Slow Intenet and Bad PopUps Please Help

lee42lee · 08-09-2008, 08:57 AM

Below is copy of the HJT log. Please review it and help. I am having a lot of pop ups and the connetion is very slow. Thanks in advance for any help.
-----------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:27 AM, on 8/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iRacing\iRacingService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lgbpd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [BM231aa6fd] Rundll32.exe "C:\WINDOWS\system32\albqwtmk.dll",s
O4 - HKLM\..\Run: [20299561] rundll32.exe "C:\WINDOWS\system32\lfquhxpu.dll",b
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LGBLiveUpdate] C:\WINDOWS\system32\lgbpd.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://www.carad.com/images/eBay_Enh..._v1-0-3-50.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1189622259578
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/download...1/axofupld.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.onlineringman.com/auction...l/isetupml.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} (SecurityManager Class) - https://care.alltel.com/lwp/static/i...ller_3-0-0.cab
O16 - DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} (ConnectivityTester Class) - https://care.alltel.com/lwp/static/i...ELControls.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iRacing helper service (iRacingService) - iRacing.com Motorsport Simulations, LLC
Bedford, MA 01730 - C:\Program Files\iRacing\iRacingService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7821 bytes

lee42lee · 08-13-2008, 09:36 AM

Bump. Please help this is my office computer and I need help.

tetonbob · 08-13-2008, 09:47 AM

I'd like you to rename HijackThis.exe to peek.exe.

Navigate to C:\hjt\HijackThis.exe (or whereever the user has HJT located, as long as it's not in temp)
Right click on HijackThis.exe
Select 'Rename'
Type in peek.exe
Press Enter.

Now run a new scan with the renamed executable, save the log and post it.

Create an uninstall list:

With HiJackThis still open

Click on the configure button on the bottom right
Click on the tab "Misc Tools"
Click on the Box that says "Open Uninstall Manager"
Click on the button "Save list"
Copy and past the List from the notepad file into your post

---------------------------------------------------------------------------------------------

lee42lee · 08-13-2008, 10:09 AM

First I want to say thank you for the help. Since I posted the very first log I have installed Spybot Search and Destroy so I hope this didnt mess you up. Below is the new log and the uninstall list.
--------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1

20 PM, on 8/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iRacing\iRacingService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lgbpd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\EDUP Technology Corporation\EDUP_802.11g_Utility\ZDWlan.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\Trend Micro\HijackThis\peek.exe.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6BC03760-586E-4D52-9FCA-B4AC1415BF16} - C:\WINDOWS\system32\efcDWmJc.dll
O2 - BHO: (no name) - {73A4A159-2742-421B-AB8D-7CD7BE6EF817} - C:\WINDOWS\system32\hgGvuTMD.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {BC45E1D3-0152-4916-8465-BE9C7D726E36} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [20299561] rundll32.exe "C:\WINDOWS\system32\fnvpmhru.dll",b
O4 - HKLM\..\Run: [BM231aa6fd] Rundll32.exe "C:\WINDOWS\system32\xxsiyndb.dll",s
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LGBLiveUpdate] C:\WINDOWS\system32\lgbpd.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: EDUP WLan Utility.lnk = C:\Program Files\EDUP Technology Corporation\EDUP_802.11g_Utility\ZDWlan.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://www.carad.com/images/eBay_Enh..._v1-0-3-50.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1189622259578
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/download...1/axofupld.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.onlineringman.com/auction...l/isetupml.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} (SecurityManager Class) - https://care.alltel.com/lwp/static/i...ller_3-0-0.cab
O16 - DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} (ConnectivityTester Class) - https://care.alltel.com/lwp/static/i...ELControls.cab
O20 - Winlogon Notify: efcDWmJc - C:\WINDOWS\SYSTEM32\efcDWmJc.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iRacing helper service (iRacingService) - iRacing.com Motorsport Simulations, LLC
Bedford, MA 01730 - C:\Program Files\iRacing\iRacingService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9145 bytes
-------------------------------------------------------------

"AbiWord 2.4.1 (remove only)"
Adobe Flash Player Plugin
Adobe Shockwave Player
AOL You've Got Pictures Screensaver
Apple Mobile Device Support
Apple Software Update
Auction Client
AuctionGenerator
BigFix
BitComet 0.59
BlackBerry Desktop Software 4.3
BlackBerry Desktop Software 4.3
Brother MFL-Pro Suite
Digital Media Reader
DivX
DivX Converter
DivX Player
DivX Web Player
EDUP IEEE 802.11 b+g Wireless LAN - USB
EndItAll 2.0
Foxit PDF Editor
Foxit Reader
Frazer Software for the Used Car Dealer
Frazer Software for the Used Car Dealer
Google Earth
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
ieSpell
IncrediMail Xe
iRacing.com Race Simulation
iTunes
Jarte 3.2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Kaspersky Online Scanner
KODAK EASYSHARE Gallery Upload ActiveX Control
MGTEK dopisp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Trial
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
MimoUSA POS Retail Browser
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Nancy Drew: Danger by Design
Netscape Navigator (9.0.0.6)
Norton Security Center
Panda ActiveScan
Panda ActiveScan 2.0
PaperPort
Pet Vet (remove only)
QuickTime
RealPlayer
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Roxio Media Manager
rsClient 10x
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Soft Data Fax Modem with SmartCP
Spelling Dictionaries For Adobe Reader Package
Spybot - Search & Destroy
SpywareBlaster 4.1
Star Fax Cover Sheet Creator 2.25
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB953356)
Ventrilo
VIA/S3G Display Driver
Videora iPod Converter 2.25
Viewpoint Media Player
Weather Pulse 2.05 build 36
Windows Backup Utility
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742

tetonbob · 08-13-2008, 10:22 AM

It does just a little, only in that TeaTimer can be a roadblock in malware removal.

We will need to disable it for the duration of the fix. If, while we're working together, TeaTimer detects changes and reports it to you, allow them.

Download ResetTeaTimer.bat by right-clicking on the link, and choosing Save As. Save it to your desktop, or somewhere you can find it easily.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

S& D Spybot's Tea Timer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent our tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.
See this link for a tutorial

=================================

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

If you have any questions along the way, STOP and ask them before proceeding.

lee42lee · 08-13-2008, 11:11 AM

I am on my way to get my daughter at school and I will be back in about 45 mins then I will continue.

lee42lee · 08-13-2008, 12:33 PM

Here is the Combofix log along with the new HJT log. Sorry it took so long.
-----------------------------------------------------------

ComboFix 08-08-12.01 - Owner 2008-08-13 15:05:20.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.175 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\6STQ3CA7\interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\6STQ3CA7\interclick.com\ud.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\BM231aa6fd.txt
C:\WINDOWS\BM231aa6fd.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\albqwtmk.dll
C:\WINDOWS\system32\aukvjp.dll
C:\WINDOWS\system32\bqjnkgov.dll
C:\WINDOWS\system32\cbshqv.dll
C:\WINDOWS\system32\DMTuvGgh.ini
C:\WINDOWS\system32\DMTuvGgh.ini2
C:\WINDOWS\system32\efcDWmJc.dll
C:\WINDOWS\system32\gccmqa.dll
C:\WINDOWS\system32\gveuhkrr.dll
C:\WINDOWS\system32\hgGvuTMD.dll
C:\WINDOWS\system32\hrmjdmco.dll
C:\WINDOWS\system32\jqqnsllo.dll
C:\WINDOWS\system32\kudvnose.dll
C:\WINDOWS\system32\lcgzuf.dll
C:\WINDOWS\system32\lszhth.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ndhdiu.dll
C:\WINDOWS\system32\nfimxclp.ini
C:\WINDOWS\system32\okqimtrr.ini
C:\WINDOWS\system32\qordmbjt.ini
C:\WINDOWS\system32\qubeksee.ini
C:\WINDOWS\system32\qwcmtdpf.dll
C:\WINDOWS\system32\rdrpyduw.ini
C:\WINDOWS\system32\rrtmiqko.dll
C:\WINDOWS\system32\sprerkgq.dll
C:\WINDOWS\system32\upxhuqfl.ini
C:\WINDOWS\system32\urhmpvnf.ini
C:\WINDOWS\system32\wjyogwvn.ini
C:\WINDOWS\system32\wkvlwsjk.dll
C:\WINDOWS\system32\xxsiyndb.dll
C:\WINDOWS\system32\ykmhjbdm.dll

----- BITS: Possible infected sites -----

http://www.thenmnetwork.com
.
((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 )))))))))))))))))))))))))))))))
.

