
File/Folder nircmd.exe not found.
File/Folder sed.exe not found.
File/Folder swreg.exe not found.
File/Folder Swsc.exe not found.
File/Folder Swxcacls.exe not found.
File/Folder VFind.exe not found.
File/Folder WS2Fix.exe not found.
File/Folder zip.exe not found.
File/Folder tmp.reg not found.
File/Folder dss.exe not found.
File/Folder Deckard not found.
File/Folder deljob.exe not found.
File/Folder deljob not found.
File/Folder logit.txt not found.
File/Folder FindAWF.exe not found.
File/Folder AWF.txt not found.
File/Folder fixwareout.exe not found.
File/Folder fixwareout not found.
File/Folder fsbl.exe not found.
File/Folder fsbl*.log not found.
File/Folder gmer.exe not found.
File/Folder gmer.dll not found.
File/Folder gmer.ini not found.
File/Folder gmer.log not found.
File/Folder gmer_uninstall.cmd not found.
File/Folder gmer.sys not found.
Service not present: gmer.
File/Folder haxfix.exe not found.
File/Folder haxfix.txt not found.
File/Folder killbox.exe not found.
File/Folder !Killbox not found.
File/Folder NoLop.exe not found.
File/Folder NoLop.txt not found.
File/Folder NoLopOLD.txt not found.
File/Folder delete.bat not found.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/09/2008 at 07:51 PM

Application Version : 4.0.1154

Core Rules Database Version : 3452
Trace Rules Database Version: 1444

Scan type : Complete Scan
Total Scan Time : 01:14:10

Memory items scanned : 347
Memory threats detected : 0
Registry items scanned : 5777
Registry threats detected : 0
File items scanned : 91535
File threats detected : 0

KASPERSKY ONLINE SCANNER REPORT
Friday, May 09, 2008 9:37:43 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/05/2008
Kaspersky Anti-Virus database records: 750036

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 92625
Number of viruses found 6
Number of infected objects 19
Number of suspicious objects 0
Duration of the scan process 01:28:36

Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Windows_OneCare_Evt.evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{5CC77D96-2CA2-44D1-B26E-446AA92284CE}.bin Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\emc\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgui.log Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\warren keen\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\warren keen\Local Settings\Temp\Perflib_Perfdata_6ac.dat Object is locked skipped
C:\Documents and Settings\warren keen\Local Settings\Temp\~DFF256.tmp Object is locked skipped
C:\Documents and Settings\warren keen\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\warren keen\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\warren keen\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\warren keen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\warren keen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\warren keen\ntuser.dat Object is locked skipped
C:\Documents and Settings\warren keen\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\warren keen\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-5-9-2008( 18-36-58 ).LOG Object is locked skipped
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP896\change.log Object is locked skipped
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP803\A0174411.exe/file1 Infected: not-a-virus:FraudTool.Win32.ErrClean.b skipped
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP803\A0174411.exe/file2 Infected: not-a-virus:FraudTool.Win32.SanitarDiska.r skipped
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP803\A0174411.exe Inno: infected - 2 skipped
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP866\A0194133.msi/app.cab/TclLib Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bu skipped
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP866\A0194133.msi/app.cab/ZLib Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bx skipped
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP866\A0194133.msi/app.cab Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bx skipped
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP866\A0194133.msi Embedded: infected - 3 skipped
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP867\A0194141.rbf Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bu skipped
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP867\A0194142.rbf Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bx skipped
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP879\A0196058.exe Infected: not-a-virus:FraudTool.Win32.AntiVirus2008.m skipped
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP882\A0196169.exe Infected: not-a-virus:FraudTool.Win32.AntiVirus2008.m skipped
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP883\A0196855.exe Infected: not-a-virus:FraudTool.Win32.AntiVirus2008.m skipped
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP884\A0197533.exe Infected: not-a-virus:FraudTool.Win32.AntiVirus2008.m skipped
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP886\A0198211.exe Infected: not-a-virus:FraudTool.Win32.AntiVirus2008.m skipped
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP887\A0198746.exe Infected: not-a-virus:FraudTool.Win32.AntiVirus2008.m skipped
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP888\A0199281.exe Infected: not-a-virus:FraudTool.Win32.AntiVirus2008.m skipped
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP889\A0199816.exe Infected: not-a-virus:FraudTool.Win32.AntiVirus2008.m skipped
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP895\A0200802.exe/WISE0004.BIN Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP895\A0200802.exe WiseSFX: infected - 1 skipped

Scan process completed.

I await your response to the reports I just sent you and hope we can fix these problems.

