Tech Support Forum, Resolved HJT Threads (resolved spyware and popup issues)
Post #1, 02-09-2008, 09:21 AM
agib004, Registered User (Join Date: Feb 2008; Posts: 10; OS: Windows 2000)

Help!!!!!

Hello,

I am having problems with popups. Each time I bring up a page I get about 2 to 4 popups. I have run CCleaner, SUPERAntiSpyware, AVG, Registry Cleaner and more, but I am still receiving an enormous number of popups that close the webpages when I close them. Any assistance would be greatly appreciated.
Post #2, 02-14-2008, 04:44 AM
agib004, Registered User (Join Date: Feb 2008; Posts: 10; OS: Windows 2000)

Re: Help!!!!!

Bump...
Post #3, 02-14-2008, 08:22 PM
forhockey, Analyst, Security Team (Join Date: Sep 2006; Location: Ontario, Canada; Posts: 2,947; OS: Windows 7 Ultimate)

Re: Help!!!!!

Hi agib004,

Please subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

--------------------------------------------------------------

Before beginning the proposed fix, read this post completely. Please ask any questions before proceeding. Ensure that there are no open browsers when carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------

Please download HijackThis. This program will help us determine whether there is any spyware/malware on your computer. Double-click on the file you just downloaded. Click on the "Install" button. By default it will install to the directory C:\Program Files\Trend Micro\HijackThis

Close HiJackThis

--------------------------------------------------------------

First I need some more info before we move on....

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

--------------------------------------------------------------

Please include the following in your next reply:

C:\Deckard\System Scanner\main.txt
C:\Deckard\System Scanner\extra.txt - Attached please
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum

Last edited by forhockey; 02-14-2008 at 08:23 PM.
Post #4, 02-15-2008, 04:37 AM
agib004, Registered User (Join Date: Feb 2008; Posts: 10; OS: Windows 2000)

Re: Help!!!!!

Hello Forhockey,

I have run the HijackThis scan, but I am getting an error whenever I attempt to run Deckard's System Scanner. My HijackThis file is enclosed below. Thank you in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:35, on 2008-02-15
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\AOL\1189990295\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {351691B5-062A-37DC-0A11-5200BDBA80B8} - (no file)
O2 - BHO: (no name) - {6612C1B2-5629-3D89-5711-5200BDBA8DBA} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1189990295\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/fr...amesplayer.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: nnnmklj - nnnmklj.dll (file missing)
O20 - Winlogon Notify: pzebndta - pzebndta.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Network DDE DSDM NetDDEdsdmNtLmSsp (NetDDEdsdmNtLmSsp) - Unknown owner - C:\WINNT\system32\arpn.exe (file missing)

--
End of file - 5316 bytes
Post #5, 02-16-2008, 12:16 AM
forhockey, Analyst, Security Team (Join Date: Sep 2006; Location: Ontario, Canada; Posts: 2,947; OS: Windows 7 Ultimate)

Re: Help!!!!!

Hi agib004,

Please copy this page to Notepad and save it to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

--------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist; make sure you do not miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {351691B5-062A-37DC-0A11-5200BDBA80B8} - (no file)
O2 - BHO: (no name) - {6612C1B2-5629-3D89-5711-5200BDBA8DBA} - (no file)
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} -
O20 - Winlogon Notify: nnnmklj - nnnmklj.dll (file missing)
O20 - Winlogon Notify: pzebndta - pzebndta.dll (file missing)

Please remember to close all other windows, including browsers then click Fix checked.

--------------------------------------------------------------

Download Combofix from Here or Alternate link

**Save it directly to your desktop**

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
KILLALL::

File::
C:\windows\system32\blank.htm

Save this as CFScript.

Referring to the picture above, drag CFScript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

--------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------

Please reply back with the following logs:

C:\ComboFix.txt
Panda Online Scan Results
New HiJackThis Log
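The entries the analyst checks in the list above share a few patterns: a load point whose backing file is gone, an ActiveX download slot with no name and no URL, and an IE Local Page that is blank or points outside the real system root. As an added example, not code from the thread or from HijackThis itself, the following Python encodes those patterns and runs them over lines constructed from the posted log. Its rules reproduce the seven entries picked above and additionally flag the O23 service whose image is missing; the system root C:\WINNT is read off the log's process list and is an assumption of the example, as are the verdict names and reasons.

```python
r"""HijackThis (HJT) log triage.

Added example, not code from the thread or from HijackThis itself. The
sample lines are constructed from the log posted above; the rules are this
example's own. The system root C:\WINNT is taken from the log's process
list (assumption: a single Windows install, so a path under C:\windows
cannot resolve on this machine).
"""
import re

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {351691B5-062A-37DC-0A11-5200BDBA80B8} - (no file)
O2 - BHO: (no name) - {6612C1B2-5629-3D89-5711-5200BDBA8DBA} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: nnnmklj - nnnmklj.dll (file missing)
O20 - Winlogon Notify: pzebndta - pzebndta.dll (file missing)
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Network DDE DSDM NetDDEdsdmNtLmSsp (NetDDEdsdmNtLmSsp) - Unknown owner - C:\WINNT\system32\arpn.exe (file missing)
"""

SYSTEM_ROOT = r"C:\WINNT"
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.*)$")
EMPTY_DPF_RE = re.compile(r"DPF: \{[0-9A-F-]+\} -", re.I)


def parse_entry(line):
    """Split one HJT line into (section kind, body), or None if it is not one."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def triage_entry(line, system_root=SYSTEM_ROOT):
    """Classify one HJT line as 'fix', 'review', 'keep' or 'skip', with a reason."""
    parsed = parse_entry(line)
    if parsed is None:
        return "skip", "not an HJT entry"
    kind, body = parsed
    lower = body.lower()

    # Orphaned load points: the hook is still registered (BHO, Winlogon
    # Notify, service) but the file it named is gone. Nothing legitimate
    # needs the registration, and a dropper can refill the slot later.
    if body.endswith("(file missing)") or body.endswith("(no file)"):
        return "fix", "registered load point whose file is missing"

    if kind == "R0":
        # "...,Local Page = <value>": blank, or a path outside the real
        # system root, is a tampered IE default rather than the stock blank.htm.
        parts = body.split("=", 1)
        value = parts[1].strip() if len(parts) == 2 else ""
        if not value:
            return "fix", "IE Local Page blanked"
        if not value.lower().startswith(system_root.lower()):
            return "fix", "IE Local Page points outside the system root"
        return "keep", "IE Local Page is the stock path"

    if kind == "O16":
        # "{CLSID} (Name) - URL"; no name and no URL is an ActiveX download
        # slot with nothing behind it.
        if EMPTY_DPF_RE.fullmatch(body):
            return "fix", "ActiveX download entry with no name or URL"
        if "http://" in lower:
            return "review", "ActiveX control fetched over plain HTTP; confirm publisher"
        return "review", "ActiveX control; confirm publisher"

    if kind == "O10":
        # LSPs sit in every socket's call chain. HJT reports ones outside
        # its own whitelist, but removing an entry blindly breaks networking.
        return "review", "LSP outside the HJT whitelist; verify the DLL before touching it"

    if kind == "O23" and "unknown owner" in lower:
        return "review", "service binary carries no publisher; inspect the file"

    return "keep", "no rule matched"


def triage_log(text, system_root=SYSTEM_ROOT):
    """Group every entry of an HJT log by verdict: {verdict: [(line, reason)]}."""
    buckets = {"fix": [], "review": [], "keep": []}
    for line in text.splitlines():
        verdict, reason = triage_entry(line, system_root)
        if verdict in buckets:
            buckets[verdict].append((line.strip(), reason))
    return buckets


if __name__ == "__main__":
    for verdict, entries in triage_log(SAMPLE_LOG).items():
        print(f"== {verdict} ({len(entries)})")
        for line, reason in entries:
            print(f"  {line}\n      {reason}")
```

Run stand-alone it prints the three buckets for the sample; on the sample the 'fix' bucket is exactly the analyst's seven lines plus the orphaned O23 service. The O10 LSP entry is deliberately never auto-fixed: HijackThis reports any LSP outside its own whitelist, and deleting a legitimate one leaves the machine without working sockets, so it stays in 'review' until the DLL's publisher has been checked.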
Post #6, 02-16-2008, 07:24 AM
agib004, Registered User (Join Date: Feb 2008; Posts: 10; OS: Windows 2000)

Re: Help!!!!!

Forhockey,

I completed the tasks that you required, but I did not get any prompts during the ComboFix process. The program ran and completed, but I did not get a prompt to get the ComboFix.txt file and I did not find it in C:\ after doing a search. I have a ComboDel file and a ComboFix file, so I will post those two files with the ActiveScan and HijackThis files. Thank you so much for your understanding and assistance.

Combofix file
ComboFix 08-02-16.2 - Administrator 2008-02-16 7:51:33.4 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.310 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


ComboDel file
Files to Move:
C:\QooBox\Quarantine\C\Documents and Settings\All Users.WINNT\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip.vir|C:\QooBox\Quarantine\C\QooBox\Quarantine\C\Documents and Settings\All Users.WINNT\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip.vir.vir
C:\QooBox\Quarantine\C\QooBox\Quarantine\C\Documents and Settings\All Users.WINNT\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip.vir.vir|C:\QooBox\Quarantine\C\QooBox\Quarantine\C\QooBox\Quarantine\C\Documents and Settings\All Users.WINNT\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip.vir.vir.vir
C:\WINNT\system32\drivers\core.cache.dsk|C:\QooBox\Quarantine\C\WINNT\system32\drivers\core.cache.dsk.vir
C:\WINNT\system32\drivers\DMusicc.sys|C:\QooBox\Quarantine\C\WINNT\system32\drivers\DMusicc.sys.vir
C:\QooBox\Quarantine\C\Documents and Settings\All Users.WINNT\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip.vir|C:\QooBox\Quarantine\C\QooBox\Quarantine\C\Documents and Settings\All Users.WINNT\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip.vir.vir
C:\WINNT\system32\drivers\core.cache.dsk|C:\QooBox\Quarantine\C\WINNT\system32\drivers\core.cache.dsk.vir
C:\WINNT\system32\drivers\DMusicc.sys|C:\QooBox\Quarantine\C\WINNT\system32\drivers\DMusicc.sys.vir
C:\QooBox\Quarantine\C\QooBox\Quarantine\C\Documents and Settings\All Users.WINNT\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip.vir.vir|C:\QooBox\Quarantine\C\QooBox\Quarantine\C\QooBox\Quarantine\C\Documents and Settings\All Users.WINNT\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip.vir.vir.vir


ActiveScan file
Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix\nircmd.cfexe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix\nircmd.com
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Cookies\administrator@atwola[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Cookies\administrator@mediaplex[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\fixwareout\FindT\nircmd.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\AOL 9.1\download\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Program Files\AOL 9.1\download\SmitfraudFix\restart.exe
Possible Virus. Not disinfected C:\Program Files\FaxTools\Install\Setup.exe
Possible Virus. Not disinfected C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\Setup.exe
Potentially unwanted tool:Application/WinErrorFixer Not disinfected C:\QooBox\Quarantine\C\Program Files\installer\sfs.exe.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINNT\Nircmd.exe
Potentially unwanted tool:Application/Psexec.A Not disinfected C:\WINNT\PSEXESVC.EXE
Virus:Rootkit/Booto.C Disinfected C:\WINNT\system32\drivers\Combo-Fix.sys
Potentially unwanted tool:Application/Processor Not disinfected C:\WINNT\system32\Process.exe


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:12, on 2008-02-16
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\AOL\1189990295\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1189990295\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [combofix] C:\WINNT\system32\kmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/fr...amesplayer.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Network DDE DSDM NetDDEdsdmNtLmSsp (NetDDEdsdmNtLmSsp) - Unknown owner - C:\WINNT\system32\arpn.exe (file missing)

--
End of file - 4252 bytes
Post #7, 02-16-2008, 04:24 PM
forhockey, Analyst, Security Team (Join Date: Sep 2006; Location: Ontario, Canada; Posts: 2,947; OS: Windows 7 Ultimate)

Re: Help!!!!!

Hi agib004,

Open HijackThis and click on 'Do a System Scan Only'. Check the following entry (if it still exists):

O4 - HKLM\..\Run: [combofix] C:\WINNT\system32\kmd.exe /c C:\ComboFix\Combobatch.bat

Please remember to close all other windows, including browsers then click Fix checked.

--------------------------------------------------------------

Then double-click on ComboFix.exe on your desktop; it should run properly now.

Please post the results from C:\ComboFix.txt after it has completed.
Post #8, 02-17-2008, 12:07 AM
agib004, Registered User (Join Date: Feb 2008; Posts: 10; OS: Windows 2000)

Re: Help!!!!!

Forhockey,

Here is the file you requested. Thank you in advance.

ComboFix 08-02-17.2 - Administrator 2008-02-17 2:20:51.8 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.314 [GMT -5:00]
Running from: C:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.

2008-02-17 02:20 . 08-02-17 02:20 1,597,661 --a------ C:\ComboFix.exe
2008-02-16 08:08 . 08-02-16 09:03 <DIR> d-------- C:\WINNT\system32\ActiveScan
2008-02-16 08:08 . 08-02-16 08:08 30,590 --a------ C:\WINNT\system32\pavas.ico
2008-02-16 08:00 . 08-02-16 08:00 <DIR> d-------- C:\WINNT\35C03C043F1F42C2A989A757EE691F65.TMP
2008-02-15 16:21 . 08-02-15 16:21 4,506,256 --a------ C:\LimeWireWin.exe
2008-02-15 06:27 . 08-02-15 06:27 <DIR> d-------- C:\Deckard
2008-02-15 06:24 . 08-02-15 06:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-15 05:59 . 99-09-29 18:25 33,808 --a------ C:\WINNT\system32\drivers\lbrtfdc.sys
2008-02-15 05:59 . 99-09-29 18:25 33,808 --a--c--- C:\WINNT\system32\dllcache\lbrtfdc.sys
2008-02-15 05:59 . 99-09-27 19:29 7,536 --a------ C:\WINNT\system32\drivers\changer.sys
2008-02-15 05:59 . 99-09-27 19:29 7,536 --a--c--- C:\WINNT\system32\dllcache\changer.sys
2008-02-15 05:59 . 99-10-11 15:36 6,992 --a------ C:\WINNT\system32\drivers\sglfb.sys
2008-02-15 05:59 . 99-10-11 15:36 6,992 --a--c--- C:\WINNT\system32\dllcache\sglfb.sys
2008-02-10 08:40 . 08-02-10 10:54 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-02-10 08:36 . 08-02-10 08:36 33,624 --a------ C:\WINNT\system32\4CC.tmp
2008-02-10 08:30 . 07-06-05 10:56 44,928 --a------ C:\WINNT\system32\drivers\SDTHOOK.SYS
2008-02-10 08:29 . 08-02-10 08:29 33,624 --a------ C:\WINNT\system32\430.tmp
2008-02-10 08:29 . 07-06-08 09:44 8,576 --a------ C:\WINNT\system32\drivers\exodtnihsado.sys
2008-02-09 19:12 . 08-02-09 19:12 258,048 --a------ C:\WINNT\system32\378.tmp
2008-02-09 18:47 . 08-02-16 08:08 2,550 --a------ C:\WINNT\system32\Uninstall.ico
2008-02-09 18:47 . 08-02-16 08:08 1,406 --a------ C:\WINNT\system32\Help.ico
2008-02-07 20:15 . 08-02-07 20:15 <DIR> d-------- C:\Documents and Settings\Default User.WINNT\Application Data\AVG7
2008-02-07 20:11 . 08-02-17 01:33 <DIR> d-------- C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Application Data\AVG7
2008-02-07 20:11 . 08-02-07 20:11 110,592 --a------ C:\WINNT\system32\avgfwafu.dll
2008-02-07 20:11 . 08-02-07 20:11 26,944 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2008-02-07 20:10 . 08-02-07 20:10 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Grisoft
2008-02-07 20:10 . 08-02-07 21:11 <DIR> d-a------ C:\Documents and Settings\All Users.WINNT\Application Data\avg7
2008-02-07 20:09 . 08-02-07 20:09 59,054,032 --a------ C:\avg75iswt_516a1225.exe
2008-02-07 11:57 . 08-02-07 12:27 7,452 ---hs---- C:\WINNT\system32\xbadd.tmp
2008-02-07 06:14 . 08-02-07 06:14 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Rabio
2008-02-07 06:09 . 08-02-07 12:43 <DIR> d-------- C:\Program Files\Drmupgds
2008-02-07 05:52 . 08-02-07 12:41 <DIR> d-------- C:\WINNT\system32\rp4
2008-02-07 05:52 . 08-02-07 05:52 <DIR> d-------- C:\WINNT\system32\ps5
2008-02-07 05:52 . 08-02-07 12:41 <DIR> d-------- C:\WINNT\system32\cz6
2008-02-07 05:52 . 08-02-07 19:25 <DIR> d-a------ C:\Program Files\RABCO
2008-01-31 11:43 . 08-01-31 11:47 <DIR> d-------- C:\Program Files\Click'N Design 3D
2008-01-29 21:27 . 08-01-29 21:27 <DIR> d-------- C:\WINNT\system32\95979993989B9
2008-01-28 17:17 . 08-01-28 17:17 <DIR> d-------- C:\WINNT\mkwz
2008-01-28 17:17 . 08-01-28 20:04 <DIR> d-------- C:\Program Files\Common Files\mkwz
2008-01-26 20:04 . 08-01-26 20:04 26,112 --a------ C:\Drama Essay.doc
2008-01-21 21:24 . 07-01-24 17:09 25 --a------ C:\WINNT\testing123.dat
2008-01-18 08:35 . 08-01-28 21:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-18 08:35 . 08-01-18 08:35 5,914,648 --a------ C:\SUPERAntiSpyware.exe
2008-01-18 08:34 . 08-01-18 08:34 50,688 --a------ C:\ATF-Cleaner.exe
2008-01-18 07:57 . 08-02-07 11:58 <DIR> d-------- C:\fixwareout
2008-01-18 07:32 . 08-01-18 07:32 178,304 --a------ C:\FixZotob.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 06:40 --------- d---a-w C:\Program Files\UltimateZip 2007
2008-02-16 13:56 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-16 13:53 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-16 13:46 --------- d-----w C:\Program Files\AOL 9.1
2008-02-15 21:32 --------- d-----w C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Application Data\LimeWire
2008-02-15 21:27 --------- d---a-w C:\Program Files\LimeWire
2008-02-10 13:35 --------- d---a-w C:\Program Files\Lexmark X1100 Series
2008-02-07 11:20 --------- d---a-w C:\Program Files\Accessories
2008-02-07 11:15 --------- d---a-w C:\Program Files\microsoft frontpage
2008-01-29 11:21 --------- d-----w C:\Program Files\installer
2008-01-18 13:36 --------- d-----w C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Application Data\SUPERAntiSpyware.com
2008-01-14 00:03 --------- d-----w C:\Program Files\Abexo
2008-01-13 23:59 --------- d-----w C:\Program Files\NCH Swift Sound
2008-01-13 23:59 --------- d-----w C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Application Data\NCH Swift Sound
2007-12-28 19:00 --------- d-----w C:\Program Files\NCH Software
2007-12-28 18:51 --------- d---a-w C:\Documents and Settings\All Users.WINNT\Application Data\NCH Swift Sound
2007-12-28 18:44 --------- d---a-w C:\Program Files\QuickTime
2007-12-20 19:13 --------- d---a-w C:\Program Files\Common Files\McAfee
2007-12-20 19:13 --------- d-----w C:\Documents and Settings\All Users.WINNT\Application Data\McAfee
2007-12-20 00:07 --------- d-----w C:\Program Files\Snapshot Viewer
2007-12-19 23:48 --------- d-----w C:\Program Files\MSN Games
2007-12-07 00:03 8,200,750 ----a-w C:\VSE85P4.Zip
2007-12-06 23:53 21,161,832 ----a-w C:\VSE850LML.zip
2007-11-10 21:44 131 ----a-w C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\mit.bat
2007-09-16 22:14 271 ---h--w C:\Program Files\desktop.ini
2007-09-16 22:14 21,952 ---h--w C:\Program Files\folder.htt
2007-04-18 22:30 384 ----a-w C:\Documents and Settings\Administrator\Application Data\internaldb6334.dat
2007-04-18 21:12 18,432 ----a-w C:\Documents and Settings\Administrator\Application Data\internaldb41.dat
2007-04-18 21:11 194 ----a-w C:\Documents and Settings\Administrator\Application Data\internaldb8467.dat
2006-03-18 13:59 36,465,208 ----a-w C:\Program Files\iTunesSetup.exe
2001-05-08 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [04-02-03 12:42 401491]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-12-28 13:44 286720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1189990295\ee\AOLSoftware.exe" [07-05-25 12:16 42032]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [01-07-09 11:50 155648]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [03-08-19 10:43 57344]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [07-09-25 01:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-02-07 20:10 579072]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-12-28 13:44 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [08-02-07 20:10 219136]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 16:32:57 147456]

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 19:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 04:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 07-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
ntdll.dll REG_MULTI_SZ msv1_0 C:\WINNT\system32\awtqo.dll

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys [08-02-07 20:11 ]
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 12:05 ]
S1 sglfb;sglfb;C:\WINNT\system32\drivers\sglfb.sys [99-10-11 15:36 ]
S2 NetDDEdsdmNtLmSsp;Network DDE DSDM NetDDEdsdmNtLmSsp;C:\WINNT\system32\arpn.exe srv []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 02:25:00
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
.
**************************************************************************
.
Completion time: 2008-02-17 2:28:00 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-02-17 07:27:44
.
2007-09-30 06:00:25 --- E O F ---

Last edited by agib004; 02-17-2008 at 12:31 AM.
agib004 is offline  
Old 02-17-2008, 10:56 AM   #9 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate


Re: Help!!!!!

Hi agib004,


Open notepad and copy/paste the text in the quotebox below into it:

Quote:
KILLALL::

File::
C:\WINNT\system32\xbadd.tmp
Folder::
C:\Documents and Settings\All Users.WINNT\Application Data\Rabio
C:\Program Files\Drmupgds
C:\WINNT\system32\rp4
C:\WINNT\system32\ps5
C:\WINNT\system32\cz6
C:\Program Files\RABCO
DirLook::
C:\WINNT\system32\95979993989B9
C:\WINNT\mkwz
C:\Program Files\Common Files\mkwz
Save this as CFScript




Referring to the picture above, drag CFScript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
forhockey is offline  
Old 02-17-2008, 11:24 AM   #10 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 10
OS: Windows 2000


Re: Help!!!!!

Forhockey,

I copied and ran the program as instructed. The file is enclosed below. In advance, thank you for your continued assistance.

ComboFix 08-02-17.2 - Administrator 02/17/2008 13:11:39.9 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.330 [GMT -5:00]
Running from: C:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINNT\system32\xbadd.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINNT\Application Data\Rabio
C:\Program Files\Drmupgds
C:\Program Files\RABCO
C:\Program Files\RABCO\RABCO.dll
C:\WINNT\system32\cz6
C:\WINNT\system32\ps5
C:\WINNT\system32\ps5\advcomms3.exe
C:\WINNT\system32\rp4
C:\WINNT\system32\xbadd.tmp

.
((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.

2008-02-17 02:20 . 08-02-17 02:20 1,597,661 --a------ C:\ComboFix.exe
2008-02-16 08:08 . 08-02-16 09:03 <DIR> d-------- C:\WINNT\system32\ActiveScan
2008-02-16 08:08 . 08-02-16 08:08 30,590 --a------ C:\WINNT\system32\pavas.ico
2008-02-16 08:00 . 08-02-16 08:00 <DIR> d-------- C:\WINNT\35C03C043F1F42C2A989A757EE691F65.TMP
2008-02-15 16:21 . 08-02-15 16:21 4,506,256 --a------ C:\LimeWireWin.exe
2008-02-15 06:24 . 08-02-15 06:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-15 05:59 . 99-09-29 18:25 33,808 --a------ C:\WINNT\system32\drivers\lbrtfdc.sys
2008-02-15 05:59 . 99-09-29 18:25 33,808 --a--c--- C:\WINNT\system32\dllcache\lbrtfdc.sys
2008-02-15 05:59 . 99-09-27 19:29 7,536 --a------ C:\WINNT\system32\drivers\changer.sys
2008-02-15 05:59 . 99-09-27 19:29 7,536 --a--c--- C:\WINNT\system32\dllcache\changer.sys
2008-02-15 05:59 . 99-10-11 15:36 6,992 --a------ C:\WINNT\system32\drivers\sglfb.sys
2008-02-15 05:59 . 99-10-11 15:36 6,992 --a--c--- C:\WINNT\system32\dllcache\sglfb.sys
2008-02-10 08:40 . 08-02-10 10:54 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-02-10 08:36 . 08-02-10 08:36 33,624 --a------ C:\WINNT\system32\4CC.tmp
2008-02-10 08:30 . 07-06-05 10:56 44,928 --a------ C:\WINNT\system32\drivers\SDTHOOK.SYS
2008-02-10 08:29 . 08-02-10 08:29 33,624 --a------ C:\WINNT\system32\430.tmp
2008-02-10 08:29 . 07-06-08 09:44 8,576 --a------ C:\WINNT\system32\drivers\exodtnihsado.sys
2008-02-09 19:12 . 08-02-09 19:12 258,048 --a------ C:\WINNT\system32\378.tmp
2008-02-09 18:47 . 08-02-16 08:08 2,550 --a------ C:\WINNT\system32\Uninstall.ico
2008-02-09 18:47 . 08-02-16 08:08 1,406 --a------ C:\WINNT\system32\Help.ico
2008-02-07 20:15 . 08-02-07 20:15 <DIR> d-------- C:\Documents and Settings\Default User.WINNT\Application Data\AVG7
2008-02-07 20:11 . 08-02-17 08:00 <DIR> d-------- C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Application Data\AVG7
2008-02-07 20:11 . 08-02-07 20:11 110,592 --a------ C:\WINNT\system32\avgfwafu.dll
2008-02-07 20:11 . 08-02-07 20:11 26,944 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2008-02-07 20:10 . 08-02-07 20:10 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Grisoft
2008-02-07 20:10 . 08-02-07 21:11 <DIR> d-a------ C:\Documents and Settings\All Users.WINNT\Application Data\avg7
2008-01-31 11:43 . 08-01-31 11:47 <DIR> d-------- C:\Program Files\Click'N Design 3D
2008-01-29 21:27 . 08-01-29 21:27 <DIR> d-------- C:\WINNT\system32\95979993989B9
2008-01-28 17:17 . 08-01-28 17:17 <DIR> d-------- C:\WINNT\mkwz
2008-01-28 17:17 . 08-01-28 20:04 <DIR> d-------- C:\Program Files\Common Files\mkwz
2008-01-21 21:24 . 07-01-24 17:09 25 --a------ C:\WINNT\testing123.dat
2008-01-18 08:35 . 08-01-28 21:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 14:50 --------- d---a-w C:\Program Files\UltimateZip 2007
2008-02-17 07:34 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-16 13:53 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-16 13:46 --------- d-----w C:\Program Files\AOL 9.1
2008-02-15 21:32 --------- d-----w C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Application Data\LimeWire
2008-02-15 21:27 --------- d---a-w C:\Program Files\LimeWire
2008-02-10 13:35 --------- d---a-w C:\Program Files\Lexmark X1100 Series
2008-02-07 11:20 --------- d---a-w C:\Program Files\Accessories
2008-02-07 11:15 --------- d---a-w C:\Program Files\microsoft frontpage
2008-01-29 11:21 --------- d-----w C:\Program Files\installer
2008-01-18 13:36 --------- d-----w C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Application Data\SUPERAntiSpyware.com
2008-01-14 00:03 --------- d-----w C:\Program Files\Abexo
2008-01-13 23:59 --------- d-----w C:\Program Files\NCH Swift Sound
2008-01-13 23:59 --------- d-----w C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Application Data\NCH Swift Sound
2007-12-28 19:00 --------- d-----w C:\Program Files\NCH Software
2007-12-28 18:51 --------- d---a-w C:\Documents and Settings\All Users.WINNT\Application Data\NCH Swift Sound
2007-12-28 18:44 --------- d---a-w C:\Program Files\QuickTime
2007-12-20 19:13 --------- d---a-w C:\Program Files\Common Files\McAfee
2007-12-20 19:13 --------- d-----w C:\Documents and Settings\All Users.WINNT\Application Data\McAfee
2007-12-20 00:07 --------- d-----w C:\Program Files\Snapshot Viewer
2007-12-19 23:48 --------- d-----w C:\Program Files\MSN Games
2007-12-07 00:03 8,200,750 ----a-w C:\VSE85P4.Zip
2007-12-06 23:53 21,161,832 ----a-w C:\VSE850LML.zip
2007-11-10 21:44 131 ----a-w C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\mit.bat
2007-09-16 22:14 271 ---h--w C:\Program Files\desktop.ini
2007-09-16 22:14 21,952 ---h--w C:\Program Files\folder.htt
2007-04-18 22:30 384 ----a-w C:\Documents and Settings\Administrator\Application Data\internaldb6334.dat
2007-04-18 21:12 18,432 ----a-w C:\Documents and Settings\Administrator\Application Data\internaldb41.dat
2007-04-18 21:11 194 ----a-w C:\Documents and Settings\Administrator\Application Data\internaldb8467.dat
2006-03-18 13:59 36,465,208 ----a-w C:\Program Files\iTunesSetup.exe
2001-05-08 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\Common Files\mkwz ----

08-01-28 17:18 0 --a------ C:\Program Files\Common Files\mkwz\mkwzl.lck
08-01-28 17:17 0 --a------ C:\Program Files\Common Files\mkwz\mkwzm.lck
08-01-28 17:17 0 --a------ C:\Program Files\Common Files\mkwz\mkwza.lck
04-04-19 21:26 4933375 --a------ C:\Program Files\Common Files\mkwz\mkwzd\class-barrel
04-04-19 21:26 1234193 --a------ C:\Program Files\Common Files\mkwz\mkwzd\vocabulary

---- Directory of C:\WINNT\mkwz ----

08-01-28 17:20 4411 --a------ C:\WINNT\mkwz\mkwz.dat
02-07-26 17:02 153088 --a------ C:\WINNT\mkwz\wu

---- Directory of C:\WINNT\system32\95979993989B9 ----

08-02-07 17:46 13988 --a------ C:\WINNT\system32\95979993989B9\E6E8EAE4E9ECE


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [04-02-03 12:42 401491]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-12-28 13:44 286720]
"AOL Fast Start"="C:\Program Files\AOL 9.1\AOL.exe" [07-10-12 05:49 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1189990295\ee\AOLSoftware.exe" [07-05-25 12:16 42032]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [01-07-09 11:50 155648]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [03-08-19 10:43 57344]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [07-09-25 01:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-02-07 20:10 579072]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-12-28 13:44 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [08-02-07 20:10 219136]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 16:32:57 147456]

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 19:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 04:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 07-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
ntdll.dll REG_MULTI_SZ msv1_0 C:\WINNT\system32\awtqo.dll

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys [08-02-07 20:11 ]
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 12:05 ]
S1 sglfb;sglfb;C:\WINNT\system32\drivers\sglfb.sys [99-10-11 15:36 ]
S2 NetDDEdsdmNtLmSsp;Network DDE DSDM NetDDEdsdmNtLmSsp;C:\WINNT\system32\arpn.exe srv []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 13:17:13
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
.
**************************************************************************
.
Completion time: 2008-02-17 13:21:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-17 18:21:20
ComboFix2.txt 2008-02-17 07:28:00
.
2007-09-30 06:00:25 --- E O F ---
agib004 is offline  
Old 02-17-2008, 01:01 PM   #11 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate


Re: Help!!!!!

Hi agib004,

You're welcome, and I hope you're seeing some improvements with your system. We just have a few more things to clean up, but first I want to scan the following two files for viruses...

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    C:\WINNT\mkwz\mkwz.dat

  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.

If VirusTotal is busy, try the same at Jotti

Repeat the same set of instructions, but for the following file:

C:\WINNT\system32\95979993989B9\E6E8EAE4E9ECE


-------------------------------------------

Please reply back with the following:

Results from VirusTotal
Update on system behaviour?
forhockey is offline  
Old 02-17-2008, 02:58 PM   #12 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 10
OS: Windows 2000


Re: Help!!!!!

Forhockey,

The system is running a little slower, but I do not have any popups coming up anymore. I will take that. I would like to know whether I need to reload the SpywareBlaster and AVG antivirus programs, since they did not stop the popups/virus. The information requested is enclosed below. Again, thank you.

File mkwz.dat received on 02.17.2008 22:46:08 (CET)
Current status: finished

Result: 0/32 (0.00%)
Antivirus Version Last Update Result
AhnLab-V3 2008.2.16.10 2008.02.15 -
AntiVir 7.6.0.67 2008.02.15 -
Authentium 4.93.8 2008.02.17 -
Avast 4.7.1098.0 2008.02.17 -
AVG 7.5.0.516 2008.02.17 -
BitDefender 7.2 2008.02.17 -
CAT-QuickHeal None 2008.02.16 -
ClamAV 0.92.1 2008.02.17 -
DrWeb 4.44.0.09170 2008.02.17 -
eSafe 7.0.15.0 2008.02.17 -
eTrust-Vet 31.3.5541 2008.02.15 -
Ewido 4.0 2008.02.17 -
FileAdvisor 1 2008.02.17 -
Fortinet 3.14.0.0 2008.02.17 -
F-Prot 4.4.2.54 2008.02.17 -
F-Secure 6.70.13260.0 2008.02.17 -
Ikarus T3.1.1.20 2008.02.17 -
Kaspersky 7.0.0.125 2008.02.17 -
McAfee 5231 2008.02.15 -
Microsoft 1.3204 2008.02.17 -
NOD32v2 2881 2008.02.17 -
Norman 5.80.02 2008.02.15 -
Panda 9.0.0.4 2008.02.17 -
Prevx1 V2 2008.02.17 -
Rising 20.31.50.00 2008.02.16 -
Sophos 4.26.0 2008.02.17 -
Sunbelt 2.2.907.0 2008.02.16 -
Symantec 10 2008.02.17 -
TheHacker 6.2.9.222 2008.02.16 -
VBA32 3.12.6.1 2008.02.17 -
VirusBuster 4.3.26:9 2008.02.17 -
Webwasher-Gateway 6.6.2 2008.02.15 -
Additional information
File size: 4411 bytes
MD5: dee7639aa4f1cde0c8023a48d8513d28
SHA1: dae7863672eca6301f4e92ad4eb7fb2ce4038571
PEiD: -


File E6E8EAE4E9ECE_ received on 02.17.2008 23:00:53 (CET)
Current status: finished

Result: 0/32 (0.00%)
Antivirus Version Last Update Result
AhnLab-V3 2008.2.16.10 2008.02.15 -
AntiVir 7.6.0.67 2008.02.15 -
Authentium 4.93.8 2008.02.17 -
Avast 4.7.1098.0 2008.02.17 -
AVG 7.5.0.516 2008.02.17 -
BitDefender 7.2 2008.02.17 -
CAT-QuickHeal None 2008.02.16 -
ClamAV 0.92.1 2008.02.17 -
DrWeb 4.44.0.09170 2008.02.17 -
eSafe 7.0.15.0 2008.02.17 -
eTrust-Vet 31.3.5541 2008.02.15 -
Ewido 4.0 2008.02.17 -
FileAdvisor 1 2008.02.17 -
Fortinet 3.14.0.0 2008.02.17 -
F-Prot 4.4.2.54 2008.02.17 -
F-Secure 6.70.13260.0 2008.02.17 -
Ikarus T3.1.1.20 2008.02.17 -
Kaspersky 7.0.0.125 2008.02.17 -
McAfee 5231 2008.02.15 -
Microsoft 1.3204 2008.02.17 -
NOD32v2 2881 2008.02.17 -
Norman 5.80.02 2008.02.15 -
Panda 9.0.0.4 2008.02.17 -
Prevx1 V2 2008.02.17 -
Rising 20.31.50.00 2008.02.16 -
Sophos 4.26.0 2008.02.17 -
Sunbelt 2.2.907.0 2008.02.16 -
Symantec 10 2008.02.17 -
TheHacker 6.2.9.222 2008.02.16 -
VBA32 3.12.6.1 2008.02.17 -
VirusBuster 4.3.26:9 2008.02.17 -
Webwasher-Gateway 6.6.2 2008.02.15 -
Additional information
File size: 13988 bytes
MD5: 78458086c57d97cbec832f948af0f687
SHA1: 4ab47fca6f680a54bea71a6cff3df03af522158a
PEiD: -

Last edited by agib004; 02-17-2008 at 03:04 PM.
agib004 is offline  
Old 02-18-2008, 10:10 AM   #13 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate


Re: Help!!!!!

Hi agib004,

Open notepad and copy/paste the text in the quotebox below into it:

Code:
swreg query "HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa" >C:\LSA.txt
notepad C:\LSA.txt
exit

Save this as LSA.bat. Choose to "Save type as - All Files"
It should look like this:
Double click on LSA.bat & allow it to run


Please reply back with the results from C:\LSA.txt
forhockey is offline  
Old 02-18-2008, 12:05 PM   #14 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 10
OS: Windows 2000


Re: Help!!!!!

Forhockey,

Enclosed below is the LSA.txt as you requested. Thank you.


SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Bounds REG_BINARY 0030000000200000
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0\0
LsaPid REG_DWORD 232 (0xe8)
SecureBoot REG_DWORD 1 (0x1)
auditbaseobjects REG_DWORD 0 (0x0)
crashonauditfail REG_DWORD 0 (0x0)
fullprivilegeauditing REG_BINARY 00
lmcompatibilitylevel REG_DWORD 0 (0x0)
restrictanonymous REG_DWORD 0 (0x0)
Notification Packages REG_MULTI_SZ scecli\0\0
ntdll.dll REG_MULTI_SZ msv1_0\0C:\WINNT\system32\awtqo.dll\0\0
enabledcom REG_SZ y
limitblankpassworduse REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\AccessProviders

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Data

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\GBG

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\JD

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Kerberos

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\MSV1_0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Skew1

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SSO

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SspiCache
agib004 is offline  
Old 02-18-2008, 12:51 PM   #15 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate


Re: Help!!!!!

Hi agib004,

Open notepad and copy/paste the text in the quotebox below:
(don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"ntdll.dll"=-
Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

----------------------------------------------------------------

Run CCleaner

1. Open the program and the "Cleaner" button should be active.
2. Click on "Run Cleaner"
3. Once that's done it will clean out the TEMP folder.
4. Now click on "Registry" and then "Scan for Issues"
5. Once it's done checkmark ALL it finds and click "Fix Selected Issues"
6. It will ask you if you want to back up the registry entries it's removing, so please do so. If it removes anything important, just locate the .reg file you saved and double click on it to add the entries back.

Close the program.

--------------------------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.





  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

--------------------------------------------------------------

Please reply back with the following logs:

Kaspersky Online Scan Results
New HiJackThis Log

Last edited by forhockey; 02-18-2008 at 12:52 PM.
forhockey is offline  
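As an added example (not code from this thread or from forhockey), the script below reads an LSA.txt of the kind the swreg step in post #13 produces and flags the sort of entry post #15 removes: a REG_MULTI_SZ value under the LSA key that is not one of LSA's real package lists yet carries a path to a DLL, like the "ntdll.dll" value pointing at awtqo.dll. The baseline package names, the function names and the embedded sample (copied from the LSA.txt posted above) are assumptions of this example.

```python
"""Audit an swreg-style dump of HKLM\\system\\currentcontrolset\\control\\lsa.

Added example, not part of the thread. LSA loads DLLs named in a few
REG_MULTI_SZ "package" values; an extra REG_MULTI_SZ under that key whose
entries include a full DLL path is a classic persistence spot, and the
value name here ("ntdll.dll") is chosen to look like a system file.
"""
import re
from typing import Dict, List, Tuple

# Package-list values LSA reads, with the packages a stock Windows 2000
# SP4 install carries.  This baseline is an assumption of the example.
LSA_PACKAGE_VALUES = {
    "authentication packages": {"msv1_0"},
    "security packages": {"kerberos", "msv1_0", "schannel"},
    "notification packages": {"scecli"},
}

# swreg prints one value per line: <name> <REG_type> <data>.  Value names
# may contain spaces, so the split is anchored on the REG_ type token.
VALUE_RE = re.compile(r"^(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")

# Sample copied from the LSA.txt posted in this thread (shortened).
SAMPLE_LSA_TXT = r"""
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Bounds REG_BINARY 0030000000200000
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0\0
LsaPid REG_DWORD 232 (0xe8)
Notification Packages REG_MULTI_SZ scecli\0\0
ntdll.dll REG_MULTI_SZ msv1_0\0C:\WINNT\system32\awtqo.dll\0\0
enabledcom REG_SZ y

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\MSV1_0
"""


def parse_swreg(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Return {key_path: {value_name: (reg_type, data)}} from swreg output."""
    keys: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("HKEY_"):      # a key header line
            current = line
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m["name"]] = (m["type"], m["data"])
    return keys


def split_multi_sz(data: str) -> List[str]:
    """swreg prints REG_MULTI_SZ with a literal \\0 between strings and \\0\\0 at the end."""
    return [s for s in data.split("\\0") if s]


def looks_like_dll(entry: str) -> bool:
    """Package names are bare module names; a path or .dll suffix is out of place."""
    e = entry.lower()
    return "\\" in e or e.endswith(".dll")


def audit_lsa(keys: Dict[str, Dict[str, Tuple[str, str]]]) -> List[dict]:
    """Flag REG_MULTI_SZ values under the LSA key that could load an unexpected DLL."""
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith("\\control\\lsa"):
            continue
        for name, (vtype, data) in values.items():
            if vtype != "REG_MULTI_SZ":
                continue
            baseline = LSA_PACKAGE_VALUES.get(name.lower())
            for entry in split_multi_sz(data):
                if baseline is None:
                    # Not a real LSA package list: only worry if it names a DLL.
                    if looks_like_dll(entry):
                        findings.append({"key": key, "value": name, "entry": entry,
                                         "reason": "unexpected LSA value referencing a DLL"})
                elif looks_like_dll(entry) or entry.lower() not in baseline:
                    findings.append({"key": key, "value": name, "entry": entry,
                                     "reason": "package not in baseline"})
    return findings


def removal_reg(findings: List[dict]) -> str:
    """Build a REGEDIT4 script deleting flagged values that are NOT real package lists.

    Real package lists (Authentication/Security/Notification Packages) are only
    reported, never deleted: removing them breaks logon.
    """
    lines = ["REGEDIT4", ""]
    for key in sorted({f["key"] for f in findings}):
        names = sorted({f["value"] for f in findings
                        if f["key"] == key and f["value"].lower() not in LSA_PACKAGE_VALUES})
        if names:
            lines.append(f"[{key}]")
            lines.extend(f'"{n}"=-' for n in names)
            lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = audit_lsa(parse_swreg(SAMPLE_LSA_TXT))
    for h in hits:
        print(f'{h["value"]!r} -> {h["entry"]}: {h["reason"]}')
    print(removal_reg(hits))
```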
Old 02-18-2008, 03:07 PM   #16 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 10
OS: Windows 2000


Re: Help!!!!!

Enclosed are the results as requested. Thank you.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, February 18, 2008 5:02:17 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/02/2008
Kaspersky Anti-Virus database records: 572476
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 37225
Number of viruses found: 2
Number of infected objects: 0
Number of suspicious objects: 3
Duration of the scan process: 00:48:08

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Application Data\AOL\C_AOL 9.1\IDB\Apps.Lst Object is locked skipped
C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Application Data\AOL\C_AOL 9.1\IDB\art.idx Object is locked skipped
C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Application Data\AOL\C_AOL 9.1\IDB\sap.dat Object is locked skipped
C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Application Data\AOL\C_AOL 9.1\IDB\spool.lst Object is locked skipped
C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Application Data\AOL\C_AOL 9.1\IDB\sysnews.lst Object is locked skipped
C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator.A-K6U8BICKF2PPR\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users.WINNT\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users.WINNT\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users.WINNT\Application Data\AOL\C_AOL 9.1\idb\Agib004\mydb.idx Object is locked skipped
C:\Documents and Settings\All Users.WINNT\Application Data\AOL\C_AOL 9.1\idb\Agib004\toolbar.lst Object is locked skipped
C:\Documents and Settings\All Users.WINNT\Application Data\AOL\C_AOL 9.1\idb\SNMaster.idx Object is locked skipped
C:\Documents and Settings\All Users.WINNT\Application Data\AOL\C_AOL 9.1\organize\agib004 Object is locked skipped
C:\Documents and Settings\All Users.WINNT\Application Data\AOL\C_AOL 9.1\organize\agib004.abi Object is locked skipped
C:\Documents and Settings\All Users.WINNT\Application Data\AOL\C_AOL 9.1\organize\agib004.aby Object is locked skipped
C:\Documents and Settings\All Users.WINNT\Application Data\AOL\C_AOL 9.1\organize\CACHE\agib001 Object is locked skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Grisoft\Avg7Data\AvgFwLog.log Object is locked skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Grisoft\Avg7Data\AvgFwLog.log.lck Object is locked skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip/wml.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Default User.WINNT\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Program Files\Abexo\afrc\restore\20080207185327.reg Suspicious: Exploit.HTML.Mht skipped
C:\WINNT\$_hpcst$.hpc Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\security\logs\scepol.log Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:03:15 PM, on 2/18/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\AOL\1189990295\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1189990295\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/fr...amesplayer.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Network DDE DSDM NetDDEdsdmNtLmSsp (NetDDEdsdmNtLmSsp) - Unknown owner - C:\WINNT\system32\arpn.exe (file missing)

--
End of file - 4169 bytes
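The O23 entry for NetDDEdsdmNtLmSsp in the log above shows three things an analyst looks for by hand: an "Unknown owner", a service name built by gluing two legitimate Windows service names together, and a binary that is no longer on disk. The script below is an added example, not part of this thread or of HijackThis itself; it applies those checks, plus two for O4 autostart entries, to sample lines. The known-service list, the user-writable path fragments and the sample log (its 'updater' line is invented to exercise the O4 checks) are this example's own assumptions.

```python
"""Heuristic triage of HijackThis O4 (autostart) and O23 (service) lines.

Added example, not part of the forum post or of HijackThis itself. The
heuristics, the known-service list and the sample log below are this
example's own assumptions, modelled on the log posted in the thread.
"""
import re

# Short names of legitimate Windows 2000 services that malware likes to pad
# or concatenate (assumed list, kept small for the example).
KNOWN_SERVICES = {"netdde", "netddedsdm", "ntlmssp", "dmadmin", "spooler", "lexbces"}

# Core system binaries whose names get imitated with digit-for-letter swaps.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe",
                   "smss.exe", "explorer.exe"}

# Directory fragments an unprivileged user (or a drive-by download) can write to.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\",
                 "\\documents and settings\\")

O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - "
                    r"(?P<owner>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]+)\] )?(?P<cmd>.+)$")
# First executable-looking path in a command line, quoted or not.
PATH_RE = re.compile(r'^"?(?P<p>[^"]*?\.(?:exe|dll|ocx|scr|com|bat|pif))"?', re.IGNORECASE)

# Constructed sample, modelled on the log above; the 'updater' line is invented
# to exercise the user-writable-path and look-alike-name checks.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - .DEFAULT User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Default user')
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\svch0st.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Network DDE DSDM NetDDEdsdmNtLmSsp (NetDDEdsdmNtLmSsp) - Unknown owner - C:\WINNT\system32\arpn.exe (file missing)
"""


def extract_path(cmd):
    """Return the executable path from an O4 command or .lnk target, or None."""
    target = cmd.split(" = ", 1)[-1]   # "foo.lnk = C:\...\foo.exe" -> right-hand side
    m = PATH_RE.match(target.strip())
    return m.group("p") if m else None


def mimics_known_service(short):
    """True when the short name contains a known service name but is not one."""
    s = short.lower()
    return s not in KNOWN_SERVICES and any(k in s for k in KNOWN_SERVICES)


def looks_like_system_binary(path):
    """True for names such as svch0st.exe that become a system binary name
    once common digit-for-letter substitutions are undone."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    normalized = name.translate(str.maketrans("015", "ols"))
    return normalized in SYSTEM_BINARIES and name not in SYSTEM_BINARIES


def triage(log_text):
    """Return a list of {'line', 'entry', 'reasons'} for lines worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons, entry = [], None
        m = O23_RE.match(line)
        if m:
            entry = m.group("short")
            if m.group("path").endswith("(file missing)"):
                reasons.append("service binary missing")
            if m.group("owner") == "Unknown owner":
                reasons.append("unknown owner")
            if mimics_known_service(entry):
                reasons.append("name pads a known Windows service name")
        else:
            m = O4_RE.match(line)
            if m:
                path = extract_path(m.group("cmd"))
                if path is None:
                    continue
                entry = m.group("name") or path.rsplit("\\", 1)[-1]
                if any(frag in path.lower() for frag in USER_WRITABLE):
                    reasons.append("autostart from user-writable path")
                if looks_like_system_binary(path):
                    reasons.append("filename mimics a system binary")
        if reasons:
            findings.append({"line": line, "entry": entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["entry"], "->", "; ".join(f["reasons"]))
```

Run against the sample, only the arpn.exe service and the invented 'updater' entry are reported; the AVG, AOL and LimeWire lines pass. The checks are deliberately cheap pattern tests, the same ones an analyst applies while reading, so a clean result is a reason to keep reading, not proof of a clean machine.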
02-19-2008, 09:27 PM   #17
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate

Re: Help!!!!!

agib004,

Well done, your logs are clean! There are just a few more things I would like you to do.

The following procedure will clear out ComboFix.exe, as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type, the following text into the Run box and click OK:

ComboFix /u

----------------------------------------------------------------

Microsoft Updates

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Malware Prevention Tools

These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources.
  • SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Check regularly for updates.
  • IE-Spyad - Here is an installation guide -> http://www.techsupportforum.com/cont...ticles/63.html
  • MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements, preventing your computer from connecting to those sites.
  • McAfee SiteAdvisor - helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox.
  • SpywareGuard - real-time protection that detects and blocks spyware before it can execute.

Alternative Web Browsers

Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites.

Firewalls

If you do not have a firewall, here are a few free ones available for personal use:

Understanding and Using Firewalls


Informational Reading

In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles:
Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Proud Member of ASAP
Proud Member of UNITE
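The MVPS Hosts File item in the post above works because the resolver consults the HOSTS file before DNS: every listed ad or tracker name is mapped to an address that goes nowhere, so the browser never reaches the site. The following is an added example, not the MVPS file or its mvps.bat installer, showing how such a list is merged into an existing HOSTS file without disturbing the localhost line, and how lookups against the result behave. The existing-hosts content, the blocklist names and the choice of 0.0.0.0 as the sink address are this example's own assumptions.

```python
"""Build and check a HOSTS-style ad/tracker blocklist.

Added example, not the MVPS hosts file or its mvps.bat installer. The
existing hosts content, the blocklist and the sink address are constructed
for this example.
"""
SINK = "0.0.0.0"   # non-routable; connections fail at once instead of hitting a local web server

# Constructed: what %SystemRoot%\system32\drivers\etc\hosts might already hold.
EXISTING_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    printer.home
"""

# Constructed blocklist; a real one runs to tens of thousands of names.
# 'localhost' is included on purpose to show it is never rewritten.
BLOCKLIST = ["ads.example-adserver.test", "tracker.example.test",
             "Popups.EXAMPLE.test", "localhost"]


def parse_hosts(text):
    """Map hostname -> address. Text after '#' is a comment; the first entry
    for a name wins (this example's reading of resolver behaviour)."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def build_hosts(existing, blocklist, sink=SINK):
    """Append blocklist entries to the existing hosts text, skipping any name
    already present so localhost and the user's own entries are untouched.
    Returns (new_text, number_of_entries_added)."""
    present = parse_hosts(existing)
    lines = [existing.rstrip("\n"), "", "# --- ad/tracker blocklist (added) ---"]
    added = 0
    for name in blocklist:
        n = name.strip().lower().rstrip(".")
        if not n or n in present:
            continue
        lines.append(f"{sink}\t{n}")
        present[n] = sink
        added += 1
    return "\n".join(lines) + "\n", added


def resolve(hosts_text, name):
    """Address the HOSTS file gives for name, or None if DNS would be consulted."""
    return parse_hosts(hosts_text).get(name.lower().rstrip("."))


def is_blackholed(hosts_text, name):
    return resolve(hosts_text, name) == SINK


if __name__ == "__main__":
    text, added = build_hosts(EXISTING_HOSTS, BLOCKLIST)
    print(f"added {added} entries")
    for host in ("localhost", "tracker.example.test", "www.ads.example-adserver.test"):
        print(host, "->", resolve(text, host))
```

Two caveats show up in the lookups: HOSTS matching is exact, so a subdomain such as www.ads.example-adserver.test is not covered by an entry for ads.example-adserver.test (no wildcards, which is why the real lists are so long), and re-running the merge on its own output adds nothing, so the update can be repeated safely.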
02-20-2008, 08:36 PM   #18
Registered User
Join Date: Feb 2008
Posts: 10
OS: Windows 2000

Re: Help!!!!!

Forhockey,

No more pop-ups. I loaded some of the programs as instructed. Thank you so much for your time and assistance.
02-20-2008, 08:43 PM   #19
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate

Re: Help!!!!!

Was my pleasure. Safe surfing
Copyright 2001 - 2009, Tech Support Forum