Hijaced to the point of unuseable

Question

Silverlobo 0 Newbie Poster

16 Years Ago

My wife's computerhas been hijacked and is now almost unuseable with the pop-ups and pop-unders. With the system idle and no browser running, 39 seperate bvrowser widows opened today. I can't even type a complete sentence here with out another window opening. It gets so bad that all the icons disappear from the desk top and the task bar disappears also and the only thing that will bring it back is a system restart.

Installed and ran AVG-AS and have run Webroot Spysweeper. AVG-as finds C:\\Windods\system32\nhakucda.exe on each restart and after selecting"Clean and Quarrntine", it commends a system restart endless loop).

Here's my reports:

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:56:36 PM 12/10/2007

+ Scan result:

C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP1230\A0129370.dll -> Adware.BHO : Cleaned.
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj -> Adware.CoolWebSearch : Cleaned.
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1 -> Adware.CoolWebSearch : Cleaned.
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer -> Adware.CoolWebSearch : Cleaned.
HKU\S-1-5-21-3374215969-839003739-643761851-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{5BED3930-2E9E-76D8-BACC-80DF2188D455} -> Adware.CouponBar : Cleaned.
C:\WINDOWS\CouponBarIE.dll -> Adware.Coupons : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Local Settings\Temp\T0CHD001.exe -> Not-A-Virus.Adware.ZenoSearch : Cleaned.
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP1230\A0128423.exe -> Not-A-Virus.Adware.ZenoSearch : Cleaned.
C:\WINDOWS\system32\dwdsrngt.exe -> Not-A-Virus.Adware.ZenoSearch : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Local Settings\Temp\Temporary Internet Files\Content.IE5\8PE741E3\script-2[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned.
:mozilla.23:C:\Documents and Settings\Elizabeth Rodgers\Application Data\Mozilla\Firefox\Profiles\zkddadqq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Local Settings\Temp\Cookies\elizabeth [email]rodgers@2o7[2].txt[/email] -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Local Settings\Temp\Cookies\elizabeth [email]rodgers@harpo.122.2o7[1].txt[/email] -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Cookies\elizabeth_rodgers@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Cookies\elizabeth_rodgers@ads.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Cookies\elizabeth_rodgers@adengage[1].txt -> TrackingCookie.Adengage : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Cookies\elizabeth_rodgers@ads.adengage[2].txt -> TrackingCookie.Adengage : Cleaned.
:mozilla.80:C:\Documents and Settings\Elizabeth Rodgers\Application Data\Mozilla\Firefox\Profiles\zkddadqq.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Cookies\elizabeth_rodgers@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Cookies\elizabeth_rodgers@connextra[2].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Cookies\elizabeth_rodgers@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Cookies\elizabeth_rodgers@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Cookies\elizabeth_rodgers@e-2dj6wjmiapajolp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Cookies\elizabeth_rodgers@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Local Settings\Temp\Cookies\elizabeth [email]rodgers@as-eu.falkag[2].txt[/email] -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Cookies\elizabeth_rodgers@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Cookies\elizabeth_rodgers@ehg-pcsecurityshield.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Cookies\elizabeth_rodgers@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Cookies\elizabeth_rodgers@searchportal.information[1].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Cookies\elizabeth_rodgers@server.lon.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Local Settings\Temp\Cookies\elizabeth [email]rodgers@search.msn[2].txt[/email] -> TrackingCookie.Msn : Cleaned.
:mozilla.22:C:\Documents and Settings\Elizabeth Rodgers\Application Data\Mozilla\Firefox\Profiles\zkddadqq.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Cookies\elizabeth_rodgers@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Cookies\elizabeth_rodgers@real[1].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Local Settings\Temp\Cookies\elizabeth [email]rodgers@web4.realtracker[1].txt[/email] -> TrackingCookie.Realtracker : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Cookies\elizabeth_rodgers@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.16:C:\Documents and Settings\Elizabeth Rodgers\Application Data\Mozilla\Firefox\Profiles\zkddadqq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.17:C:\Documents and Settings\Elizabeth Rodgers\Application Data\Mozilla\Firefox\Profiles\zkddadqq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.18:C:\Documents and Settings\Elizabeth Rodgers\Application Data\Mozilla\Firefox\Profiles\zkddadqq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.19:C:\Documents and Settings\Elizabeth Rodgers\Application Data\Mozilla\Firefox\Profiles\zkddadqq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.20:C:\Documents and Settings\Elizabeth Rodgers\Application Data\Mozilla\Firefox\Profiles\zkddadqq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.21:C:\Documents and Settings\Elizabeth Rodgers\Application Data\Mozilla\Firefox\Profiles\zkddadqq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Elizabeth Rodgers\Local Settings\Temp\Cookies\elizabeth [email]rodgers@login.tracking101[1].txt[/email] -> TrackingCookie.Tracking101 : Cleaned.
[596] C:\WINDOWS\system32\nhakucda.exe -> Trojan.Agent.aoy : Cleaned with backup (quarantined).