2008-08-13 13:37 . 2008-08-13 13:46 <DIR> d-------- C:\Program Files\Ekahau
2008-08-13 12:40 . 2006-11-30 06:14 446,976 -ra------ C:\WINDOWS\system32\drivers\athrusb.sys
2008-08-13 12:39 . 2004-01-14 11:25 81,920 --a------ C:\WINDOWS\system32\ZDPN50.DLL
2008-08-13 12:39 . 2005-03-18 15:35 31,744 --a------ C:\WINDOWS\system32\drivers\ZDPSp50a64.sys
2008-08-13 12:39 . 2005-06-08 18:44 29,184 --a------ C:\WINDOWS\system32\drivers\BRGSp50a64.sys
2008-08-13 12:39 . 2004-03-23 16:38 28,672 --a------ C:\WINDOWS\system32\InsDrvZD.dll
2008-08-13 12:39 . 2003-03-14 12:24 24,576 --a------ C:\WINDOWS\system32\ZyDelReg.exe
2008-08-13 12:39 . 2005-06-08 18:44 20,608 --a------ C:\WINDOWS\system32\drivers\BRGSp50.sys
2008-08-13 12:39 . 2004-10-25 13:40 17,664 --a------ C:\WINDOWS\system32\drivers\ZDPSp50.sys
2008-08-13 12:39 . 2004-01-14 11:30 17,151 --a------ C:\WINDOWS\system32\ZDPNDIS5.SYS
2008-08-13 12:39 . 2005-07-12 14:44 15,872 --a------ C:\WINDOWS\system32\InsDrvZD64.DLL
2008-08-13 11:54 . 2008-08-13 11:54 <DIR> d-------- C:\VundoFix Backups
2008-08-13 11:23 . 2008-08-13 11:23 2,048 --a------ C:\WINDOWS\system32\ihimpnii.exe
2008-08-12 16:41 . 2008-08-12 16:41 <DIR> d-------- C:\Program Files\Panda Security
2008-08-12 16:41 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-12 14:48 . 2008-08-12 14:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-12 13:30 . 2008-08-12 13:31 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-12 13:30 . 2008-08-12 13:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-12 11:28 . 2008-08-12 11:28 2,048 --a------ C:\WINDOWS\system32\ldhfotsy.exe
2008-08-11 11:29 . 2008-08-11 11:29 2,048 --a------ C:\WINDOWS\system32\untvrrpc.exe
2008-08-11 11:14 . 2008-08-11 11:14 2,048 --a------ C:\WINDOWS\system32\wjqyjgav.exe
2008-08-09 11:09 . 2008-08-09 11:09 2,048 --a------ C:\WINDOWS\system32\fwvrhlns.exe
2008-08-08 09:27 . 2008-08-08 09:27 2,048 --a------ C:\WINDOWS\system32\wjajvfsl.exe
2008-07-31 12:32 . 2008-07-31 12:32 <DIR> d-------- C:\Program Files\Microsoft Works
2008-07-31 12:31 . 2008-07-31 12:31 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-07-31 12:28 . 2008-07-31 12:31 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-07-31 12:27 . 2008-07-31 12:27 <DIR> dr-h----- C:\MSOCache
2008-07-31 10:28 . 2008-07-31 10:28 <DIR> d-------- C:\Program Files\Jarte
2008-07-31 10:28 . 2008-07-31 10:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Jarte
2008-07-29 10:39 . 2008-07-29 10:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Blackberry Desktop
2008-07-28 17:37 . 2008-07-28 17:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\RIM Palm&PPC Upgrade Wizard
2008-07-28 16:45 . 2008-07-28 16:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Research In Motion
2008-07-28 16:45 . 2008-07-29 18:20 256 --a------ C:\WINDOWS\system32\pool.bin
2008-07-28 16:34 . 2008-07-28 16:45 256 --a------ C:\Documents and Settings\Owner\pool.bin
2008-07-28 16:33 . 2008-07-28 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-07-28 16:33 . 2008-07-28 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-07-28 16:31 . 2008-07-28 16:32 <DIR> d-------- C:\Program Files\Roxio
2008-07-28 16:31 . 2008-07-28 16:33 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-07-28 16:31 . 2008-07-28 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-07-28 16:30 . 2008-07-28 16:32 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-07-28 16:25 . 2007-01-18 10:24 26,496 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-07-28 16:24 . 2008-07-28 16:24 <DIR> d-------- C:\Program Files\Research In Motion
2008-07-28 16:24 . 2008-07-28 16:24 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2008-07-28 16:19 . 2008-07-28 16:19 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-07-22 10:39 . 2008-07-22 10:40 <DIR> d-------- C:\Program Files\Auction Client

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 17:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-12 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-09 15:34 --------- d-----w C:\Program Files\LimeWire
2008-08-08 19:44 --------- d-----w C:\Program Files\Java
2008-08-07 14:58 --------- d-----w C:\Program Files\Apple Software Update
2008-08-04 14:56 --------- d-----w C:\Program Files\iRacing
2008-07-31 16:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-31 13:38 --------- d-----w C:\Program Files\palmOne
2008-07-28 21:21 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-07-15 19:24 --------- d-----w C:\Program Files\Netscape
2008-07-03 02:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\ieSpell
2008-06-30 21:05 --------- d-----w C:\Program Files\Automotix
2008-06-28 16:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\InstallShield
2008-06-23 15:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\Automotix
2007-06-20 18:49 49 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb6500.dat
2006-10-23 14:58 337 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb1942.dat
2006-10-23 14:51 13,046 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb5436.dat
2006-10-23 14:51 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb4604.dat
2006-10-23 13:49 179,200 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb4827.dat
2006-10-20 15:20 9,216 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb9169.dat
2006-10-20 15:20 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb5724.dat
2006-10-20 13:12 49 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb41.dat
2006-10-20 13:08 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb8253.dat
2006-10-20 13:08 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb3902.dat
2006-10-20 13:08 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb2391.dat
2006-10-20 13:08 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb153.dat
2006-10-20 13:07 9,216 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb8467.dat
2006-10-20 13:07 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb6334.dat
2005-12-02 17:15 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"LGBLiveUpdate"="C:\WINDOWS\system32\lgbpd.exe" [2008-07-09 12:58 1043456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-10-12 15:36 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 08:56 236016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
--a------ 2004-11-11 22:00 864256 C:\Program Files\Brother\ControlCenter2\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2004-04-14 15:04 40960 C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2004-04-14 14:46 57393 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-14 02:42 212992 C:\WINDOWS\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2005-03-15 13:04 966656 C:\WINDOWS\creator\remind_xp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
--------- 2004-11-11 17:14 49152 C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
-ra------ 2003-10-14 10:22 155648 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
--a------ 2004-11-02 16:59 218240 C:\Program Files\Common Files\Symantec Shared\Security Center\usrprmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
--a------ 2004-11-15 18:04 135168 C:\Program Files\Digital Media Reader\shwiconEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-10-12 15:36 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2003-12-09 14:17 67584 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2005-03-08 06:33 53248 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
--a------ 2005-03-11 20:33 147456 C:\WINDOWS\system32\VTTrayp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\incredimail_install.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 iRacingService;iRacing helper service;C:\Program Files\iRacing\iRacingService.exe [2008-08-04 10:56]
S3 athrusb;Wireless LAN USB device driver;C:\WINDOWS\system32\DRIVERS\athrusb.sys [2006-11-30 06:14]
.
Contents of the 'Scheduled Tasks' folder

2008-08-06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2005-09-29 C:\WINDOWS\Tasks\ISP signup reminder 2.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-04 15:00]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-20299561 - C:\WINDOWS\system32\fnvpmhru.dll
HKLM-Run-BM231aa6fd - C:\WINDOWS\system32\xxsiyndb.dll
MSConfigStartUp-Adobe Photo Downloader - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
MSConfigStartUp-AOL Spyware Protection - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
MSConfigStartUp-BM231aa6fd - C:\WINDOWS\system32\pkrxmeaj.dll
MSConfigStartUp-ccApp - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-PC Connection Agent - C:\PROGRA~1\MICROS~4\wcescomm.exe
MSConfigStartUp-HostManager - C:\Program Files\Common Files\AOL\1122639952\EE\AOLHostManager.exe
MSConfigStartUp-IS CfgWiz - C:\Program Files\Norton Internet Security\cfgwiz.exe
MSConfigStartUp-MCAgentExe - c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
MSConfigStartUp-RemoteControl - C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
MSConfigStartUp-swg - C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5746\GoogleToolbarNotifier.exe
MSConfigStartUp-URLLSTCK - C:\Program Files\Norton Internet Security\UrlLstCk.exe
MSConfigStartUp-_AntiSpyware - C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\v8so1txu.default\

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 15:21:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Symantec Shared\Security Center\symwsc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-13 15:28:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-13 19:28:48
ComboFix2.txt 2007-09-15 16:59:33

Pre-Run: 136,219,860,992 bytes free
Post-Run: 136,748,593,152 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

267
------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:38 PM, on 8/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iRacing\iRacingService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lgbpd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\Trend Micro\HijackThis\peek.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LGBLiveUpdate] C:\WINDOWS\system32\lgbpd.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://www.carad.com/images/eBay_Enh..._v1-0-3-50.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1189622259578
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/download...1/axofupld.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.onlineringman.com/auction...l/isetupml.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} (SecurityManager Class) - https://care.alltel.com/lwp/static/i...ller_3-0-0.cab
O16 - DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} (ConnectivityTester Class) - https://care.alltel.com/lwp/static/i...ELControls.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iRacing helper service (iRacingService) - iRacing.com Motorsport Simulations, LLC
Bedford, MA 01730 - C:\Program Files\iRacing\iRacingService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8377 bytes

tetonbob · 08-13-2008, 01:12 PM

Please go to: VirusTotal

On the page you'll find a "Browse" button.
Next to the browse button you'll see a box to enter text.
Please copy/paste the following in BOLD:

