Slow Running Computer & Possible Virus (In Progress)

krh977
Member with 57 posts.
 
Join Date: Oct 2009
Experience: basic knowledge
30-Jan-2010, 04:22 PM #1
Slow Running Computer & Possible Virus
E Machines computer running Windows XP.
Possible virus; also, startup is slow.
HJT Included


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:21 PM, on 1/30/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\XoftSpySE6\XoftSpySE.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cleanmgr.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: &Security Update - {C73FD00D-A099-405C-92B4-8997710D187D} - C:\WINDOWS\system32\win32extension.dll (file missing)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [XoftSpySE] "C:\Program Files\XoftSpySE6\XoftSpySE.exe" -NM -hidesplash
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZJfox000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Cathy\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
O23 - Service: XoftSpyService - ParetoLogic Inc. - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 10819 bytes
eddie5659
Moderator & Malware Removal Specialist with 25,165 posts.
 
Join Date: Mar 2001
Location: Bradford, England
06-Feb-2010, 09:34 AM #2
Hiya

Are you still having this problem? If so, do the following:


Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.



Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.






Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.


Please include the MBAM log, SAS log, Results.log and a fresh HijackThis log in your next reply

Regards

eddie
__________________
Just go with the flow, like a twig on the shoulders of a mighty stream

Proud Member of ASAP, Alliance of Security Analysis Professionals
krh977
Member with 57 posts.
 
Join Date: Oct 2009
Experience: basic knowledge
07-Feb-2010, 05:08 PM #3
Thanks for all your help. I followed your directions completely. Included in this post are the logs that you asked for.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 02/06/2010 at 05:16 PM
Application Version : 4.33.1000
Core Rules Database Version : 4561
Trace Rules Database Version: 2373
Scan type : Complete Scan
Total Scan Time : 01:07:48
Memory items scanned : 563
Memory threats detected : 0
Registry items scanned : 5080
Registry threats detected : 1
File items scanned : 49773
File threats detected : 267
Adware.Tracking Cookie
C:\Documents and Settings\Cathy\Cookies\cathy@e-2dj6wmmiukdjweq.stats.esomniture[1].txt
C:\Documents and Settings\Cathy\Cookies\cathy@e-2dj6wjnywidpieq.stats.esomniture[2].txt
C:\Documents and Settings\Cathy\Cookies\cathy@e-2dj6wjkygjajklq.stats.esomniture[2].txt
C:\Documents and Settings\Cathy\Cookies\cathy@pgcom.adbureau[2].txt
.imrworldwide.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\4uoylbub.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\4uoylbub.default\cookies.txt ]
.ehg-dig.hitbox.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\4uoylbub.default\cookies.txt ]
.ehg-dig.hitbox.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\4uoylbub.default\cookies.txt ]
.ehg-dig.hitbox.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\4uoylbub.default\cookies.txt ]
.ehg-dig.hitbox.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\4uoylbub.default\cookies.txt ]
.ehg-dig.hitbox.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\4uoylbub.default\cookies.txt ]
.ehg-dig.hitbox.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\4uoylbub.default\cookies.txt ]
.ehg-dig.hitbox.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\4uoylbub.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
.nextag.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
.nextag.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
.nextag.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
.nextag.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
ads.bridgetrack.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
.apmebf.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
.statcounter.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
.avgtechnologies.112.2o7.net [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
.ehg-lexmark.hitbox.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
citi.bridgetrack.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
citi.bridgetrack.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
citi.bridgetrack.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
.atwola.com [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
.yieldmanager.net [ C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\cookies.txt ]
Adware.MyWebSearch/FunWebProducts
HKU\S-1-5-21-3757229995-706513020-917345004-1005\SOFTWARE\FunWebProducts
krh977
07-Feb-2010, 05:09 PM #4
Here is the results log.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-07 15:57:42
Windows 5.1.2600 Service Pack 3
Running: w6oxvyfg.exe; Driver: C:\DOCUME~1\Cathy\LOCALS~1\Temp\fwdoqpob.sys