Last edited by 1wozk : 09-May-2008 05:38 PM. |
|
09-May-2008, 05:49 PM
#7 |
| The OTMoveIt log is from running cleanup and not what I requested. The Kaspersky findings are all in system restore. Please visit this webpage for instructions for downloading and running ComboFix. Post the log from ComboFix when you've accomplished that, along with a new HijackThis log. |
|
09-May-2008, 06:08 PM
#8 |
| ComboFix 08-05-08.1 - warren keen 2008-05-09 22:57:11.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.49 [GMT 1:00]
Running from: C:\Documents and Settings\warren keen\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\warren keen\Local Settings\Application Data\bwdamyu.dat
C:\Documents and Settings\warren keen\Local Settings\Application Data\bwdamyu.exe
C:\Documents and Settings\warren keen\Local Settings\Application Data\bwdamyu_nav.dat
C:\Documents and Settings\warren keen\Local Settings\Application Data\bwdamyu_navps.dat
C:\Program Files\Common Files\companion wizard
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\eqqthxgsz.dat
c:\windows\system32\eqqthxgsz.exe
c:\WINDOWS\system32\eqqthxgsz_nav.dat
c:\WINDOWS\system32\eqqthxgsz_navps.dat

----- BITS: Possible infected sites -----

hxxp://onsafepro.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SZKG5

((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.
2008-05-09 19:58 . 2008-05-09 19:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-09 07:13 . 2008-05-09 07:13 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-09 07:13 . 2008-05-09 07:13 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-09 07:12 . 2008-05-09 07:12 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-09 07:12 . 2008-05-09 07:12 <DIR> d-------- C:\Program Files\AVG
2008-05-09 07:12 . 2008-05-09 07:12 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-08 21:06 . 2008-05-08 21:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-07 21:50 . 2008-05-08 00:16 3,951 --a------ C:\rollback.ini
2008-05-07 21:19 . 2008-05-07 21:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-05-07 21:18 . 2008-05-08 07:12 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-05-07 21:17 . 2008-05-07 21:17 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-05-07 15:56 . 2008-05-07 15:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-07 15:56 . 2008-05-07 15:56 <DIR> d-------- C:\Documents and Settings\warren keen\Application Data\Malwarebytes
2008-05-07 15:56 . 2008-05-07 15:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-07 15:56 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-07 15:56 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-06 07:46 . 2008-05-06 07:46 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-06 07:46 . 2003-02-21 03:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-05-06 07:21 . 2008-05-06 07:21 36 -r-h----- C:\WINDOWS\sued.dat
2008-05-06 07:17 . 2008-05-06 07:17 <DIR> d-------- C:\Program Files\WOT
2008-05-06 07:10 . 2008-05-06 07:10 <DIR> d-------- C:\Program Files\Camtech
2008-05-05 18:46 . 2008-05-05 18:46 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-05 18:46 . 2008-05-05 18:46 <DIR> d-------- C:\Documents and Settings\warren keen\Application Data\SUPERAntiSpyware.com
2008-05-05 18:46 . 2008-05-05 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-05 18:45 . 2008-05-05 18:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-05 17:59 . 2008-05-05 17:59 <DIR> d-------- C:\Program Files\CleanUp!
2008-05-04 22:13 . 2008-05-04 22:13 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-05-04 18:26 . 2008-05-04 18:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-04 18:26 . 2008-05-04 18:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\INAC
2008-05-04 17:27 . 2008-05-04 17:27 <DIR> d-------- C:\Documents and Settings\warren keen\Application Data\INAC
2008-05-04 17:17 . 2008-05-04 17:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-04 16:58 . 2008-05-04 16:58 <DIR> d-------- C:\Program Files\INAC
2008-05-04 14:18 . 2008-05-04 14:18 <DIR> d-------- C:\Documents and Settings\warren keen\Application Data\PopUpSentry.com
2008-05-04 14:16 . 2008-05-04 14:16 <DIR> d-------- C:\Program Files\PopUpSentry.com
2008-05-04 13:12 . 2008-05-04 13:12 <DIR> d-------- C:\Program Files\a-squared Free
2008-05-04 10:13 . 2008-05-04 10:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-05-04 10:12 . 2008-05-04 10:12 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-04 10:12 . 2008-05-09 22:57 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-03 23:24 . 2001-08-17 22:37 24,576 --a------ C:\WINDOWS\system32\dllcache\agcgauge.ax
2008-05-03 07:02 . 2008-05-03 07:02 <DIR> d-------- C:\Documents and Settings\warren keen\Application Data\Uniblue
2008-05-02 20:14 . 2008-05-02 20:14 <DIR> d-------- C:\WINDOWS\Speeditup Free
2008-05-02 20:14 . 2008-05-02 20:14 <DIR> d-------- C:\Program Files\Speeditup Free
2008-05-02 19:42 . 2008-05-02 19:42 <DIR> d-------- C:\WINDOWS\PC Check-up
2008-05-02 19:00 . 2008-05-02 19:00 170 --a------ C:\WINDOWS\spywarebegone-fullversion-installed.html
2008-05-02 12:55 . 2008-05-02 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-02 11:48 . 2008-05-02 11:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-02 10:23 . 2008-01-13 07:18 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-26 10:14 . 2008-04-26 10:14 <DIR> d-------- C:\Documents and Settings\warren keen\Application Data\AVGTOOLBAR
2008-04-26 10:12 . 2008-04-26 10:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-16 06:50 . 2008-04-16 06:50 <DIR> d--hs---- C:\FOUND.003
2008-04-13 06:37 . 2008-04-13 06:37 <DIR> d--hs---- C:\FOUND.002
2008-04-11 17:25 . 2008-04-11 17:25 <DIR> d-------- C:\Program Files\eBay
2008-04-11 17:25 . 2008-04-11 17:25 <DIR> d-------- C:\Documents and Settings\All Users\eBay
2008-04-11 13:19 . 2008-04-11 13:19 <DIR> d-------- C:\Program Files\iWin
2008-04-11 06:57 . 2008-04-11 06:57 <DIR> d--hs---- C:\FOUND.001
2008-04-10 23:04 . 2008-04-10 23:04 <DIR> d-------- C:\f7551fd52cabcc0d556fe1cedb558938
2008-04-10 07:09 . 2008-04-10 07:09 <DIR> d-------- C:\WINDOWS\system32\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 17:59 724,992 ----a-w C:\WINDOWS\iun6002.exe
2008-03-26 16:18 49,152 ----a-r C:\WINDOWS\system32\Inetwh32.dll
2008-03-26 16:18 1,044,480 ----a-r C:\WINDOWS\system32\roboex32.dll
2008-03-21 08:45 --------- d-----w C:\Program Files\CA Yahoo! Anti-Spy
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-10 06:09 --------- d-----w C:\Program Files\Common Files\xing shared
2008-03-01 17:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-03-26 10:57 52,274 ----a-w C:\Documents and Settings\warren keen\TB2Categories000.dat
2006-08-08 08:33 25,600 ----a-w C:\Documents and Settings\warren keen\usbsermptxp.sys
2006-08-08 08:33 22,768 ----a-w C:\Documents and Settings\warren keen\usbsermpt.sys
2006-05-14 08:43 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.
------- Sigcheck -------
2004-08-04 07:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\dllcache\ctfmon.exe
2004-08-04 07:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-05-09 07:12 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C920E44A-7F78-4E64-BDD7-A57026E7FEB7}]
2008-04-21 10:59 2249376 --a------ C:\Program Files\WOT\WOT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-04-01 13:18 160496 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{71576546-354D-41C9-AAE8-31F2EC22BF0D}"= "C:\Program Files\WOT\WOT.dll" [2008-04-21 10:59 2249376]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-05-09 07:12 2050816]

