TrackingCookie help. Internet not loading successfully

[griffery]

My computer now has a very difficult time loading internet sites. When I try and load a new site it will either:

1. Give me a notice that says

"WARNING! VIRUS DETECTED!
Attention, Erik!
Some dangerous viruses detected in your system. Microsoft Windown XP files corrupted your personal data at the reach of anyone's hand. Internet history records and other personal information (passwords, chat sessions logs, adult materials) easily reachable. Download protection software now!

Click OK to enable antispyware software. (Recommended)"

2. Tells me I tried to visit systemerroronline.com and sends me to OpenDNS guide.

3. Tells me i have downloaded porn videos and asks if I would like to open them.

4. Close all running internet explorer windows.

When I run AVG Anti-Spyware it always finds 3 threats that keep coming back. They are:

1. TrackingCookie.2o7
2. TrackingCookie.Adtech
3. TrackingCookie.Revsci

I've attached my logs, let me know if anything else is need. Thank you for your time, I greatly appreciate your expertise.


DDS (Version 1.1.0) - NTFSx86
Run by Erik at 23:47:06.62 on Sun 12/28/2008
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.1049 [GMT -6:00]

============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\PROGRA~1\Grisoft\AVGANT~1.5\avgas.exe
C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\aim toolbar\aimtbServer.exe
C:\Documents and Settings\Erik\Desktop\dds.com
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.popjustice.com/index.php?option=com_smf&Itemid=237
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: AmskerBar: {b05d1a1e-9f4c-4cce-91ad-db5cff9796dd} - c:\windows\system32\hozr.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\ycomp5_5_7_0.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [SNM] c:\program files\spynomore\SNM.exe /startup
mRun: [!AVG Anti-Spyware] "c:\progra~1\grisoft\avgant~1.5\avgas.exe" /minimized
mRun: [JeticoPFStartup] "c:\program files\jetico\jetico personal firewall\fwsrv.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
TCP: {22548F62-DEB1-4742-AFE0-FE0C1713C52F} = 208.67.220.220,208.67.222.222
TCP: {2584F791-FCB3-4753-8A38-D1DD64BA600C} = 208.67.220.220,208.67.222.222
TCP: {372A730A-348D-4B2F-979C-011A61EB8182} = 208.67.220.220,208.67.222.222
TCP: {885E335C-F31E-48DF-AD73-AE08AF98268C} = 208.67.220.220,208.67.222.222
TCP: {D1483438-9EFA-42D0-9B25-BCF2145F997D} = 208.67.220.220,208.67.222.222
Notify: igfxcui - igfxsrvc.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
============= SERVICES / DRIVERS ===============
R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [2007-5-27 149376]
R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;\??\c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2007-5-30 11000]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2008-4-10 10872]
R2 aawservice;Ad-Aware 2007 Service;"c:\program files\lavasoft\ad-aware 2007\aawservice.exe" [2008-3-19 607576]
R2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2007-5-30 312880]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [2004-3-5 201984]
R2 Tmntsrv;Trend NT Realtime Service;"c:\program files\trend micro\antivirus\Tmntsrv.exe" [2004-2-17 241737]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\Tmpreflt.sys [2004-3-5 20864]
R2 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\antivirus\tmproxy.exe [2004-2-17 204873]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2008-6-19 24652]
S0 Abaa33;Abaa33; []
S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;c:\windows\system32\drivers\wg121nd5.sys [2006-8-1 337216]
============== File Associations ===============
regfile="regedit.exe" "%1"
=============== Created Last 30 ================
2008-12-23 04:19 <DIR> --d----- c:\windows\system32\scripting
2008-12-23 04:18 <DIR> --d----- c:\windows\l2schemas
2008-12-23 04:18 <DIR> --d----- c:\windows\system32\en
2008-12-23 01:46 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-22 11:25 <DIR> --d----- C:\Deckard
2008-12-22 11:19 21,446 a------- c:\windows\system32\sf.ico
2008-12-22 11:19 13,942 a------- c:\windows\system32\m3.ico
2008-12-22 11:19 4,286 a------- c:\windows\system32\s.ico
2008-12-22 11:19 106,496 a------- c:\windows\system32\hozr.dll
2008-12-13 16:18 <DIR> --d----- c:\program files\WinAce
2008-12-07 21:44 49,536 a------- c:\windows\system32\drivers\tiehdusb.sys
2008-12-07 21:44 11,520 a------- c:\windows\system32\drivers\wdmstub.sys
2008-12-07 21:44 <DIR> --d----- c:\program files\common files\TI Shared
2008-12-07 21:43 194,362 a------- c:\windows\system32\drivers\windrvr6.sys
2008-12-07 21:43 102,400 a------- c:\windows\system32\wdapi811.dll
2008-12-07 21:43 17,424 a------- c:\windows\system32\drivers\ezusb.sys
2008-12-07 21:42 <DIR> --d----- c:\program files\common files\Vernier Software
2008-12-07 21:41 <DIR> --d----- c:\program files\Vernier Software
==================== Find3M ====================
2008-12-23 04:32 88,831 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-13 00:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-10-24 05:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 06:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 07:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 07:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 10:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 01:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 01:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-10-03 04:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 04:02 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2005-03-13 09:54 56 -c-shr-- c:\windows\system32\D7AB0254AA.sys
2005-03-13 09:54 1,890 ac-sh--- c:\windows\system32\KGyGaAvL.sys
============= FINISH: 23:49:23.01 ===============