---- System - GMER 1.0.15 ----
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEEFB90B0]
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!_abnormal_termination + 451 804E2AAD 3 Bytes [90, FB, EE] {NOP ; STI ; OUT DX, AL }
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[120] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2156E9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[120] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED964 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[120] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E43AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[120] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E42E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[120] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E434C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[120] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E41B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[120] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[120] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[120] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[868] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2156E9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[868] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AD5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[868] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD189 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[868] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED964 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[868] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2548CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[868] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E43AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[868] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E42E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[868] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E434C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[868] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E41B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[868] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[868] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[868] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[868] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED9C0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[868] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4717 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Internet Explorer\iexplore.exe[868] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6113A3BF] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61138FE2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61138F66] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61138FA4] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6113A3BF] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [611390DD] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61138FA4] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [61138FE2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [611390A5] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4052] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61138F66] C:\Program Files\Yahoo!\Messenger\yui.dll
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- EOF - GMER 1.0.15 ----
krh977
07-Feb-2010, 05:10 PM #5
Here is the mbam log.

Malwarebytes' Anti-Malware 1.44
Database version: 3697
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
2/6/2010 3:52:23 PM
mbam-log-2010-02-06 (15-52-23).txt
Scan type: Quick Scan
Objects scanned: 109089
Time elapsed: 7 minute(s), 48 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 20
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 15
Files Infected: 17
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PersonalSec (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servises (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\Cathy\Application Data\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cathy\Application Data\FunWebProducts\Data (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cathy\Application Data\FunWebProducts\Data\Cathy (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Anti-Virus Elite (Rogue.AntiVirusElite) -> Quarantined and deleted successfully.
C:\Program Files\PersonalSec (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\PersonalSec (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\PersonalSecUninstall (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\Cathy\Application Data\FunWebProducts\Data\Cathy\avatar.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cathy\Application Data\FunWebProducts\Data\Cathy\zbucks.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History\search2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\settings.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Anti-Virus Elite\noadware4_110909.na (Rogue.AntiVirusElite) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\PersonalSec\Computer Scan.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\PersonalSec\Help.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\PersonalSec\Personal Security.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\PersonalSec\Registration.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\PersonalSec\Security Center.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\PersonalSec\Settings.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\PersonalSec\Update.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\PersonalSecUninstall\Uninstall.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cathy\Desktop\Personal Security.lnk (Rogue.PSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cathy\Application Data\Microsoft\Internet Explorer\Quick Launch\PersonalSec.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.
krh977
07-Feb-2010, 05:11 PM #6
Here is a new hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:10:54 PM, on 2/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\XoftSpySE6\XoftSpySE.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: &Security Update - {C73FD00D-A099-405C-92B4-8997710D187D} - C:\WINDOWS\system32\win32extension.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [XoftSpySE] "C:\Program Files\XoftSpySE6\XoftSpySE.exe" -NM -hidesplash
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Cathy\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
O23 - Service: XoftSpyService - ParetoLogic Inc. - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 11340 bytes
eddie5659's Avatar
Moderator & Malware Removal Specialist with 25,165 posts.
 
Join Date: Mar 2001
Location: Bradford, England
08-Feb-2010, 03:31 PM #7
Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

eddie
__________________
Just go with the flow, like a twig on the shoulders of a mighty stream

Proud Member of ASAP, Alliance of Security Analysis Professionals
krh977's Avatar
Member with 57 posts.
 
Join Date: Oct 2009
Experience: basic knowledge
09-Feb-2010, 10:17 PM #8
Thank you for your help, Eddie. I have included the log file that you asked for. I couldn't figure out how to disable the AVG anti-virus program. I hope that wasn't a problem. Thanks again for your time, and I will be awaiting your next instruction.


