Cookiegal, need your help; lots of pop ups (HJT included)


inglej

Thread Starter
Joined
Jan 7, 2007
Messages
164
Pop ups coming up every 30 seconds to 1 minute. Here's the scan.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:39:59 PM, on 9/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\SAV\sav.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\a.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\c.exe
C:\Documents and Settings\Owner\Desktop\Virus stuff\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\SAV\sav.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Somefox] C:\DOCUME~1\Owner\LOCALS~1\Temp\a.exe
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\SAV\sav.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Jewel%20Quest%203/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Jewel%20Quest%203/Images/armhelper.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 7027 bytes
 

inglej

Cookiegal,

Great help before. Help needed again on a different computer. Here's the scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:12 AM, on 9/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\SAV\sav.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\a.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\c.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Virus stuff\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\SAV\sav.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Somefox] C:\DOCUME~1\Owner\LOCALS~1\Temp\a.exe
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\SAV\sav.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Jewel%20Quest%203/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Jewel%20Quest%203/Images/armhelper.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 7028 bytes
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
118,070
Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.
 

inglej

ComboFix 08-10-01.02 - Owner 2008-10-02 6:47:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.226 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\Virus stuff\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\SAV
C:\Program Files\SoftwareOnline
C:\Program Files\spamblockerutility
C:\Redemption.ECF

.
((((((((((((((((((((((((( Files Created from 2008-09-02 to 2008-10-02 )))))))))))))))))))))))))))))))
.

2008-09-19 14:35 . 2008-09-19 09:00 165,888 --a------ C:\WINDOWS\SYSTEM32\sav.cpl
2008-09-19 14:35 . 2008-09-19 14:35 125,956 --a------ C:\WINDOWS\SYSTEM32\msxml71.dll
2008-09-17 13:08 . 2008-09-17 13:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-01 20:08 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Google Updater
2008-09-26 00:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSN6
2008-09-19 21:39 --------- d-----w C:\Program Files\LimeWire
2008-08-19 04:27 --------- d-----w C:\Program Files\Microsoft.NET
2008-08-19 04:27 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-08-17 01:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-17 01:55 --------- d-----w C:\Program Files\D-Link
2008-08-09 16:32 --------- d-----w C:\Program Files\Moraff's Maximum MahJongg
2008-08-09 16:27 --------- d-----w C:\Program Files\AOL Games
2008-08-09 16:26 --------- d-----w C:\Program Files\iWin.com Games
2008-08-09 16:25 --------- d-----w C:\Program Files\HP
2008-08-09 16:19 --------- d-----w C:\Program Files\MasqueGames
2008-08-09 16:17 --------- d-----w C:\Program Files\eGames
2008-08-09 16:12 --------- d-----w C:\Program Files\Yahoo!
2008-08-09 16:12 --------- d-----w C:\Program Files\SuperslotsCasino
2008-08-09 16:12 --------- d-----w C:\Program Files\NoAdware3
2008-08-09 16:11 --------- d-----w C:\Program Files\Modem Helper
2008-08-09 16:11 --------- d-----w C:\Program Files\Mahjong Towers Eternity
2008-08-09 16:11 --------- d-----w C:\Program Files\GameSpy Arcade
2008-08-09 16:11 --------- d-----w C:\Program Files\Common Files\AOL
2008-08-09 16:10 --------- d-----w C:\Program Files\AOL Toolbar
2008-08-09 16:08 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL
2008-08-09 16:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2008-08-09 16:01 --------- d-----w C:\Documents and Settings\Diana King\Application Data\AOL
2008-08-09 15:55 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2007-02-13 22:13 3 ----a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\347hfs.dat
2005-07-09 03:15 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-07-31 4617720]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-22 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-10-02 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-10-02 118784]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 53248]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-10-06 118784]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-06-10 196608]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-08 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-06-27 180269]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-02 29744]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 C:\WINDOWS\BCMSMMSG.exe]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-12-26 125624]
Wireless Connection Manager.lnk - C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe [2008-08-16 14020608]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Dell Computer\\Dell Picture Studio v2.0\\launch.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-02 29744]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f614f82-6da8-11dd-9355-001b1159d421}]
\Shell\AutoRun\command - F:\setupSNK.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Sonic RecordNow! - (no file)
HKLM-Run-Antivirus - C:\Program Files\SAV\sav.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &AOL Toolbar search - C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 -: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 -: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 -: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 -: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Jewel%20Quest%203/Images/stg_drm.ocx
C:\WINDOWS\Downloaded Program Files\stg_drm.ocx