[amateur]

Hello and welcome to TSF.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

[griffery]

ComboFix 09-01-01.02 - Erik 2009-01-03 11:02:35.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.1006 [GMT -6:00]
Running from: c:\documents and settings\Erik\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Erik\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dumphive.exe
c:\windows\system32\Process.exe
c:\windows\system32\s.ico
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\wpdmtpus.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SVCPROC


((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2008-12-28 23:50 . 2008-12-28 23:50 250 --a------ c:\windows\gmer.ini
2008-12-23 04:19 . 2008-12-23 04:19 <DIR> d-------- c:\windows\SYSTEM32\scripting
2008-12-23 04:18 . 2008-12-23 04:18 <DIR> d-------- c:\windows\SYSTEM32\en
2008-12-23 04:18 . 2008-12-23 04:18 <DIR> d-------- c:\windows\l2schemas
2008-12-23 01:46 . 2008-12-23 01:44 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
2008-12-22 11:25 . 2008-12-22 11:25 <DIR> d-------- C:\Deckard
2008-12-22 11:19 . 2008-12-22 11:19 106,496 --a------ c:\windows\SYSTEM32\hozr.dll
2008-12-22 11:19 . 2008-12-22 11:19 21,446 --a------ c:\windows\SYSTEM32\sf.ico
2008-12-22 11:19 . 2008-12-22 11:19 13,942 --a------ c:\windows\SYSTEM32\m3.ico
2008-12-13 16:18 . 2008-12-13 16:20 <DIR> d-------- c:\program files\WinAce
2008-12-07 21:44 . 2008-12-07 21:44 <DIR> d-------- c:\program files\Common Files\TI Shared
2008-12-07 21:44 . 2004-02-04 11:27 49,536 --a------ c:\windows\SYSTEM32\DRIVERS\tiehdusb.sys
2008-12-07 21:44 . 2003-11-14 15:53 11,520 --a------ c:\windows\SYSTEM32\DRIVERS\wdmstub.sys
2008-12-07 21:43 . 2007-06-08 13:15 194,362 --a------ c:\windows\SYSTEM32\DRIVERS\windrvr6.sys
2008-12-07 21:43 . 2007-06-08 13:15 102,400 --a------ c:\windows\SYSTEM32\wdapi811.dll
2008-12-07 21:43 . 2007-01-10 13:23 17,424 --a------ c:\windows\SYSTEM32\DRIVERS\ezusb.sys
2008-12-07 21:42 . 2008-12-07 21:43 <DIR> d-------- c:\program files\Common Files\Vernier Software
2008-12-07 21:41 . 2008-12-07 21:41 <DIR> d-------- c:\program files\Vernier Software
2008-12-07 21:41 . 2008-12-07 21:41 <DIR> d--h----- c:\program files\InstallShield Installation Information
2008-12-07 21:40 . 2008-12-07 21:40 <DIR> d-------- c:\documents and settings\Erik\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-02 04:40 --------- d-----w c:\program files\Common Files\DVDVideoSoft
2008-12-27 03:14 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-24 04:52 --------- d-----w c:\documents and settings\Erik\Application Data\LimeWire
2008-12-23 07:43 --------- d-----w c:\program files\Java
2008-12-21 07:49 --------- d-----w c:\program files\DVDVideoSoft
2008-12-13 08:02 --------- d-----w c:\program files\VstPlugins
2008-12-06 21:08 --------- d-----w c:\program files\Microsoft IntelliPoint
2008-11-25 01:33 --------- d-----w c:\program files\Viewpoint
2008-11-25 01:33 --------- d-----w c:\program files\Common Files\Software Update Utility
2008-11-25 01:33 --------- d-----w c:\program files\AIM6
2008-11-25 01:33 --------- d-----w c:\program files\AIM Toolbar
2008-11-25 01:33 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-25 01:33 --------- d-----w c:\documents and settings\All Users\Application Data\AIM Toolbar
2008-11-25 01:33 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-25 01:32 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-23 07:36 --------- d-----w c:\program files\iTunes
2008-11-23 07:36 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-23 07:35 --------- d-----w c:\program files\iPod
2008-11-23 07:35 --------- d-----w c:\program files\Common Files\Apple
2008-11-23 07:32 --------- d-----w c:\program files\QuickTime
2005-03-13 15:54 56 -csh--r c:\windows\SYSTEM32\D7AB0254AA.sys
2005-03-13 15:54 1,890 -csha-w c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-26 10:32 279944 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B05D1A1E-9F4C-4CCE-91AD-DB5CFF9796DD}]
2008-12-22 11:19 106496 --a------ c:\windows\system32\hozr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-29 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-16 1197648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"!AVG Anti-Spyware"="c:\progra~1\Grisoft\AVGANT~1.5\avgas.exe" [2007-06-11 6731312]
"JeticoPFStartup"="c:\program files\Jetico\Jetico Personal Firewall\fwsrv.exe" [2005-07-19 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-23 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
backup=c:\windows\pss\PrecisionTime.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a--c--- 2004-02-10 10:51 118784 c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a--c--- 2004-02-10 10:55 155648 c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a--c--- 2003-09-03 19:12 221184 c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18680:TCP"= 18680:TCP:@xpsp2res.dll,-22005
"5551:TCP"= 5551:TCP:@xpsp2res.dll,-22005
"2810:TCP"= 2810:TCP:@xpsp2res.dll,-22005
"14881:TCP"= 14881:TCP:@xpsp2res.dll,-22005
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\DRIVERS\tffsport.sys [2007-05-27 149376]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [2004-03-05 201984]
R2 Tmntsrv;Trend NT Realtime Service;"c:\program files\Trend Micro\Antivirus\Tmntsrv.exe" [2004-02-17 241737]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\Tmpreflt.sys [2004-03-05 20864]
R2 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Antivirus\tmproxy.exe [2004-02-17 204873]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-06-19 24652]
S0 Abaa33;Abaa33; []
S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;c:\windows\system32\DRIVERS\wg121nd5.sys [2006-08-01 337216]
.
Contents of the 'Scheduled Tasks' folder