::Report end

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:44 PM, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\winshow.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\nhakucda.exe
C:\Documents and Settings\Elizabeth Rodgers\Desktop\aaaaaa\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insightbb.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [zzz_ImInstaller_IncrediMail] C:\DOCUME~1\ELIZAB~1\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install.exe -startup -product IncrediMail
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [e000e16c] rundll32.exe "C:\WINDOWS\system32\owygxjgr.dll",b
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://sympatico.zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://mypoints.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/bingame/pacz/default/pandaonline.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://sympatico.zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8C63DABA-CBA8-4B5D-A0F7-AE00F2920929} (Bridge Installer) - http://cdn2.zone.msn.com/Bingame/BRDG/dataFiles/heartbeat.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v67/swapit/swapit.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://www.shockwave.com/content/zenerchi/sis/ZenerchiWeb.1.0.0.10.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v43/paint/paint.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/gold/default/gf.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/bingame/swet/default/Sweetopia.1.0.0.46.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\nhakucda.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10241 bytes

Spysweeper has found:
zenosearchasdsistant c:\windows\system32\msnav.ax
trojan-downloader-topinstalls HKLM\software\microsoft\widows nt\current version\windows\ || appinit_dlls

If I don't do something soon, she will toss this thing outthe window and take over mine.
Thanks

windows-virus

2 Contributors
8 Replies
199 Views
3 Days Discussion Span
Latest Post 16 Years Ago Latest Post by crunchie

crunchie 990 Most Valuable Poster

16 Years Ago

Hi and welcome to Daniweb forums :).

Please download ComboFix by sUBs from HERE or HERE

Save it to your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.

"%userprofile%\desktop\ComboFix.exe" /KillAll
[IMG]http://i5.photobucket.com/albums/y153/crunchie1/RunBox_KillAll.jpg[/IMG]
Click OK and this will start ComboFix.
When finished, it will produce a log. Please save that log to a Notepad File and include it in your next reply along with a fresh HJT log.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

* Re-enable all the programs that were disabled prior to the running of ComboFix.

* Post the following logs/Reports:

ComboFix.txt
Fresh HijackThis log run after all the other tools have performed their cleanup.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

crunchie 990 Most Valuable Poster

16 Years Ago

How many times did you run Combofix?

==

Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

C:\WINDOWS\system32\nhakucda.exe
C:\WINDOWS\system32\sounewxt.exe

========

Can you please do the following.

===============

Scan with HijackThis and then place a check next to all the following, if present:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

After rebooting, rescan with hijackthis and post back a new log.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Silverlobo 0 Newbie Poster · Answer 1 · 2007-12-11T17:23:15+00:00

Thanks, will do so this afternoon after work. I have disconnected her pc from our LAN as a precaution anyway.

Silverlobo 0 Newbie Poster · Answer 2 · 2007-12-12T06:30:41+00:00

Ran Combo fix and HJT as requested logs follow:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:39 PM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\eMachines Bay  Reader\shwiconem.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\MSN Toolbar Suite\SL\02.05.0001.1119\en-us\msn_sl.exe
C:\Documents and Settings\Elizabeth Rodgers\Desktop\aaaaaa\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.insightbb.com/[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://www.yahoo.com/[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url]http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com[/url]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [url]http://www.emachines.com/[/url]
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay  Reader\shwiconem.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - [url]http://sympatico.zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab[/url]
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - [url]http://downloads.ewido.net/ewidoOnlineScan.cab[/url]
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - [url]http://mypoints.worldwinner.com/games/v47/shared/FunGamesLoader.cab[/url]
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - [url]http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab[/url]
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - [url]http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab[/url]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - [url]http://zone.msn.com/bingame/pacz/default/pandaonline.cab[/url]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [url]http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab[/url]
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - [url]http://sympatico.zone.msn.com/binframework/v10/ZPAChat.cab55579.cab[/url]
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - [url]http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab[/url]
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [url]http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab[/url]
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - [url]http://www.worldwinner.com/games/shared/wwlaunch.cab[/url]
O16 - DPF: {8C63DABA-CBA8-4B5D-A0F7-AE00F2920929} (Bridge Installer) - [url]http://cdn2.zone.msn.com/Bingame/BRDG/dataFiles/heartbeat.cab[/url]
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - [url]http://zone.msn.com/binGame/ZAxRcMgr.cab[/url]
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - [url]http://www.worldwinner.com/games/v67/swapit/swapit.cab[/url]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - [url]http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab[/url]
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - [url]http://www.shockwave.com/content/zenerchi/sis/ZenerchiWeb.1.0.0.10.cab[/url]
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - [url]http://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab[/url]
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - [url]http://www.worldwinner.com/games/v43/paint/paint.cab[/url]
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - [url]http://zone.msn.com/bingame/gold/default/gf.cab[/url]
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - [url]http://www.popcap.com/games/popcaploader_v6.cab[/url]
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - [url]http://zone.msn.com/bingame/swet/default/Sweetopia.1.0.0.46.cab[/url]
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10374 bytes

log2:

ComboFix 07-12-09.1 - Elizabeth Rodgers 2007-12-11 18:02:43.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.494 [GMT -6:00]
Running from: C:\Documents and Settings\Elizabeth Rodgers\desktop\ComboFix.exe
Command switches used :: /KillAll
.

(((((((((((((((((((((((((   Files Created from 2007-11-12 to 2007-12-12  )))))))))))))))))))))))))))))))
.