[HKEY_CLASSES_ROOT\clsid\{71576546-354d-41c9-aae8-31f2ec22bf0d}]
[HKEY_CLASSES_ROOT\WOT.WOTBar.1]
[HKEY_CLASSES_ROOT\WOT.WOTBar]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-05-09 07:12 2050816]
"{71576546-354D-41C9-AAE8-31F2EC22BF0D}"= C:\Program Files\WOT\WOT.dll [2008-04-21 10:59 2249376]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CLASSES_ROOT\clsid\{71576546-354d-41c9-aae8-31f2ec22bf0d}]
[HKEY_CLASSES_ROOT\WOT.WOTBar.1]
[HKEY_CLASSES_ROOT\WOT.WOTBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 17:41 223984]
"Glary Memory Optimizer"="C:\Program Files\Glary Utilities\memdefrag.exe" [2007-05-22 11:16 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowIcon_JustRams_USB Product Driver v2.33r005"="C:\Program Files\USB Product Driver v2.33r005\shwicon.exe" [2005-04-22 11:11 81920]
"LXCECATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005-07-20 14:46 73728]
"EzPrint"="C:\Program Files\Lexmark 4300 Series\ezprint.exe" [2005-07-26 13:17 94208]
"Disk Monitor"="C:\Program Files\Generic\USB Card Reader Driver v1.9e3\Disk_Monitor.exe" [2003-06-18 10:57 466944]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-09 07:12 1177368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [ ]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shell executehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JPEG"= jpegCode.dll
"VIDC.MJPG"= jpegCode.dll
"MSVideo"= VfwECamC.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eqqthxgsz]
c:\windows\system32\eqqthxgsz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC-Checkup]
C:\Program Files\PC Check-up\PCCheckUp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-10 07:07 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Netcom3"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-09 07:12]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-09 07:12]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-09 07:12]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-09 07:13]
S1 SABKUTIL;SABKUTIL;C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABKUTIL.sys []
S3 CoachUsb;Dual Mode Digital Camera on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys []
S3 Dual Mode;Dual Mode Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys []
S3 iadusb;BT Voyager 205 ADSL Router;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2005-11-06 13:49]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 23:02:35
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\BRSS01A.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRAM FILES\AVG\AVG8\AVGTRAY.EXE
C:\WINDOWS\system32\lxcecoms.exe
.
**************************************************************************
.
Completion time: 2008-05-09 23:05:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-09 22:0 |