C:\WINDOWS\system32\ihimpnii.exe
Then click the "Send File " button just below.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.
Please repeat for the following files:
- C:\WINDOWS\system32\lgbpd.exe

Additionally, please do this:

Please visit this site:

http://www.bleepingcomputer.com/subm...php?channel=28
In the Link to topic where this file was requested: area, copy and paste this

http://www.techsupportforum.com/security-center/hijackthis-log-help/278596-slow-intenet-bad-popups-please-help.html#post1647176
In the Browse to the file you want to submit: area, copy and paste this

C:\WINDOWS\system32\lgbpd.exe
Then click Send File.
Once it shows:

Quote:

Your file was successfully submitted. Please let the user helping you know that you have submitted the file.
Close the site and let me know.

lee42lee · 08-13-2008, 01:47 PM

Ok here are the logs you asked for. Also it said my file was successfully submitted at Bleeping Computer. I wasn't sure if I needed to do another HJT log so if you need it just let me know.
-----------------------------------------------------------------
File ihimpnii.exe_ received on 08.13.2008 22:15:11 (CET)
Current status: finished
Result: 10/36 (27.78%)

ntivirus Version Last Update Result
AhnLab-V3 2008.8.13.0 2008.08.13 -
AntiVir 7.8.1.19 2008.08.13 -
Authentium 5.1.0.4 2008.08.13 -
Avast 4.8.1195.0 2008.08.13 -
AVG 8.0.0.161 2008.08.13 Generic11.GSA
BitDefender 7.2 2008.08.13 -
CAT-QuickHeal 9.50 2008.08.13 -
ClamAV 0.93.1 2008.08.13 -
DrWeb 4.44.0.09170 2008.08.13 Trojan.Starter.561
eSafe 7.0.17.0 2008.08.13 -
eTrust-Vet 31.6.6030 2008.08.13 -
Ewido 4.0 2008.08.13 -
F-Prot 4.4.4.56 2008.08.13 -
F-Secure 7.60.13501.0 2008.08.13 -
Fortinet 3.14.0.0 2008.08.13 W32/DELREG.Y!tr
GData 2.0.7306.1023 2008.08.13 -
Ikarus T3.1.1.34.0 2008.08.13 -
K7AntiVirus 7.10.413 2008.08.13 -
Kaspersky 7.0.0.125 2008.08.13 -
McAfee 5360 2008.08.13 Vundo
Microsoft 1.3807 2008.08.13 -
NOD32v2 3352 2008.08.13 Win32/Adware.Virtumonde
Norman 5.80.02 2008.08.13 W32/Virtumonde.YYQ
Panda 9.0.0.4 2008.08.13 Generic Malware
PCTools 4.4.2.0 2008.08.13 -
Prevx1 V2 2008.08.13 Malicious Software
Rising 20.57.22.00 2008.08.13 -
Sophos 4.32.0 2008.08.13 -
Sunbelt 3.1.1542.1 2008.08.13 -
Symantec 10 2008.08.13 -
TheHacker 6.3.0.3.046 2008.08.13 -
TrendMicro 8.700.0.1004 2008.08.13 TROJ_DELREG.Y
VBA32 3.12.8.3 2008.08.13 -
ViRobot 2008.8.13.1335 2008.08.13 Adware.Virtumonde.2048
VirusBuster 4.5.11.0 2008.08.13 -
Webwasher-Gateway 6.6.2 2008.08.13 -
Additional information
File size: 2048 bytes
MD5...: 134346acd9dd7fa8305cc02d66b86d31
SHA1..: 03fe880a81393f1f980c54e04407f410125feba5
SHA256: 86e6fb8fe2bfc9d553b1fa2c099dda8d7e60482c63e061528b5064d44def9ae2
SHA512: c5b036d78640041c544dc849d7bc209bac7a20f0d58882fe99430a132634a5c3
0c8283d04ed8fbfaf68daab149d1f4a0fe55a6e564e829dabb6c6778036cc1e5
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401000
timedatestamp.....: 0x489708be (Mon Aug 04 13:48:46 2008)
machinetype.......: 0x14c (I386)

( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x50 0x200 1.11 e7566cd9454a61459ccd93a3a805f22d
.rdata 0x2000 0xe6 0x200 2.51 dc53a6de5d8c044a32e6afe2e7f60b1d

( 1 imports )
> ADVAPI32.dll: RegFlushKey, RegDeleteValueA, RegCreateKeyExA, RegCloseKey

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramte...2E0700B79BCD14
ThreatExpert info: http://www.threatexpert.com/report.a...5cc02d66b86d31
-----------------------------------------------------------------

File lgbpd.exe received on 08.13.2008 22:28:14 (CET)
Current status: finished
Result: 1/36 (2.78%)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.13.0 2008.08.13 -
AntiVir 7.8.1.19 2008.08.13 -
Authentium 5.1.0.4 2008.08.13 -
Avast 4.8.1195.0 2008.08.13 -
AVG 8.0.0.161 2008.08.13 -
BitDefender 7.2 2008.08.13 -
CAT-QuickHeal 9.50 2008.08.13 -
ClamAV 0.93.1 2008.08.13 -
DrWeb 4.44.0.09170 2008.08.13 -
eSafe 7.0.17.0 2008.08.13 -
eTrust-Vet 31.6.6030 2008.08.13 -
Ewido 4.0 2008.08.13 -
F-Prot 4.4.4.56 2008.08.13 -
F-Secure 7.60.13501.0 2008.08.13 -
Fortinet 3.14.0.0 2008.08.13 -
GData 2.0.7306.1023 2008.08.13 -
Ikarus T3.1.1.34.0 2008.08.13 -
K7AntiVirus 7.10.413 2008.08.13 -
Kaspersky 7.0.0.125 2008.08.13 -
McAfee 5360 2008.08.13 -
Microsoft 1.3807 2008.08.13 -
NOD32v2 3352 2008.08.13 -
Norman 5.80.02 2008.08.13 -
Panda 9.0.0.4 2008.08.13 -
PCTools 4.4.2.0 2008.08.13 -
Prevx1 V2 2008.08.13 -
Rising 20.57.22.00 2008.08.13 -
Sophos 4.32.0 2008.08.13 Sus/Uddo-B
Sunbelt 3.1.1542.1 2008.08.13 -
Symantec 10 2008.08.13 -
TheHacker 6.3.0.3.046 2008.08.13 -
TrendMicro 8.700.0.1004 2008.08.13 -
VBA32 3.12.8.3 2008.08.13 -
ViRobot 2008.8.13.1335 2008.08.13 -
VirusBuster 4.5.11.0 2008.08.13 -
Webwasher-Gateway 6.6.2 2008.08.13 -
Additional information
File size: 1043456 bytes
MD5...: 7b88f566591095968ce309b543dc8fbc
SHA1..: 7d35582d4cc0bbb39a9a6bfba6e321b2758724dc
SHA256: b440322e20aa2bcb719b14700256df1d27de34eded523f571b8614fae612a959
SHA512: 3735ad59c31c5f65394c1ecff6d829f5effd0b6e66d9db540d724f78bfb8950b
b1873619c8408666e941117ef3480cd89c955e7aaa50f2a13d3a561f635d5b1c
PEiD..: BobSoft Mini Delphi -> BoB / BobSoft
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4d3d00
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0xd2e3c 0xd3000 6.54 5132214222e229755818d6501cd3af2b
DATA 0xd4000 0x3794 0x3800 5.26 c2b83609a794cf45f7bf24cf129feb47
BSS 0xd8000 0x1f55 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0xda000 0x277e 0x2800 5.03 b280418ef88c48fb4b10c9bd7c6183e0
.tls 0xdd000 0x34 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0xde000 0x18 0x200 0.20 2d8e58bdda6b84564c2366de9c2e9bfd
.reloc 0xdf000 0xf58c 0xf600 6.62 5cef1f5c0aee4275fd1ed1eb245f0e2d
.rsrc 0xef000 0x16000 0x16000 4.84 5f891e109fcac90c201e9519924d548a

( 16 imports )
> kernel32.dll: GetACP, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
> user32.dll: GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> oleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen
> kernel32.dll: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
> advapi32.dll: RegSetValueExA, RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegFlushKey, RegEnumKeyExA, RegDeleteValueA, RegCreateKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges
> kernel32.dll: lstrcpyA, lstrcmpA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, MultiByteToWideChar, MulDiv, LockResource, LocalFree, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadLocale, GetTempPathA, GetSystemDirectoryA, GetStdHandle, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetComputerNameA, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreateFileA, CreateEventA, CopyFileA, CompareStringA, CloseHandle
> version.dll: VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
> gdi32.dll: UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExtTextOutA, ExcludeClipRect, EnumFontFamiliesExA, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
> user32.dll: CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, IsCharAlphaNumericA, IsCharAlphaA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, ExitWindowsEx, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DeferWindowPos, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, BeginDeferWindowPos, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
> kernel32.dll: Sleep
> oleaut32.dll: SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
> ole32.dll: CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitialize
> oleaut32.dll: GetErrorInfo, SysFreeString
> comctl32.dll: ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
> shell32.dll: Shell_NotifyIconA, ShellExecuteA, SHFileOperationA

( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.a...e309b543dc8fbc

tetonbob · 08-13-2008, 02:16 PM

Just trying to pin down this one file a bit better; I don't think it's malicious, but I'd like a bit more info if possible.