ComboFix 10-02-09.03 - Cathy 02/09/2010 20:51:48.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.266 [GMT -5:00]
Running from: c:\documents and settings\Cathy\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-1558308743-2572520074-3164741993-1003
c:\recycler\S-1-5-21-1644491937-1979792683-725345543-1003
c:\recycler\S-1-5-21-1806513721-589375880-1920869270-1003
c:\recycler\S-1-5-21-228031753-2221876756-743715841-1003
c:\recycler\S-1-5-21-2698086840-2116681909-271717246-1003
c:\recycler\S-1-5-21-30474423-3009294701-1339401368-1003
c:\recycler\S-1-5-21-3436189223-726990764-4069274231-1003
c:\windows\system32\Thumbs.db
.
((((((((((((((((((((((((( Files Created from 2010-01-10 to 2010-02-10 )))))))))))))))))))))))))))))))
.
2010-02-09 23:53 . 2010-02-09 23:53 -------- d-----w- c:\windows\LastGood
2010-02-07 02:11 . 2010-02-07 02:11 293376 ----a-w- C:\w6oxvyfg.exe
2010-02-06 21:03 . 2010-02-06 21:03 52224 ----a-w- c:\documents and settings\Cathy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-06 21:03 . 2010-02-06 21:03 117760 ----a-w- c:\documents and settings\Cathy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-06 21:03 . 2010-02-06 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-06 21:02 . 2010-02-06 21:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-06 21:02 . 2010-02-06 21:02 -------- d-----w- c:\documents and settings\Cathy\Application Data\SUPERAntiSpyware.com
2010-02-06 21:01 . 2010-02-06 21:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-06 20:42 . 2010-02-06 20:42 -------- d-----w- c:\documents and settings\Cathy\Application Data\Malwarebytes
2010-02-06 20:41 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-06 20:41 . 2010-02-06 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-06 20:41 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-06 20:41 . 2010-02-06 20:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-31 00:55 . 2010-02-09 23:59 -------- d-----w- c:\documents and settings\Cathy\Application Data\LimeWire
2010-01-31 00:54 . 2010-01-31 00:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-31 00:54 . 2010-01-31 00:54 152576 ----a-w- c:\documents and settings\Cathy\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-01-31 00:53 . 2010-01-31 00:55 -------- d-----w- c:\program files\LimeWire
2010-01-30 20:47 . 2010-01-30 20:47 -------- d-----w- c:\program files\Windows Media Connect 2
2010-01-30 20:39 . 2010-01-30 20:43 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-01-30 20:39 . 2010-01-30 20:39 -------- d-----w- c:\windows\system32\LogFiles
2010-01-30 20:12 . 2010-01-30 20:12 -------- d-----w- c:\program files\Trend Micro
2010-01-27 00:03 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-24 20:23 . 2010-01-24 20:23 -------- d-sh--w- c:\documents and settings\Cathy\IECompatCache
2010-01-11 21:48 . 2010-01-11 21:48 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-01-11 21:48 . 2010-01-11 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-01-11 21:48 . 2010-01-11 21:48 -------- d-----w- c:\program files\Common Files\XoftSpySE
2010-01-11 21:48 . 2010-01-11 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2010-01-11 21:48 . 2010-01-24 20:04 -------- d-----w- c:\program files\XoftSpySE6
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-31 00:54 . 2005-10-03 00:19 -------- d-----w- c:\program files\Java
2010-01-31 00:47 . 2009-12-13 23:02 -------- d-----w- c:\program files\Norton Security Scan
2010-01-31 00:47 . 2009-11-10 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-01-31 00:47 . 2003-02-11 21:39 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-24 20:04 . 2005-09-05 00:16 -------- d-----w- c:\documents and settings\Cathy\Application Data\Lavasoft
2010-01-11 21:48 . 2005-07-24 00:44 24128 ----a-w- c:\documents and settings\Cathy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-25 18:46 . 2007-05-07 01:26 -------- d-----w- c:\program files\Apple Software Update
2009-12-21 19:14 . 2005-04-27 14:54 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-13 23:02 . 2009-11-10 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-12-12 04:57 . 2009-12-12 04:57 -------- d-----w- c:\program files\MSBuild
2009-12-12 04:57 . 2009-12-12 04:57 -------- d-----w- c:\program files\Reference Assemblies
2009-11-26 03:13 . 2009-11-26 03:13 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-26 03:13 . 2009-11-26 03:13 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-26 03:12 . 2009-11-26 03:12 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-26 03:12 . 2009-11-26 03:12 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-21 15:51 . 2003-02-11 19:28 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-12 03:33 . 2009-11-12 03:35 774144 -c--a-w- c:\program files\RngInterstitial.dll
2009-11-09 04:16 . 2009-11-09 04:16 60516 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-11-09 04:16 . 2009-11-09 04:16 49246 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-11-09 04:16 . 2009-11-09 04:16 165990 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-07-13 28739]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-10 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-10-16 155648]
"CHotkey"="mHotkey.exe" [2002-07-23 477184]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2003-02-11 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-04-27 257088]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-11-10 122880]
"XoftSpySE"="c:\program files\XoftSpySE6\XoftSpySE.exe" [2009-10-23 4854040]
"LXSUPMON"="c:\windows\system32\LXSUPMON.EXE" [2002-01-28 885760]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-10-16 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-31 149280]
c:\documents and settings\Cathy\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-12-16 503808]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2003-2-11 1730096]
Kodak EasyShare software.lnk - c:\program files\KODAK\Kodak EasyShare software\bin\EasyShare.exe [2002-9-16 299008]
KODAK Software Updater.lnk - c:\program files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2002-3-13 16384]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-26 03:13 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/25/2009 10:12 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/25/2009 10:13 PM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [11/25/2009 10:12 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/25/2009 10:12 PM 285392]
R2 BjsPort;Canon BJ Scanner Port Driver;c:\windows\system32\drivers\BjsPort.sys [11/30/2009 4:59 PM 14656]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S3 Belkin Belkin 11Mbps Wireless USB Network Adapter(R);Belkin Belkin 11Mbps Wireless USB Network Adapter(R) Service for Belkin 11Mbps Wireless USB Network Adapter;c:\windows\system32\DRIVERS\bkusbxp.sys --> c:\windows\system32\DRIVERS\bkusbxp.sys [?]
S3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [10/23/2009 4:58 PM 582424]
.
Contents of the 'Scheduled Tasks' folder
2010-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 19:42]
2010-02-07 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\1.2.0.3\DriverRobot.exe [2009-11-29 20:20]
2010-02-08 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-23 21:58]
2010-01-11 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-23 21:58]
2010-02-07 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE6\XoftSpySELauncher.exe [2009-10-23 21:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
uLocal Page = \blank.htm
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Search
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Cathy\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.
- - - - ORPHANS REMOVED - - - -
BHO-{C73FD00D-A099-405C-92B4-8997710D187D} - c:\windows\system32\win32extension.dll