2007-12-10 17:40 . 2007-12-10 17:40 74,304  --a------   C:\WINDOWS\system32\sounewxt.exe
2007-12-10 17:18 . 2007-12-10 17:18 <DIR>    d--------   C:\Documents and Settings\Elizabeth Rodgers\Application Data\Grisoft
2007-12-10 17:18 . 2007-12-10 17:18 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-10 17:18 . 2007-05-30 06:10 10,872  --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-09 20:03 . 2007-12-09 20:03 <DIR>    d--------   C:\Documents and Settings\Elizabeth Rodgers\Application Data\Talkback
2007-12-09 17:41 . 2007-12-09 17:41 74,304  --a------   C:\WINDOWS\system32\nhakucda.exe
2007-12-08 16:52 . 2007-12-11 04:54 143 --a------   C:\WINDOWS\system32\mcrh.tmp
2007-12-08 12:50 . 2007-12-08 12:50 63  --a------   C:\WINDOWS\mdm.ini
2007-12-08 08:30 . 2007-12-08 08:30 <DIR>    d--------   C:\WINDOWS\system32\vlt2
2007-12-08 08:30 . 2007-12-08 08:30 <DIR>    d--------   C:\WINDOWS\system32\ripd1
2007-12-08 08:30 . 2007-12-09 16:20 <DIR>    d--------   C:\WINDOWS\system32\doc4
2007-12-08 08:30 . 2007-12-08 08:30 <DIR>    d--------   C:\WINDOWS\system32\bbc5
2007-12-08 08:29 . 2007-12-08 08:30 <DIR>    d--------   C:\WINDOWS\system32\rex2
2007-12-08 08:29 . 2007-12-08 08:29 <DIR>    d--------   C:\WINDOWS\system32\daSgo02
2007-12-08 08:29 . 2007-12-08 08:29 <DIR>    d--------   C:\temp\bkR11
2007-12-08 08:27 . 2007-12-08 08:27 54,156  --ah-----   C:\WINDOWS\QTFont.qfn
2007-12-08 08:27 . 2007-12-08 08:27 1,409   --a------   C:\WINDOWS\QTFont.for
2007-12-07 18:28 . 2007-12-07 19:16 <DIR>    d--------   C:\Program Files\Mystery Case Files - Madame Fate

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-10 23:22    ---------   d-----w C:\Program Files\iWin Games
2007-12-10 19:48    ---------   d-----w C:\Program Files\Audible
2007-12-10 18:12    ---------   d-----w C:\Documents and Settings\Elizabeth Rodgers\Application Data\MSN6
2007-12-10 12:44    ---------   d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-10 12:44    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-08 18:26    ---------   d-----w C:\Program Files\iWin.com
2007-12-08 02:16    ---------   d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-04 14:56    93,264  ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55    94,544  ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53    23,152  ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51    42,912  ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49    26,624  ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:05    ---------   d-----w C:\Program Files\MSN Games
2007-11-25 18:35    ---------   d-----w C:\Program Files\PopCap Games
2007-11-24 20:35    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Friends Games
2007-11-23 14:37    ---------   d-----w C:\Documents and Settings\Elizabeth Rodgers\Application Data\Yahoo!
2007-11-10 23:02    ---------   d-----w C:\Program Files\Mystery Case Files - Ravenhearst
2007-11-09 23:35    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-10-31 02:31    ---------   d-----w C:\Documents and Settings\All Users\Application Data\PopCap
2007-10-28 00:19    ---------   d-----w C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2007-10-28 00:07    ---------   d-----w C:\Program Files\bfgclient
2007-10-17 17:00    ---------   d-----w C:\Program Files\Shockwave.com
2007-10-16 01:55    ---------   d--h--w C:\Program Files\InstallShield Installation Information
2007-10-15 23:11    ---------   d-----w C:\Documents and Settings\Elizabeth Rodgers\Application Data\Creative
2007-10-15 22:07    ---------   d-----w C:\Program Files\Creative
2007-10-15 21:53    ---------   d--h--w C:\Program Files\Creative Installation Information
2007-10-15 21:53    ---------   d-----w C:\Program Files\Common Files\Creative
2007-10-15 21:46    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Creative
.

(((((((((((((((((((((((((((((   snapshot@2007-12-11_17.57.08.14   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 00:07:55   16,384  ----atw C:\WINDOWS\Temp\Perflib_Perfdata_568.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}]
            C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 20:00]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 09:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\eMachines Bay  Reader\shwiconem.exe" [2004-03-11 23:18]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-05-01 12:47]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 21:36]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2006-02-23 09:14]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 02:15:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS
R2 wntpport;wntpport;C:\WINDOWS\system32\drivers\wntpport.sys
S2 WinDriver;WinDriver;C:\WINDOWS\system32\drivers\WINDRVR.SYS
S3 busbcrw;USB Card Reader Writer driver;C:\WINDOWS\system32\Drivers\busbcrw.sys
S3 SydexFDD;Sydex Diskette Driver;\??\C:\WINDOWS\system32\Drivers\sydexfdd.sys
S3 wdpnp;WinDriver USB Client;C:\WINDOWS\system32\Drivers\wdpnp.sys

.
--------------------- DLLs Loaded Under Running Processes --------------------- 

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\DOCUME~1\ELIZAB~1\LOCALS~1\Temp\bggjoefr5501.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url]http://www.gmer.net[/url]
Rootkit scan 2007-12-11 18:09:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2007-12-11 18:15:02 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-11 17:59
.
    --- E O F ---

Hopefully I can get this resolved soon with all your help.
Thanks

Silverlobo 0 Newbie Poster · Answer 3 · 2007-12-13T09:12:02+00:00

Sorry about the double run of combofix, i forgot to use the kill all command.
Here are the results of the file scans:

File nhakucda.exe received on 12.13.2007 03:15:52 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 19/32 (59.38%)
Loading server information...
Your file is queued in position: 11.
Estimated start time is between 70 and 100 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:  