Do you do online auctions, and have you ever had software from Live Global Bid installed? You can answer that in the next reply with the logs.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

http://www.techsupportforum.com/security-center/hijackthis-log-help/278596-slow-intenet-bad-popups-please-help-post1647301.html#post1647301

Folder::
C:\VundoFix Backups

Collect::
C:\WINDOWS\system32\ihimpnii.exe
C:\WINDOWS\system32\ldhfotsy.exe
C:\WINDOWS\system32\untvrrpc.exe
C:\WINDOWS\system32\wjqyjgav.exe
C:\WINDOWS\system32\fwvrhlns.exe
C:\WINDOWS\system32\wjajvfsl.exe

Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

---------------------------------------------------------------------------------------------
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

lee42lee · 08-13-2008, 02:44 PM

I am doing the fix now but thought I would go ahead and let you know that I do do online auctions. I own a used car dealership and if I can't make it to a auction I will do it online.

lee42lee · 08-13-2008, 03:01 PM

Ok here are the logs. I am fixing to leave work so it will tomorrow morning before I will be able to do anything else. Thanks again for all the help so far.
----------------------------------------------------------------------------------

ComboFix 08-08-12.01 - Owner 2008-08-13 17:48:54.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.157 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\system32\fwvrhlns.exe
C:\WINDOWS\system32\ihimpnii.exe
C:\WINDOWS\system32\ldhfotsy.exe
C:\WINDOWS\system32\untvrrpc.exe
C:\WINDOWS\system32\wjajvfsl.exe
C:\WINDOWS\system32\wjqyjgav.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 )))))))))))))))))))))))))))))))
.

2008-08-13 16:02 . 2008-08-13 16:02 <DIR> d-------- C:\Program Files\EDUP Technology Corporation
2008-08-13 13:37 . 2008-08-13 13:46 <DIR> d-------- C:\Program Files\Ekahau
2008-08-13 12:40 . 2006-11-30 06:14 446,976 -ra------ C:\WINDOWS\system32\drivers\athrusb.sys
2008-08-13 12:39 . 2004-01-14 11:25 81,920 --a------ C:\WINDOWS\system32\ZDPN50.DLL
2008-08-13 12:39 . 2005-03-18 15:35 31,744 --a------ C:\WINDOWS\system32\drivers\ZDPSp50a64.sys
2008-08-13 12:39 . 2005-06-08 18:44 29,184 --a------ C:\WINDOWS\system32\drivers\BRGSp50a64.sys
2008-08-13 12:39 . 2004-03-23 16:38 28,672 --a------ C:\WINDOWS\system32\InsDrvZD.dll
2008-08-13 12:39 . 2003-03-14 12:24 24,576 --a------ C:\WINDOWS\system32\ZyDelReg.exe
2008-08-13 12:39 . 2005-06-08 18:44 20,608 --a------ C:\WINDOWS\system32\drivers\BRGSp50.sys
2008-08-13 12:39 . 2004-10-25 13:40 17,664 --a------ C:\WINDOWS\system32\drivers\ZDPSp50.sys
2008-08-13 12:39 . 2004-01-14 11:30 17,151 --a------ C:\WINDOWS\system32\ZDPNDIS5.SYS
2008-08-13 12:39 . 2005-07-12 14:44 15,872 --a------ C:\WINDOWS\system32\InsDrvZD64.DLL
2008-08-12 16:41 . 2008-08-12 16:41 <DIR> d-------- C:\Program Files\Panda Security
2008-08-12 16:41 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-12 14:48 . 2008-08-12 14:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-12 13:30 . 2008-08-12 13:31 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-12 13:30 . 2008-08-12 13:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-31 12:32 . 2008-07-31 12:32 <DIR> d-------- C:\Program Files\Microsoft Works
2008-07-31 12:31 . 2008-07-31 12:31 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-07-31 12:28 . 2008-07-31 12:31 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-07-31 12:27 . 2008-07-31 12:27 <DIR> dr-h----- C:\MSOCache
2008-07-31 10:28 . 2008-07-31 10:28 <DIR> d-------- C:\Program Files\Jarte
2008-07-31 10:28 . 2008-07-31 10:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Jarte
2008-07-29 10:39 . 2008-07-29 10:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Blackberry Desktop
2008-07-28 17:37 . 2008-07-28 17:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\RIM Palm&PPC Upgrade Wizard
2008-07-28 16:45 . 2008-07-28 16:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Research In Motion
2008-07-28 16:45 . 2008-07-29 18:20 256 --a------ C:\WINDOWS\system32\pool.bin
2008-07-28 16:34 . 2008-07-28 16:45 256 --a------ C:\Documents and Settings\Owner\pool.bin
2008-07-28 16:33 . 2008-07-28 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-07-28 16:33 . 2008-07-28 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-07-28 16:31 . 2008-07-28 16:32 <DIR> d-------- C:\Program Files\Roxio
2008-07-28 16:31 . 2008-07-28 16:33 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-07-28 16:31 . 2008-07-28 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-07-28 16:30 . 2008-07-28 16:32 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-07-28 16:25 . 2007-01-18 10:24 26,496 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-07-28 16:24 . 2008-07-28 16:24 <DIR> d-------- C:\Program Files\Research In Motion
2008-07-28 16:24 . 2008-07-28 16:24 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2008-07-28 16:19 . 2008-07-28 16:19 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-07-22 10:39 . 2008-07-22 10:40 <DIR> d-------- C:\Program Files\Auction Client

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 20:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-12 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-09 15:34 --------- d-----w C:\Program Files\LimeWire
2008-08-08 19:44 --------- d-----w C:\Program Files\Java
2008-08-07 14:58 --------- d-----w C:\Program Files\Apple Software Update
2008-08-04 14:56 --------- d-----w C:\Program Files\iRacing
2008-07-31 16:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-31 13:38 --------- d-----w C:\Program Files\palmOne
2008-07-28 21:21 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-07-15 19:24 --------- d-----w C:\Program Files\Netscape
2008-07-09 16:58 86,016 ----a-w C:\WINDOWS\system32\lgbsysinfo.dll
2008-07-09 16:58 1,043,456 ----a-w C:\WINDOWS\system32\lgbpd.exe
2008-07-03 02:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\ieSpell
2008-06-30 21:05 --------- d-----w C:\Program Files\Automotix
2008-06-28 16:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\InstallShield
2008-06-23 15:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\Automotix
2007-06-20 18:49 49 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb6500.dat
2006-10-23 14:58 337 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb1942.dat
2006-10-23 14:51 13,046 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb5436.dat
2006-10-23 14:51 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb4604.dat
2006-10-23 13:49 179,200 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb4827.dat
2006-10-20 15:20 9,216 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb9169.dat
2006-10-20 15:20 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb5724.dat
2006-10-20 13:12 49 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb41.dat
2006-10-20 13:08 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb8253.dat
2006-10-20 13:08 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb3902.dat
2006-10-20 13:08 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb2391.dat
2006-10-20 13:08 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb153.dat
2006-10-20 13:07 9,216 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb8467.dat
2006-10-20 13:07 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb6334.dat
2005-12-02 17:15 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2008-08-13_15.28.32.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 17:44:14 477,696 ----a-w C:\WINDOWS\system32\drivers\ZD1211BU.sys
+ 2006-08-24 09:44:14 477,696 ----a-w C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\ZD11BUXP.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"LGBLiveUpdate"="C:\WINDOWS\system32\lgbpd.exe" [2008-07-09 12:58 1043456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-10-12 15:36 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 08:56 236016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EDUP WLan Utility.lnk - C:\Program Files\EDUP Technology Corporation\EDUP_802.11g_Utility\ZDWlan.exe [2008-08-13 16:02:18 499712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
--a------ 2004-11-11 22:00 864256 C:\Program Files\Brother\ControlCenter2\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2004-04-14 15:04 40960 C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2004-04-14 14:46 57393 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-14 02:42 212992 C:\WINDOWS\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2005-03-15 13:04 966656 C:\WINDOWS\creator\remind_xp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
--------- 2004-11-11 17:14 49152 C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
-ra------ 2003-10-14 10:22 155648 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
--a------ 2004-11-02 16:59 218240 C:\Program Files\Common Files\Symantec Shared\Security Center\usrprmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
--a------ 2004-11-15 18:04 135168 C:\Program Files\Digital Media Reader\shwiconEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-10-12 15:36 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2003-12-09 14:17 67584 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2005-03-08 06:33 53248 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
--a------ 2005-03-11 20:33 147456 C:\WINDOWS\system32\VTTrayp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\incredimail_install.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 iRacingService;iRacing helper service;C:\Program Files\iRacing\iRacingService.exe [2008-08-04 10:56]
R3 BRGSp50;BRGSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\BRGSp50.sys [2005-06-08 18:44]
S3 athrusb;Wireless LAN USB device driver;C:\WINDOWS\system32\DRIVERS\athrusb.sys [2006-11-30 06:14]
S3 ZD1211BU(EDUP);EDUP IEEE 802.11 b+g Wireless LAN Driver (USB)(EDUP);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-08-24 13:44]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-08-24 13:44]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2005-09-29 C:\WINDOWS\Tasks\ISP signup reminder 2.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-04 15:00]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 17:51:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\DOCUME~1\Owner\LOCALS~1\Temp\TMP4352$.TMP