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-09 21:04
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(500)
c:\windows\system32\GTGina.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-02-09 21:09:24
ComboFix-quarantined-files.txt 2010-02-10 02:09
Pre-Run: 68,523,851,776 bytes free
Post-Run: 68,853,256,192 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
- - End Of File - - 337D48EE7B9838AACEC5E0E7B27189E3
eddie5659's Avatar
Moderator & Malware Removal Specialist with 25,165 posts.
 
Join Date: Mar 2001
Location: Bradford, England
10-Feb-2010, 03:53 PM #9
For AVG, have a look here:

http://www.bleepingcomputer.com/forums/topic114351.html

At the very top of the list are the AVG's

Then, can you go to Control Panel | AddRemove, and uninstall this:

Viewpoint

Then, do the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post, and if you are using Internet Explorer, when the "File download" pop-up comes, press SAVE, choose Desktop in the list of selections in that window, and press Save).



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

eddie
krh977's Avatar
Member with 57 posts.
 
Join Date: Oct 2009
Experience: basic knowledge
10-Feb-2010, 08:21 PM #10
Here is the new post with the AVG disabled. I also removed the Viewpoint like you asked.


ComboFix 10-02-10.01 - Cathy 02/10/2010 18:41:19.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.148 [GMT -5:00]
Running from: c:\documents and settings\Cathy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cathy\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((( Files Created from 2010-01-10 to 2010-02-10 )))))))))))))))))))))))))))))))
.
2010-02-07 02:11 . 2010-02-07 02:11 293376 ----a-w- C:\w6oxvyfg.exe
2010-02-06 21:03 . 2010-02-06 21:03 52224 ----a-w- c:\documents and settings\Cathy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-06 21:03 . 2010-02-06 21:03 117760 ----a-w- c:\documents and settings\Cathy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-06 21:03 . 2010-02-06 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-06 21:02 . 2010-02-06 21:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-06 21:02 . 2010-02-06 21:02 -------- d-----w- c:\documents and settings\Cathy\Application Data\SUPERAntiSpyware.com
2010-02-06 21:01 . 2010-02-06 21:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-06 20:42 . 2010-02-06 20:42 -------- d-----w- c:\documents and settings\Cathy\Application Data\Malwarebytes
2010-02-06 20:41 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-06 20:41 . 2010-02-06 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-06 20:41 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-06 20:41 . 2010-02-06 20:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-31 00:55 . 2010-02-10 22:56 -------- d-----w- c:\documents and settings\Cathy\Application Data\LimeWire
2010-01-31 00:54 . 2010-01-31 00:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-31 00:54 . 2010-01-31 00:54 152576 ----a-w- c:\documents and settings\Cathy\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-01-31 00:53 . 2010-01-31 00:55 -------- d-----w- c:\program files\LimeWire
2010-01-30 20:47 . 2010-01-30 20:47 -------- d-----w- c:\program files\Windows Media Connect 2
2010-01-30 20:39 . 2010-01-30 20:43 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-01-30 20:39 . 2010-01-30 20:39 -------- d-----w- c:\windows\system32\LogFiles
2010-01-30 20:12 . 2010-01-30 20:12 -------- d-----w- c:\program files\Trend Micro
2010-01-27 00:03 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-24 20:23 . 2010-01-24 20:23 -------- d-sh--w- c:\documents and settings\Cathy\IECompatCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-31 00:54 . 2005-10-03 00:19 -------- d-----w- c:\program files\Java
2010-01-31 00:47 . 2009-12-13 23:02 -------- d-----w- c:\program files\Norton Security Scan
2010-01-31 00:47 . 2009-11-10 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-01-31 00:47 . 2003-02-11 21:39 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-24 20:04 . 2005-09-05 00:16 -------- d-----w- c:\documents and settings\Cathy\Application Data\Lavasoft
2010-01-24 20:04 . 2010-01-11 21:48 -------- d-----w- c:\program files\XoftSpySE6
2010-01-11 21:48 . 2010-01-11 21:48 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-01-11 21:48 . 2010-01-11 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-01-11 21:48 . 2010-01-11 21:48 -------- d-----w- c:\program files\Common Files\XoftSpySE
2010-01-11 21:48 . 2010-01-11 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2010-01-11 21:48 . 2005-07-24 00:44 24128 ----a-w- c:\documents and settings\Cathy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-31 16:50 . 2003-02-11 19:29 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-25 18:46 . 2007-05-07 01:26 -------- d-----w- c:\program files\Apple Software Update