2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2004-08-07 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SNM - c:\program files\SpyNoMore\SNM.exe
MSConfigStartUp-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
MSConfigStartUp-Dell AIO Printer A920 - c:\program files\Dell AIO Printer A920\dlbkbmgr.exe
MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1107122554\ee\AOLSoftware.exe
MSConfigStartUp-MMTray - c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
MSConfigStartUp-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_07\bin\jusched.exe
MSConfigStartUp-strtas - lock1.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.popjustice.com/index.php?option=com_smf&Itemid=237
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
TCP: {22548F62-DEB1-4742-AFE0-FE0C1713C52F} = 208.67.220.220,208.67.222.222
TCP: {2584F791-FCB3-4753-8A38-D1DD64BA600C} = 208.67.220.220,208.67.222.222
TCP: {372A730A-348D-4B2F-979C-011A61EB8182} = 208.67.220.220,208.67.222.222
TCP: {885E335C-F31E-48DF-AD73-AE08AF98268C} = 208.67.220.220,208.67.222.222
TCP: {D1483438-9EFA-42D0-9B25-BCF2145F997D} = 208.67.220.220,208.67.222.222
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 11:08:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-01-03 11:17:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-03 17:16:57
ComboFix2.txt 2008-06-19 07:43:37

Pre-Run: 4,147,109,888 bytes free
Post-Run: 4,213,272,576 bytes free

217 --- E O F --- 2008-12-24 09:04:13

[amateur]

Hi griffery,

You have some installed programs that I would like to address first:

Ask Toolbar: This program is not malware, but it may report on your surfing behavior and is considered undesirable, see here for more information. If you actually use this program, consider a safe alternative such as Google toolbar.
I recommend you remove this program, to do so open Start->Control Panel->Add/Remove Programs, find Ask Toolbar and select Remove

AVG Anti-Spyware 7.5: It's a defunct program, not supported any longer; as good as not having any. You might as well uninstall it while you're at the Add/Remove Programs

LimeWire: It's a p2p file sharing program. The nature of P2P filesharing is so that even if one is using a "clean" program, many of the files downloaded from non-documented sources have the potential of being infected. So, regardless of whether one is using a "clean" program, one may still be prone to infection by malware because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. Also by default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple, file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Please read this sticky:

Perils of P2P File Sharing

I would strongly urge you to remove it via Add or Remove Programs in Control Panel before we continue, as suggested in our pre-posting sticky.

Java(TM) 6 Update 6
Java(TM) 6 Update 7

These are old versions of Java which have some vulnerabilities. Please remove them via Add or Remove Programs also, but leave Java(TM) 6 Update 11 alone, as it's the latest version.