**************************************************************************
.
Completion time: 2008-08-13 17:54:00
ComboFix-quarantined-files.txt 2008-08-13 21:52:57
ComboFix2.txt 2008-08-13 19:28:52
ComboFix3.txt 2007-09-15 16:59:33

Pre-Run: 136,680,734,720 bytes free
Post-Run: 136,669,065,216 bytes free

198
------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:01:30 PM, on 8/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iRacing\iRacingService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lgbpd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\Trend Micro\HijackThis\peek.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LGBLiveUpdate] C:\WINDOWS\system32\lgbpd.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: EDUP WLan Utility.lnk = C:\Program Files\EDUP Technology Corporation\EDUP_802.11g_Utility\ZDWlan.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://www.carad.com/images/eBay_Enh..._v1-0-3-50.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1189622259578
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/download...1/axofupld.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.onlineringman.com/auction...l/isetupml.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} (SecurityManager Class) - https://care.alltel.com/lwp/static/i...ller_3-0-0.cab
O16 - DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} (ConnectivityTester Class) - https://care.alltel.com/lwp/static/i...ELControls.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iRacing helper service (iRacingService) - iRacing.com Motorsport Simulations, LLC
Bedford, MA 01730 - C:\Program Files\iRacing\iRacingService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8500 bytes

tetonbob · 08-13-2008, 05:34 PM

Quote:

Originally Posted by lee42lee

but thought I would go ahead and let you know that I do do online auctions. I own a used car dealership and if I can't make it to a auction I will do it online.

Thanks, that correlates with the limited info I was able to garner about the file.

I should think the machine is bahaving much better now.

Thanks for uploading the file. Please delete [4]-Submit_2008-08-13@17.48.zip from your desktop.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Java(TM) 6 Update 3
Java(TM) 6 Update 5

These are all outdated, and security risks by having them installed still. Unfortunately, Java does not uninstall previous version when you update, nor tell you that you should.

Leave Java(TM) 6 Update 7 alone, as it is the most recent.

---------------------------------------------------------------------------------------------

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.

Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View scan report at the bottom.
Click the Save Report As... button.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

---------------------------------------------------------------------------------------------

Let me know how the machine is behaving.

lee42lee · 08-14-2008, 10:41 AM

When I try to use IE it runs very slow like the connection is slow but if I use Netscape the connection is fine. Other than that the system is a lot better. I have not done the scan yet but I am going to now. I use this computer as a access point for a wireless connection. Do I need to turn it off before I do the scan?

tetonbob · 08-14-2008, 10:52 AM

Do you mean, will other machines get scanned through the Wireless Access Point? Truthfully, I'm not sure, but I don't think so unless the other machines have mapped network drives on yours. If the other machines can be without connection for the duration of the scan (perhaps an hour or more, depending on the size of the drives and number of files), then go ahead and disable the WAP connection. Might be interesting to see what happens if you leave it enabled, though.

lee42lee · 08-14-2008, 11:09 AM

I will leave it connected to see what it does and then I can do it again if you need me to.

lee42lee · 08-14-2008, 01:42 PM

Ok here is the scan log and I also did a HJT log.
-------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, August 14, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, August 14, 2008 19:17:39
Records in database: 1093719

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
G:\
H:\
I:\
J:\

Scan statistics
Files scanned 69133
Threat name 5
Infected objects 9
Suspicious objects 0
Duration of the scan 01:29:34

File name Threat name Threats count
C:\Documents and Settings\Owner\Shared\Eighties classic.wma Infected: Trojan-Downloader.WMA.Wimad.k 1

C:\QooBox\Quarantine\C\WINDOWS\system32\jqqnsllo.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.clf 1

C:\QooBox\Quarantine\C\WINDOWS\system32\lcgzuf.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.clf 1

C:\QooBox\Quarantine\C\WINDOWS\system32\lszhth.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ckp 1

C:\QooBox\Quarantine\C\WINDOWS\system32\ndhdiu.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ckp 1

C:\QooBox\Quarantine\C\WINDOWS\system32\qwcmtdpf.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ckp 1

C:\QooBox\Quarantine\C\WINDOWS\system32\ykmhjbdm.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ckp 1

C:\WINDOWS\system32\setup9x.exe Infected: Trojan-Downloader.Win32.VB.fbr 1

D:\i386\Apps\App03130\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

The selected area was scanned.
-------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:39:44 PM, on 8/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lgbpd.exe
C:\Program Files\EDUP Technology Corporation\EDUP_802.11g_Utility\ZDWlan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\EDUP Technology Corporation\EDUP_802.11g_Utility\W32BRG55.EXE
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\Trend Micro\HijackThis\peek.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LGBLiveUpdate] C:\WINDOWS\system32\lgbpd.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: EDUP WLan Utility.lnk = C:\Program Files\EDUP Technology Corporation\EDUP_802.11g_Utility\ZDWlan.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://www.carad.com/images/eBay_Enh..._v1-0-3-50.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1189622259578
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/download...1/axofupld.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.onlineringman.com/auction...l/isetupml.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} (SecurityManager Class) - https://care.alltel.com/lwp/static/i...ller_3-0-0.cab
O16 - DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} (ConnectivityTester Class) - https://care.alltel.com/lwp/static/i...ELControls.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iRacing helper service (iRacingService) - iRacing.com Motorsport Simulations, LLC
Bedford, MA 01730 - C:\Program Files\iRacing\iRacingService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8646 bytes

tetonbob · 08-14-2008, 02:18 PM

Hi again -

Using the same method as before...

Can you upload this file

C:\WINDOWS\system32\setup9x.exe

to to following site please?

http://www.bleepingcomputer.com/subm...php?channel=28

I'll know when it arrives.

lee42lee · 08-14-2008, 03:10 PM

Ok I have uploaded the file. I wont be back in the office until tomorrow around 3:00est so I will do the next step then. Just so you know I am not having and pop ups at all but the computer just seems to run slower than normal.

tetonbob · 08-14-2008, 03:34 PM

Thanks for uploading the file.

Using Windows Explorer, or Windows Search, locate and delete the following files:

"C:\Documents and Settings\Owner\Shared\Eighties classic.wma"
"C:\WINDOWS\system32\setup9x.exe"

A slow machine is not always a product of infection.

Please see this sticky topic, and see if the information there helps.

http://www.techsupportforum.com/secu...ning-slow.html

From a malware perspective, we should be done.

We still have a few items to address.

Go to

-> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

Microsoft Windows Update - http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
SpywareBlaster to help prevent spyware from installing in the first place.
- Install & update SpywareBlaster with the latest definitions.
  After you have updated, click the button - enable protection for all unprotected items
Winpatrol

Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

You can get a free copy of Winpatrol or use the Plus version for more features.

You can read Winpatrol's FAQ if you run into problems.
MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
- Download Host.zip to your desktop.
- From your Desktop right-click (hosts.zip) and select:
  Extract All from the menu.
- Click Next, click Next, select the option:
  "Show Extracted files", click Finish
- This will open the newly created hosts folder on your Desktop.
- Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
- Once updated you should see another prompt that the task was completed.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

Do not install more than one AntiVirus program because they will conflict with each other.
FIREWALL
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here

Do not install more than one firewall program because they will conflict with each other.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.

http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

08-09-2008, 08:57 AM	#1 (permalink)
lee42lee Registered User Join Date: Aug 2005 Posts: 30 OS: XP	Slow Intenet and Bad PopUps Please Help Below is copy of the HJT log. Please review it and help. I am having a lot of pop ups and the connetion is very slow. Thanks in advance for any help. ----------------------------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:44:27 AM, on 8/9/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\iRacing\iRacingService.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\lgbpd.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" O4 - HKLM\..\Run: [BM231aa6fd] Rundll32.exe "C:\WINDOWS\system32\albqwtmk.dll",s O4 - HKLM\..\Run: [20299561] rundll32.exe "C:\WINDOWS\system32\lfquhxpu.dll",b O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [LGBLiveUpdate] C:\WINDOWS\system32\lgbpd.exe O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe O4 - Startup: PowerReg Scheduler.exe O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dll O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://www.carad.com/images/eBay_Enh..._v1-0-3-50.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1189622259578 O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/download...1/axofupld.cab O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.onlineringman.com/auction...l/isetupml.cab O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} (SecurityManager Class) - https://care.alltel.com/lwp/static/i...ller_3-0-0.cab O16 - DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} (ConnectivityTester Class) - https://care.alltel.com/lwp/static/i...ELControls.cab O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: iRacing helper service (iRacingService) - iRacing.com Motorsport Simulations, LLC Bedford, MA 01730 - C:\Program Files\iRacing\iRacingService.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe -- End of file - 7821 bytes

08-13-2008, 09:36 AM	#2 (permalink)
lee42lee Registered User Join Date: Aug 2005 Posts: 30 OS: XP	Re: Slow Intenet and Bad PopUps Please Help Bump. Please help this is my office computer and I need help.