Antivirus   Version     Last Update     Result
AhnLab-V3   2007.12.13.10   2007.12.12  Win-Trojan/Agent.74240.P
AntiVir 7.6.0.40    2007.12.12  ADSPY/Agent.74304
Authentium  4.93.8  2007.12.12  -
Avast   4.7.1098.0  2007.12.12  -
AVG 7.5.0.503   2007.12.12  BackDoor.Agent.PTA
BitDefender 7.2 2007.12.13  Trojan.Fotomoto.H
CAT-QuickHeal   9.00    2007.12.12  Backdoor.Agent.dbm
ClamAV  0.91.2  2007.12.12  -
DrWeb   4.44.0.09170    2007.12.12  Trojan.EzulaAd
eSafe   7.0.15.0    2007.12.12  Suspicious File
eTrust-Vet  31.3.5372   2007.12.12  Win32/Abetear.I
Ewido   4.0 2007.12.12  -
FileAdvisor 1   2007.12.13  -
Fortinet    3.14.0.0    2007.12.12  -
F-Prot  4.4.2.54    2007.12.12  W32/Backdoor2.DK
F-Secure    6.70.13030.0    2007.12.13  -
Ikarus  T3.1.1.12   2007.12.13  Trojan.Agent.AGBD
Kaspersky   7.0.0.125   2007.12.13  -
McAfee  5184    2007.12.12  -
Microsoft   1.3007  2007.12.13  -
NOD32v2 2720    2007.12.12  Win32/Adware.Ezula
Norman  5.80.02 2007.12.12  -
Panda   9.0.0.4 2007.12.12  Spyware/Virtumonde
Prevx1  V2  2007.12.13  ADWARE.FOTOMOTO.F
Rising  20.22.22.00 2007.12.12  Backdoor.Win32.Agent.czt
Sophos  4.24.0  2007.12.13  Troj/Virtum-Gen
Sunbelt 2.2.907.0   2007.12.13  -
Symantec    10  2007.12.13  Trojan.Vundo
TheHacker   6.2.9.157   2007.12.12  Backdoor/Agent.czt
VBA32   3.12.2.5    2007.12.10  -
VirusBuster 4.3.26:9    2007.12.12  Adware.Vundo.V.Gen
Webwasher-Gateway   6.6.2   2007.12.12  Ad-Spyware.Agent.74304
Additional information
File size: 74304 bytes
MD5: eaa7e704f10692c574c74816d3384ef3
SHA1: 2f921b523c6478839f997b4aa7b965db6e11e38d
PEiD: -
Prevx info: [url]http://info.prevx.com/aboutprogramtext.asp?PX5=82DC43EC40BC1C042247016360AA9D000250EA0D[/url]

File sounewxt.exe received on 12.13.2007 03:34:06 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED 


Result: 19/32 (59.38%)
Loading server information... 
Your file is queued in position: 9.
Estimated start time is between 63 and 90 seconds.
Do not close the window until scan is complete. 
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file. 
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated. 
 Compact Print results  
Your file has expired or does not exists. 
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. 
 Email:  


Antivirus Version Last Update Result 
AhnLab-V3 2007.12.13.10 2007.12.12 Win-Trojan/Agent.74240.P 
AntiVir 7.6.0.40 2007.12.12 ADSPY/Agent.74304 
Authentium 4.93.8 2007.12.12 - 
Avast 4.7.1098.0 2007.12.12 - 
AVG 7.5.0.503 2007.12.12 BackDoor.Agent.PTA 
BitDefender 7.2 2007.12.13 Trojan.Fotomoto.H 
CAT-QuickHeal 9.00 2007.12.12 Backdoor.Agent.dbm 
ClamAV 0.91.2 2007.12.12 - 
DrWeb 4.44.0.09170 2007.12.12 Trojan.EzulaAd 
eSafe 7.0.15.0 2007.12.12 Suspicious File 
eTrust-Vet 31.3.5372 2007.12.12 Win32/Abetear.I 
Ewido 4.0 2007.12.12 - 
FileAdvisor 1 2007.12.13 - 
Fortinet 3.14.0.0 2007.12.12 - 
F-Prot 4.4.2.54 2007.12.12 W32/Backdoor2.DK 
F-Secure 6.70.13030.0 2007.12.13 - 
Ikarus T3.1.1.12 2007.12.13 Trojan.Agent.AGBD 
Kaspersky 7.0.0.125 2007.12.13 - 
McAfee 5184 2007.12.12 - 
Microsoft 1.3007 2007.12.13 - 
NOD32v2 2720 2007.12.12 Win32/Adware.Ezula 
Norman 5.80.02 2007.12.12 - 
Panda 9.0.0.4 2007.12.12 Spyware/Virtumonde 
Prevx1 V2 2007.12.13 ADWARE.FOTOMOTO.F 
Rising 20.22.22.00 2007.12.12 Backdoor.Win32.Agent.czt 
Sophos 4.24.0 2007.12.13 Troj/Virtum-Gen 
Sunbelt 2.2.907.0 2007.12.13 - 
Symantec 10 2007.12.13 Trojan.Vundo 
TheHacker 6.2.9.157 2007.12.12 Backdoor/Agent.czt 
VBA32 3.12.2.5 2007.12.10 - 
VirusBuster 4.3.26:9 2007.12.12 Adware.Vundo.V.Gen 
Webwasher-Gateway 6.6.2 2007.12.12 Ad-Spyware.Agent.74304 
Additional information 
File size: 74304 bytes 
MD5: eaa7e704f10692c574c74816d3384ef3 
SHA1: 2f921b523c6478839f997b4aa7b965db6e11e38d 
PEiD: - 
Prevx info: [url]http://info.prevx.com/aboutprogramtext.asp?PX5=82DC43EC40BC1C042247016360AA9D000250EA0D[/url] 