==================================

• Open notepad (Start>All programs>accessories>notepad ) (It must be notepad, not wordpad, or it won’t work)
• Copy the entire contents of the Quote Box below to Notepad.
• Name the file as CFScript.txt
• Change the Save as Type to All Files
• and Save it on the desktop
• Click Format and ensure Wordwrap is unchecked.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Code:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/328939-trackingcookie-help-internet-not-loading-successfully.html
KILLALL::

Collect::
c:\windows\SYSTEM32\hozr.dll
c:\windows\SYSTEM32\sf.ico
c:\windows\SYSTEM32\m3.ico

folder::
c:\documents and settings\Erik\Application Data\LimeWire
C:\Deckard

DirLook::
c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

Driver::
Abaa33

Save this as CFScript.txt, in the same location as ComboFix.exe



Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next post.

Additonally, ComboFix will generate a zipped file at C:\Qoobox\Quarantine\[4]Submit@Date_Time.zip
Before proceeding to the next step, please submit this file to

http://www.bleepingcomputer.com/subm....php?channel=4

[griffery]

Hello, thank you for your quick response!

Previously to my original post I had already uninstalled limewire from my add/remove programs, and it is no longer there. Is there another place where I need to uninstall it or something?

I submitted my zipped folder to bleeping computer, and here is my new combo fix log:

ComboFix 09-01-01.02 - Erik 2009-01-03 11:02:35.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.1006 [GMT -6:00]
Running from: c:\documents and settings\Erik\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Erik\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dumphive.exe
c:\windows\system32\Process.exe
c:\windows\system32\s.ico
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\wpdmtpus.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SVCPROC


((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2008-12-28 23:50 . 2008-12-28 23:50 250 --a------ c:\windows\gmer.ini
2008-12-23 04:19 . 2008-12-23 04:19 <DIR> d-------- c:\windows\SYSTEM32\scripting
2008-12-23 04:18 . 2008-12-23 04:18 <DIR> d-------- c:\windows\SYSTEM32\en
2008-12-23 04:18 . 2008-12-23 04:18 <DIR> d-------- c:\windows\l2schemas
2008-12-23 01:46 . 2008-12-23 01:44 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
2008-12-22 11:25 . 2008-12-22 11:25 <DIR> d-------- C:\Deckard
2008-12-22 11:19 . 2008-12-22 11:19 106,496 --a------ c:\windows\SYSTEM32\hozr.dll
2008-12-22 11:19 . 2008-12-22 11:19 21,446 --a------ c:\windows\SYSTEM32\sf.ico
2008-12-22 11:19 . 2008-12-22 11:19 13,942 --a------ c:\windows\SYSTEM32\m3.ico
2008-12-13 16:18 . 2008-12-13 16:20 <DIR> d-------- c:\program files\WinAce
2008-12-07 21:44 . 2008-12-07 21:44 <DIR> d-------- c:\program files\Common Files\TI Shared
2008-12-07 21:44 . 2004-02-04 11:27 49,536 --a------ c:\windows\SYSTEM32\DRIVERS\tiehdusb.sys
2008-12-07 21:44 . 2003-11-14 15:53 11,520 --a------ c:\windows\SYSTEM32\DRIVERS\wdmstub.sys
2008-12-07 21:43 . 2007-06-08 13:15 194,362 --a------ c:\windows\SYSTEM32\DRIVERS\windrvr6.sys
2008-12-07 21:43 . 2007-06-08 13:15 102,400 --a------ c:\windows\SYSTEM32\wdapi811.dll
2008-12-07 21:43 . 2007-01-10 13:23 17,424 --a------ c:\windows\SYSTEM32\DRIVERS\ezusb.sys
2008-12-07 21:42 . 2008-12-07 21:43 <DIR> d-------- c:\program files\Common Files\Vernier Software
2008-12-07 21:41 . 2008-12-07 21:41 <DIR> d-------- c:\program files\Vernier Software
2008-12-07 21:41 . 2008-12-07 21:41 <DIR> d--h----- c:\program files\InstallShield Installation Information
2008-12-07 21:40 . 2008-12-07 21:40 <DIR> d-------- c:\documents and settings\Erik\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-02 04:40 --------- d-----w c:\program files\Common Files\DVDVideoSoft
2008-12-27 03:14 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-24 04:52 --------- d-----w c:\documents and settings\Erik\Application Data\LimeWire
2008-12-23 07:43 --------- d-----w c:\program files\Java
2008-12-21 07:49 --------- d-----w c:\program files\DVDVideoSoft
2008-12-13 08:02 --------- d-----w c:\program files\VstPlugins
2008-12-06 21:08 --------- d-----w c:\program files\Microsoft IntelliPoint
2008-11-25 01:33 --------- d-----w c:\program files\Viewpoint
2008-11-25 01:33 --------- d-----w c:\program files\Common Files\Software Update Utility
2008-11-25 01:33 --------- d-----w c:\program files\AIM6
2008-11-25 01:33 --------- d-----w c:\program files\AIM Toolbar
2008-11-25 01:33 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-25 01:33 --------- d-----w c:\documents and settings\All Users\Application Data\AIM Toolbar
2008-11-25 01:33 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-25 01:32 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-23 07:36 --------- d-----w c:\program files\iTunes
2008-11-23 07:36 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-23 07:35 --------- d-----w c:\program files\iPod
2008-11-23 07:35 --------- d-----w c:\program files\Common Files\Apple
2008-11-23 07:32 --------- d-----w c:\program files\QuickTime
2005-03-13 15:54 56 -csh--r c:\windows\SYSTEM32\D7AB0254AA.sys
2005-03-13 15:54 1,890 -csha-w c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-26 10:32 279944 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B05D1A1E-9F4C-4CCE-91AD-DB5CFF9796DD}]
2008-12-22 11:19 106496 --a------ c:\windows\system32\hozr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-29 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-16 1197648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"!AVG Anti-Spyware"="c:\progra~1\Grisoft\AVGANT~1.5\avgas.exe" [2007-06-11 6731312]
"JeticoPFStartup"="c:\program files\Jetico\Jetico Personal Firewall\fwsrv.exe" [2005-07-19 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-23 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
backup=c:\windows\pss\PrecisionTime.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a--c--- 2004-02-10 10:51 118784 c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a--c--- 2004-02-10 10:55 155648 c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a--c--- 2003-09-03 19:12 221184 c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18680:TCP"= 18680:TCP:@xpsp2res.dll,-22005
"5551:TCP"= 5551:TCP:@xpsp2res.dll,-22005
"2810:TCP"= 2810:TCP:@xpsp2res.dll,-22005
"14881:TCP"= 14881:TCP:@xpsp2res.dll,-22005
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\DRIVERS\tffsport.sys [2007-05-27 149376]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [2004-03-05 201984]
R2 Tmntsrv;Trend NT Realtime Service;"c:\program files\Trend Micro\Antivirus\Tmntsrv.exe" [2004-02-17 241737]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\Tmpreflt.sys [2004-03-05 20864]
R2 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Antivirus\tmproxy.exe [2004-02-17 204873]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-06-19 24652]
S0 Abaa33;Abaa33; []
S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;c:\windows\system32\DRIVERS\wg121nd5.sys [2006-08-01 337216]
.
Contents of the 'Scheduled Tasks' folder