08-13-2008, 09:47 AM	#3 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 32,560 OS: 2000 Pro; XP Pro; XP Home	Re: Slow Intenet and Bad PopUps Please Help I'd like you to rename HijackThis.exe to peek.exe. Navigate to C:\hjt\HijackThis.exe (or whereever the user has HJT located, as long as it's not in temp) Right click on HijackThis.exe Select 'Rename' Type in peek.exe Press Enter. Now run a new scan with the renamed executable, save the log and post it. Create an uninstall list: With HiJackThis still open Click on the configure button on the bottom right Click on the tab "Misc Tools" Click on the Box that says "Open Uninstall Manager" Click on the button "Save list" Copy and past the List from the notepad file into your post --------------------------------------------------------------------------------------------- __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

08-13-2008, 10:09 AM	#4 (permalink)
lee42lee Registered User Join Date: Aug 2005 Posts: 30 OS: XP	Re: Slow Intenet and Bad PopUps Please Help First I want to say thank you for the help. Since I posted the very first log I have installed Spybot Search and Destroy so I hope this didnt mess you up. Below is the new log and the uninstall list. -------------------------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 120 PM, on 8/13/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\iRacing\iRacingService.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\lgbpd.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\EDUP Technology Corporation\EDUP_802.11g_Utility\ZDWlan.exe C:\Program Files\Netscape\Navigator 9\navigator.exe C:\Program Files\Trend Micro\HijackThis\peek.exe.exe O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {6BC03760-586E-4D52-9FCA-B4AC1415BF16} - C:\WINDOWS\system32\efcDWmJc.dll O2 - BHO: (no name) - {73A4A159-2742-421B-AB8D-7CD7BE6EF817} - C:\WINDOWS\system32\hgGvuTMD.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: (no name) - {BC45E1D3-0152-4916-8465-BE9C7D726E36} - (no file) O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\Run: [20299561] rundll32.exe "C:\WINDOWS\system32\fnvpmhru.dll",b O4 - HKLM\..\Run: [BM231aa6fd] Rundll32.exe "C:\WINDOWS\system32\xxsiyndb.dll",s O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [LGBLiveUpdate] C:\WINDOWS\system32\lgbpd.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe O4 - Startup: PowerReg Scheduler.exe O4 - Global Startup: EDUP WLan Utility.lnk = C:\Program Files\EDUP Technology Corporation\EDUP_802.11g_Utility\ZDWlan.exe O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dll O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://www.carad.com/images/eBay_Enh..._v1-0-3-50.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1189622259578 O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/download...1/axofupld.cab O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.onlineringman.com/auction...l/isetupml.cab O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} (SecurityManager Class) - https://care.alltel.com/lwp/static/i...ller_3-0-0.cab O16 - DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} (ConnectivityTester Class) - https://care.alltel.com/lwp/static/i...ELControls.cab O20 - Winlogon Notify: efcDWmJc - C:\WINDOWS\SYSTEM32\efcDWmJc.dll O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: iRacing helper service (iRacingService) - iRacing.com Motorsport Simulations, LLC Bedford, MA 01730 - C:\Program Files\iRacing\iRacingService.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe -- End of file - 9145 bytes ------------------------------------------------------------- "AbiWord 2.4.1 (remove only)" Adobe Flash Player Plugin Adobe Shockwave Player AOL You've Got Pictures Screensaver Apple Mobile Device Support Apple Software Update Auction Client AuctionGenerator BigFix BitComet 0.59 BlackBerry Desktop Software 4.3 BlackBerry Desktop Software 4.3 Brother MFL-Pro Suite Digital Media Reader DivX DivX Converter DivX Player DivX Web Player EDUP IEEE 802.11 b+g Wireless LAN - USB EndItAll 2.0 Foxit PDF Editor Foxit Reader Frazer Software for the Used Car Dealer Frazer Software for the Used Car Dealer Google Earth HijackThis 2.0.2 Hotfix for Microsoft .NET Framework 3.0 (KB932471) Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Format SDK (KB902344) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB909394) Hotfix for Windows XP (KB914440) Hotfix for Windows XP (KB915865) Hotfix for Windows XP (KB926239) ieSpell IncrediMail Xe iRacing.com Race Simulation iTunes Jarte 3.2 Java(TM) 6 Update 3 Java(TM) 6 Update 5 Java(TM) 6 Update 7 Kaspersky Online Scanner KODAK EASYSHARE Gallery Upload ActiveX Control MGTEK dopisp Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB928366) Microsoft .NET Framework 2.0 Service Pack 1 Microsoft .NET Framework 3.0 Service Pack 1 Microsoft Base Smart Card Cryptographic Service Provider Package Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office Access MUI (English) 2007 Microsoft Office Access Setup Metadata MUI (English) 2007 Microsoft Office Excel MUI (English) 2007 Microsoft Office Outlook MUI (English) 2007 Microsoft Office PowerPoint MUI (English) 2007 Microsoft Office Professional 2007 Microsoft Office Professional 2007 Trial Microsoft Office Proof (English) 2007 Microsoft Office Proof (French) 2007 Microsoft Office Proof (Spanish) 2007 Microsoft Office Proofing (English) 2007 Microsoft Office Publisher MUI (English) 2007 Microsoft Office Shared MUI (English) 2007 Microsoft Office Shared Setup Metadata MUI (English) 2007 Microsoft Office Word MUI (English) 2007 Microsoft User-Mode Driver Framework Feature Pack 1.0 MimoUSA POS Retail Browser MSN MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) MSXML 6.0 Parser (KB933579) Nancy Drew: Danger by Design Netscape Navigator (9.0.0.6) Norton Security Center Panda ActiveScan Panda ActiveScan 2.0 PaperPort Pet Vet (remove only) QuickTime RealPlayer Realtek AC'97 Audio REALTEK Gigabit and Fast Ethernet NIC Driver Roxio Media Manager rsClient 10x Security Update for Windows Internet Explorer 7 (KB937143) Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB950759) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows Media Player 10 (KB936782) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows XP (KB893756) Security Update for Windows XP (KB896358) Security Update for Windows XP (KB896423) Security Update for Windows XP (KB896424) Security Update for Windows XP (KB899587) Security Update for Windows XP (KB899588) Security Update for Windows XP (KB899591) Security Update for Windows XP (KB900725) Security Update for Windows XP (KB901017) Security Update for Windows XP (KB901190) Security Update for Windows XP (KB902400) Security Update for Windows XP (KB904706) Security Update for Windows XP (KB905414) Security Update for Windows XP (KB905749) Security Update for Windows XP (KB908519) Security Update for Windows XP (KB911562) Security Update for Windows XP (KB911567) Security Update for Windows XP (KB911927) Security Update for Windows XP (KB912812) Security Update for Windows XP (KB912919) Security Update for Windows XP (KB913446) Security Update for Windows XP (KB913580) Security Update for Windows XP (KB914388) Security Update for Windows XP (KB914389) Security Update for Windows XP (KB917344) Security Update for Windows XP (KB917422) Security Update for Windows XP (KB917953) Security Update for Windows XP (KB918118) Security Update for Windows XP (KB918439) Security Update for Windows XP (KB918899) Security Update for Windows XP (KB919007) Security Update for Windows XP (KB920213) Security Update for Windows XP (KB920214) Security Update for Windows XP (KB920670) Security Update for Windows XP (KB920683) Security Update for Windows XP (KB920685) Security Update for Windows XP (KB921398) Security Update for Windows XP (KB921503) Security Update for Windows XP (KB921883) Security Update for Windows XP (KB922616) Security Update for Windows XP (KB922819) Security Update for Windows XP (KB923191) Security Update for Windows XP (KB923414) Security Update for Windows XP (KB923689) Security Update for Windows XP (KB923694) Security Update for Windows XP (KB923980) Security Update for Windows XP (KB924191) Security Update for Windows XP (KB924270) Security Update for Windows XP (KB924496) Security Update for Windows XP (KB924667) Security Update for Windows XP (KB925454) Security Update for Windows XP (KB925486) Security Update for Windows XP (KB925902) Security Update for Windows XP (KB926255) Security Update for Windows XP (KB926436) Security Update for Windows XP (KB927779) Security Update for Windows XP (KB927802) Security Update for Windows XP (KB928255) Security Update for Windows XP (KB928843) Security Update for Windows XP (KB929123) Security Update for Windows XP (KB929969) Security Update for Windows XP (KB930178) Security Update for Windows XP (KB931261) Security Update for Windows XP (KB931784) Security Update for Windows XP (KB932168) Security Update for Windows XP (KB933729) Security Update for Windows XP (KB935839) Security Update for Windows XP (KB935840) Security Update for Windows XP (KB936021) Security Update for Windows XP (KB938829) Security Update for Windows XP (KB941202) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB941644) Security Update for Windows XP (KB941693) Security Update for Windows XP (KB943055) Security Update for Windows XP (KB943460) Security Update for Windows XP (KB943485) Security Update for Windows XP (KB944653) Security Update for Windows XP (KB945553) Security Update for Windows XP (KB946026) Security Update for Windows XP (KB948590) Security Update for Windows XP (KB950749) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB951376) Security Update for Windows XP (KB951698) Soft Data Fax Modem with SmartCP Spelling Dictionaries For Adobe Reader Package Spybot - Search & Destroy SpywareBlaster 4.1 Star Fax Cover Sheet Creator 2.25 Update for Windows XP (KB894391) Update for Windows XP (KB896727) Update for Windows XP (KB898461) Update for Windows XP (KB900485) Update for Windows XP (KB904942) Update for Windows XP (KB908531) Update for Windows XP (KB910437) Update for Windows XP (KB911280) Update for Windows XP (KB916595) Update for Windows XP (KB920342) Update for Windows XP (KB920872) Update for Windows XP (KB922582) Update for Windows XP (KB925720) Update for Windows XP (KB925876) Update for Windows XP (KB927891) Update for Windows XP (KB930916) Update for Windows XP (KB932823-v3) Update for Windows XP (KB933360) Update for Windows XP (KB938828) Update for Windows XP (KB942763) Update for Windows XP (KB953356) Ventrilo VIA/S3G Display Driver Videora iPod Converter 2.25 Viewpoint Media Player Weather Pulse 2.05 build 36 Windows Backup Utility Windows Genuine Advantage v1.3.0254.0 Windows Imaging Component Windows Internet Explorer 7 Windows Media Format 11 runtime Windows Media Format 11 runtime Windows Media Format SDK Hotfix - KB891122 Windows Media Player 10 Hotfix - KB894476 Windows Media Player 11 Windows Media Player 11 Windows Presentation Foundation Windows XP Hotfix - KB886185 Windows XP Hotfix - KB887472 Windows XP Hotfix - KB887742