O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Jewel%20Quest%203/Images/armhelper.ocx
C:\WINDOWS\Downloaded Program Files\armhelper.ocx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-02 06:53:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-10-02 6:58:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-02 13:58:10

Pre-Run: 64,053,207,040 bytes free
Post-Run: 64,465,625,088 bytes free

129 --- E O F --- 2008-09-10 10:02:07
 

inglej

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:33 AM, on 10/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Virus stuff\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Jewel%20Quest%203/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Jewel%20Quest%203/Images/armhelper.ocx
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 6244 bytes
 

Cookiegal

Open Notepad and copy and paste the text in the code box below into it:

Code:
http://forums.techguy.org/malware-removal-hijackthis-logs/753879-cookiegal-need-your-help-lots.html#post6171511

Collect::
C:\WINDOWS\SYSTEM32\sav.cpl
C:\WINDOWS\SYSTEM32\msxml71.dll

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.




This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.



Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have Java then you will need to go to the following link and download the latest version (it's the fifth one down the list):

Java Runtime Environment (JRE) 6 Update 7


Instructions for Kaspersky scan:

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
 

inglej

ComboFix is too long. Here's the HJT. Also, I'm not able to save the Kaspersky scan as a .txt.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:56:18 PM, on 10/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\Virus stuff\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Jewel%20Quest%203/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Jewel%20Quest%203/Images/armhelper.ocx
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6887 bytes
 

inglej

Cookiegal, this thread is still good. Two different computers with different problems. Still working the issue on this thread.
 

Cookiegal

Sorry, I don't know what happened.

Please upload the ComboFix log as an attachment.

What do you mean you can't save Kaspersky as a text file? It gives you that option at the end of the scan.
 

inglej

Cookiegal, the ComboFix scan is attached.

Regarding the Kasperky (sp?) Scan, when I conducted the scan, it didn't give me the option to save it as a .txt. The only option I had was to save it as an html. I'll run the scan again and see if I get a different result and keep you posted.
 


inglej

Cookiegal,

here's the Kaspersky Scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, November 5, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, November 04, 2008 19:09:24
Records in database: 1369646
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 102723
Threat name: 44
Infected objects: 104
Suspicious objects: 0
Duration of the scan: 02:18:07