2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2004-08-07 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SNM - c:\program files\SpyNoMore\SNM.exe
MSConfigStartUp-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
MSConfigStartUp-Dell AIO Printer A920 - c:\program files\Dell AIO Printer A920\dlbkbmgr.exe
MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1107122554\ee\AOLSoftware.exe
MSConfigStartUp-MMTray - c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
MSConfigStartUp-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_07\bin\jusched.exe
MSConfigStartUp-strtas - lock1.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.popjustice.com/index.php?option=com_smf&Itemid=237
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
TCP: {22548F62-DEB1-4742-AFE0-FE0C1713C52F} = 208.67.220.220,208.67.222.222
TCP: {2584F791-FCB3-4753-8A38-D1DD64BA600C} = 208.67.220.220,208.67.222.222
TCP: {372A730A-348D-4B2F-979C-011A61EB8182} = 208.67.220.220,208.67.222.222
TCP: {885E335C-F31E-48DF-AD73-AE08AF98268C} = 208.67.220.220,208.67.222.222
TCP: {D1483438-9EFA-42D0-9B25-BCF2145F997D} = 208.67.220.220,208.67.222.222
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 11:08:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-01-03 11:17:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-03 17:16:57
ComboFix2.txt 2008-06-19 07:43:37

Pre-Run: 4,147,109,888 bytes free
Post-Run: 4,213,272,576 bytes free

217 --- E O F --- 2008-12-24 09:04:13

[amateur]

Hi,

You posted the same log. Please post the latest. It should be located at C:\Combofix.txt.