08-13-2008, 10:22 AM	#5 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 32,560 OS: 2000 Pro; XP Pro; XP Home	Re: Slow Intenet and Bad PopUps Please Help It does just a little, only in that TeaTimer can be a roadblock in malware removal. We will need to disable it for the duration of the fix. If, while we're working together, TeaTimer detects changes and reports it to you, allow them. Download ResetTeaTimer.bat by right-clicking on the link, and choosing Save As. Save it to your desktop, or somewhere you can find it easily. Double click ResetTeaTimer.bat to remove all entries set by TeaTimer. S& D Spybot's Tea Timer While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent our tools from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean. Open Spybot Search & Destroy. In the Mode menu click "Advanced mode" if not already selected. Choose "Yes" at the Warning prompt. Expand the "Tools" menu. Click "Resident". Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box. In the File menu click "Exit" to exit Spybot Search & Destroy. See this link for a tutorial ================================= Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/comb...o-use-combofix Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return. Once the Recovery Console is installed using ComboFix, you should see a message that says: The Recovery Console was successfully installed. Please continue as follows: Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Click Yes to allow ComboFix to continue scanning for malware. When the tool is finished, it will produce a report for you. Post the log from ComboFix when you've accomplished that, along with a new HijackThis log. If you have any questions along the way, STOP and ask them before proceeding. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

08-13-2008, 11:11 AM	#6 (permalink)
lee42lee Registered User Join Date: Aug 2005 Posts: 30 OS: XP	Re: Slow Intenet and Bad PopUps Please Help I am on my way to get my daughter at school and I will be back in about 45 mins then I will continue.

08-13-2008, 01:47 PM	#9 (permalink)
lee42lee Registered User Join Date: Aug 2005 Posts: 30 OS: XP	Re: Slow Intenet and Bad PopUps Please Help Ok here are the logs you asked for. Also it said my file was successfully submitted at Bleeping Computer. I wasn't sure if I needed to do another HJT log so if you need it just let me know. ----------------------------------------------------------------- File ihimpnii.exe_ received on 08.13.2008 22:15:11 (CET) Current status: finished Result: 10/36 (27.78%) ntivirus Version Last Update Result AhnLab-V3 2008.8.13.0 2008.08.13 - AntiVir 7.8.1.19 2008.08.13 - Authentium 5.1.0.4 2008.08.13 - Avast 4.8.1195.0 2008.08.13 - AVG 8.0.0.161 2008.08.13 Generic11.GSA BitDefender 7.2 2008.08.13 - CAT-QuickHeal 9.50 2008.08.13 - ClamAV 0.93.1 2008.08.13 - DrWeb 4.44.0.09170 2008.08.13 Trojan.Starter.561 eSafe 7.0.17.0 2008.08.13 - eTrust-Vet 31.6.6030 2008.08.13 - Ewido 4.0 2008.08.13 - F-Prot 4.4.4.56 2008.08.13 - F-Secure 7.60.13501.0 2008.08.13 - Fortinet 3.14.0.0 2008.08.13 W32/DELREG.Y!tr GData 2.0.7306.1023 2008.08.13 - Ikarus T3.1.1.34.0 2008.08.13 - K7AntiVirus 7.10.413 2008.08.13 - Kaspersky 7.0.0.125 2008.08.13 - McAfee 5360 2008.08.13 Vundo Microsoft 1.3807 2008.08.13 - NOD32v2 3352 2008.08.13 Win32/Adware.Virtumonde Norman 5.80.02 2008.08.13 W32/Virtumonde.YYQ Panda 9.0.0.4 2008.08.13 Generic Malware PCTools 4.4.2.0 2008.08.13 - Prevx1 V2 2008.08.13 Malicious Software Rising 20.57.22.00 2008.08.13 - Sophos 4.32.0 2008.08.13 - Sunbelt 3.1.1542.1 2008.08.13 - Symantec 10 2008.08.13 - TheHacker 6.3.0.3.046 2008.08.13 - TrendMicro 8.700.0.1004 2008.08.13 TROJ_DELREG.Y VBA32 3.12.8.3 2008.08.13 - ViRobot 2008.8.13.1335 2008.08.13 Adware.Virtumonde.2048 VirusBuster 4.5.11.0 2008.08.13 - Webwasher-Gateway 6.6.2 2008.08.13 - Additional information File size: 2048 bytes MD5...: 134346acd9dd7fa8305cc02d66b86d31 SHA1..: 03fe880a81393f1f980c54e04407f410125feba5 SHA256: 86e6fb8fe2bfc9d553b1fa2c099dda8d7e60482c63e061528b5064d44def9ae2 SHA512: c5b036d78640041c544dc849d7bc209bac7a20f0d58882fe99430a132634a5c3 0c8283d04ed8fbfaf68daab149d1f4a0fe55a6e564e829dabb6c6778036cc1e5 PEiD..: - PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x401000 timedatestamp.....: 0x489708be (Mon Aug 04 13:48:46 2008) machinetype.......: 0x14c (I386) ( 2 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x50 0x200 1.11 e7566cd9454a61459ccd93a3a805f22d .rdata 0x2000 0xe6 0x200 2.51 dc53a6de5d8c044a32e6afe2e7f60b1d ( 1 imports ) > ADVAPI32.dll: RegFlushKey, RegDeleteValueA, RegCreateKeyExA, RegCloseKey ( 0 exports ) Prevx info: http://info.prevx.com/aboutprogramte...2E0700B79BCD14 ThreatExpert info: http://www.threatexpert.com/report.a...5cc02d66b86d31 ----------------------------------------------------------------- File lgbpd.exe received on 08.13.2008 22:28:14 (CET) Current status: finished Result: 1/36 (2.78%) Antivirus Version Last Update Result AhnLab-V3 2008.8.13.0 2008.08.13 - AntiVir 7.8.1.19 2008.08.13 - Authentium 5.1.0.4 2008.08.13 - Avast 4.8.1195.0 2008.08.13 - AVG 8.0.0.161 2008.08.13 - BitDefender 7.2 2008.08.13 - CAT-QuickHeal 9.50 2008.08.13 - ClamAV 0.93.1 2008.08.13 - DrWeb 4.44.0.09170 2008.08.13 - eSafe 7.0.17.0 2008.08.13 - eTrust-Vet 31.6.6030 2008.08.13 - Ewido 4.0 2008.08.13 - F-Prot 4.4.4.56 2008.08.13 - F-Secure 7.60.13501.0 2008.08.13 - Fortinet 3.14.0.0 2008.08.13 - GData 2.0.7306.1023 2008.08.13 - Ikarus T3.1.1.34.0 2008.08.13 - K7AntiVirus 7.10.413 2008.08.13 - Kaspersky 7.0.0.125 2008.08.13 - McAfee 5360 2008.08.13 - Microsoft 1.3807 2008.08.13 - NOD32v2 3352 2008.08.13 - Norman 5.80.02 2008.08.13 - Panda 9.0.0.4 2008.08.13 - PCTools 4.4.2.0 2008.08.13 - Prevx1 V2 2008.08.13 - Rising 20.57.22.00 2008.08.13 - Sophos 4.32.0 2008.08.13 Sus/Uddo-B Sunbelt 3.1.1542.1 2008.08.13 - Symantec 10 2008.08.13 - TheHacker 6.3.0.3.046 2008.08.13 - TrendMicro 8.700.0.1004 2008.08.13 - VBA32 3.12.8.3 2008.08.13 - ViRobot 2008.8.13.1335 2008.08.13 - VirusBuster 4.5.11.0 2008.08.13 - Webwasher-Gateway 6.6.2 2008.08.13 - Additional information File size: 1043456 bytes MD5...: 7b88f566591095968ce309b543dc8fbc SHA1..: 7d35582d4cc0bbb39a9a6bfba6e321b2758724dc SHA256: b440322e20aa2bcb719b14700256df1d27de34eded523f571b8614fae612a959 SHA512: 3735ad59c31c5f65394c1ecff6d829f5effd0b6e66d9db540d724f78bfb8950b b1873619c8408666e941117ef3480cd89c955e7aaa50f2a13d3a561f635d5b1c PEiD..: BobSoft Mini Delphi -> BoB / BobSoft PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x4d3d00 timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992) machinetype.......: 0x14c (I386) ( 8 sections ) name viradd virsiz rawdsiz ntrpy md5 CODE 0x1000 0xd2e3c 0xd3000 6.54 5132214222e229755818d6501cd3af2b DATA 0xd4000 0x3794 0x3800 5.26 c2b83609a794cf45f7bf24cf129feb47 BSS 0xd8000 0x1f55 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e .idata 0xda000 0x277e 0x2800 5.03 b280418ef88c48fb4b10c9bd7c6183e0 .tls 0xdd000 0x34 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e .rdata 0xde000 0x18 0x200 0.20 2d8e58bdda6b84564c2366de9c2e9bfd .reloc 0xdf000 0xf58c 0xf600 6.62 5cef1f5c0aee4275fd1ed1eb245f0e2d .rsrc 0xef000 0x16000 0x16000 4.84 5f891e109fcac90c201e9519924d548a ( 16 imports ) > kernel32.dll: GetACP, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle > user32.dll: GetKeyboardType, LoadStringA, MessageBoxA, CharNextA > advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey > oleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen > kernel32.dll: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA > advapi32.dll: RegSetValueExA, RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegFlushKey, RegEnumKeyExA, RegDeleteValueA, RegCreateKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges > kernel32.dll: lstrcpyA, lstrcmpA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, MultiByteToWideChar, MulDiv, LockResource, LocalFree, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadLocale, GetTempPathA, GetSystemDirectoryA, GetStdHandle, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetComputerNameA, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreateFileA, CreateEventA, CopyFileA, CompareStringA, CloseHandle > version.dll: VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA > gdi32.dll: UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExtTextOutA, ExcludeClipRect, EnumFontFamiliesExA, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt > user32.dll: CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, IsCharAlphaNumericA, IsCharAlphaA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, ExitWindowsEx, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DeferWindowPos, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, BeginDeferWindowPos, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout > kernel32.dll: Sleep > oleaut32.dll: SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit > ole32.dll: CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitialize > oleaut32.dll: GetErrorInfo, SysFreeString > comctl32.dll: ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls > shell32.dll: Shell_NotifyIconA, ShellExecuteA, SHFileOperationA ( 0 exports ) ThreatExpert info: http://www.threatexpert.com/report.a...e309b543dc8fbc