File name / Threat name / Threats count
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FC00000.VBN Infected: Trojan.Win32.Small.cy 1
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FC00001.VBN Infected: Trojan.Win32.Small.cy 1
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FC00002.VBN Infected: Trojan.Win32.Agent.aezk 1
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FC00002.VBN Infected: not-a-virus:FraudTool.Win32.UltimateAntivirus.cc 1
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FC00003.VBN Infected: Trojan.Win32.Agent.aezk 1
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FC00003.VBN Infected: not-a-virus:FraudTool.Win32.UltimateAntivirus.cc 1
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FC00004.VBN Infected: not-a-virus:FraudTool.Win32.UltimateAntivirus.cc 1
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FC00005.VBN Infected: not-a-virus:FraudTool.Win32.UltimateAntivirus.cc 1
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FC00006.VBN Infected: Trojan.Win32.Small.cy 1
C:\Documents and Settings\Owner\Application Data\BFGTOOLBAR\bfgtoolbarDLL.zip Infected: not-a-virus:AdWare.Win32.MegaSearch.u 1
C:\Program Files\AOL Toolbar\AOLToolbarSetup.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\Program Files\GameFiesta\Toolbar\gf-toolbar.dll Infected: not-a-virus:AdWare.Win32.Eztracks.a 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\00910266.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\01502A45.exe Infected: Packed.Win32.PolyCrypt.d 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\01B6204D.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\07B25461.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\09751C1C.exe Infected: Trojan.Win32.Stervis.c 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0CE06644.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0D475C4B.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0ED2265D.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\11841631.exe Infected: not-a-virus:AdWare.Win32.Lop.l 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\16016E3D.exe Infected: not-a-virus:AdWare.Win32.Lop.l 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\18D7184A.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1D134A55.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\20EB6F8E.dll Infected: not-a-virus:AdWare.Win32.Sahat.w 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\20FC0A21.dll Infected: Trojan-Downloader.Win32.Dyfuca.gen 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\24331C51.exe Infected: Packed.Win32.PolyCrypt.d 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\24675449.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\28DC11BC.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2A2E79A5.dll Infected: not-a-virus:AdWare.Win32.Sahat.w 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2FF81047.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\305E064F.exe Infected: Packed.Win32.PolyCrypt.d 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\33C3499D.zip Infected: Exploit.Java.ByteVerify 2
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\33C3499D.zip Infected: Trojan-Downloader.Java.OpenConnection.aa 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3B884C46.dll Infected: not-a-virus:AdWare.Win32.ClearSearch.z 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3B884C46.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.ac 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3BEE424E.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\47180845.exe Infected: not-a-virus:AdWare.Win32.Lop.l 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\477E7E4C.exe Infected: Trojan-Downloader.Win32.Intexp.e 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4EEC22B0.DLL Infected: not-a-virus:AdWare.Win32.ClearSearch.ah 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4EEC22B0.exe Infected: Packed.Win32.PolyCrypt.d 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4EEF4CAD.exe Infected: Trojan-Downloader.Win32.Dyfuca.dp 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4EF276A9.DLL Infected: not-a-virus:AdWare.Win32.ClearSearch.ae 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4EF620A5.DLL Infected: not-a-virus:AdWare.Win32.ClearSearch.ah 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4EF620A5.exe Infected: Packed.Win32.PolyCrypt.d 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4EF94AA2.dll Infected: not-a-virus:AdWare.Win32.WinAD.be 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4EF94AA2.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.b 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4EFC749E.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.l 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4F107089.exe Infected: Trojan.Win32.Small.cy 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4F131A85.exe Infected: not-a-virus:AdWare.Win32.ImiBar.d 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4F164481.dll Infected: Trojan-Downloader.Win32.Dyfuca.dt 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4F3D7A1C.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.j 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4FA37023.exe Infected: not-a-virus:AdWare.Win32.BetterInternet 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\525B4581.exe Infected: not-a-virus:Downloader.Win32.Agent.c 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\52A94443.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\530F3A4B.