[griffery]

Woops

ComboFix 09-01-01.02 - Erik 2009-01-03 14:44:37.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.1069 [GMT -6:00]
Running from: c:\documents and settings\Erik\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Erik\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Deckard
c:\documents and settings\Erik\Application Data\LimeWire
c:\documents and settings\Erik\Application Data\LimeWire\.AppSpecialShare\Akon - Freedom Full Album.torrent.bak
c:\documents and settings\Erik\Application Data\LimeWire\.AppSpecialShare\P!nk - Funhouse (2008) DivXNL-Team.torrent.bak
c:\documents and settings\Erik\Application Data\LimeWire\.NetworkShare\LimeWireWin4.16.6.exe
c:\documents and settings\Erik\Application Data\LimeWire\414splashfree.png
c:\documents and settings\Erik\Application Data\LimeWire\createtimes.cache
c:\documents and settings\Erik\Application Data\LimeWire\fileurns.bak
c:\documents and settings\Erik\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Erik\Application Data\LimeWire\filters.props
c:\documents and settings\Erik\Application Data\LimeWire\gnutella.net
c:\documents and settings\Erik\Application Data\LimeWire\installation.props
c:\documents and settings\Erik\Application Data\LimeWire\library.dat
c:\documents and settings\Erik\Application Data\LimeWire\limewire.props
c:\documents and settings\Erik\Application Data\LimeWire\mojito.props
c:\documents and settings\Erik\Application Data\LimeWire\questions.props
c:\documents and settings\Erik\Application Data\LimeWire\responses.cache
c:\documents and settings\Erik\Application Data\LimeWire\simpp.xml
c:\documents and settings\Erik\Application Data\LimeWire\spam.dat
c:\documents and settings\Erik\Application Data\LimeWire\tables.props
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\logo.png
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\notsearching.png
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\searching.gif
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\splash.png
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\splashpro.png
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\Erik\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\Erik\Application Data\LimeWire\ttree.cache
c:\documents and settings\Erik\Application Data\LimeWire\ttrees.cache
c:\documents and settings\Erik\Application Data\LimeWire\ttroot.cache
c:\documents and settings\Erik\Application Data\LimeWire\version.xml
c:\documents and settings\Erik\Application Data\LimeWire\xml\data\audio.sxml
c:\documents and settings\Erik\Application Data\LimeWire\xml\data\delete_me
c:\documents and settings\Erik\Application Data\LimeWire\xml\data\video.sxml
c:\documents and settings\Erik\Application Data\LimeWire\xml\misc\application.gif
c:\documents and settings\Erik\Application Data\LimeWire\xml\misc\audio.gif
c:\documents and settings\Erik\Application Data\LimeWire\xml\misc\document.gif
c:\documents and settings\Erik\Application Data\LimeWire\xml\misc\image.gif
c:\documents and settings\Erik\Application Data\LimeWire\xml\misc\video.gif
c:\documents and settings\Erik\Application Data\LimeWire\xml\schemas\application.xsd
c:\documents and settings\Erik\Application Data\LimeWire\xml\schemas\audio.xsd
c:\documents and settings\Erik\Application Data\LimeWire\xml\schemas\document.xsd
c:\documents and settings\Erik\Application Data\LimeWire\xml\schemas\image.xsd
c:\documents and settings\Erik\Application Data\LimeWire\xml\schemas\video.xsd
c:\windows\SYSTEM32\hozr.dll
c:\windows\SYSTEM32\m3.ico
c:\windows\SYSTEM32\sf.ico

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ABAA33
-------\Service_Abaa33