2009-12-21 19:14 . 2005-04-27 14:54 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2003-02-11 20:42 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2003-02-11 19:28 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-13 23:02 . 2009-11-10 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-12-08 19:27 . 2003-02-11 19:29 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 01:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2003-02-11 19:29 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2003-02-11 21:42 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11 . 2003-02-11 21:42 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07 . 2003-02-11 19:29 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2003-02-11 19:29 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2003-02-11 19:28 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2001-08-17 22:36 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-26 03:13 . 2009-11-26 03:13 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-26 03:13 . 2009-11-26 03:13 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-26 03:12 . 2009-11-26 03:12 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-26 03:12 . 2009-11-26 03:12 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-21 15:51 . 2003-02-11 19:28 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-12 03:33 . 2009-11-12 03:35 774144 -c--a-w- c:\program files\RngInterstitial.dll
2009-11-09 04:16 . 2009-11-09 04:16 60516 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-11-09 04:16 . 2009-11-09 04:16 49246 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-11-09 04:16 . 2009-11-09 04:16 165990 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-07-13 28739]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-10 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-10-16 155648]
"CHotkey"="mHotkey.exe" [2002-07-23 477184]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2003-02-11 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-04-27 257088]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-11-10 122880]
"XoftSpySE"="c:\program files\XoftSpySE6\XoftSpySE.exe" [2009-10-23 4854040]
"LXSUPMON"="c:\windows\system32\LXSUPMON.EXE" [2002-01-28 885760]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-10-16 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-31 149280]
c:\documents and settings\Cathy\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-12-16 503808]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2003-2-11 1730096]
Kodak EasyShare software.lnk - c:\program files\KODAK\Kodak EasyShare software\bin\EasyShare.exe [2002-9-16 299008]
KODAK Software Updater.lnk - c:\program files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2002-3-13 16384]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-26 03:13 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/25/2009 10:12 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/25/2009 10:13 PM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [11/25/2009 10:12 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/25/2009 10:12 PM 285392]
R2 BjsPort;Canon BJ Scanner Port Driver;c:\windows\system32\drivers\BjsPort.sys [11/30/2009 4:59 PM 14656]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
R3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [10/23/2009 4:58 PM 582424]
S3 Belkin Belkin 11Mbps Wireless USB Network Adapter(R);Belkin Belkin 11Mbps Wireless USB Network Adapter(R) Service for Belkin 11Mbps Wireless USB Network Adapter;c:\windows\system32\DRIVERS\bkusbxp.sys --> c:\windows\system32\DRIVERS\bkusbxp.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2010-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 19:42]
2010-02-07 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\1.2.0.3\DriverRobot.exe [2009-11-29 20:20]
2010-02-10 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-23 21:58]
2010-01-11 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-23 21:58]
2010-02-07 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE6\XoftSpySELauncher.exe [2009-10-23 21:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
uLocal Page = \blank.htm
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Search
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Cathy\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Cathy\Application Data\Mozilla\Firefox\Profiles\9401zx0g.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-10 18:52
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(508)
c:\windows\system32\GTGina.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(2448)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-10 18:58:48
ComboFix-quarantined-files.txt 2010-02-10 23:58
ComboFix2.txt 2010-02-10 02:09
Pre-Run: 68,769,267,712 bytes free
Post-Run: 68,776,022,016 bytes free
- - End Of File - - 789D5F44B99476FA452445B589282788
eddie5659's Avatar
Computer Specs
Moderator & Malware Removal Specialist with 25,165 posts.
 