And the HJT after the fixes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:35 PM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\eMachines Bay  Reader\shwiconem.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Documents and Settings\Elizabeth Rodgers\Desktop\aaaaaa\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.insightbb.com/[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://www.yahoo.com/[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url]http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com[/url]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [url]http://www.emachines.com/[/url]
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay  Reader\shwiconem.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - [url]http://sympatico.zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab[/url]
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - [url]http://downloads.ewido.net/ewidoOnlineScan.cab[/url]
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - [url]http://mypoints.worldwinner.com/games/v47/shared/FunGamesLoader.cab[/url]
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - [url]http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab[/url]
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - [url]http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab[/url]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - [url]http://zone.msn.com/bingame/pacz/default/pandaonline.cab[/url]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [url]http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab[/url]
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - [url]http://sympatico.zone.msn.com/binframework/v10/ZPAChat.cab55579.cab[/url]
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - [url]http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab[/url]
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [url]http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab[/url]
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - [url]http://www.worldwinner.com/games/shared/wwlaunch.cab[/url]
O16 - DPF: {8C63DABA-CBA8-4B5D-A0F7-AE00F2920929} (Bridge Installer) - [url]http://cdn2.zone.msn.com/Bingame/BRDG/dataFiles/heartbeat.cab[/url]
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - [url]http://zone.msn.com/binGame/ZAxRcMgr.cab[/url]
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - [url]http://www.worldwinner.com/games/v67/swapit/swapit.cab[/url]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - [url]http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab[/url]
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - [url]http://www.shockwave.com/content/zenerchi/sis/ZenerchiWeb.1.0.0.10.cab[/url]
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - [url]http://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab[/url]
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - [url]http://www.worldwinner.com/games/v43/paint/paint.cab[/url]
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - [url]http://zone.msn.com/bingame/gold/default/gf.cab[/url]
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - [url]http://www.popcap.com/games/popcaploader_v6.cab[/url]
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - [url]http://zone.msn.com/bingame/swet/default/Sweetopia.1.0.0.46.cab[/url]
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10052 bytes

As a side note: something has helped, have been connected to the net for a couple of hours and no pop-ups/pop-unders

Thanks a lot.

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 4 · 2007-12-13T12:59:18+00:00

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\nhakucda.exe
C:\WINDOWS\system32\sounewxt.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[IMG]http://i5.photobucket.com/albums/y153/crunchie1/CFScript.gif[/IMG]

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter you re-enable all the programs that were disabled during the running of ComboFix:

Combofix.txt
A new HijackThis log.

Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Silverlobo 0 Newbie Poster · Answer 5 · 2007-12-14T08:27:21+00:00

Here are the logs from CF and HJT

ComboFix 07-12-09.1 - Elizabeth Rodgers 2007-12-13 19:58:26.3 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.464 [GMT -6:00]
Running from: C:\Documents and Settings\Elizabeth Rodgers\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Elizabeth Rodgers\Desktop\CFScript.txt
* Created a new restore point


FILE
C:\WINDOWS\system32\nhakucda.exe
C:\WINDOWS\system32\sounewxt.exe
.


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.


C:\WINDOWS\system32\nhakucda.exe
C:\WINDOWS\system32\sounewxt.exe


.
(((((((((((((((((((((((((   Files Created from 2007-11-14 to 2007-12-14  )))))))))))))))))))))))))))))))
.


2007-12-13 15:15 . 2007-12-13 15:19 <DIR>    d--------   C:\Documents and Settings\Elizabeth Rodgers\Application Data\Aveyond II
2007-12-10 17:18 . 2007-12-10 17:18 <DIR>    d--------   C:\Documents and Settings\Elizabeth Rodgers\Application Data\Grisoft
2007-12-10 17:18 . 2007-12-10 17:18 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-10 17:18 . 2007-05-30 06:10 10,872  --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-09 20:03 . 2007-12-09 20:03 <DIR>    d--------   C:\Documents and Settings\Elizabeth Rodgers\Application Data\Talkback
2007-12-08 16:52 . 2007-12-11 04:54 143 --a------   C:\WINDOWS\system32\mcrh.tmp
2007-12-08 12:50 . 2007-12-08 12:50 63  --a------   C:\WINDOWS\mdm.ini
2007-12-08 08:30 . 2007-12-08 08:30 <DIR>    d--------   C:\WINDOWS\system32\vlt2
2007-12-08 08:30 . 2007-12-08 08:30 <DIR>    d--------   C:\WINDOWS\system32\ripd1
2007-12-08 08:30 . 2007-12-09 16:20 <DIR>    d--------   C:\WINDOWS\system32\doc4
2007-12-08 08:30 . 2007-12-08 08:30 <DIR>    d--------   C:\WINDOWS\system32\bbc5
2007-12-08 08:29 . 2007-12-08 08:30 <DIR>    d--------   C:\WINDOWS\system32\rex2
2007-12-08 08:29 . 2007-12-08 08:29 <DIR>    d--------   C:\WINDOWS\system32\daSgo02
2007-12-08 08:29 . 2007-12-08 08:29 <DIR>    d--------   C:\temp\bkR11
2007-12-08 08:27 . 2007-12-08 08:27 54,156  --ah-----   C:\WINDOWS\QTFont.qfn
2007-12-08 08:27 . 2007-12-08 08:27 1,409   --a------   C:\WINDOWS\QTFont.for
2007-12-07 18:28 . 2007-12-07 19:16 <DIR>    d--------   C:\Program Files\Mystery Case Files - Madame Fate