((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2008-12-28 23:50 . 2008-12-28 23:50 250 --a------ c:\windows\gmer.ini
2008-12-23 04:19 . 2008-12-23 04:19 <DIR> d-------- c:\windows\SYSTEM32\scripting
2008-12-23 04:18 . 2008-12-23 04:18 <DIR> d-------- c:\windows\SYSTEM32\en
2008-12-23 04:18 . 2008-12-23 04:18 <DIR> d-------- c:\windows\l2schemas
2008-12-23 01:46 . 2008-12-23 01:44 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
2008-12-13 16:18 . 2008-12-13 16:20 <DIR> d-------- c:\program files\WinAce
2008-12-07 21:44 . 2008-12-07 21:44 <DIR> d-------- c:\program files\Common Files\TI Shared
2008-12-07 21:44 . 2004-02-04 11:27 49,536 --a------ c:\windows\SYSTEM32\DRIVERS\tiehdusb.sys
2008-12-07 21:44 . 2003-11-14 15:53 11,520 --a------ c:\windows\SYSTEM32\DRIVERS\wdmstub.sys
2008-12-07 21:43 . 2007-06-08 13:15 194,362 --a------ c:\windows\SYSTEM32\DRIVERS\windrvr6.sys
2008-12-07 21:43 . 2007-06-08 13:15 102,400 --a------ c:\windows\SYSTEM32\wdapi811.dll
2008-12-07 21:43 . 2007-01-10 13:23 17,424 --a------ c:\windows\SYSTEM32\DRIVERS\ezusb.sys
2008-12-07 21:42 . 2008-12-07 21:43 <DIR> d-------- c:\program files\Common Files\Vernier Software
2008-12-07 21:41 . 2008-12-07 21:41 <DIR> d-------- c:\program files\Vernier Software
2008-12-07 21:41 . 2008-12-07 21:41 <DIR> d--h----- c:\program files\InstallShield Installation Information
2008-12-07 21:40 . 2008-12-07 21:40 <DIR> d-------- c:\documents and settings\Erik\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 20:33 --------- d-----w c:\program files\Java
2009-01-02 04:40 --------- d-----w c:\program files\Common Files\DVDVideoSoft
2008-12-27 03:14 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-21 07:49 --------- d-----w c:\program files\DVDVideoSoft
2008-12-13 08:02 --------- d-----w c:\program files\VstPlugins
2008-12-06 21:08 --------- d-----w c:\program files\Microsoft IntelliPoint
2008-11-25 01:33 --------- d-----w c:\program files\Viewpoint
2008-11-25 01:33 --------- d-----w c:\program files\Common Files\Software Update Utility
2008-11-25 01:33 --------- d-----w c:\program files\AIM6
2008-11-25 01:33 --------- d-----w c:\program files\AIM Toolbar
2008-11-25 01:33 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-25 01:33 --------- d-----w c:\documents and settings\All Users\Application Data\AIM Toolbar
2008-11-25 01:33 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-25 01:32 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-23 07:36 --------- d-----w c:\program files\iTunes
2008-11-23 07:36 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-23 07:35 --------- d-----w c:\program files\iPod
2008-11-23 07:35 --------- d-----w c:\program files\Common Files\Apple
2008-11-23 07:32 --------- d-----w c:\program files\QuickTime
2005-03-13 15:54 56 -csh--r c:\windows\SYSTEM32\D7AB0254AA.sys
2005-03-13 15:54 1,890 -csha-w c:\windows\SYSTEM32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} ----

2008-07-04 13:35 54632 --a------ c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DifXInstall32.exe
2008-04-24 08:25 11168 --a------ c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\gearaspiwdmx86.cat
2008-04-17 13:12 319456 --a------ c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DIFxAPI.dll
2008-04-17 13:12 2761 --a------ c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\GEARAspiWDM.inf
2008-04-17 13:12 15464 --a------ c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspiWDM.sys
2008-04-17 13:12 107368 --a------ c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspi.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-29 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-16 1197648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"JeticoPFStartup"="c:\program files\Jetico\Jetico Personal Firewall\fwsrv.exe" [2005-07-19 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-23 136600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
backup=c:\windows\pss\PrecisionTime.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a--c--- 2004-02-10 10:51 118784 c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a--c--- 2004-02-10 10:55 155648 c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a--c--- 2003-09-03 19:12 221184 c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18680:TCP"= 18680:TCP:@xpsp2res.dll,-22005
"5551:TCP"= 5551:TCP:@xpsp2res.dll,-22005
"2810:TCP"= 2810:TCP:@xpsp2res.dll,-22005
"14881:TCP"= 14881:TCP:@xpsp2res.dll,-22005
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\DRIVERS\tffsport.sys [2007-05-27 149376]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [2004-03-05 201984]
R2 Tmntsrv;Trend NT Realtime Service;"c:\program files\Trend Micro\Antivirus\Tmntsrv.exe" [2004-02-17 241737]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\Tmpreflt.sys [2004-03-05 20864]
R2 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Antivirus\tmproxy.exe [2004-02-17 204873]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-06-19 24652]
S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;c:\windows\system32\DRIVERS\wg121nd5.sys [2006-08-01 337216]
.
Contents of the 'Scheduled Tasks' folder

2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2004-08-07 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{B05D1A1E-9F4C-4CCE-91AD-DB5CFF9796DD} - c:\windows\system32\hozr.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.popjustice.com/index.php?option=com_smf&Itemid=237
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
TCP: {22548F62-DEB1-4742-AFE0-FE0C1713C52F} = 208.67.220.220,208.67.222.222
TCP: {2584F791-FCB3-4753-8A38-D1DD64BA600C} = 208.67.220.220,208.67.222.222
TCP: {372A730A-348D-4B2F-979C-011A61EB8182} = 208.67.220.220,208.67.222.222
TCP: {885E335C-F31E-48DF-AD73-AE08AF98268C} = 208.67.220.220,208.67.222.222
TCP: {D1483438-9EFA-42D0-9B25-BCF2145F997D} = 208.67.220.220,208.67.222.222
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 14:50:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-01-03 14:56:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-03 20:56:17
ComboFix2.txt 2009-01-03 17:17:39
ComboFix3.txt 2008-06-19 07:43:37

Pre-Run: 4,172,046,336 bytes free
Post-Run: 4,240,924,672 bytes free

264 --- E O F --- 2008-12-24 09:04:13

[amateur]

Hi again,

Quote:

I had already uninstalled limewire from my add/remove programs

That's good.