Join Date: Mar 2001
Location: Bradford, England
11-Feb-2010, 03:11 PM #11
Thanks, it's just that sometimes having them running can cause problems with removal of malware.
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

eddie
__________________
Just go with the flow, like a twig on the shoulders of a mighty stream

Proud Member of ASAP, Alliance of Security Analysis Professionals
krh977's Avatar
Member with 57 posts.
 
Join Date: Oct 2009
Experience: basic knowledge
11-Feb-2010, 10:01 PM #12
Here is the OTL log first. I had to attach it because it was too long. Hope that's not a problem.
krh977's Avatar
Member with 57 posts.
 
Join Date: Oct 2009
Experience: basic knowledge
11-Feb-2010, 10:03 PM #13
Here is the Extras log file you asked for, which I also sent as an attachment.
eddie5659's Avatar
Computer Specs
Moderator & Malware Removal Specialist with 25,165 posts.
 
Join Date: Mar 2001
Location: Bradford, England
12-Feb-2010, 10:29 PM #14
It's not a problem.

Download RootRepeal from one of the following locations and save it to your desktop:
  • Double click to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, click the button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
Click on the Go Advanced button for the uploading options at the bottom of this page (in the picture below).

  • In there, at the bottom, click on the button Manage Attachments (in the picture below).
  • A window will appear, and then Browse to RootRepeal.txt on your Desktop.
  • Click Upload, and when uploaded click Close this Window
  • Then, in the previous window, click on Add Reply

__________________
Just go with the flow, like a twig on the shoulders of a mighty stream

Proud Member of ASAP, Alliance of Security Analysis Professionals
krh977's Avatar
Member with 57 posts.
 
Join Date: Oct 2009
Experience: basic knowledge
13-Mar-2010, 09:41 PM #15
Sorry about the delay; here is the logfile included in my post. I have also just run into a Facebook virus and am not sure what to do about that. Thanks for your help in advance, and again, sorry about the delay.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/03/13 18:49
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xED85B000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8BF5000 Size: 8192 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEBD8F000 Size: 49152 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: c:\$avg\$chjw\047c1149-ec91-4b33-8678-526478d2b527
Status: Size mismatch (API: 1069692, Raw: 1062452)
Path: c:\$avg\$chjw\8324abc4-9a25-4abb-bbf5-435461f0d26d
Status: Size mismatch (API: 634340, Raw: 628940)
Path: C:\Documents and Settings\Cathy\Local Settings\Temp\JET4E59.tmp
Status: Invisible to the Windows API!
Path: c:\documents and settings\cathy\local settings\temp\~dfbbae.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)
Path: c:\documents and settings\cathy\local settings\temp\~dfc722.tmp
Status: Allocation size mismatch (API: 81920, Raw: 16384)
Path: C:\Documents and Settings\Cathy\Local Settings\Temporary Internet Files\Content.IE5\XPUFARWL\drugndrop[1].js
Status: Visible to the Windows API, but not on disk.
SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xee6a9320
==EOF==
All times are GMT -4. The time now is 10:20 PM.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.