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-14 00:10    ---------   d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-10 23:22    ---------   d-----w C:\Program Files\iWin Games
2007-12-10 19:48    ---------   d-----w C:\Program Files\Audible
2007-12-10 18:12    ---------   d-----w C:\Documents and Settings\Elizabeth Rodgers\Application Data\MSN6
2007-12-10 12:44    ---------   d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-10 12:44    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-08 18:26    ---------   d-----w C:\Program Files\iWin.com
2007-12-04 14:56    93,264  ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55    94,544  ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53    23,152  ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51    42,912  ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49    26,624  ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:05    ---------   d-----w C:\Program Files\MSN Games
2007-12-04 13:04    837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54    95,608  ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-25 18:35    ---------   d-----w C:\Program Files\PopCap Games
2007-11-24 20:35    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Friends Games
2007-11-23 14:37    ---------   d-----w C:\Documents and Settings\Elizabeth Rodgers\Application Data\Yahoo!
2007-11-13 10:25    20,480  ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 23:02    ---------   d-----w C:\Program Files\Mystery Case Files - Ravenhearst
2007-11-09 23:35    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-10-31 02:31    ---------   d-----w C:\Documents and Settings\All Users\Application Data\PopCap
2007-10-29 22:43    1,287,680   ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 00:19    ---------   d-----w C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2007-10-28 00:07    ---------   d-----w C:\Program Files\bfgclient
2007-10-27 23:40    227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-17 17:00    ---------   d-----w C:\Program Files\Shockwave.com
2007-10-16 01:55    ---------   d--h--w C:\Program Files\InstallShield Installation Information
2007-10-15 23:11    ---------   d-----w C:\Documents and Settings\Elizabeth Rodgers\Application Data\Creative
2007-10-15 22:07    ---------   d-----w C:\Program Files\Creative
2007-10-15 21:53    ---------   d--h--w C:\Program Files\Creative Installation Information
2007-10-15 21:53    ---------   d-----w C:\Program Files\Common Files\Creative
2007-10-15 21:46    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Creative
.