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\553B2ECB.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.aj 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\553F58C8.DLL Infected: not-a-virus:AdWare.Win32.ClearSearch.ah 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\553F58C8.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\554202C4.exe Infected: Packed.Win32.PolyCrypt.d 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\55452CC1.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\554856BD.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\554C00B9.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\554F2AB6.DLL Infected: not-a-virus:AdWare.Win32.ClearSearch.ae 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\554F2AB6.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\555254B2.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\55557EAF.DLL Infected: not-a-virus:AdWare.Win32.ClearSearch.y 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\55557EAF.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\55557EAF.tmp Infected: not-a-virus:AdWare.Win32.ClearSearch.y 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\555928AB.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\555C52A7.DLL Infected: not-a-virus:AdWare.Win32.ClearSearch.ah 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\555C52A7.exe Infected: Packed.Win32.PolyCrypt.d 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\555F7CA4.exe Infected: Packed.Win32.PolyCrypt.d 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\556226A0.exe Infected: Trojan-Downloader.Win32.Swizzor.fg 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5566509D.dll Infected: not-a-virus:AdWare.Win32.ClearSearch.y 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5566509D.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.aa 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\55697A99.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.aj 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\556C2495.exe Infected: Packed.Win32.PolyCrypt.d 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\55704E92.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5573788E.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\56754401.zip Infected: Exploit.Java.ByteVerify 2
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\56754401.zip Infected: Trojan-Downloader.Java.OpenConnection.aa 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\577164EC.zip Infected: Exploit.Java.ByteVerify 2
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\577164EC.zip Infected: Trojan-Downloader.Java.OpenConnection.aa 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5847730F.exe Infected: Trojan-Downloader.Win32.Swizzor.fg 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\658155CA.exe Infected: Trojan.Win32.Agent.ay 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6A2F3248.exe Infected: Packed.Win32.PolyCrypt.d 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\74C83AFE.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\75C06E47.exe Infected: not-a-virus:AdWare.Win32.Lop.bb 1
C:\Program Files\SBITPlugin\120108.exe Infected: Trojan-Downloader.Win32.Tibsem.b 1
C:\Program Files\Zango Games\Wind Words\ZangoInstaller.exe Infected: not-a-virus:AdWare.Win32.180Solutions.k 1
C:\System Volume Information\_restore{BB7D5D5B-4491-4596-8BA8-CFA10895B505}\RP669\A0070285.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.u 1
C:\System Volume Information\_restore{BB7D5D5B-4491-4596-8BA8-CFA10895B505}\RP674\A0071333.dll Infected: not-a-virus:AdWare.Win32.AdMedia.g 1
C:\System Volume Information\_restore{BB7D5D5B-4491-4596-8BA8-CFA10895B505}\RP687\A0071948.exe Infected: not-a-virus:FraudTool.Win32.SystemAntivirus.a 1
C:\System Volume Information\_restore{BB7D5D5B-4491-4596-8BA8-CFA10895B505}\RP687\A0071953.dll Infected: not-a-virus:AdWare.Win32.HotBar.an 1
C:\System Volume Information\_restore{BB7D5D5B-4491-4596-8BA8-CFA10895B505}\RP687\A0071955.dll Infected: not-a-virus:AdWare.Win32.HotBar.ar 1
C:\System Volume Information\_restore{BB7D5D5B-4491-4596-8BA8-CFA10895B505}\RP687\A0071956.dll Infected: not-a-virus:AdWare.Win32.HotBar.be 1
C:\System Volume Information\_restore{BB7D5D5B-4491-4596-8BA8-CFA10895B505}\RP687\A0071959.exe Infected: not-a-virus:AdWare.Win32.Shopper.c 1
C:\System Volume Information\_restore{BB7D5D5B-4491-4596-8BA8-CFA10895B505}\RP687\A0071960.exe Infected: not-a-virus:AdWare.Win32.HotBar.bg 1
C:\System Volume Information\_restore{BB7D5D5B-4491-4596-8BA8-CFA10895B505}\RP687\A0071966.dll Infected: not-a-virus:AdWare.Win32.Hotbar.an 1
C:\System Volume Information\_restore{BB7D5D5B-4491-4596-8BA8-CFA10895B505}\RP687\A0071969.exe Infected: not-a-virus:Downloader.Win32.ImLoader.b 1

The selected area was scanned.
 

Cookiegal

Open Notepad and copy and paste the text in the code box below into it:

Code:
File::
C:\Documents and Settings\Owner\Application Data\BFGTOOLBAR\bfgtoolbarDLL.zip

Folder::
C:\Program Files\GameFiesta
C:\Program Files\SBITPlugin
C:\Program Files\Zango Games

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.




This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
 

Cookiegal

Open Notepad and copy and paste the text in the code box below into it:

Code:
File::
c:\windows\VPC32.INI

Folder::
c:\documents and settings\Owner\Application Data\BFGTOOLBAR

DirLook::
c:\program files\Axxrpw

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.




This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
 