08-13-2008, 02:44 PM	#11 (permalink)
lee42lee Registered User Join Date: Aug 2005 Posts: 30 OS: XP	Re: Slow Intenet and Bad PopUps Please Help I am doing the fix now but thought I would go ahead and let you know that I do do online auctions. I own a used car dealership and if I can't make it to a auction I will do it online.

08-14-2008, 10:41 AM	#14 (permalink)
lee42lee Registered User Join Date: Aug 2005 Posts: 30 OS: XP	Re: Slow Intenet and Bad PopUps Please Help When I try to use IE it runs very slow like the connection is slow but if I use Netscape the connection is fine. Other than that the system is a lot better. I have not done the scan yet but I am going to now. I use this computer as a access point for a wireless connection. Do I need to turn it off before I do the scan?

08-14-2008, 10:52 AM	#15 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 32,560 OS: 2000 Pro; XP Pro; XP Home	Re: Slow Intenet and Bad PopUps Please Help Do you mean, will other machines get scanned through the Wireless Access Point? Truthfully, I'm not sure, but I don't think so unless the other machines have mapped network drives on yours. If the other machines can be without connection for the duration of the scan (perhaps an hour or more, depending on the size of the drives and number of files), then go ahead and disable the WAP connection. Might be interesting to see what happens if you leave it enabled, though. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

08-14-2008, 11:09 AM	#16 (permalink)
lee42lee Registered User Join Date: Aug 2005 Posts: 30 OS: XP	Re: Slow Intenet and Bad PopUps Please Help I will leave it connected to see what it does and then I can do it again if you need me to.

08-14-2008, 01:42 PM	#17 (permalink)
lee42lee Registered User Join Date: Aug 2005 Posts: 30 OS: XP	Re: Slow Intenet and Bad PopUps Please Help Ok here is the scan log and I also did a HJT log. ------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7 REPORT Thursday, August 14, 2008 Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Thursday, August 14, 2008 19:17:39 Records in database: 1093719 Scan settings Scan using the following database extended Scan archives yes Scan mail databases yes Scan area My Computer C:\ D:\ E:\ G:\ H:\ I:\ J:\ Scan statistics Files scanned 69133 Threat name 5 Infected objects 9 Suspicious objects 0 Duration of the scan 01:29:34 File name Threat name Threats count C:\Documents and Settings\Owner\Shared\Eighties classic.wma Infected: Trojan-Downloader.WMA.Wimad.k 1 C:\QooBox\Quarantine\C\WINDOWS\system32\jqqnsllo.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.clf 1 C:\QooBox\Quarantine\C\WINDOWS\system32\lcgzuf.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.clf 1 C:\QooBox\Quarantine\C\WINDOWS\system32\lszhth.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ckp 1 C:\QooBox\Quarantine\C\WINDOWS\system32\ndhdiu.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ckp 1 C:\QooBox\Quarantine\C\WINDOWS\system32\qwcmtdpf.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ckp 1 C:\QooBox\Quarantine\C\WINDOWS\system32\ykmhjbdm.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ckp 1 C:\WINDOWS\system32\setup9x.exe Infected: Trojan-Downloader.Win32.VB.fbr 1 D:\i386\Apps\App03130\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1 The selected area was scanned. ------------------------------------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:39:44 PM, on 8/14/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\lgbpd.exe C:\Program Files\EDUP Technology Corporation\EDUP_802.11g_Utility\ZDWlan.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\EDUP Technology Corporation\EDUP_802.11g_Utility\W32BRG55.EXE C:\Program Files\Netscape\Navigator 9\navigator.exe C:\Program Files\Trend Micro\HijackThis\peek.exe.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [LGBLiveUpdate] C:\WINDOWS\system32\lgbpd.exe O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe O4 - Startup: PowerReg Scheduler.exe O4 - Global Startup: EDUP WLan Utility.lnk = C:\Program Files\EDUP Technology Corporation\EDUP_802.11g_Utility\ZDWlan.exe O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dll O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://www.carad.com/images/eBay_Enh..._v1-0-3-50.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1189622259578 O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/download...1/axofupld.cab O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.onlineringman.com/auction...l/isetupml.cab O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} (SecurityManager Class) - https://care.alltel.com/lwp/static/i...ller_3-0-0.cab O16 - DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} (ConnectivityTester Class) - https://care.alltel.com/lwp/static/i...ELControls.cab O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: iRacing helper service (iRacingService) - iRacing.com Motorsport Simulations, LLC Bedford, MA 01730 - C:\Program Files\iRacing\iRacingService.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe -- End of file - 8646 bytes

08-14-2008, 02:18 PM	#18 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 32,560 OS: 2000 Pro; XP Pro; XP Home	Re: Slow Intenet and Bad PopUps Please Help Hi again - Using the same method as before... Can you upload this file C:\WINDOWS\system32\setup9x.exe to to following site please? http://www.bleepingcomputer.com/subm...php?channel=28 I'll know when it arrives. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

08-14-2008, 03:10 PM	#19 (permalink)
lee42lee Registered User Join Date: Aug 2005 Posts: 30 OS: XP	Re: Slow Intenet and Bad PopUps Please Help Ok I have uploaded the file. I wont be back in the office until tomorrow around 3:00est so I will do the next step then. Just so you know I am not having and pop ups at all but the computer just seems to run slower than normal.

08-14-2008, 03:34 PM	#20 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 32,560 OS: 2000 Pro; XP Pro; XP Home	Re: Slow Intenet and Bad PopUps Please Help Thanks for uploading the file. Using Windows Explorer, or Windows Search, locate and delete the following files: "C:\Documents and Settings\Owner\Shared\Eighties classic.wma" "C:\WINDOWS\system32\setup9x.exe" A slow machine is not always a product of infection. Please see this sticky topic, and see if the information there helps. http://www.techsupportforum.com/secu...ning-slow.html From a malware perspective, we should be done. We still have a few items to address. Go to -> Run -> copy/paste in the following single line command & click OK combofix /u This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points. Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs: Microsoft Windows Update - http://www.windowsupdate.com Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items Winpatrol Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here. You can get a free copy of Winpatrol or use the Plus version for more features. You can read Winpatrol's FAQ if you run into problems. MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Download Host.zip to your desktop. From your Desktop right-click (hosts.zip) and select: Extract All from the menu. Click Next, click Next, select the option: "Show Extracted files", click Finish This will open the newly created hosts folder on your Desktop. Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine. Once updated you should see another prompt that the task was completed. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out. Do not install more than one AntiVirus program because they will conflict with each other. FIREWALL Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here Do not install more than one firewall program because they will conflict with each other. Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer Here are some additional utilities that will further enhance your safety. http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine. http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT. ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry. NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles HOW DID I GET INFECTED IN THE FIRST PLACE? MAKING INTERNET EXPLORER SAFER If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.