(((((((((((((((((((((((((((((   snapshot@2007-12-11_17.57.08.14   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-29 22:35:13   1,287,680   ----a-w C:\WINDOWS\$hf_mig$\KB941568\SP2QFE\quartz.dll
+ 2007-03-06 01:22:36   14,048  ----a-w C:\WINDOWS\$hf_mig$\KB941568\spmsg.dll
+ 2007-03-06 01:22:41   213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941568\spuninst.exe
+ 2007-03-06 01:22:34   22,752  ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\spcustom.dll
+ 2007-03-06 01:22:59   716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\update.exe
+ 2007-03-06 01:23:51   371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\updspapi.dll
+ 2007-10-10 23:47:27   124,928 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\advpack.dll
+ 2007-10-10 23:47:27   214,528 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\dxtrans.dll
+ 2007-10-10 23:47:27   132,608 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\extmgr.dll
+ 2007-10-10 23:47:27   63,488  ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\icardie.dll
+ 2007-10-10 08:16:47   70,656  ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ie4uinit.exe
+ 2007-10-10 23:47:27   153,088 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieakeng.dll
+ 2007-10-10 23:47:27   230,400 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieaksie.dll
+ 2007-10-10 05:47:20   161,792 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieakui.dll
+ 2007-04-17 09:28:12   2,455,488   ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieapfltr.dat
+ 2007-10-10 23:47:27   383,488 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieapfltr.dll
+ 2007-10-10 23:47:27   388,096 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iedkcs32.dll
+ 2007-10-10 23:47:27   6,067,200   ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieframe.dll
+ 2007-10-10 23:47:27   44,544  ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iernonce.dll
+ 2007-10-10 23:47:27   267,776 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iertutil.dll
+ 2007-10-10 08:16:47   13,824  ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieudinit.exe
+ 2007-10-10 08:16:56   625,664 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iexplore.exe
+ 2007-10-10 23:47:28   27,648  ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\jsproxy.dll
+ 2007-10-10 23:47:28   459,264 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\msfeeds.dll
+ 2007-10-10 23:47:28   52,224  ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\msfeedsbs.dll
+ 2007-10-30 23:48:49   3,593,216   ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\mshtml.dll
+ 2007-10-10 23:47:28   478,208 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\mshtmled.dll
+ 2007-10-10 23:47:28   193,024 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\msrating.dll
+ 2007-10-10 23:47:28   671,232 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\mstime.dll
+ 2007-10-10 23:47:28   102,912 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\occache.dll
+ 2007-10-10 23:47:28   105,984 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\url.dll
+ 2007-10-10 23:47:29   1,162,240   ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\urlmon.dll
+ 2007-10-10 23:47:29   233,472 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\webcheck.dll
+ 2007-10-10 23:47:29   825,344 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
+ 2007-03-06 01:22:36   14,048  ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\spmsg.dll
+ 2007-03-06 01:22:41   213,216 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\spuninst.exe
+ 2007-03-06 01:22:34   22,752  ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\update\spcustom.dll
+ 2007-03-06 01:22:59   716,000 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\update\update.exe
+ 2007-03-06 01:23:51   371,424 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\update\updspapi.dll
+ 2007-11-13 11:02:46   60,416  ----a-w C:\WINDOWS\$hf_mig$\KB942763\SP2QFE\tzchange.exe
+ 2007-03-06 01:22:36   14,048  ----a-w C:\WINDOWS\$hf_mig$\KB942763\spmsg.dll
+ 2007-03-06 01:22:41   213,216 ----a-w C:\WINDOWS\$hf_mig$\KB942763\spuninst.exe
+ 2007-03-06 01:22:34   22,752  ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\spcustom.dll
+ 2007-03-06 01:22:59   716,000 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\update.exe
+ 2007-03-06 01:23:51   371,424 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\updspapi.dll
+ 2007-11-13 08:47:45   20,480  ----a-w C:\WINDOWS\$hf_mig$\KB944653\SP2QFE\secdrv.sys
+ 2007-03-06 01:22:36   14,048  ----a-w C:\WINDOWS\$hf_mig$\KB944653\spmsg.dll
+ 2007-03-06 01:22:41   213,216 ----a-w C:\WINDOWS\$hf_mig$\KB944653\spuninst.exe
+ 2007-03-06 01:22:34   22,752  ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\spcustom.dll
+ 2007-03-06 01:22:59   716,000 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\update.exe
+ 2007-03-06 01:23:51   371,424 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\updspapi.dll
+ 2007-08-20 10:04:34   124,928 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\advpack.dll
+ 2007-08-20 10:04:34   214,528 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\dxtrans.dll
+ 2007-08-20 10:04:34   132,608 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\extmgr.dll
+ 2007-08-20 10:04:34   63,488  -c----w C:\WINDOWS\ie7updates\KB942615-IE7\icardie.dll
+ 2007-08-17 10:20:54   63,488  -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ie4uinit.exe
+ 2007-08-20 10:04:34   153,088 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieakeng.dll
+ 2007-08-20 10:04:35   230,400 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieaksie.dll
+ 2007-08-17 07:34:25   161,792 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieakui.dll
+ 2007-08-20 10:04:35   383,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieapfltr.dll
+ 2007-08-20 10:04:35   384,512 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iedkcs32.dll
+ 2007-08-20 10:04:37   6,058,496   -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieframe.dll
+ 2007-08-20 10:04:38   44,544  -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iernonce.dll
+ 2007-08-20 10:04:38   267,776 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iertutil.dll
+ 2007-08-17 10:20:54   13,824  -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieudinit.exe
+ 2007-08-17 10:21:21   625,152 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iexplore.exe
+ 2007-08-20 10:04:39   27,648  -c----w C:\WINDOWS\ie7updates\KB942615-IE7\jsproxy.dll
+ 2007-08-20 10:04:39   459,264 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msfeeds.dll
+ 2007-08-20 10:04:39   52,224  -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msfeedsbs.dll
+ 2007-08-20 10:04:41   3,584,512   -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mshtml.dll
+ 2007-08-20 10:04:41   477,696 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mshtmled.dll
+ 2007-08-20 10:04:41   193,024 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msrating.dll
+ 2007-08-20 10:04:42   671,232 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mstime.dll
+ 2007-08-20 10:04:42   102,400 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\occache.dll
+ 2007-03-06 01:22:41   213,216 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51   371,424 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\updspapi.dll
+ 2007-08-20 10:04:42   105,984 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\url.dll
+ 2007-08-20 10:04:42   1,152,000   -c----w C:\WINDOWS\ie7updates\KB942615-IE7\urlmon.dll
+ 2007-08-20 10:04:42   232,960 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\webcheck.dll
+ 2007-08-20 10:04:43   824,832 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\wininet.dll
- 2007-08-20 10:04:34   124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2007-10-10 23:55:51   124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2007-08-20 10:04:34   124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2007-10-10 23:55:51   124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
- 2007-08-20 10:04:34   214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2007-10-10 23:55:51   214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-08-20 10:04:34   132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-10-10 23:55:51   132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-08-20 10:04:34   63,488  -c--a-w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2007-10-10 23:55:51   63,488  -c--a-w C:\WINDOWS\system32\dllcache\icardie.dll
- 2007-08-17 10:20:54   63,488  -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2007-10-10 10:59:40   70,656  -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2007-08-20 10:04:34   153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2007-10-10 23:55:51   153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2007-08-20 10:04:35   230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2007-10-10 23:55:51   230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2007-08-17 07:34:25   161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2007-10-10 05:46:55   161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2007-08-20 10:04:35   383,488 -c--a-w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2007-10-10 23:55:52   383,488 -c--a-w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2007-08-20 10:04:35   384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2007-10-10 23:55:52   384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-08-20 10:04:37   6,058,496   -c--a-w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2007-10-10 23:55:54   6,065,664   -c--a-w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2007-08-20 10:04:38   44,544  -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2007-10-10 23:55:55   44,544  -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2007-08-20 10:04:38   267,776 -c--a-w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2007-10-10 23:55:55   267,776 -c--a-w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2007-08-17 10:20:54   13,824  -c--a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
+ 2007-10-10 10:59:40   13,824  -c--a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
- 2007-08-17 10:21:21   625,152 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2007-10-10 10:59:52   625,152 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2007-08-20 10:04:39   27,648  -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2007-10-10 23:55:56   27,648  -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2007-08-20 10:04:39   459,264 -c--a-w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2007-10-10 23:55:56   459,264 -c--a-w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2007-08-20 10:04:39   52,224  -c--a-w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2007-10-10 23:55:56   52,224  -c--a-w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2007-08-20 10:04:41   3,584,512   -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2007-10-30 23:42:28   3,590,656   -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-08-20 10:04:41   477,696 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2007-10-10 23:55:58   478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-08-20 10:04:41   193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2007-10-10 23:55:58   193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-08-20 10:04:42   671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2007-10-10 23:55:59   671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-08-20 10:04:42   102,400 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
+ 2007-10-10 23:55:59   102,400 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
+ 2007-10-29 22:43:03   1,287,680   -c----w C:\WINDOWS\system32\dllcache\quartz.dll
- 2007-08-20 10:04:42   105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
+ 2007-10-10 23:55:59   105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
- 2007-08-20 10:04:42   1,152,000   -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-10-10 23:56:00   1,159,680   -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-08-20 10:04:42   232,960 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2007-10-10 23:56:00   232,960 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-08-20 10:04:43   824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2007-10-10 23:56:00   824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2004-08-11 07:45:04   229,376 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
+ 2007-10-27 23:40:06   227,328 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
- 2007-08-20 10:04:34   214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2007-10-10 23:55:51   214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-08-20 10:04:34   132,608 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2007-10-10 23:55:51   132,608 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2007-08-20 10:04:34   63,488  ----a-w C:\WINDOWS\system32\icardie.dll
+ 2007-10-10 23:55:51   63,488  ----a-w C:\WINDOWS\system32\icardie.dll
- 2007-08-17 10:20:54   63,488  ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2007-10-10 10:59:40   70,656  ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2007-08-20 10:04:34   153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2007-10-10 23:55:51   153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2007-08-20 10:04:35   230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2007-10-10 23:55:51   230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2007-08-17 07:34:25   161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2007-10-10 05:46:55   161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2007-08-20 10:04:35   383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2007-10-10 23:55:52   383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2007-08-20 10:04:35   384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2007-10-10 23:55:52   384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2007-08-20 10:04:37   6,058,496   ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2007-10-10 23:55:54   6,065,664   ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-08-20 10:04:38   44,544  ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2007-10-10 23:55:55   44,544  ----a-w C:\WINDOWS\system32\iernonce.dll
- 2007-08-20 10:04:38   267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2007-10-10 23:55:55   267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2007-08-17 10:20:54   13,824  ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2007-10-10 10:59:40   13,824  ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2007-08-20 10:04:39   27,648  ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2007-10-10 23:55:56   27,648  ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2007-11-02 07:12:57   18,238,072  ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-12-02 23:00:05   18,684,536  ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-08-20 10:04:39   459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2007-10-10 23:55:56   459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2007-08-20 10:04:39   52,224  ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2007-10-10 23:55:56   52,224  ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2007-08-20 10:04:41   3,584,512   ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2007-10-30 23:42:28   3,590,656   ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-08-20 10:04:41   477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2007-10-10 23:55:58   478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-08-20 10:04:41   193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2007-10-10 23:55:58   193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-08-20 10:04:42   671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2007-10-10 23:55:59   671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-08-20 10:04:42   102,400 ----a-w C:\WINDOWS\system32\occache.dll
+ 2007-10-10 23:55:59   102,400 ----a-w C:\WINDOWS\system32\occache.dll
- 2007-07-18 12:42:22   60,416  ----a-w C:\WINDOWS\system32\tzchange.exe
+ 2007-11-13 11:31:11   60,416  ----a-w C:\WINDOWS\system32\tzchange.exe
- 2007-08-20 10:04:42   105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2007-10-10 23:55:59   105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-08-20 10:04:42   1,152,000   ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-10-10 23:56:00   1,159,680   ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-08-20 10:04:42   232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2007-10-10 23:56:00   232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2007-08-20 10:04:43   824,832 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-10-10 23:56:00   824,832 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-12-13 11:58:47   16,384  ----atw C:\WINDOWS\Temp\Perflib_Perfdata_630.dat
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 20:00]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 09:06]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\eMachines Bay  Reader\shwiconem.exe" [2004-03-11 23:18]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-05-01 12:47]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]


