
Request for help, Dr. Watson Postmortem



 
 
Old 11-30-2009, 11:14 PM   #1
Registered Member

Hi. I recently tried to update my Adobe Flash Player to the latest version, and found that whenever I try, I get an error pop-up saying Dr. Watson Postmortem Debugger needs to close Explorer. I've been Googling this and it seems to be a virus problem that noobs like me are not equipped to handle, so I'm seeking the advice of experts.

I use Windows XP on an HP Pavilion zv6000 laptop. I regularly run Avast Antivirus, SuperAntiSpyware, SpyBot, SpySweeper and Malware Bytes Anti-Malware, and before this my infection problems were limited to adware tracking cookies and the occasional trojan.

I've attached the ark and attach files as a zip as instructed, and the DDS log is posted below. I'd appreciate any help you guys can give me, and thank you in advance for it. If I've omitted anything or done something wrong, please let me know.



DDS (Ver_09-11-29.01) - NTFSx86
Run by Amber Gorby at 0:50:36.42 on Tue 12/01/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.223 [GMT -5:00]

AV: Anti-Virus - SBC Yahoo! Online Protection *On-access scanning disabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: avast! antivirus 4.8.1351 [VPS 091130-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Amber Gorby\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dll
uURLSearchHooks: MHURLSearchHook Class: {1c4ab6a5-595f-4e86-b15f-f93cce2bbd48} - c:\program files\family toolbar\tbhelper.dll
BHO: MHTBPos00 Class: {0c37b053-fd68-456a-82e1-d788ee342e6f} - c:\program files\family toolbar\tbcore3.dll
BHO: Freecause Toolbar BHO: {614bda1f-9bef-4cd1-bde4-fa4804929b4a} - c:\program files\mypoints toolbar 2.0\Toolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Family Toolbar: {fd2fd708-1f6f-4b68-b141-c5778f0c19bb} - c:\program files\family toolbar\tbcore3.dll
TB: MyPoints Toolbar 2.0: {89a2510a-b4b6-4683-bec9-1b96700bc7f1} - c:\program files\mypoints toolbar 2.0\Toolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dll
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHide
uRun: [<NO NAME>]
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeper.exe" /0
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [YOP] c:\progra~1\yahoo!\yop\yop.exe /autostart
mRun: [Openwares LiveUpdate] c:\program files\liveupdate\LiveUpdate.exe
mRun: [CaAvTray] "c:\program files\yahoo!\antivirus\CAVTray.exe"
mRun: [CAVRID] "c:\program files\yahoo!\antivirus\CAVRID.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SMSTray] c:\program files\samsung\samsung media studio 5\SMSTray.exe
mRun: [Family Tree Builder Update] c:\program files\myheritage\bin\FTBCheckUpdates.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realte~1.lnk - c:\program files\realtek usb wireless lan driver and utility\RtWLan.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Jungle Gin by pogo - hxxp://game3.pogo.com/v/9.0.8.20/applet/gin2/gin2-en_US.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} - hxxp://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} - hxxp://makeover.ivillage.co.uk/save/makeover.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - hxxp://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: nnnnKCuT - nnnnKCuT.dll
AppInit_DLLs: nlsikj.dll c:\windows\system32\lewowesa.dll c:\windows\system32\ c:\windows\system32\jijejeju.dll c:\windows\system32\vakimotu.dll c:\windows\system32\kohajawu.dll c:\windows\system32\wahayaga.dll c:\windows\system32\vevinaho.dll gujpgg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\jifopufo.dll c:\windows\system32\wahayaga.dll sokodewu.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-10 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 74480]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\Vet-Filt.sys [2007-6-19 21031]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\Vet-Rec.sys [2007-6-19 15478]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\VetEFile.sys [2007-6-19 879832]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\VetFDDNT.sys [2007-6-19 15735]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2007-6-19 26787]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-10 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-12-10 138680]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2009-11-24 38144]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-1-8 24652]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-12-10 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-12-10 352920]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-3-22 200192]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\VetEBoot.sys [2007-6-19 108360]
S1 cpqdap011;cpqdap011;c:\windows\system32\drivers\cpqdap011.sys --> c:\windows\system32\drivers\cpqdap011.sys [?]
S2 VETMSGNT;VET Message Service;c:\program files\yahoo!\antivirus\VetMsg.exe [2007-6-19 201840]
S3 CAISafe;CAISafe;c:\program files\yahoo!\antivirus\iSafe.exe [2007-6-19 259184]
S3 PentaxUsb;PENTAX Optio 60 on USB;c:\windows\system32\drivers\CoachUsb.sys [2005-11-20 50976]
S3 PentaxVc;PENTAX Optio 60 Video Capture;c:\windows\system32\drivers\CoachVc.sys [2005-11-20 44256]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2009-11-24 235648]

=============== Created Last 30 ================

2009-11-30 15:51:57 0 d-----w- c:\windows\system32\wbem\Repository
2009-11-29 19:31:55 0 d-----w- c:\program files\Webroot
2009-11-29 19:31:55 0 d-----w- c:\docume~1\amberg~1\applic~1\Webroot
2009-11-26 01:47:22 0 d-----w- c:\program files\MSXML 4.0
2009-11-26 0142 0 d-----w- c:\program files\MKVtoolnix
2009-11-24 15:51:40 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-11-24 15:51:24 235648 ----a-r- c:\windows\system32\drivers\RTL8187.sys
2009-11-24 15:51:06 38144 ----a-r- c:\windows\system32\drivers\EAPPkt.sys
2009-11-24 15:51:06 3078 ----a-r- c:\windows\system32\drivers\EAPPkt.inf
2009-11-24 15:51:04 0 d-----w- c:\windows\system32\RTL8187
2009-11-24 15:39:09 0 d-----w- c:\program files\IrfanView
2009-11-21 22:03:50 0 d-----w- c:\program files\REALTEK USB Wireless LAN Driver and Utility
2009-11-11 19:05:50 118 ----a-w- c:\windows\system32\MRT.INI
2009-11-02 06:00:02 0 d-----w- c:\program files\Windows Installer Clean Up
2009-11-02 05:59:05 0 d-----w- c:\program files\MSECACHE

==================== Find3M ====================

2009-11-08 15:21:18 22352 ----a-w- c:\docume~1\amberg~1\applic~1\wklnhst.dat
2009-10-22 09:19:04 5939712 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-07 00:07:14 19498 ----a-w- c:\windows\system32\ilicisoto.vbs
2009-10-07 00:07:14 17772 ----a-w- c:\windows\pynyxax.bin
2009-10-07 00:07:14 17106 ----a-w- c:\program files\common files\habe.lib
2009-10-07 00:07:14 10801 ----a-w- c:\windows\system32\yjogah.vbs
2009-10-07 00:07:13 19709 ----a-w- c:\docume~1\alluse~1\applic~1\ipocysyp.bat
2009-10-07 00:07:13 10295 ----a-w- c:\program files\common files\inupy.com
2009-10-07 00:07:11 16696 ----a-w- c:\windows\lefoq.com
2009-10-06 22:08:20 46 ----a-w- C:\p2hhr.bat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1(3).dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll

============= FINISH: 0:51:35.65 ===============
Attached Files
File Type: zip Attach.zip (5.7 KB, 11 views)

Athlynne is offline
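The AppInit_DLLs, LSA Notification Packages and Winlogon Notify lines in the DDS report above are the persistence entries a helper reads first. The script below is an added example, not part of this thread or of the DDS tool: it parses those three line types from a constructed sample copied from the log above and reports entries that depart from a clean Windows XP baseline. The allow-list of verified Notify DLLs and the name-shape heuristic are assumptions, labelled as such in the code.

```python
"""Triage the persistence entries of a DDS 'Pseudo HJT Report' section."""
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample: a subset of the persistence lines from the DDS log
# posted in this thread, in DDS's own line format.
SAMPLE_HJT = r"""
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: nnnnKCuT - nnnnKCuT.dll
AppInit_DLLs: nlsikj.dll c:\windows\system32\lewowesa.dll c:\windows\system32\ c:\windows\system32\jijejeju.dll
LSA: Notification Packages = scecli c:\windows\system32\jifopufo.dll sokodewu.dll
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Assumption: Winlogon Notify DLLs the analyst has already verified as
# vendor-shipped (Ati2evxx.dll belongs to the ATI display driver here).
VERIFIED_NOTIFY_DLLS = {"ati2evxx.dll"}

# Assumption: the only LSA notification package on a clean XP Home box.
BASELINE_LSA = {"scecli"}

CONSONANTS = "bcdfghjklmnpqrstvwxyz"
VOWELS = "aeiou"


@dataclass(frozen=True)
class Finding:
    source: str           # which DDS line type the entry came from
    entry: str            # the DLL or path exactly as DDS printed it
    reason: str           # why it deserves the analyst's attention
    random_looking: bool  # result of the name-shape heuristic


def basename(entry: str) -> str:
    """File-name part of a DDS entry; a bare name is returned unchanged."""
    return entry.rsplit("\\", 1)[-1]


def looks_random(name: str) -> bool:
    """Heuristic (assumption): an 8-letter stem alternating consonant and
    vowel, the shape of the generated names in this thread's log.
    It is a hint for the analyst, not a verdict."""
    stem = name.lower().rsplit(".", 1)[0]
    if len(stem) != 8 or not stem.isalpha():
        return False
    classes = (CONSONANTS, VOWELS) * 4
    return all(ch in cls for ch, cls in zip(stem, classes))


def parse_entries(report: str) -> Iterator[Tuple[str, str]]:
    """Yield (source, entry) for every DLL referenced by the three
    persistence line types. AppInit_DLLs and LSA lists are space-separated
    in DDS output, so a path containing spaces would split; the system32
    paths these entries use do not contain spaces."""
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Notify:"):
            # Format: 'Notify: <subkey name> - <dll>'
            _, _, dll = line.partition(" - ")
            yield "Notify", dll.strip()
        elif line.startswith("AppInit_DLLs:"):
            for entry in line[len("AppInit_DLLs:"):].split():
                yield "AppInit_DLLs", entry
        elif line.startswith("LSA: Notification Packages ="):
            for entry in line.split("=", 1)[1].split():
                yield "LSA", entry


def triage(report: str) -> List[Finding]:
    """Apply the baseline checks and collect everything worth review."""
    findings: List[Finding] = []
    for source, entry in parse_entries(report):
        name = basename(entry).lower()
        reason = None
        if source == "AppInit_DLLs":
            # Empty on a clean XP install, so every entry is reported; an
            # entry ending in a backslash is a directory, not a DLL.
            reason = ("malformed entry (bare directory)" if entry.endswith("\\")
                      else "AppInit_DLLs is empty on a clean XP system")
        elif source == "LSA" and name not in BASELINE_LSA:
            reason = "LSA notification package outside the XP baseline"
        elif (source == "Notify" and "\\" not in entry
              and name not in VERIFIED_NOTIFY_DLLS):
            reason = "Winlogon Notify DLL registered by bare name, unverified"
        if reason:
            findings.append(Finding(source, entry, reason, looks_random(name)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        flag = " [random-looking name]" if f.random_looking else ""
        print(f"{f.source:13} {f.entry!r:45} {f.reason}{flag}")
```

Run against the sample it reports seven entries, four of them with the generated-name shape; the same functions accept a full DDS log pasted in as the report string.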
Old 12-03-2009, 12:27 PM   #2
Security Team Analyst

Hello and Welcome to the forums!

My name is Carolyn and I'll be glad to help you with your computer problems. The logs that you will be posting can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please do not run any other tool until instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.


If you follow these instructions, everything should go smoothly.


Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.


I notice that there is more than one antivirus program installed on your computer. This is very dangerous, as multiple antivirus programs can interfere with one another and actually allow MORE viruses to get through. When you have more than one antivirus program installed at the same time, they conflict with each other rendering the computer vulnerable or unusable.

It is NOT safe to have more than one anti-virus installed on a system, and doing so not only does NOT provide better protection, it will actually cause additional problems. Anti-virus programs patch into the system kernel. Having more than one anti-virus patching into the system kernel will not only destabilize a system, it can corrupt system files and it WILL cause crashes!

Go to "Start -> Control Panel -> Add/Remove Programs" and uninstall AT&T Yahoo! Applications

===========================


Download and Run ComboFix (by sUBs)

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Carolyn is offline
Old 12-04-2009, 07:27 AM   #3
Registered Member

Thank you!

Before I run ComboFix, I thought I should tell you that I have tried to remove the AT&T antivirus program, many times. According to the add/remove program thing, only the base components of it are left, and when I try to remove them, nothing happens. Should I leave this alone for now and proceed with ComboFix, or do you know how I can get rid of the extra antivirus program?

Thank you for your help, a LOT. :)
Athlynne is offline
Old 12-04-2009, 08:11 AM   #4
Security Team Analyst

The AT&T antivirus program is actually comprised of CA Antivirus components.

Please click here to run the removal tool for CA Internet Security Suite 2007 / 2008.

After running the removal tool, please post a fresh DDS log for my review.
Carolyn is offline
Old 12-04-2009, 04:22 PM   #5
Registered Member

Um, I clicked on that link and my Avast came up and announced it found a trojan there. Are you sure this is safe? Sorry this is taking so long to get going...

Thank you.
Athlynne is offline
Old 12-05-2009, 05:06 AM   #6
Security Team Analyst

Yes, it is safe. It is not unusual for security programs to flag the tools that we use due to the way they work. I would not ask you to run anything that was not safe.
Carolyn is offline
Old 12-06-2009, 05:46 PM   #7
Registered Member

Here are the new logs!


DDS (Ver_09-12-01.01) - NTFSx86
Run by Amber Gorby at 20:41:55.18 on Sun 12/06/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.128 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 091206-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Amber Gorby\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dll
uURLSearchHooks: MHURLSearchHook Class: {1c4ab6a5-595f-4e86-b15f-f93cce2bbd48} - c:\program files\family toolbar\tbhelper.dll
BHO: MHTBPos00 Class: {0c37b053-fd68-456a-82e1-d788ee342e6f} - c:\program files\family toolbar\tbcore3.dll
BHO: Freecause Toolbar BHO: {614bda1f-9bef-4cd1-bde4-fa4804929b4a} - c:\program files\mypoints toolbar 2.0\Toolbar.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Family Toolbar: {fd2fd708-1f6f-4b68-b141-c5778f0c19bb} -
TB: MyPoints Toolbar 2.0: {89a2510a-b4b6-4683-bec9-1b96700bc7f1} - c:\program files\mypoints toolbar 2.0\Toolbar.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dll
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHide
uRun: [<NO NAME>]
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeper.exe" /0
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [YOP] c:\progra~1\yahoo!\yop\yop.exe /autostart
mRun: [Openwares LiveUpdate] c:\program files\liveupdate\LiveUpdate.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SMSTray] c:\program files\samsung\samsung media studio 5\SMSTray.exe
mRun: [Family Tree Builder Update] c:\program files\myheritage\bin\FTBCheckUpdates.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realte~1.lnk - c:\program files\realtek usb wireless lan driver and utility\RtWLan.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Jungle Gin by pogo - hxxp://game3.pogo.com/v/9.0.8.20/applet/gin2/gin2-en_US.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} - hxxp://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} - hxxp://makeover.ivillage.co.uk/save/makeover.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - hxxp://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: nnnnKCuT - nnnnKCuT.dll
AppInit_DLLs: nlsikj.dll c:\windows\system32\lewowesa.dll c:\windows\system32\ c:\windows\system32\jijejeju.dll c:\windows\system32\vakimotu.dll c:\windows\system32\kohajawu.dll c:\windows\system32\wahayaga.dll c:\windows\system32\vevinaho.dll gujpgg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\jifopufo.dll c:\windows\system32\wahayaga.dll sokodewu.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-10 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-10 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-12-10 138680]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2009-11-24 38144]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-1-8 24652]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-12-10 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-12-10 352920]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-3-22 200192]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2009-11-24 235648]
S1 cpqdap011;cpqdap011;c:\windows\system32\drivers\cpqdap011.sys --> c:\windows\system32\drivers\cpqdap011.sys [?]
S3 PentaxUsb;PENTAX Optio 60 on USB;c:\windows\system32\drivers\CoachUsb.sys [2005-11-20 50976]
S3 PentaxVc;PENTAX Optio 60 Video Capture;c:\windows\system32\drivers\CoachVc.sys [2005-11-20 44256]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]

=============== Created Last 30 ================

2009-12-07 01:31:28 1445888 ----a-w- c:\documents and settings\amber gorby\DesktopWinsockxpFix.exe
2009-12-07 01:30:37 186368 ----a-w- c:\documents and settings\amber gorby\DesktopLSPFix.exe
2009-12-07 01:30:32 36864 ----a-w- c:\documents and settings\amber gorby\DesktopSafeMSI.exe
2009-12-07 01:09:36 0 d-----w- c:\windows\system32\wbem\Repository
2009-12-05 00:19:14 0 d-----w- c:\docume~1\alluse~1\applic~1\CA-SupportBridge
2009-12-02 20:11:13 0 d-----w- c:\program files\Siber Systems
2009-12-01 19:45:27 0 d-----w- c:\program files\CCleaner
2009-11-29 19:31:55 0 d-----w- c:\program files\Webroot
2009-11-29 19:31:55 0 d-----w- c:\docume~1\amberg~1\applic~1\Webroot
2009-11-26 01:47:22 0 d-----w- c:\program files\MSXML 4.0
2009-11-26 0142 0 d-----w- c:\program files\MKVtoolnix
2009-11-24 15:51:40 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-11-24 15:51:24 235648 ----a-r- c:\windows\system32\drivers\RTL8187.sys
2009-11-24 15:51:06 38144 ----a-r- c:\windows\system32\drivers\EAPPkt.sys
2009-11-24 15:51:06 3078 ----a-r- c:\windows\system32\drivers\EAPPkt.inf
2009-11-24 15:51:04 0 d-----w- c:\windows\system32\RTL8187
2009-11-24 15:39:09 0 d-----w- c:\program files\IrfanView
2009-11-21 22:03:50 0 d-----w- c:\program files\REALTEK USB Wireless LAN Driver and Utility
2009-11-11 19:05:50 118 ----a-w- c:\windows\system32\MRT.INI

==================== Find3M ====================

2009-11-08 15:21:18 22352 ----a-w- c:\docume~1\amberg~1\applic~1\wklnhst.dat
2009-10-22 09:19:04 5939712 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-07 00:07:14 19498 ----a-w- c:\windows\system32\ilicisoto.vbs
2009-10-07 00:07:14 17772 ----a-w- c:\windows\pynyxax.bin
2009-10-07 00:07:14 17106 ----a-w- c:\program files\common files\habe.lib
2009-10-07 00:07:14 10801 ----a-w- c:\windows\system32\yjogah.vbs
2009-10-07 00:07:13 19709 ----a-w- c:\docume~1\alluse~1\applic~1\ipocysyp.bat
2009-10-07 00:07:13 10295 ----a-w- c:\program files\common files\inupy.com
2009-10-07 00:07:11 16696 ----a-w- c:\windows\lefoq.com
2009-10-06 22:08:20 46 ----a-w- C:\p2hhr.bat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll

============= FINISH: 20:42:53.25 ===============
Attached Files: Attach.zip (4.6 KB)
__________________
Athlynne is offline  
Old 12-07-2009, 04:36 AM   #8
Security Team
Analyst
 
 
Join Date: Mar 2007
Posts: 232
OS: XP & Vista



Well done, Athlynne

Download and Run ComboFix (by sUBs)

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.
__________________
Carolyn is offline  
Old 12-07-2009, 02:26 PM   #9
Registered Member
 
Join Date: Nov 2009
Posts: 22
OS: Win XP



Log is below!

Also, I don't know if this is important, but the AT&T antivirus you had me remove still seems to be there. The icon for it is still on my taskbar and it's still listed in (and refusing to be banished from) my add/remove programs screen.

Thank you again!

--------------------------------------------------------------

ComboFix 09-12-07.01 - Amber Gorby 12/07/2009 16:36.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.219 [GMT -5:00]
Running from: c:\documents and settings\Amber Gorby\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 091207-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\ipocysyp.bat
c:\documents and settings\Krista Gorby\Application Data\iniasd.txt
c:\documents and settings\Krista Gorby\Local Settings\Application Data\amyfonule.vbs
c:\documents and settings\Krista Gorby\Local Settings\Application Data\suxy.inf
c:\documents and settings\Krista Gorby\Local Settings\Temporary Internet Files\exim.dll
C:\p2hhr.bat
c:\recycler\S-1-5-21-1708537768-308236825-839522115-1003
c:\recycler\S-1-5-21-2738528725-3377773627-2742169642-1003
c:\temp\FT62
c:\temp\FT62\teTU.log
c:\temp\tn3
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\Fonts\acrsec.fon
c:\windows\system32\cache329
c:\windows\system32\cache329\B_329_0_0_105300.htm
c:\windows\system32\cache329\B_329_0_0_106800.htm
c:\windows\system32\cache329\B_329_0_0_107400.htm
c:\windows\system32\cache329\B_329_1_0_449200.htm
c:\windows\system32\cache329\B_329_1_0_449600.htm
c:\windows\system32\cache329\B_329_1_0_454300.htm
c:\windows\system32\cache329\B_329_2_0_105300.htm
c:\windows\system32\cache329\B_329_2_0_106800.htm
c:\windows\system32\cache329\B_329_2_0_107400.htm
c:\windows\system32\cache329\B_329_3_0_105300.htm
c:\windows\system32\cache329\B_329_3_0_106800.htm
c:\windows\system32\cache329\B_329_3_0_107400.htm
c:\windows\system32\cache329\B_329_4_0_111600.htm
c:\windows\system32\cache329\B_329_4_0_152400.htm
c:\windows\system32\cache329\B_329_4_0_155300.htm
c:\windows\system32\cache329\B_329_4_0_164100.htm
c:\windows\system32\cache329\t_B_329_0_0_105300.htm
c:\windows\system32\cache329\t_B_329_0_0_106800.htm
c:\windows\system32\cache329\t_B_329_0_0_107400.htm
c:\windows\system32\cache329\t_B_329_1_0_449200.htm
c:\windows\system32\cache329\t_B_329_1_0_449600.htm
c:\windows\system32\cache329\t_B_329_1_0_454300.htm
c:\windows\system32\cache329\t_B_329_2_0_105300.htm
c:\windows\system32\cache329\t_B_329_2_0_106800.htm
c:\windows\system32\cache329\t_B_329_2_0_107400.htm
c:\windows\system32\cache329\t_B_329_3_0_105300.htm
c:\windows\system32\cache329\t_B_329_3_0_106800.htm
c:\windows\system32\cache329\t_B_329_3_0_107400.htm
c:\windows\system32\cache329\t_B_329_4_0_111600.htm
c:\windows\system32\cache329\t_B_329_4_0_152400.htm
c:\windows\system32\cache329\t_B_329_4_0_155300.htm
c:\windows\system32\cache329\t_B_329_4_0_164100.htm
c:\windows\system32\comres(2)(2).dll
c:\windows\system32\ilicisoto.vbs
c:\windows\system32\JSvEffii.ini
c:\windows\system32\muzapp.exe
c:\windows\system32\olizezim.ini
c:\windows\system32\wEhiPqss.ini
c:\windows\system32\yjogah.vbs

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_SFX
-------\Legacy_SFXDRV
-------\Legacy_TDSSSERV.SYS
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2009-11-07 to 2009-12-07 )))))))))))))))))))))))))))))))
.

2009-12-07 21:49 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-12-07 21:49 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-12-07 01:31 . 2009-12-07 01:31 1445888 ----a-w- c:\documents and settings\Amber Gorby\DesktopWinsockxpFix.exe
2009-12-07 01:30 . 2009-12-07 01:30 186368 ----a-w- c:\documents and settings\Amber Gorby\DesktopLSPFix.exe
2009-12-07 01:30 . 2009-12-07 01:30 36864 ----a-w- c:\documents and settings\Amber Gorby\DesktopSafeMSI.exe
2009-12-07 01:27 . 2009-12-07 01:27 20232 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SelfServe_rc.dll
2009-12-07 01:27 . 2009-12-07 01:27 615688 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SelfServe.exe
2009-12-07 01:26 . 2009-12-07 01:27 357640 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SoftwareUpdater.exe
2009-12-07 01:24 . 2009-12-07 01:26 632072 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\msvcr80.dll
2009-12-07 01:09 . 2009-12-07 01:09 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-05 00:19 . 2009-12-07 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\CA-SupportBridge
2009-12-02 20:18 . 2009-12-02 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2009-12-02 20:11 . 2009-12-02 20:11 -------- d-----w- c:\program files\Siber Systems
2009-12-01 19:45 . 2009-12-01 19:45 -------- d-----w- c:\program files\CCleaner
2009-11-29 19:31 . 2009-11-29 19:31 -------- d-----w- c:\program files\Webroot
2009-11-29 19:31 . 2009-11-29 19:31 -------- d-----w- c:\documents and settings\Amber Gorby\Application Data\Webroot
2009-11-29 19:23 . 2009-11-29 19:29 -------- d-----w- c:\documents and settings\Amber Gorby\Application Data\Lavasoft
2009-11-26 01:47 . 2009-11-26 01:47 -------- d-----w- c:\program files\MSXML 4.0
2009-11-26 01:06 . 2009-11-26 01:07 -------- d-----w- c:\program files\MKVtoolnix
2009-11-24 20:24 . 2009-11-24 20:24 152576 ----a-w- c:\documents and settings\Amber Gorby\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-24 18:28 . 2009-11-24 20:24 79488 ----a-w- c:\documents and settings\Amber Gorby\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-24 15:51 . 2009-11-24 15:51 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-11-24 15:51 . 2007-05-21 07:29 235648 ----a-r- c:\windows\system32\drivers\RTL8187.sys
2009-11-24 15:51 . 2006-11-15 21:23 38144 ----a-r- c:\windows\system32\drivers\EAPPkt.sys
2009-11-24 15:51 . 2009-11-24 15:51 -------- d-----w- c:\windows\system32\RTL8187
2009-11-24 15:50 . 2009-11-24 15:50 -------- d-----w- c:\documents and settings\Amber Gorby\Application Data\InstallShield
2009-11-24 15:39 . 2009-11-24 15:39 -------- d-----w- c:\program files\IrfanView
2009-11-24 15:38 . 2009-11-24 15:38 -------- d-----w- c:\documents and settings\Krista Gorby\Local Settings\Application Data\SpiralfrogClient
2009-11-21 22:03 . 2009-11-24 15:52 -------- d-----w- c:\program files\REALTEK USB Wireless LAN Driver and Utility
2009-11-10 12:50 . 2009-11-10 12:50 1408800 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-07 06:55 . 2009-07-21 15:42 117760 ----a-w- c:\documents and settings\Krista Gorby\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-07 01:08 . 2009-09-10 15:05 -------- d-----w- c:\documents and settings\Krista Gorby\Application Data\mjusbsp
2009-12-07 01:08 . 2009-09-08 14:32 -------- d-----w- c:\documents and settings\Nancy Gorby\Application Data\mjusbsp
2009-12-07 01:08 . 2009-09-11 14:29 -------- d-----w- c:\documents and settings\finngorby\Application Data\mjusbsp
2009-12-03 18:03 . 2009-05-23 00:51 117760 ----a-w- c:\documents and settings\Amber Gorby\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-03 05:45 . 2007-12-31 23:21 -------- d-----w- c:\program files\WinAVI Video Capture
2009-12-03 05:41 . 2005-12-12 11:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-03 05:29 . 2009-06-10 02:04 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-12-03 05:29 . 2005-05-12 03:51 -------- d-----w- c:\program files\Microsoft Works
2009-12-03 05:23 . 2009-06-10 02:04 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-12-02 16:20 . 2009-05-29 23:25 1 ----a-w- c:\documents and settings\Amber Gorby\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-01 19:49 . 2005-12-12 11:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-01 19:20 . 2009-05-22 20:59 -------- d-----w- c:\program files\LimeWire
2009-11-29 23:47 . 2008-09-16 21:05 -------- d-----w- c:\documents and settings\Amber Gorby\Application Data\LimeWire
2009-11-29 19:04 . 2008-11-28 20:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-24 23:54 . 2008-12-10 18:02 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2008-12-10 18:03 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2008-12-10 18:03 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2008-12-10 18:03 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-12-10 18:03 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2008-12-10 18:03 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2008-12-10 18:03 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2008-12-10 18:03 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2008-12-10 18:03 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-24 20:26 . 2005-05-12 03:39 -------- d-----w- c:\program files\Java
2009-11-21 22:04 . 2005-05-12 03:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-16 09:30 . 2009-10-14 17:55 -------- d-----w- c:\documents and settings\Krista Gorby\Application Data\LimeWire
2009-11-11 06:21 . 2005-10-07 00:36 7368 -c--a-w- c:\documents and settings\Krista Gorby\Application Data\wklnhst.dat
2009-11-10 12:51 . 2007-09-29 22:19 -------- d-----w- c:\documents and settings\Nancy Gorby\Application Data\Move Networks
2009-11-10 12:51 . 2009-08-06 09:40 127325 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Move Networks\uninstall.exe
2009-11-10 12:51 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-08 15:21 . 2008-05-29 04:47 22352 ----a-w- c:\documents and settings\Amber Gorby\Application Data\wklnhst.dat
2009-11-04 02:14 . 2009-11-04 02:14 -------- d-----w- c:\documents and settings\Nancy Gorby\Application Data\FCTB000060497
2009-11-04 02:13 . 2009-11-04 02:13 -------- d-----w- c:\documents and settings\finngorby\Application Data\FCTB000060497
2009-11-02 14:11 . 2005-05-12 03:51 -------- d-----w- c:\program files\MSN Encarta Plus
2009-11-02 06:00 . 2009-11-02 06:00 3584 ----a-r- c:\documents and settings\Krista Gorby\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-11-02 06:00 . 2009-11-02 06:00 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-11-02 05:59 . 2009-11-02 05:59 -------- d-----w- c:\program files\MSECACHE
2009-11-02 04:12 . 2009-11-02 04:12 593920 ----a-w- c:\documents and settings\Krista Gorby\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\octosh...190-0-main.dll
2009-11-02 04:11 . 2009-11-02 04:11 319488 ----a-w- c:\documents and settings\Krista Gorby\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2009-11-01 14:50 . 2009-11-04 02:14 72551 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\FCTB000060497\Toolbar\Uninst.exe
2009-11-01 14:50 . 2009-11-04 02:14 1432576 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\FCTB000060497\Toolbar\Toolbar.dll
2009-11-01 14:50 . 2009-11-04 02:14 242688 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\FCTB000060497\Toolbar\Helper.dll
2009-11-01 14:50 . 2009-11-01 14:51 72551 ----a-w- c:\documents and settings\Krista Gorby\Application Data\FCTB000060497\Toolbar\Uninst.exe
2009-11-01 14:50 . 2009-11-01 14:51 1432576 ----a-w- c:\documents and settings\Krista Gorby\Application Data\FCTB000060497\Toolbar\Toolbar.dll
2009-11-01 14:50 . 2009-11-01 14:51 242688 ----a-w- c:\documents and settings\Krista Gorby\Application Data\FCTB000060497\Toolbar\Helper.dll
2009-11-01 14:50 . 2009-10-31 11:46 -------- d-----w- c:\program files\MyPoints Toolbar 2.0
2009-10-31 14:58 . 2009-10-31 11:59 -------- d-----w- c:\program files\AIM
2009-10-31 14:47 . 2009-10-31 14:47 -------- d-----w- c:\documents and settings\Amber Gorby\Application Data\FCTB000060497
2009-10-31 12:00 . 2009-10-31 12:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2009-10-31 11:59 . 2005-10-04 08:29 -------- d-----w- c:\program files\Common Files\AOL
2009-10-31 11:48 . 2009-10-31 11:48 -------- d-----w- c:\documents and settings\Krista Gorby\Application Data\FCTB000060497
2009-10-31 00:28 . 2009-10-31 00:28 -------- d-----w- c:\documents and settings\finngorby\Application Data\SUPERAntiSpyware.com
2009-10-30 15:36 . 2009-10-30 15:36 -------- d-----w- c:\program files\SpywareBlaster
2009-10-30 15:36 . 2009-10-30 15:36 -------- d-----w- c:\program files\Instant RAM Booster
2009-10-30 15:36 . 2007-05-25 20:23 -------- d--h--w- c:\documents and settings\Krista Gorby\Application Data\Move Networks
2009-10-30 15:36 . 2005-05-12 04:07 -------- d-----w- c:\program files\QuickTime
2009-10-13 02:31 . 2009-11-04 02:14 371200 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\FCTB000060497\Toolbar\RSSReader_plugin.dll
2009-10-13 02:31 . 2009-11-01 14:51 371200 ----a-w- c:\documents and settings\Krista Gorby\Application Data\FCTB000060497\Toolbar\RSSReader_plugin.dll
2009-10-11 09:17 . 2008-11-24 22:57 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-07 00:07 . 2009-10-07 00:07 17772 ----a-w- c:\windows\pynyxax.bin
2009-10-07 00:07 . 2009-10-07 00:07 17106 ----a-w- c:\program files\Common Files\habe.lib
2009-10-07 00:07 . 2009-10-07 00:07 10905 ----a-w- c:\documents and settings\Krista Gorby\Application Data\ecyqafoxeg.dll
2009-10-07 00:07 . 2009-10-07 00:07 10905 ----a-w- c:\documents and settings\Krista Gorby\Application Data\ecyqafoxeg.dll
2009-10-07 00:07 . 2009-10-07 00:07 10295 ----a-w- c:\program files\Common Files\inupy.com
2009-10-07 00:07 . 2009-10-07 00:07 15467 ----a-w- c:\documents and settings\Krista Gorby\Local Settings\Application Data\vavefadi.com
2009-10-07 00:07 . 2009-10-07 00:07 16696 ----a-w- c:\windows\lefoq.com
2009-10-05 22:00 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-05 22:00 . 2009-10-05 22:00 1407680 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
2009-10-05 21:39 . 2009-10-05 21:39 64000 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Real\Update\setup\RUP\inst_config\gcapi_dll.dll
2009-10-05 21:39 . 2009-10-05 21:39 52288 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Real\Update\setup\RUP\inst_config\gtapi.dll
2009-10-05 21:39 . 2009-10-05 21:39 50688 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Real\Update\setup\RUP\inst_config\fftbapi.dll
2009-10-05 21:39 . 2009-10-05 21:39 114688 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Real\Update\setup\RUP\inst_config\compat.dll
2009-10-03 02:41 . 2009-11-04 02:14 290816 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\FCTB000060497\Toolbar\msgboxplugin.dll
2009-10-03 02:41 . 2009-11-01 14:51 290816 ----a-w- c:\documents and settings\Krista Gorby\Application Data\FCTB000060497\Toolbar\msgboxplugin.dll
2009-10-01 02:11 . 2009-11-04 02:14 399872 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\FCTB000060497\Toolbar\RadioPlugin.dll
2009-10-01 02:11 . 2009-11-01 14:51 399872 ----a-w- c:\documents and settings\Krista Gorby\Application Data\FCTB000060497\Toolbar\RadioPlugin.dll
2009-09-23 04:11 . 2009-09-23 04:10 17204720 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Real\Update\setup\rp\.exe
2009-09-23 04:10 . 2009-09-23 04:10 8406648 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Real\Update\setup\gtb_us\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2009-09-23 04:09 . 2009-09-23 04:08 10309448 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Real\Update\setup\chr\ChromeInstaller.exe
2009-09-23 04:06 . 2009-09-23 04:06 488968 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Real\Update\setup\setup.exe
2009-09-11 14:30 . 2009-09-11 14:29 7621144 ---h--w- c:\documents and settings\finngorby\Application Data\mjusbsp\ar00000\upgrade.exe
2009-09-11 14:18 . 2004-08-04 08:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54 . 2009-05-25 19:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-05-25 19:05 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 23:32 . 2009-11-04 02:14 207360 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\FCTB000060497\Toolbar\SearchComponent.dll
2009-09-08 23:32 . 2009-11-01 14:51 207360 ----a-w- c:\documents and settings\Krista Gorby\Application Data\FCTB000060497\Toolbar\SearchComponent.dll
2008-12-08 19:58 . 2008-12-08 19:58 1543089 -csh--w- c:\windows\system32\olizezim.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48}"= "c:\program files\Family Toolbar\tbhelper.dll" [2009-05-07 355840]

[HKEY_CLASSES_ROOT\clsid\{1c4ab6a5-595f-4e86-b15f-f93cce2bbd48}]
[HKEY_CLASSES_ROOT\URLSearchHook.MHURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{1EA6B471-CAD2-419a-9539-0586EEFE2D09}]
[HKEY_CLASSES_ROOT\URLSearchHook.MHURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C37B053-FD68-456a-82E1-D788EE342E6F}]
2009-05-07 21:46 2642432 ----a-w- c:\program files\Family Toolbar\tbcore3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{614BDA1F-9BEF-4CD1-BDE4-FA4804929B4A}]
2009-11-01 14:50 1432576 ----a-w- c:\program files\MyPoints Toolbar 2.0\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Toolbar 2.0\Toolbar.dll" [2009-11-01 1432576]

[HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Toolbar 2.0\Toolbar.dll" [2009-11-01 1432576]

[HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 68856]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-09-27 3660848]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-29 2001648]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeper.exe" [2004-06-28 3209728]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-12-02 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 339968]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 794624]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-05-12 98304]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2006-07-21 407032]
"Openwares LiveUpdate"="c:\program files\LiveUpdate\LiveUpdate.exe" [2003-12-13 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-10 185896]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-12-15 132624]
"Family Tree Builder Update"="c:\program files\MyHeritage\Bin\FTBCheckUpdates.exe" [2009-01-14 113680]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
REALTEK USB Wireless LAN Utility.lnk - c:\program files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe [2009-11-24 794624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-10-01 14:42 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-07-16 02:12 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11 49152 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
2000-06-07 20:32 36864 ----a-w- c:\windows\system32\spool\drivers\w32x86\2\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\Program Files\\Yahoo!\\browser\\ybrwicon.exe"=
"c:\\Program Files\\Samsung\\Samsung Media Studio 5\\SMSTray.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Documents and Settings\\finngorby\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Documents and Settings\\Nancy Gorby\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Documents and Settings\\Krista Gorby\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\TroubleShooter.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\ToolbarUpdate.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/10/2008 1:03 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 4:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 4:22 PM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/10/2008 1:03 PM 20560]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [11/24/2009 10:51 AM 38144]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/8/2008 11:31 AM 24652]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [3/22/2005 9:39 AM 200192]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [11/24/2009 10:51 AM 235648]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 4:22 PM 7408]
S1 cpqdap011;cpqdap011;c:\windows\system32\drivers\cpqdap011.sys --> c:\windows\system32\drivers\cpqdap011.sys [?]
S3 PentaxUsb;PENTAX Optio 60 on USB;c:\windows\system32\drivers\CoachUsb.sys [11/20/2005 5:30 AM 50976]
S3 PentaxVc;PENTAX Optio 60 Video Capture;c:\windows\system32\drivers\CoachVc.sys [11/20/2005 5:30 AM 44256]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
DPF: Jungle Gin by pogo - hxxp://game3.pogo.com/v/9.0.8.20/applet/gin2/gin2-en_US.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
Notify-nnnnKCuT - nnnnKCuT.dll
MSConfigStartUp-Aim6 - c:\program files\Common Files\AOL\Launch\AOLLaunch.exe
MSConfigStartUp-Blubster - c:\program files\Blubster\blubster.exe
MSConfigStartUp-Pure Networks Port Magic - c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe
MSConfigStartUp-SpiralFrog - c:\program files\SpiralFrog\Spiralfrog.exe
AddRemove-Microsoft Interactive Training - c:\windows\IsUninst.exe -fc:\windows\orun32.isu
AddRemove-SBC Self Support Tool - c:\progra~1\SBCSEL~1\CustomUninstall.exe
AddRemove-SBC Yahoo! UMUninstaller - c:\program files\SBC Yahoo!\umuninst.exe
AddRemove-Xvid_is1 - c:\program files\Xvid\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-07 16:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet009\Services\mchInjDrv]
"ImagePath"="\??\c:\docume~1\AMBERG~1\LOCALS~1\Temp\mc22.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,55,07,a3,88,32,90,0f,49,83,1e,5e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,55,07,a3,88,32,90,0f,49,83,1e,5e,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(464)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1396)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\brss01a.exe
c:\windows\system32\LEXBCES.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\HPQ\SHARED\HPQWMI.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-12-07 17:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-07 22:14

Pre-Run: 27,119,136,768 bytes free
Post-Run: 27,127,607,296 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=9 Default=9 Failed=8 LastKnownGood=11 Sets=1,2,3,4,5,6,7,8,9,11
- - End Of File - - 42C69495C39D80B964135AF30535CBA2
__________________
Athlynne is offline  
Old 12-08-2009, 03:16 PM   #10
Security Team
Analyst
 
Join Date: Mar 2007
Posts: 232
OS: XP & Vista



Hi,

At the moment, the important thing is that the AT&T antivirus is no longer running. What happens if you left-click on the icon in the taskbar?

=========================

Open notepad and copy/paste the text in the quotebox below into it:

Code:
http://www.techsupportforum.com/2480794-post9.html

Collect::
c:\windows\pynyxax.bin
c:\program files\Common Files\habe.lib
c:\documents and settings\Krista Gorby\Application Data\ecyqafoxeg.dll
c:\documents and settings\Krista Gorby\Application Data\ecyqafoxeg.dll
c:\program files\Common Files\inupy.com
c:\documents and settings\Krista Gorby\Local Settings\Application Data\vavefadi.com
c:\windows\lefoq.com

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\finngorby\\Application Data\\mjusbsp\\magicJack.exe"=-
"c:\\Documents and Settings\\Nancy Gorby\\Application Data\\mjusbsp\\magicJack.exe"=-
"c:\\Documents and Settings\\Krista Gorby\\Application Data\\mjusbsp\\magicJack.exe"=-

DDS::
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

FixCSet::
Save this as CFScript.txt





Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

=========================

Remove Programs
Please click Start > Control Panel > Add/Remove Programs.
Remove these programs by clicking Remove:

J2SE Runtime Environment 5.0 Update 2

If some programs listed are not present, please do not panic.

=========================

Please go to the Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with the ComboFix log and a description of how your computer is now behaving.
__________________
Carolyn is offline  
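The Registry:: part of the script above removes three firewall AuthorizedApplications entries that point into user profile folders (Application Data), using the CFScript convention that a value line ending in "=-" deletes that value. The helper below is an added example written for this thread; it is not ComboFix's code and not part of the analyst's reply. It reads the AuthorizedApplications block in the format the ComboFix logs above use, flags entries whose path sits under a user profile or a Temp folder (a triage heuristic, not a verdict: legitimate software such as magicJack lives there too), and emits a Registry:: section in the same syntax. The sample log block, the user name "someuser" and the two flagged paths are constructed for the example.

```python
"""Triage the firewall AuthorizedApplications block of a ComboFix log.

Added example for this thread; not ComboFix's own code. It parses the
[HKLM\\~\\...\\AuthorizedApplications\\List] block as ComboFix prints it
(paths quoted, backslashes doubled, one entry per line, block ends at a
blank line), flags entries located under a user profile or Temp folder,
and writes a CFScript Registry:: section that deletes those values with
the "=-" suffix used in the thread.
"""
import re

KEY = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"

# Constructed sample block in ComboFix's format; the paths are made up.
SAMPLE_LOG = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\someuser\\Application Data\\vendor\\app.exe"=
"c:\\Documents and Settings\\someuser\\Local Settings\\Temp\\updater.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys
'''

# One authorised-application entry: quoted path followed by "=".
ENTRY_RE = re.compile(r'^"(?P<path>[^"]+)"=$')

# Heuristic markers for user-writable locations (assumption: XP-era layout).
PROFILE_MARKERS = ("\\documents and settings\\", "\\temp\\")


def parse_authorized_apps(log_text):
    """Return the unescaped paths listed in the AuthorizedApplications block."""
    paths = []
    in_block = False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower() == KEY.lower():
            in_block = True
            continue
        if in_block:
            if not line:
                break  # ComboFix ends the block with a blank line
            m = ENTRY_RE.match(line)
            if m:
                # ComboFix doubles backslashes in this block; undo that.
                paths.append(m.group("path").replace("\\\\", "\\"))
    return paths


def is_profile_path(path):
    """True if the path lies under a user profile or a Temp directory."""
    p = path.lower()
    return any(marker in p for marker in PROFILE_MARKERS)


def flag_profile_entries(log_text):
    """Authorised applications that a reviewer should look at first."""
    return [p for p in parse_authorized_apps(log_text) if is_profile_path(p)]


def build_registry_section(paths):
    """CFScript Registry:: section deleting the given values ("=-" removes a value)."""
    lines = ["Registry::", KEY]
    for p in paths:
        # Re-double the backslashes, as the .reg-style CFScript syntax expects.
        lines.append('"%s"=-' % p.replace("\\", "\\\\"))
    return "\n".join(lines)


if __name__ == "__main__":
    flagged = flag_profile_entries(SAMPLE_LOG)
    print("entries under user-writable paths:")
    for p in flagged:
        print("  " + p)
    print()
    print(build_registry_section(flagged))
```

Review the flagged list by hand before turning it into a script: the heuristic only says where a program lives, not whether it is malicious, and the analyst in this thread chose which entries to drop after looking at the rest of the log.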
Old 12-09-2009, 01:19 PM   #11
Registered Member
 
Join Date: Nov 2009
Posts: 22
OS: Win XP



The logs are below! Thank you.

The computer is behaving okay, I guess. The only weird, recurring thing is that SuperAntiSpyware keeps popping up an alert that something tried to change my homepage (from google.com to google.com, weirdly enough), and asks me to either accept or lock the change. I always block it just in case. Scans sometimes pick up adware or spyware, but nothing related to this, it seems.

As for the old antivirus icon in my taskbar, nothing happens when I left-click it. If I right-click it I can bring up AT&T Yahoo Protection, which wants me to update it even though I haven't used it in years. How stubborn.

COMBOFIX LOG

ComboFix 09-12-08.07 - Amber Gorby 12/09/2009 10:35:17.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.191 [GMT -5:00]
Running from: c:\documents and settings\Amber Gorby\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Amber Gorby\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 091208-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\documents and settings\Krista Gorby\Application Data\ecyqafoxeg.dll
file zipped: c:\documents and settings\Krista Gorby\Local Settings\Application Data\vavefadi.com
file zipped: c:\program files\Common Files\habe.lib
file zipped: c:\program files\Common Files\inupy.com
file zipped: c:\windows\lefoq.com
file zipped: c:\windows\pynyxax.bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Krista Gorby\Application Data\ecyqafoxeg.dll
c:\documents and settings\Krista Gorby\Local Settings\Application Data\vavefadi.com
c:\program files\Common Files\habe.lib
c:\program files\Common Files\inupy.com
c:\windows\lefoq.com
c:\windows\pynyxax.bin

.
((((((((((((((((((((((((( Files Created from 2009-11-09 to 2009-12-09 )))))))))))))))))))))))))))))))
.

2009-12-07 21:49 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-12-07 21:49 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-12-07 01:31 . 2009-12-07 01:31 1445888 ----a-w- c:\documents and settings\Amber Gorby\DesktopWinsockxpFix.exe
2009-12-07 01:30 . 2009-12-07 01:30 186368 ----a-w- c:\documents and settings\Amber Gorby\DesktopLSPFix.exe
2009-12-07 01:30 . 2009-12-07 01:30 36864 ----a-w- c:\documents and settings\Amber Gorby\DesktopSafeMSI.exe
2009-12-07 01:09 . 2009-12-07 01:09 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-05 00:19 . 2009-12-07 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\CA-SupportBridge
2009-12-02 20:18 . 2009-12-02 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2009-12-02 20:11 . 2009-12-02 20:11 -------- d-----w- c:\program files\Siber Systems
2009-12-01 19:45 . 2009-12-01 19:45 -------- d-----w- c:\program files\CCleaner
2009-11-29 19:31 . 2009-11-29 19:31 -------- d-----w- c:\program files\Webroot
2009-11-29 19:31 . 2009-11-29 19:31 -------- d-----w- c:\documents and settings\Amber Gorby\Application Data\Webroot
2009-11-29 19:23 . 2009-11-29 19:29 -------- d-----w- c:\documents and settings\Amber Gorby\Application Data\Lavasoft
2009-11-26 01:47 . 2009-11-26 01:47 -------- d-----w- c:\program files\MSXML 4.0
2009-11-26 01:06 . 2009-11-26 01:07 -------- d-----w- c:\program files\MKVtoolnix
2009-11-24 15:51 . 2009-11-24 15:51 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-11-24 15:51 . 2007-05-21 07:29 235648 ----a-r- c:\windows\system32\drivers\RTL8187.sys
2009-11-24 15:51 . 2006-11-15 21:23 38144 ----a-r- c:\windows\system32\drivers\EAPPkt.sys
2009-11-24 15:51 . 2009-11-24 15:51 -------- d-----w- c:\windows\system32\RTL8187
2009-11-24 15:50 . 2009-11-24 15:50 -------- d-----w- c:\documents and settings\Amber Gorby\Application Data\InstallShield
2009-11-24 15:39 . 2009-11-24 15:39 -------- d-----w- c:\program files\IrfanView
2009-11-24 15:38 . 2009-11-24 15:38 -------- d-----w- c:\documents and settings\Krista Gorby\Local Settings\Application Data\SpiralfrogClient
2009-11-21 22:03 . 2009-11-24 15:52 -------- d-----w- c:\program files\REALTEK USB Wireless LAN Driver and Utility

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-07 01:08 . 2009-09-10 15:05 -------- d-----w- c:\documents and settings\Krista Gorby\Application Data\mjusbsp
2009-12-07 01:08 . 2009-09-08 14:32 -------- d-----w- c:\documents and settings\Nancy Gorby\Application Data\mjusbsp
2009-12-07 01:08 . 2009-09-11 14:29 -------- d-----w- c:\documents and settings\finngorby\Application Data\mjusbsp
2009-12-03 05:45 . 2007-12-31 23:21 -------- d-----w- c:\program files\WinAVI Video Capture
2009-12-03 05:41 . 2005-12-12 11:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-03 05:29 . 2009-06-10 02:04 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-12-03 05:29 . 2005-05-12 03:51 -------- d-----w- c:\program files\Microsoft Works
2009-12-03 05:23 . 2009-06-10 02:04 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-12-01 19:49 . 2005-12-12 11:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-01 19:20 . 2009-05-22 20:59 -------- d-----w- c:\program files\LimeWire
2009-11-29 23:47 . 2008-09-16 21:05 -------- d-----w- c:\documents and settings\Amber Gorby\Application Data\LimeWire
2009-11-29 19:04 . 2008-11-28 20:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-24 23:54 . 2008-12-10 18:02 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2008-12-10 18:03 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2008-12-10 18:03 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2008-12-10 18:03 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-12-10 18:03 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2008-12-10 18:03 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2008-12-10 18:03 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2008-12-10 18:03 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2008-12-10 18:03 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-24 20:26 . 2005-05-12 03:39 -------- d-----w- c:\program files\Java
2009-11-21 22:04 . 2005-05-12 03:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-16 09:30 . 2009-10-14 17:55 -------- d-----w- c:\documents and settings\Krista Gorby\Application Data\LimeWire
2009-11-11 06:21 . 2005-10-07 00:36 7368 -c--a-w- c:\documents and settings\Krista Gorby\Application Data\wklnhst.dat
2009-11-10 12:51 . 2007-09-29 22:19 -------- d-----w- c:\documents and settings\Nancy Gorby\Application Data\Move Networks
2009-11-08 15:21 . 2008-05-29 04:47 22352 ----a-w- c:\documents and settings\Amber Gorby\Application Data\wklnhst.dat
2009-11-04 02:14 . 2009-11-04 02:14 -------- d-----w- c:\documents and settings\Nancy Gorby\Application Data\FCTB000060497
2009-11-04 02:13 . 2009-11-04 02:13 -------- d-----w- c:\documents and settings\finngorby\Application Data\FCTB000060497
2009-11-02 14:11 . 2005-05-12 03:51 -------- d-----w- c:\program files\MSN Encarta Plus
2009-11-02 06:00 . 2009-11-02 06:00 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-11-02 05:59 . 2009-11-02 05:59 -------- d-----w- c:\program files\MSECACHE
2009-11-01 14:50 . 2009-10-31 11:46 -------- d-----w- c:\program files\MyPoints Toolbar 2.0
2009-10-31 14:58 . 2009-10-31 11:59 -------- d-----w- c:\program files\AIM
2009-10-31 14:47 . 2009-10-31 14:47 -------- d-----w- c:\documents and settings\Amber Gorby\Application Data\FCTB000060497
2009-10-31 12:00 . 2009-10-31 12:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2009-10-31 11:59 . 2005-10-04 08:29 -------- d-----w- c:\program files\Common Files\AOL
2009-10-31 11:48 . 2009-10-31 11:48 -------- d-----w- c:\documents and settings\Krista Gorby\Application Data\FCTB000060497
2009-10-31 00:28 . 2009-10-31 00:28 -------- d-----w- c:\documents and settings\finngorby\Application Data\SUPERAntiSpyware.com
2009-10-30 15:36 . 2009-10-30 15:36 -------- d-----w- c:\program files\SpywareBlaster
2009-10-30 15:36 . 2009-10-30 15:36 -------- d-----w- c:\program files\Instant RAM Booster
2009-10-30 15:36 . 2007-05-25 20:23 -------- d--h--w- c:\documents and settings\Krista Gorby\Application Data\Move Networks
2009-10-30 15:36 . 2005-05-12 04:07 -------- d-----w- c:\program files\QuickTime
2009-10-11 09:17 . 2008-11-24 22:57 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18 . 2004-08-04 08:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54 . 2009-05-25 19:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-05-25 19:05 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-12-08 19:58 . 2008-12-08 19:58 1543089 -csh--w- c:\windows\system32\olizezim.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48}"= "c:\program files\Family Toolbar\tbhelper.dll" [2009-05-07 355840]

[HKEY_CLASSES_ROOT\clsid\{1c4ab6a5-595f-4e86-b15f-f93cce2bbd48}]
[HKEY_CLASSES_ROOT\URLSearchHook.MHURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{1EA6B471-CAD2-419a-9539-0586EEFE2D09}]
[HKEY_CLASSES_ROOT\URLSearchHook.MHURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C37B053-FD68-456a-82E1-D788EE342E6F}]
2009-05-07 21:46 2642432 ----a-w- c:\program files\Family Toolbar\tbcore3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{614BDA1F-9BEF-4CD1-BDE4-FA4804929B4A}]
2009-11-01 14:50 1432576 ----a-w- c:\program files\MyPoints Toolbar 2.0\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Toolbar 2.0\Toolbar.dll" [2009-11-01 1432576]

[HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Toolbar 2.0\Toolbar.dll" [2009-11-01 1432576]

[HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 68856]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-09-27 3660848]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-29 2001648]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeper.exe" [2004-06-28 3209728]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-12-02 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 339968]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 794624]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-05-12 98304]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2006-07-21 407032]
"Openwares LiveUpdate"="c:\program files\LiveUpdate\LiveUpdate.exe" [2003-12-13 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-10 185896]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-12-15 132624]
"Family Tree Builder Update"="c:\program files\MyHeritage\Bin\FTBCheckUpdates.exe" [2009-01-14 113680]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
REALTEK USB Wireless LAN Utility.lnk - c:\program files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe [2009-11-24 794624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-10-01 14:42 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-07-16 02:12 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11 49152 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
2000-06-07 20:32 36864 ----a-w- c:\windows\system32\spool\drivers\w32x86\2\printray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\Program Files\\Yahoo!\\browser\\ybrwicon.exe"=
"c:\\Program Files\\Samsung\\Samsung Media Studio 5\\SMSTray.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Documents and Settings\\Nancy Gorby\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\TroubleShooter.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\ToolbarUpdate.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/10/2008 1:03 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 4:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 4:22 PM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/10/2008 1:03 PM 20560]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [11/24/2009 10:51 AM 38144]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [3/22/2005 9:39 AM 200192]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [11/24/2009 10:51 AM 235648]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 4:22 PM 7408]
S1 cpqdap011;cpqdap011;c:\windows\system32\drivers\cpqdap011.sys --> c:\windows\system32\drivers\cpqdap011.sys [?]
S3 PentaxUsb;PENTAX Optio 60 on USB;c:\windows\system32\drivers\CoachUsb.sys [11/20/2005 5:30 AM 50976]
S3 PentaxVc;PENTAX Optio 60 Video Capture;c:\windows\system32\drivers\CoachVc.sys [11/20/2005 5:30 AM 44256]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
DPF: Jungle Gin by pogo - hxxp://game3.pogo.com/v/9.0.8.20/applet/gin2/gin2-en_US.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-09 10:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet009\Services\mchInjDrv]
"ImagePath"="\??\c:\docume~1\AMBERG~1\LOCALS~1\Temp\mc22.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(468)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3212)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\brss01a.exe
c:\windows\system32\LEXBCES.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\HPQ\SHARED\HPQWMI.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-12-09 11:03:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-09 16:03
ComboFix2.txt 2009-12-07 22:14

Pre-Run: 26,968,719,360 bytes free
Post-Run: 26,937,106,432 bytes free

Current=9 Default=9 Failed=8 LastKnownGood=11 Sets=1,2,3,4,5,6,7,8,9,11
- - End Of File - - 66AFF11863A76FC70453A409464815F7


KASPERSKY LOG

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, December 9, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, December 09, 2009 11:12:15
Records in database: 3346997
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 89923
Threats found: 1
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 03:56:20


File name / Threat / Threats count
C:\Program Files\Common Files\aolback\Comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP26\A0032140.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

Selected area has been scanned.
Old 12-11-2009, 09:29 AM   #12
Security Team
Analyst
Join Date: Mar 2007
Posts: 232
OS: XP & Vista



Hello again,

I apologize for not replying sooner.

Uninstaller for Yahoo Online Protection

Please download and run this tool, yaxclean.exe. Follow the prompts and be sure to reboot the computer when asked to do so. I understand that you may need to reboot the computer twice.

Next, please scan with ComboFix once more and post the resulting log for my review. Also, please let me know if the tray icon and add/remove program entry for Yahoo Online Protection have been removed.
Old 12-11-2009, 10:55 AM   #13
Registered Member
Join Date: Nov 2009
Posts: 22
OS: Win XP



Actually, you've been responding very promptly, thank you.

Done and done! Log is below. There's been no change in the AT&T antivirus: the icon is still there, and so is the add/remove entry for it. I tried to remove it again that way, but it still says the base components can't be removed because other programs are using them. I don't know what programs they mean; I can't think of any other Yahoo programs I have.

COMBOFIX LOG:

ComboFix 09-12-08.07 - Amber Gorby 12/11/2009 13:21:22.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.196 [GMT -5:00]
Running from: c:\documents and settings\Amber Gorby\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 091211-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2009-11-11 to 2009-12-11 )))))))))))))))))))))))))))))))
.

2009-12-10 18:05 . 2006-10-06 14:35 90112 ----a-w- c:\windows\system32\lfjbg13n.dll
2009-12-10 18:05 . 2006-10-06 14:35 73728 ----a-w- c:\windows\system32\lffax13n.dll
2009-12-10 18:05 . 2006-10-06 14:35 453120 ----a-w- c:\windows\system32\ltkrn13n.dll
2009-12-10 18:05 . 2006-10-06 14:35 445440 ----a-w- c:\windows\system32\ltimg13n.dll
2009-12-10 18:05 . 2006-10-06 14:35 388608 ----a-w- c:\windows\system32\lfcmp13n.dll
2009-12-10 18:05 . 2006-10-06 14:35 265216 ----a-w- c:\windows\system32\ltdis13n.dll
2009-12-10 18:05 . 2006-10-06 14:35 246272 ----a-w- c:\windows\system32\lfj2k13n.dll
2009-12-10 18:05 . 2006-10-06 14:35 206848 ----a-w- c:\windows\system32\ltefx13n.dll
2009-12-10 18:05 . 2006-10-06 14:35 1693696 ----a-w- c:\windows\system32\ltclr13n.dll
2009-12-10 18:05 . 2006-10-06 14:35 154112 ----a-w- c:\windows\system32\ltfil13n.dll
2009-12-10 18:05 . 2006-10-06 14:35 142848 ----a-w- c:\windows\system32\lftif13n.dll
2009-12-10 17:33 . 2009-12-10 18:05 -------- d-----w- c:\program files\MFInstall
2009-12-07 21:49 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-12-07 21:49 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-12-07 01:31 . 2009-12-07 01:31 1445888 ----a-w- c:\documents and settings\Amber Gorby\DesktopWinsockxpFix.exe
2009-12-07 01:30 . 2009-12-07 01:30 186368 ----a-w- c:\documents and settings\Amber Gorby\DesktopLSPFix.exe
2009-12-07 01:30 . 2009-12-07 01:30 36864 ----a-w- c:\documents and settings\Amber Gorby\DesktopSafeMSI.exe
2009-12-07 01:27 . 2009-12-07 01:27 20232 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SelfServe_rc.dll
2009-12-07 01:27 . 2009-12-07 01:27 615688 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SelfServe.exe
2009-12-07 01:26 . 2009-12-07 01:27 357640 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SoftwareUpdater.exe
2009-12-07 01:24 . 2009-12-07 01:26 632072 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\msvcr80.dll
2009-12-07 01:09 . 2009-12-07 01:09 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-05 00:19 . 2009-12-07 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\CA-SupportBridge
2009-12-02 20:18 . 2009-12-02 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2009-12-02 20:11 . 2009-12-02 20:11 -------- d-----w- c:\program files\Siber Systems
2009-12-01 19:45 . 2009-12-01 19:45 -------- d-----w- c:\program files\CCleaner
2009-11-29 19:31 . 2009-11-29 19:31 -------- d-----w- c:\program files\Webroot
2009-11-29 19:31 . 2009-11-29 19:31 -------- d-----w- c:\documents and settings\Amber Gorby\Application Data\Webroot
2009-11-29 19:23 . 2009-11-29 19:29 -------- d-----w- c:\documents and settings\Amber Gorby\Application Data\Lavasoft
2009-11-26 01:47 . 2009-11-26 01:47 -------- d-----w- c:\program files\MSXML 4.0
2009-11-26 01:06 . 2009-11-26 01:07 -------- d-----w- c:\program files\MKVtoolnix
2009-11-24 20:24 . 2009-11-24 20:24 152576 ----a-w- c:\documents and settings\Amber Gorby\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-24 18:28 . 2009-11-24 20:24 79488 ----a-w- c:\documents and settings\Amber Gorby\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-24 15:51 . 2009-11-24 15:51 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-11-24 15:51 . 2007-05-21 07:29 235648 ----a-r- c:\windows\system32\drivers\RTL8187.sys
2009-11-24 15:51 . 2006-11-15 21:23 38144 ----a-r- c:\windows\system32\drivers\EAPPkt.sys
2009-11-24 15:51 . 2009-11-24 15:51 -------- d-----w- c:\windows\system32\RTL8187
2009-11-24 15:50 . 2009-11-24 15:50 -------- d-----w- c:\documents and settings\Amber Gorby\Application Data\InstallShield
2009-11-24 15:39 . 2009-11-24 15:39 -------- d-----w- c:\program files\IrfanView
2009-11-24 15:38 . 2009-11-24 15:38 -------- d-----w- c:\documents and settings\Krista Gorby\Local Settings\Application Data\SpiralfrogClient
2009-11-21 22:03 . 2009-11-24 15:52 -------- d-----w- c:\program files\REALTEK USB Wireless LAN Driver and Utility

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-09 16:10 . 2005-05-12 03:39 -------- d-----w- c:\program files\Java
2009-12-09 15:22 . 2009-05-23 00:51 117760 ----a-w- c:\documents and settings\Amber Gorby\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-07 06:55 . 2009-07-21 15:42 117760 ----a-w- c:\documents and settings\Krista Gorby\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-07 01:08 . 2009-09-10 15:05 -------- d-----w- c:\documents and settings\Krista Gorby\Application Data\mjusbsp
2009-12-07 01:08 . 2009-09-08 14:32 -------- d-----w- c:\documents and settings\Nancy Gorby\Application Data\mjusbsp
2009-12-07 01:08 . 2009-09-11 14:29 -------- d-----w- c:\documents and settings\finngorby\Application Data\mjusbsp
2009-12-03 05:45 . 2007-12-31 23:21 -------- d-----w- c:\program files\WinAVI Video Capture
2009-12-03 05:41 . 2005-12-12 11:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-03 05:29 . 2009-06-10 02:04 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-12-03 05:29 . 2005-05-12 03:51 -------- d-----w- c:\program files\Microsoft Works
2009-12-03 05:23 . 2009-06-10 02:04 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-12-02 16:20 . 2009-05-29 23:25 1 ----a-w- c:\documents and settings\Amber Gorby\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-01 19:49 . 2005-12-12 11:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-01 19:20 . 2009-05-22 20:59 -------- d-----w- c:\program files\LimeWire
2009-11-29 23:47 . 2008-09-16 21:05 -------- d-----w- c:\documents and settings\Amber Gorby\Application Data\LimeWire
2009-11-29 19:04 . 2008-11-28 20:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-24 23:54 . 2008-12-10 18:02 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2008-12-10 18:03 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2008-12-10 18:03 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2008-12-10 18:03 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-12-10 18:03 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2008-12-10 18:03 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2008-12-10 18:03 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2008-12-10 18:03 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2008-12-10 18:03 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-21 22:04 . 2005-05-12 03:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-16 09:30 . 2009-10-14 17:55 -------- d-----w- c:\documents and settings\Krista Gorby\Application Data\LimeWire
2009-11-11 06:21 . 2005-10-07 00:36 7368 -c--a-w- c:\documents and settings\Krista Gorby\Application Data\wklnhst.dat
2009-11-10 12:51 . 2007-09-29 22:19 -------- d-----w- c:\documents and settings\Nancy Gorby\Application Data\Move Networks
2009-11-10 12:51 . 2009-08-06 09:40 127325 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Move Networks\uninstall.exe
2009-11-10 12:51 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-10 12:50 . 2009-11-10 12:50 1408800 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe
2009-11-08 15:21 . 2008-05-29 04:47 22352 ----a-w- c:\documents and settings\Amber Gorby\Application Data\wklnhst.dat
2009-11-04 02:14 . 2009-11-04 02:14 -------- d-----w- c:\documents and settings\Nancy Gorby\Application Data\FCTB000060497
2009-11-04 02:13 . 2009-11-04 02:13 -------- d-----w- c:\documents and settings\finngorby\Application Data\FCTB000060497
2009-11-02 14:11 . 2005-05-12 03:51 -------- d-----w- c:\program files\MSN Encarta Plus
2009-11-02 06:00 . 2009-11-02 06:00 3584 ----a-r- c:\documents and settings\Krista Gorby\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-11-02 06:00 . 2009-11-02 06:00 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-11-02 05:59 . 2009-11-02 05:59 -------- d-----w- c:\program files\MSECACHE
2009-11-02 04:12 . 2009-11-02 04:12 593920 ----a-w- c:\documents and settings\Krista Gorby\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\octosh...190-0-main.dll
2009-11-02 04:11 . 2009-11-02 04:11 319488 ----a-w- c:\documents and settings\Krista Gorby\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2009-11-01 14:50 . 2009-11-04 02:14 72551 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\FCTB000060497\Toolbar\Uninst.exe
2009-11-01 14:50 . 2009-11-04 02:14 1432576 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\FCTB000060497\Toolbar\Toolbar.dll
2009-11-01 14:50 . 2009-11-04 02:14 242688 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\FCTB000060497\Toolbar\Helper.dll
2009-11-01 14:50 . 2009-11-01 14:51 72551 ----a-w- c:\documents and settings\Krista Gorby\Application Data\FCTB000060497\Toolbar\Uninst.exe
2009-11-01 14:50 . 2009-11-01 14:51 1432576 ----a-w- c:\documents and settings\Krista Gorby\Application Data\FCTB000060497\Toolbar\Toolbar.dll
2009-11-01 14:50 . 2009-11-01 14:51 242688 ----a-w- c:\documents and settings\Krista Gorby\Application Data\FCTB000060497\Toolbar\Helper.dll
2009-11-01 14:50 . 2009-10-31 11:46 -------- d-----w- c:\program files\MyPoints Toolbar 2.0
2009-10-31 14:58 . 2009-10-31 11:59 -------- d-----w- c:\program files\AIM
2009-10-31 14:47 . 2009-10-31 14:47 -------- d-----w- c:\documents and settings\Amber Gorby\Application Data\FCTB000060497
2009-10-31 12:00 . 2009-10-31 12:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2009-10-31 11:59 . 2005-10-04 08:29 -------- d-----w- c:\program files\Common Files\AOL
2009-10-31 11:48 . 2009-10-31 11:48 -------- d-----w- c:\documents and settings\Krista Gorby\Application Data\FCTB000060497
2009-10-31 00:28 . 2009-10-31 00:28 -------- d-----w- c:\documents and settings\finngorby\Application Data\SUPERAntiSpyware.com
2009-10-30 15:36 . 2009-10-30 15:36 -------- d-----w- c:\program files\SpywareBlaster
2009-10-30 15:36 . 2009-10-30 15:36 -------- d-----w- c:\program files\Instant RAM Booster
2009-10-30 15:36 . 2007-05-25 20:23 -------- d--h--w- c:\documents and settings\Krista Gorby\Application Data\Move Networks
2009-10-30 15:36 . 2005-05-12 04:07 -------- d-----w- c:\program files\QuickTime
2009-10-29 07:45 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 08:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 08:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 08:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 08:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 02:31 . 2009-11-04 02:14 371200 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\FCTB000060497\Toolbar\RSSReader_plugin.dll
2009-10-13 02:31 . 2009-11-01 14:51 371200 ----a-w- c:\documents and settings\Krista Gorby\Application Data\FCTB000060497\Toolbar\RSSReader_plugin.dll
2009-10-12 13:38 . 2004-08-04 08:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 08:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 09:17 . 2008-11-24 22:57 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-05 22:00 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-05 22:00 . 2009-10-05 22:00 1407680 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
2009-10-05 21:39 . 2009-10-05 21:39 64000 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Real\Update\setup\RUP\inst_config\gcapi_dll.dll
2009-10-05 21:39 . 2009-10-05 21:39 52288 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Real\Update\setup\RUP\inst_config\gtapi.dll
2009-10-05 21:39 . 2009-10-05 21:39 50688 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Real\Update\setup\RUP\inst_config\fftbapi.dll
2009-10-05 21:39 . 2009-10-05 21:39 114688 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Real\Update\setup\RUP\inst_config\compat.dll
2009-10-03 02:41 . 2009-11-04 02:14 290816 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\FCTB000060497\Toolbar\msgboxplugin.dll
2009-10-03 02:41 . 2009-11-01 14:51 290816 ----a-w- c:\documents and settings\Krista Gorby\Application Data\FCTB000060497\Toolbar\msgboxplugin.dll
2009-10-01 02:11 . 2009-11-04 02:14 399872 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\FCTB000060497\Toolbar\RadioPlugin.dll
2009-10-01 02:11 . 2009-11-01 14:51 399872 ----a-w- c:\documents and settings\Krista Gorby\Application Data\FCTB000060497\Toolbar\RadioPlugin.dll
2009-09-23 04:11 . 2009-09-23 04:10 17204720 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Real\Update\setup\rp\.exe
2009-09-23 04:10 . 2009-09-23 04:10 8406648 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Real\Update\setup\gtb_us\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2009-09-23 04:09 . 2009-09-23 04:08 10309448 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Real\Update\setup\chr\ChromeInstaller.exe
2009-09-23 04:06 . 2009-09-23 04:06 488968 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Real\Update\setup\setup.exe
2008-12-08 19:58 . 2008-12-08 19:58 1543089 -csh--w- c:\windows\system32\olizezim.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-12-07_21.56.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-11 18:16 . 2009-12-11 18:16 16384 c:\windows\Temp\Perflib_Perfdata_6e8.dat
+ 2009-12-11 18:16 . 2009-12-11 18:16 16384 c:\windows\Temp\Perflib_Perfdata_420.dat
+ 2004-08-07 13:10 . 2009-12-11 16:16 54010 c:\windows\system32\perfc009.dat
- 2004-08-07 13:10 . 2009-11-05 15:23 54010 c:\windows\system32\perfc009.dat
- 2009-03-08 08:31 . 2009-08-29 08:08 55296 c:\windows\system32\msfeedsbs.dll
+ 2009-03-08 08:31 . 2009-10-29 07:45 55296 c:\windows\system32\msfeedsbs.dll
+ 2004-08-04 08:00 . 2009-10-29 07:45 25600 c:\windows\system32\jsproxy.dll
- 2004-08-04 08:00 . 2009-08-29 08:08 25600 c:\windows\system32\jsproxy.dll
+ 2009-07-22 13:04 . 2009-10-29 07:45 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-07-22 13:04 . 2009-08-29 08:08 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2009-10-21 05:38 . 2009-10-21 05:38 75776 c:\windows\system32\dllcache\strmfilt.dll
+ 2009-10-12 13:38 . 2009-10-12 13:38 79872 c:\windows\system32\dllcache\raschap.dll
- 2009-07-29 05:40 . 2009-08-29 08:08 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2009-07-29 05:40 . 2009-10-29 07:45 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2009-03-08 08:33 . 2009-08-29 08:08 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2009-03-08 08:33 . 2009-10-29 07:45 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2009-10-21 05:38 . 2009-10-21 05:38 25088 c:\windows\system32\dllcache\httpapi.dll
+ 2009-12-10 19:12 . 2009-08-29 08:08 12800 c:\windows\ie8updates\KB976325-IE8\xpshims.dll
+ 2009-12-10 19:12 . 2009-08-29 08:08 55296 c:\windows\ie8updates\KB976325-IE8\msfeedsbs.dll
+ 2009-12-10 19:12 . 2009-08-29 08:08 25600 c:\windows\ie8updates\KB976325-IE8\jsproxy.dll
+ 2004-08-04 08:00 . 2009-08-25 09:17 354816 c:\windows\system32\winhttp.dll
- 2004-08-07 13:10 . 2009-11-05 15:23 383822 c:\windows\system32\perfh009.dat
+ 2004-08-07 13:10 . 2009-12-11 16:16 383822 c:\windows\system32\perfh009.dat
- 2004-08-04 08:00 . 2009-08-29 08:08 206848 c:\windows\system32\occache.dll
+ 2004-08-04 08:00 . 2009-10-29 07:45 206848 c:\windows\system32\occache.dll
- 2009-03-08 08:32 . 2009-08-29 08:08 594432 c:\windows\system32\msfeeds.dll
+ 2009-03-08 08:32 . 2009-10-29 07:45 594432 c:\windows\system32\msfeeds.dll
+ 2004-08-04 08:00 . 2009-10-29 07:45 184320 c:\windows\system32\iepeers.dll
- 2004-08-04 08:00 . 2009-08-29 08:08 184320 c:\windows\system32\iepeers.dll
- 2004-08-04 08:00 . 2009-08-29 08:08 387584 c:\windows\system32\iedkcs32.dll
+ 2004-08-04 08:00 . 2009-10-29 07:45 387584 c:\windows\system32\iedkcs32.dll
+ 2004-08-04 08:00 . 2009-10-28 14:40 173056 c:\windows\system32\ie4uinit.exe
- 2004-08-04 08:00 . 2009-08-28 10:35 173056 c:\windows\system32\ie4uinit.exe
- 2008-04-21 06:44 . 2009-08-29 08:08 916480 c:\windows\system32\dllcache\wininet.dll
+ 2008-04-21 06:44 . 2009-10-29 07:45 916480 c:\windows\system32\dllcache\wininet.dll
+ 2008-12-16 12:30 . 2009-08-25 09:17 354816 c:\windows\system32\dllcache\winhttp.dll
+ 2009-10-12 13:38 . 2009-10-12 13:38 149504 c:\windows\system32\dllcache\rastls.dll
- 2009-03-08 08:34 . 2009-08-29 08:08 206848 c:\windows\system32\dllcache\occache.dll
+ 2009-03-08 08:34 . 2009-10-29 07:45 206848 c:\windows\system32\dllcache\occache.dll
+ 2009-10-13 10:30 . 2009-10-13 10:30 270336 c:\windows\system32\dllcache\oakley.dll
- 2009-07-29 05:40 . 2009-08-29 08:08 594432 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-07-29 05:40 . 2009-10-29 07:45 594432 c:\windows\system32\dllcache\msfeeds.dll
- 2009-07-22 13:04 . 2009-08-29 08:08 246272 c:\windows\system32\dllcache\ieproxy.dll
+ 2009-07-22 13:04 . 2009-10-29 07:45 246272 c:\windows\system32\dllcache\ieproxy.dll
+ 2009-03-08 08:31 . 2009-10-29 07:45 184320 c:\windows\system32\dllcache\iepeers.dll
- 2009-03-08 08:31 . 2009-08-29 08:08 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2009-03-08 18:09 . 2009-10-29 07:45 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2009-03-08 18:09 . 2009-08-29 08:08 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2009-03-08 08:32 . 2009-10-28 14:40 173056 c:\windows\system32\dllcache\ie4uinit.exe
- 2009-03-08 08:32 . 2009-08-28 10:35 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-10-20 16:20 . 2009-10-20 16:20 265728 c:\windows\system32\dllcache\http.sys
+ 2009-12-10 19:12 . 2009-08-29 08:08 916480 c:\windows\ie8updates\KB976325-IE8\wininet.dll
+ 2009-12-10 19:12 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB976325-IE8\spuninst\updspapi.dll
+ 2009-12-10 19:12 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB976325-IE8\spuninst\spuninst.exe
+ 2009-12-10 19:12 . 2009-08-29 08:08 206848 c:\windows\ie8updates\KB976325-IE8\occache.dll
+ 2009-12-10 19:12 . 2009-08-29 08:08 594432 c:\windows\ie8updates\KB976325-IE8\msfeeds.dll
+ 2009-12-10 19:12 . 2009-08-29 08:08 246272 c:\windows\ie8updates\KB976325-IE8\ieproxy.dll
+ 2009-12-10 19:12 . 2009-08-29 08:08 184320 c:\windows\ie8updates\KB976325-IE8\iepeers.dll
+ 2009-12-10 19:12 . 2009-08-29 08:08 387584 c:\windows\ie8updates\KB976325-IE8\iedkcs32.dll
+ 2009-12-10 19:12 . 2009-08-28 10:35 173056 c:\windows\ie8updates\KB976325-IE8\ie4uinit.exe
+ 2009-10-20 16:20 . 2009-10-20 16:20 265728 c:\windows\Driver Cache\i386\http.sys
+ 2004-08-04 08:00 . 2009-10-29 07:45 1208832 c:\windows\system32\urlmon.dll
- 2004-08-04 08:00 . 2009-08-29 08:08 1208832 c:\windows\system32\urlmon.dll
+ 2004-08-04 08:00 . 2009-10-29 07:45 5940736 c:\windows\system32\mshtml.dll
- 2009-03-08 08:32 . 2009-08-29 08:08 1985536 c:\windows\system32\iertutil.dll
+ 2009-03-08 08:32 . 2009-10-29 07:45 1985536 c:\windows\system32\iertutil.dll
- 2008-06-26 08:15 . 2009-08-29 08:08 1208832 c:\windows\system32\dllcache\urlmon.dll
+ 2008-06-26 08:15 . 2009-10-29 07:45 1208832 c:\windows\system32\dllcache\urlmon.dll
+ 2008-04-21 06:44 . 2009-10-29 07:45 5940736 c:\windows\system32\dllcache\mshtml.dll
- 2009-07-22 13:04 . 2009-08-29 08:08 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2009-07-22 13:04 . 2009-10-29 07:45 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2009-12-10 19:12 . 2009-08-29 08:08 1208832 c:\windows\ie8updates\KB976325-IE8\urlmon.dll
+ 2009-12-10 19:12 . 2009-10-22 09:19 5939712 c:\windows\ie8updates\KB976325-IE8\mshtml.dll
+ 2009-12-10 19:12 . 2009-08-29 08:08 1985536 c:\windows\ie8updates\KB976325-IE8\iertutil.dll
+ 2009-10-29 15:06 . 2009-12-01 20:06 25966024 c:\windows\system32\MRT.exe
+ 2009-03-08 08:39 . 2009-10-29 07:45 11069952 c:\windows\system32\ieframe.dll
+ 2009-07-22 13:04 . 2009-10-29 07:45 11069952 c:\windows\system32\dllcache\ieframe.dll
+ 2009-12-10 19:12 . 2009-08-29 08:08 11069440 c:\windows\ie8updates\KB976325-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48}"= "c:\program files\Family Toolbar\tbhelper.dll" [2009-05-07 355840]

[HKEY_CLASSES_ROOT\clsid\{1c4ab6a5-595f-4e86-b15f-f93cce2bbd48}]
[HKEY_CLASSES_ROOT\URLSearchHook.MHURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{1EA6B471-CAD2-419a-9539-0586EEFE2D09}]
[HKEY_CLASSES_ROOT\URLSearchHook.MHURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C37B053-FD68-456a-82E1-D788EE342E6F}]
2009-05-07 21:46 2642432 ----a-w- c:\program files\Family Toolbar\tbcore3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{614BDA1F-9BEF-4CD1-BDE4-FA4804929B4A}]
2009-11-01 14:50 1432576 ----a-w- c:\program files\MyPoints Toolbar 2.0\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Toolbar 2.0\Toolbar.dll" [2009-11-01 1432576]

[HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Toolbar 2.0\Toolbar.dll" [2009-11-01 1432576]

[HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 68856]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-09-27 3660848]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-29 2001648]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeper.exe" [2004-06-28 3209728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 339968]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 794624]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2006-07-21 407032]
"Openwares LiveUpdate"="c:\program files\LiveUpdate\LiveUpdate.exe" [2003-12-13 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-10 185896]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-12-15 132624]
"Family Tree Builder Update"="c:\program files\MyHeritage\Bin\FTBCheckUpdates.exe" [2009-01-14 113680]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
REALTEK USB Wireless LAN Utility.lnk - c:\program files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe [2009-11-24 794624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-10-01 14:42 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-07-16 02:12 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11 49152 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
2000-06-07 20:32 36864 ----a-w- c:\windows\system32\spool\drivers\w32x86\2\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-05-12 04:07 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\Program Files\\Yahoo!\\browser\\ybrwicon.exe"=
"c:\\Program Files\\Samsung\\Samsung Media Studio 5\\SMSTray.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Documents and Settings\\Nancy Gorby\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\TroubleShooter.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\ToolbarUpdate.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/10/2008 1:03 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 4:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 4:22 PM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/10/2008 1:03 PM 20560]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [11/24/2009 10:51 AM 38144]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/8/2008 11:31 AM 24652]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [3/22/2005 9:39 AM 200192]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 4:22 PM 7408]
S1 cpqdap011;cpqdap011;c:\windows\system32\drivers\cpqdap011.sys --> c:\windows\system32\drivers\cpqdap011.sys [?]
S3 PentaxUsb;PENTAX Optio 60 on USB;c:\windows\system32\drivers\CoachUsb.sys [11/20/2005 5:30 AM 50976]
S3 PentaxVc;PENTAX Optio 60 Video Capture;c:\windows\system32\drivers\CoachVc.sys [11/20/2005 5:30 AM 44256]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [11/24/2009 10:51 AM 235648]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
DPF: Jungle Gin by pogo - hxxp://game3.pogo.com/v/9.0.8.20/applet/gin2/gin2-en_US.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-11 13:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(416)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(476)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-12-11 13:35:23
ComboFix-quarantined-files.txt 2009-12-11 18:35
ComboFix2.txt 2009-12-09 16:03
ComboFix3.txt 2009-12-07 22:14

Pre-Run: 26,212,102,144 bytes free
Post-Run: 26,261,168,128 bytes free

Current=9 Default=9 Failed=8 LastKnownGood=11 Sets=1,2,3,4,5,6,7,8,9,11
- - End Of File - - 4115200EC59634D9FA9D7B73E0D8D28B
Old 12-13-2009, 10:17 AM   #14
Carolyn, Security Team Analyst (Join Date: Mar 2007; Posts: 232; OS: XP & Vista)

Hello Athlynne

Quote:
it still says the base components can't be removed because other programs are using them. I don't know what programs they mean, I can't think of any other Yahoo programs I have.
Perhaps it is Yahoo! Toolbar that is causing the problem. I see that program is installed.

Remove Yahoo! Toolbar
Please click Start > Control Panel > Add/Remove Programs.
Remove this program by clicking Remove:

Yahoo! Toolbar

===========

Next, please try running yaxclean.exe once again. Reboot your computer and let me know if the uninstall of Yahoo! Online Protection was successful this time.

===========

Run a custom CFScript

1. Close any open browsers.

2. Open notepad and copy/paste the text in the codebox below into it:

Code:
FixCSet::

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.



Please reboot your computer twice, then run one more CFScript...

2. Open notepad and copy/paste the text in the codebox below into it:

Code:
SkipFix::

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Please post the second ComboFix log for my review.
Old 12-14-2009, 08:41 AM   #15
Athlynne, Registered Member (Join Date: Nov 2009; Posts: 22; OS: Win XP)

Hi. Combofix seems to be offline at the moment, so my second scan will have to wait, but I'll keep checking and get it to you ASAP.

In the meantime, there's no entry for Yahoo Toolbar under my add/remove programs. Should I try going into the Programs folder under My Computer and deleting it there?

Thanks.
Old 12-14-2009, 03:42 PM   #16
Carolyn, Security Team Analyst (Join Date: Mar 2007; Posts: 232; OS: XP & Vista)

Let's just hold off on dealing with the Yahoo! applications.

Do you still have Combofix.exe on your desktop?
Old 12-14-2009, 05:26 PM   #17
Athlynne, Registered Member (Join Date: Nov 2009; Posts: 22; OS: Win XP)

Okay.

Yes, it's there, but when I try to use it I get a message saying "ComboFix is Offline. Please visit http://download.bleepingcomputer.com/sUBs/ComboFix.html", and the site says it's offline and to wait for it to become available again.
Old 12-17-2009, 11:27 AM   #18
Carolyn, Security Team Analyst (Join Date: Mar 2007; Posts: 232; OS: XP & Vista)

Hello again,

Please download ComboFix from HERE and follow the instructions in my earlier post (post #14) for running it.
Old 12-18-2009, 01:30 PM   #19
Athlynne, Registered Member (Join Date: Nov 2009; Posts: 22; OS: Win XP)

Whew, thank you! Done, here's the log:


ComboFix 09-12-17.03 - Amber Gorby 12/18/2009 16:19:41.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.194 [GMT -5:00]
Running from: c:\documents and settings\Amber Gorby\Desktop\KittyFix.exe
Command switches used :: c:\documents and settings\Amber Gorby\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 091218-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-11-18 to 2009-12-18 )))))))))))))))))))))))))))))))
.

2009-12-10 18:05 . 2006-10-06 14:35 90112 ----a-w- c:\windows\system32\lfjbg13n.dll
2009-12-10 18:05 . 2006-10-06 14:35 73728 ----a-w- c:\windows\system32\lffax13n.dll
2009-12-10 18:05 . 2006-10-06 14:35 453120 ----a-w- c:\windows\system32\ltkrn13n.dll
2009-12-10 18:05 . 2006-10-06 14:35 445440 ----a-w- c:\windows\system32\ltimg13n.dll
2009-12-10 18:05 . 2006-10-06 14:35 388608 ----a-w- c:\windows\system32\lfcmp13n.dll
2009-12-10 18:05 . 2006-10-06 14:35 265216 ----a-w- c:\windows\system32\ltdis13n.dll
2009-12-10 18:05 . 2006-10-06 14:35 246272 ----a-w- c:\windows\system32\lfj2k13n.dll
2009-12-10 18:05 . 2006-10-06 14:35 206848 ----a-w- c:\windows\system32\ltefx13n.dll
2009-12-10 18:05 . 2006-10-06 14:35 1693696 ----a-w- c:\windows\system32\ltclr13n.dll
2009-12-10 18:05 . 2006-10-06 14:35 154112 ----a-w- c:\windows\system32\ltfil13n.dll
2009-12-10 18:05 . 2006-10-06 14:35 142848 ----a-w- c:\windows\system32\lftif13n.dll
2009-12-10 17:33 . 2009-12-10 18:05 -------- d-----w- c:\program files\MFInstall
2009-12-07 21:49 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-12-07 21:49 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-12-07 01:31 . 2009-12-07 01:31 1445888 ----a-w- c:\documents and settings\Amber Gorby\DesktopWinsockxpFix.exe
2009-12-07 01:30 . 2009-12-07 01:30 186368 ----a-w- c:\documents and settings\Amber Gorby\DesktopLSPFix.exe
2009-12-07 01:30 . 2009-12-07 01:30 36864 ----a-w- c:\documents and settings\Amber Gorby\DesktopSafeMSI.exe
2009-12-07 01:27 . 2009-12-07 01:27 20232 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SelfServe_rc.dll
2009-12-07 01:27 . 2009-12-07 01:27 615688 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SelfServe.exe
2009-12-07 01:26 . 2009-12-07 01:27 357640 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SoftwareUpdater.exe
2009-12-07 01:24 . 2009-12-07 01:26 632072 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\msvcr80.dll
2009-12-07 01:09 . 2009-12-07 01:09 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-05 00:19 . 2009-12-07 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\CA-SupportBridge
2009-12-02 20:18 . 2009-12-02 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2009-12-02 20:11 . 2009-12-02 20:11 -------- d-----w- c:\program files\Siber Systems
2009-12-01 19:45 . 2009-12-01 19:45 -------- d-----w- c:\program files\CCleaner
2009-11-29 19:31 . 2009-11-29 19:31 -------- d-----w- c:\program files\Webroot
2009-11-29 19:31 . 2009-11-29 19:31 -------- d-----w- c:\documents and settings\Amber Gorby\Application Data\Webroot
2009-11-29 19:23 . 2009-11-29 19:29 -------- d-----w- c:\documents and settings\Amber Gorby\Application Data\Lavasoft
2009-11-26 01:47 . 2009-11-26 01:47 -------- d-----w- c:\program files\MSXML 4.0
2009-11-26 01:06 . 2009-11-26 01:07 -------- d-----w- c:\program files\MKVtoolnix
2009-11-24 20:24 . 2009-11-24 20:24 152576 ----a-w- c:\documents and settings\Amber Gorby\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-24 18:28 . 2009-11-24 20:24 79488 ----a-w- c:\documents and settings\Amber Gorby\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-24 15:51 . 2009-11-24 15:51 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-11-24 15:51 . 2007-05-21 07:29 235648 ----a-r- c:\windows\system32\drivers\RTL8187.sys
2009-11-24 15:51 . 2006-11-15 21:23 38144 ----a-r- c:\windows\system32\drivers\EAPPkt.sys
2009-11-24 15:51 . 2009-11-24 15:51 -------- d-----w- c:\windows\system32\RTL8187
2009-11-24 15:50 . 2009-11-24 15:50 -------- d-----w- c:\documents and settings\Amber Gorby\Application Data\InstallShield
2009-11-24 15:39 . 2009-11-24 15:39 -------- d-----w- c:\program files\IrfanView
2009-11-24 15:38 . 2009-11-24 15:38 -------- d-----w- c:\documents and settings\Krista Gorby\Local Settings\Application Data\SpiralfrogClient
2009-11-21 22:03 . 2009-11-24 15:52 -------- d-----w- c:\program files\REALTEK USB Wireless LAN Driver and Utility

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-16 14:49 . 2009-05-23 00:51 117760 ----a-w- c:\documents and settings\Amber Gorby\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-12 08:26 . 2009-07-21 15:42 117760 ----a-w- c:\documents and settings\Krista Gorby\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-11 22:04 . 2009-05-29 23:25 1 ----a-w- c:\documents and settings\Amber Gorby\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-09 16:10 . 2005-05-12 03:39 -------- d-----w- c:\program files\Java
2009-12-07 01:08 . 2009-09-10 15:05 -------- d-----w- c:\documents and settings\Krista Gorby\Application Data\mjusbsp
2009-12-07 01:08 . 2009-09-08 14:32 -------- d-----w- c:\documents and settings\Nancy Gorby\Application Data\mjusbsp
2009-12-07 01:08 . 2009-09-11 14:29 -------- d-----w- c:\documents and settings\finngorby\Application Data\mjusbsp
2009-12-03 05:45 . 2007-12-31 23:21 -------- d-----w- c:\program files\WinAVI Video Capture
2009-12-03 05:41 . 2005-12-12 11:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-03 05:29 . 2009-06-10 02:04 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-12-03 05:29 . 2005-05-12 03:51 -------- d-----w- c:\program files\Microsoft Works
2009-12-03 05:23 . 2009-06-10 02:04 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-12-01 19:49 . 2005-12-12 11:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-01 19:20 . 2009-05-22 20:59 -------- d-----w- c:\program files\LimeWire
2009-11-29 23:47 . 2008-09-16 21:05 -------- d-----w- c:\documents and settings\Amber Gorby\Application Data\LimeWire
2009-11-29 19:04 . 2008-11-28 20:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-24 23:54 . 2008-12-10 18:02 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2008-12-10 18:03 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2008-12-10 18:03 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2008-12-10 18:03 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-12-10 18:03 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2008-12-10 18:03 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2008-12-10 18:03 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2008-12-10 18:03 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2008-12-10 18:03 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-21 22:04 . 2005-05-12 03:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-16 09:30 . 2009-10-14 17:55 -------- d-----w- c:\documents and settings\Krista Gorby\Application Data\LimeWire
2009-11-11 06:21 . 2005-10-07 00:36 7368 -c--a-w- c:\documents and settings\Krista Gorby\Application Data\wklnhst.dat
2009-11-10 12:51 . 2007-09-29 22:19 -------- d-----w- c:\documents and settings\Nancy Gorby\Application Data\Move Networks
2009-11-10 12:51 . 2009-08-06 09:40 127325 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Move Networks\uninstall.exe
2009-11-10 12:51 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-10 12:50 . 2009-11-10 12:50 1408800 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe
2009-11-08 15:21 . 2008-05-29 04:47 22352 ----a-w- c:\documents and settings\Amber Gorby\Application Data\wklnhst.dat
2009-11-04 02:14 . 2009-11-04 02:14 -------- d-----w- c:\documents and settings\Nancy Gorby\Application Data\FCTB000060497
2009-11-04 02:13 . 2009-11-04 02:13 -------- d-----w- c:\documents and settings\finngorby\Application Data\FCTB000060497
2009-11-02 14:11 . 2005-05-12 03:51 -------- d-----w- c:\program files\MSN Encarta Plus
2009-11-02 06:00 . 2009-11-02 06:00 3584 ----a-r- c:\documents and settings\Krista Gorby\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-11-02 06:00 . 2009-11-02 06:00 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-11-02 05:59 . 2009-11-02 05:59 -------- d-----w- c:\program files\MSECACHE
2009-11-02 04:12 . 2009-11-02 04:12 593920 ----a-w- c:\documents and settings\Krista Gorby\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\octosh...190-0-main.dll
2009-11-02 04:11 . 2009-11-02 04:11 319488 ----a-w- c:\documents and settings\Krista Gorby\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2009-11-01 14:50 . 2009-11-04 02:14 72551 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\FCTB000060497\Toolbar\Uninst.exe
2009-11-01 14:50 . 2009-11-04 02:14 1432576 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\FCTB000060497\Toolbar\Toolbar.dll
2009-11-01 14:50 . 2009-11-04 02:14 242688 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\FCTB000060497\Toolbar\Helper.dll
2009-11-01 14:50 . 2009-11-01 14:51 72551 ----a-w- c:\documents and settings\Krista Gorby\Application Data\FCTB000060497\Toolbar\Uninst.exe
2009-11-01 14:50 . 2009-11-01 14:51 1432576 ----a-w- c:\documents and settings\Krista Gorby\Application Data\FCTB000060497\Toolbar\Toolbar.dll
2009-11-01 14:50 . 2009-11-01 14:51 242688 ----a-w- c:\documents and settings\Krista Gorby\Application Data\FCTB000060497\Toolbar\Helper.dll
2009-11-01 14:50 . 2009-10-31 11:46 -------- d-----w- c:\program files\MyPoints Toolbar 2.0
2009-10-31 14:58 . 2009-10-31 11:59 -------- d-----w- c:\program files\AIM
2009-10-31 14:47 . 2009-10-31 14:47 -------- d-----w- c:\documents and settings\Amber Gorby\Application Data\FCTB000060497
2009-10-31 12:00 . 2009-10-31 12:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2009-10-31 11:59 . 2005-10-04 08:29 -------- d-----w- c:\program files\Common Files\AOL
2009-10-31 11:48 . 2009-10-31 11:48 -------- d-----w- c:\documents and settings\Krista Gorby\Application Data\FCTB000060497
2009-10-31 00:28 . 2009-10-31 00:28 -------- d-----w- c:\documents and settings\finngorby\Application Data\SUPERAntiSpyware.com
2009-10-30 15:36 . 2009-10-30 15:36 -------- d-----w- c:\program files\SpywareBlaster
2009-10-30 15:36 . 2009-10-30 15:36 -------- d-----w- c:\program files\Instant RAM Booster
2009-10-30 15:36 . 2007-05-25 20:23 -------- d--h--w- c:\documents and settings\Krista Gorby\Application Data\Move Networks
2009-10-30 15:36 . 2005-05-12 04:07 -------- d-----w- c:\program files\QuickTime
2009-10-29 07:45 . 2004-08-04 08:00 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 08:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 08:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 08:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 08:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 02:31 . 2009-11-04 02:14 371200 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\FCTB000060497\Toolbar\RSSReader_plugin.dll
2009-10-13 02:31 . 2009-11-01 14:51 371200 ----a-w- c:\documents and settings\Krista Gorby\Application Data\FCTB000060497\Toolbar\RSSReader_plugin.dll
2009-10-12 13:38 . 2004-08-04 08:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 08:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 09:17 . 2008-11-24 22:57 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-05 22:00 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-05 22:00 . 2009-10-05 22:00 1407680 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
2009-10-05 21:39 . 2009-10-05 21:39 64000 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Real\Update\setup\RUP\inst_config\gcapi_dll.dll
2009-10-05 21:39 . 2009-10-05 21:39 52288 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Real\Update\setup\RUP\inst_config\gtapi.dll
2009-10-05 21:39 . 2009-10-05 21:39 50688 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Real\Update\setup\RUP\inst_config\fftbapi.dll
2009-10-05 21:39 . 2009-10-05 21:39 114688 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Real\Update\setup\RUP\inst_config\compat.dll
2009-10-03 02:41 . 2009-11-04 02:14 290816 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\FCTB000060497\Toolbar\msgboxplugin.dll
2009-10-03 02:41 . 2009-11-01 14:51 290816 ----a-w- c:\documents and settings\Krista Gorby\Application Data\FCTB000060497\Toolbar\msgboxplugin.dll
2009-10-01 02:11 . 2009-11-04 02:14 399872 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\FCTB000060497\Toolbar\RadioPlugin.dll
2009-10-01 02:11 . 2009-11-01 14:51 399872 ----a-w- c:\documents and settings\Krista Gorby\Application Data\FCTB000060497\Toolbar\RadioPlugin.dll
2009-09-23 04:11 . 2009-09-23 04:10 17204720 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Real\Update\setup\rp\.exe
2009-09-23 04:10 . 2009-09-23 04:10 8406648 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Real\Update\setup\gtb_us\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2009-09-23 04:09 . 2009-09-23 04:08 10309448 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Real\Update\setup\chr\ChromeInstaller.exe
2009-09-23 04:06 . 2009-09-23 04:06 488968 ----a-w- c:\documents and settings\Nancy Gorby\Application Data\Real\Update\setup\setup.exe
2008-12-08 19:58 . 2008-12-08 19:58 1543089 -csh--w- c:\windows\system32\olizezim.tmp
.

((((((((((((((((((((((((((((( SnapShot_2009-12-11_18.30.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-18 21:11 . 2009-12-18 21:11 16384 c:\windows\Temp\Perflib_Perfdata_6d8.dat
+ 2009-12-18 21:11 . 2009-12-18 21:11 16384 c:\windows\Temp\Perflib_Perfdata_424.dat
+ 2004-08-07 13:10 . 2009-12-15 04:30 54010 c:\windows\system32\perfc009.dat
- 2004-08-07 13:10 . 2009-12-11 16:16 54010 c:\windows\system32\perfc009.dat
+ 2004-08-07 13:10 . 2009-12-15 04:30 383822 c:\windows\system32\perfh009.dat
- 2004-08-07 13:10 . 2009-12-11 16:16 383822 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48}"= "c:\program files\Family Toolbar\tbhelper.dll" [2009-05-07 355840]

[HKEY_CLASSES_ROOT\clsid\{1c4ab6a5-595f-4e86-b15f-f93cce2bbd48}]
[HKEY_CLASSES_ROOT\URLSearchHook.MHURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{1EA6B471-CAD2-419a-9539-0586EEFE2D09}]
[HKEY_CLASSES_ROOT\URLSearchHook.MHURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C37B053-FD68-456a-82E1-D788EE342E6F}]
2009-05-07 21:46 2642432 ----a-w- c:\program files\Family Toolbar\tbcore3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-29 2001648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 339968]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 794624]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2006-07-21 407032]
"Openwares LiveUpdate"="c:\program files\LiveUpdate\LiveUpdate.exe" [2003-12-13 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-10 185896]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-12-15 132624]
"Family Tree Builder Update"="c:\program files\MyHeritage\Bin\FTBCheckUpdates.exe" [2009-01-14 113680]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-05-12 98304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
REALTEK USB Wireless LAN Utility.lnk - c:\program files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe [2009-11-24 794624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-10-01 14:42 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-07-16 02:12 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11 49152 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-09-10 18:53 1312080 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
2000-06-07 20:32 36864 ----a-w- c:\windows\system32\spool\drivers\w32x86\2\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-05-12 04:07 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
2004-06-28 22:16 3209728 ----a-w- c:\program files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
2008-09-27 03:14 3660848 ----a-w- c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\Program Files\\Yahoo!\\browser\\ybrwicon.exe"=
"c:\\Program Files\\Samsung\\Samsung Media Studio 5\\SMSTray.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Documents and Settings\\Nancy Gorby\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\TroubleShooter.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\ToolbarUpdate.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/10/2008 1:03 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 4:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 4:22 PM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/10/2008 1:03 PM 20560]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [11/24/2009 10:51 AM 38144]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/8/2008 11:31 AM 24652]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [3/22/2005 9:39 AM 200192]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 4:22 PM 7408]
S1 cpqdap011;cpqdap011;c:\windows\system32\drivers\cpqdap011.sys --> c:\windows\system32\drivers\cpqdap011.sys [?]
S3 PentaxUsb;PENTAX Optio 60 on USB;c:\windows\system32\drivers\CoachUsb.sys [11/20/2005 5:30 AM 50976]
S3 PentaxVc;PENTAX Optio 60 Video Capture;c:\windows\system32\drivers\CoachVc.sys [11/20/2005 5:30 AM 44256]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [11/24/2009 10:51 AM 235648]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
DPF: Jungle Gin by pogo - hxxp://game3.pogo.com/v/9.0.8.20/applet/gin2/gin2-en_US.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-18 16:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?P???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(412)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3596)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-12-18 16:26:59
ComboFix-quarantined-files.txt 2009-12-18 21:26
ComboFix2.txt 2009-12-18 21:06
ComboFix3.txt 2009-12-14 16:22
ComboFix4.txt 2009-12-11 18:35
ComboFix5.txt 2009-12-18 21:18

Pre-Run: 25,931,206,656 bytes free
Post-Run: 25,892,012,032 bytes free

Current=9 Default=9 Failed=8 LastKnownGood=11 Sets=1,2,3,4,5,6,7,8,9,11
- - End Of File - - 8CFBEF75FBC6C2B021BD89E55ACCAB72
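Added example (not part of the thread, and not ComboFix's or the forum's own tooling): a small Python triage script for a pasted ComboFix log such as the one above. It reads the four line shapes the replies in this thread turn on: the HKLM\SYSTEM\Select summary at the end of the log (Current/Default/Failed/LastKnownGood and the ControlSet numbers present, the control-set state the FixCSet:: directive in post #14 is named for), the Run-key autoruns under "Reg Loading Points", the firewall AuthorizedApplications list, and the attribute column of the file listings. It raises review flags, not verdicts: control sets referenced by no Select value, autoruns whose image lives outside Program Files or Windows, firewall exceptions for binaries inside a user profile, and hidden+system files under c:\windows. The embedded sample is a handful of lines copied from the log above; SAFE_PREFIXES, PROFILE_ROOT and the flag heuristics are this example's own assumptions, and nothing in the thread says the flagged items are malicious.

```python
"""Triage a pasted ComboFix log for the things a responder reads off it by eye.

Added example for this thread, not ComboFix's own tooling.  It parses four line
shapes that appear in the log above and raises review flags (not verdicts):
  * HKLM\\SYSTEM\\Select summary: ControlSet numbers referenced by no Select value
  * Run-key autoruns whose image lives outside Program Files / Windows
  * firewall AuthorizedApplications entries pointing into a user profile
  * hidden+system files under c:\\windows
"""
import re
import sys
from dataclasses import dataclass, field

# Line shapes, matching how ComboFix prints these sections.
SELECT_RE = re.compile(
    r"^Current=(\d+) Default=(\d+) Failed=(\d+) LastKnownGood=(\d+) Sets=([\d,]+)$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s+\[\d{4}-\d{2}-\d{2} \d+\]$')
FW_RE = re.compile(r'^"([^"]+)"=$')
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
    r"\s+(\d+|-+)\s+([-a-z]{8})\s+(.+)$")

# Assumptions of this example: autoruns under these roots get no second look,
# and anything under the profile root is user-writable.
SAFE_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")
PROFILE_ROOT = "c:\\documents and settings\\"


@dataclass
class Triage:
    failed_set: int = 0                       # Select\Failed (0 means none)
    stale_sets: list = field(default_factory=list)
    run_outside: list = field(default_factory=list)
    fw_in_profile: list = field(default_factory=list)
    hidden_system: list = field(default_factory=list)


def _unescape(path: str) -> str:
    """Firewall list entries double their backslashes and may use %windir%."""
    return path.replace("\\\\", "\\").replace("%windir%", "c:\\windows").lower()


def triage(log: str) -> Triage:
    t = Triage()
    for raw in log.splitlines():
        line = raw.strip()
        if m := SELECT_RE.match(line):
            referenced = {int(m.group(i)) for i in range(1, 5)}
            t.failed_set = int(m.group(3))
            present = [int(n) for n in m.group(5).split(",")]
            t.stale_sets = [n for n in present if n not in referenced]
        elif m := RUN_RE.match(line):
            name, image = m.group(1), m.group(2)
            if not image.lower().startswith(SAFE_PREFIXES):
                t.run_outside.append((name, image))
        elif m := FW_RE.match(line):
            path = _unescape(m.group(1))
            if path.startswith(PROFILE_ROOT):
                t.fw_in_profile.append(path)
        elif m := FILE_RE.match(line):
            size, attrs, path = m.groups()
            is_file = size.isdigit() and "d" not in attrs
            if (is_file and "h" in attrs and "s" in attrs
                    and path.lower().startswith("c:\\windows\\")):
                t.hidden_system.append(path)
    return t


def report(t: Triage) -> str:
    """Human-readable summary; every line is a pointer for review, not a verdict."""
    lines = []
    if t.failed_set:
        lines.append(f"Select\\Failed points at ControlSet{t.failed_set:03d}")
    if t.stale_sets:
        lines.append("control sets referenced by no Select value: "
                     + ", ".join(map(str, t.stale_sets)))
    for name, image in t.run_outside:
        lines.append(f"Run entry outside Program Files/Windows: {name} -> {image}")
    for path in t.fw_in_profile:
        lines.append(f"firewall exception for a user-profile binary: {path}")
    for path in t.hidden_system:
        lines.append(f"hidden+system file under c:\\windows: {path}")
    return "\n".join(lines) or "nothing flagged"


# Constructed sample: lines copied from the log posted in this thread, trimmed.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 339968]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Nancy Gorby\\Application Data\\mjusbsp\\magicJack.exe"=

2009-12-10 17:33 . 2009-12-10 18:05 -------- d-----w- c:\program files\MFInstall
2009-11-21 22:04 . 2005-05-12 03:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-29 07:45 . 2004-08-04 08:00 916480 ------w- c:\windows\system32\wininet.dll
2008-12-08 19:58 . 2008-12-08 19:58 1543089 -csh--w- c:\windows\system32\olizezim.tmp

Current=9 Default=9 Failed=8 LastKnownGood=11 Sets=1,2,3,4,5,6,7,8,9,11
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        text = SAMPLE_LOG
    print(report(triage(text)))
```

Run it with no arguments to triage the embedded sample, or pass a saved ComboFix.txt as the first argument. On the sample it reports the failed control set and seven ControlSet keys no Select value refers to, the HP LSBWatcher autorun (outside the trusted roots, so it is listed for a look, not condemned), the magicJack firewall exception in a user profile, and the hidden+system olizezim.tmp in system32. The thread itself treats those as log lines, not findings; the script only narrows what a human reads next.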
Old 12-18-2009, 03:32 PM   #20
Carolyn, Security Team Analyst (Join Date: Mar 2007; Posts: 232; OS: XP & Vista)

Hi,

Did you run the first CFScript (the one with FixCSet::)?

Copyright 2001 - 2014, Tech Support Forum