C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 02:15:54]


R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS
R2 wntpport;wntpport;C:\WINDOWS\system32\drivers\wntpport.sys
S2 WinDriver;WinDriver;C:\WINDOWS\system32\drivers\WINDRVR.SYS
S3 busbcrw;USB Card Reader Writer driver;C:\WINDOWS\system32\Drivers\busbcrw.sys
S3 SydexFDD;Sydex Diskette Driver;\??\C:\WINDOWS\system32\Drivers\sydexfdd.sys
S3 wdpnp;WinDriver USB Client;C:\WINDOWS\system32\Drivers\wdpnp.sys


.
**************************************************************************


catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 20:03:27
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


**************************************************************************
.
Completion time: 2007-12-13 20:05:37
C:\ComboFix2.txt ... 2007-12-11 18:15
C:\ComboFix3.txt ... 2007-12-11 17:59
.
--- E O F ---

.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:13 PM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\eMachines Bay  Reader\shwiconem.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Elizabeth Rodgers\Desktop\aaaaaa\HiJackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insightbb.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay  Reader\shwiconem.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://sympatico.zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://mypoints.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/bingame/pacz/default/pandaonline.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://sympatico.zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8C63DABA-CBA8-4B5D-A0F7-AE00F2920929} (Bridge Installer) - http://cdn2.zone.msn.com/Bingame/BRDG/dataFiles/heartbeat.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v67/swapit/swapit.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://www.shockwave.com/content/zenerchi/sis/ZenerchiWeb.1.0.0.10.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v43/paint/paint.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/gold/default/gf.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/bingame/swet/default/Sweetopia.1.0.0.46.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


--
End of file - 9538 bytes

Her computer has been on all day and connected to the lan with NO, NONE, NADA, ZIP, ZERO pop-ups. I do believe it's miller time you you!!

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 6 · 2007-12-14T13:52:55+00:00

Hopefully your window is still intact then :D.

Congratulations! Your log looks clean - good work!

===============

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Download CCleaner and install, then run it. It will clear out your temp folders.

Uncheck "Cookies" under "Internet Explorer".
Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Close when finished.

Secure your Internet Explorer by going here and following the instructions there.

Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature.

Install and keep updated, AVG anti-spyware, Ad-Aware SE and Spybot S&D.
Run them all on a regular basis, following the maker's recommendations.

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

Empty the Recycle Bin.

For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start | Run and type msconfig and press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System restore'.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Note that all previous restore points will be lost.

===============

If you have any more problems, post back.

-

Happy surfing,

crunchie.