Quote:

I submitted my zipped folder to bleeping computer

Received. Thank you.

This log looks good. Let's have an online scan to make sure nothing else is hiding around.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Please post the Kaspersky report and let me know how the computer is running now.

[griffery]

Hello again,

The computer is running great now. The internet is running just like before, no more pop-ups. Everything appears to be fine. Here is the Kaspersky scan report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, January 4, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, January 04, 2009 19:08:12
Records in database: 1559474
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 72150
Threat name: 12
Infected objects: 23
Suspicious objects: 0
Duration of the scan: 02:34:39


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpkw_setupSTUS\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\Documents and Settings\Erik\Application Data\Sun\Java\Deployment\cache\6.0\22\74018dd6-669fc3f3 Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\Erik\Application Data\Sun\Java\Deployment\cache\6.0\43\65cc22eb-1388e9e9 Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\Erik\My Documents\LimeWire\Incomplete\T-3515161-up in here.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\bhangra my own way.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\donnie klang- dr. love .mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\drop dead gorgeus sexy girl has shaking orgasm during sex.mp3 Infected: Trojan-Downloader.WMA.Wimad.o 1
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\if you seek amy britney spears - greatest hits.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\internationalude matt pokora .mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\Lily Allen - Everyone's At It .mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\Lily Allen - Everyone's At It(1).wma Infected: Trojan-Downloader.WMA.GetCodec.a 1
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\Natasha Bedingfield - Tricky Angel.wma Infected: Trojan-Downloader.WMA.GetCodec.a 1
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\outsider jessie malakouti MTV.mp3 Infected: Trojan-Downloader.WMA.GetCodec.f 1
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\return favor keri hilson.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\so what pink .mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\Vanessa Carlton - White Houses.mp3 Infected: Trojan-Downloader.WMA.GetCodec.a 1
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\wonderful lady gaga.mp3 Infected: Trojan-Downloader.WMA.GetCodec.r 1
C:\Program Files\Trend Micro\Antivirus\QUARANTINE\13.tmp Infected: EICAR-Test-File 1
C:\Program Files\Trend Micro\Antivirus\QUARANTINE\19.tmp Infected: EICAR-Test-File 1
C:\Program Files\Trend Micro\Antivirus\QUARANTINE\8.tmp Infected: EICAR-Test-File 1
C:\Qoobox\Quarantine\[4]-Submit_2009-01-03@14.44.zip Infected: Trojan.Win32.Agent.azdu 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1128\A0379754.exe Infected: Packed.Win32.PolyCrypt.m 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1132\A0380177.dll Infected: Trojan.Win32.Agent.azdu 1

The selected area was scanned.

[amateur]

Hi,

Quote:

The computer is running great now. The internet is running just like before, no more pop-ups. Everything appears to be fine.

Good to hear that.

Please empty the Quarantine Folder of TrendMicro:

C:\Program Files\Trend Micro\Antivirus\QUARANTINE<===== delete the contents of this folder.

======================

Next, go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
It will say "Java Plug-in" under the icon.
Under Temporary Internet Files, click the Settings button.
Click the Delete Files... button below. Make sure next are checked:
Applications and Applets
Trace and Log Files
Click OK on Delete Temporary Files Window.

Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

===========================

• Open notepad (Start>All programs>accessories>notepad ) (It must be notepad, not wordpad, or it won't work)
• Copy the entire contents of the Quote Box below to Notepad.
• Name the file as CFScript.txt
• Change the Save as Type to All Files
• and Save it on the desktop
• Click Format and ensure Wordwrap is unchecked.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Code:

Folder::
C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpkw_setupSTUS\comps\toolbar
C:\Documents and Settings\Erik\My Documents\LimeWire

File::
C:\Documents and Settings\Erik\My Documents\LimeWire\Incomplete\T-3515161-up in here.wma
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\bhangra my own way.wma
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\donnie klang- dr. love .mp3
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\drop dead gorgeus sexy girl has shaking orgasm during sex.mp3
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\if you seek amy britney spears - greatest hits.wma
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\internationalude matt pokora .mp3
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\Lily Allen - Everyone's At It .mp3
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\Lily Allen - Everyone's At It(1).wma
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\Natasha Bedingfield - Tricky Angel.wma
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\outsider jessie malakouti MTV.mp3
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\return favor keri hilson.mp3
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\so what pink .mp3
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\Vanessa Carlton - White Houses.mp3
C:\Documents and Settings\Erik\My Documents\LimeWire\Saved\wonderful lady gaga.mp3

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt. Post that log in your next reply.

[griffery]

I attached the new one. I hope it works.

[amateur]

Hi,

If you have no further malware issues, you're all set to go. As you may have observed, the source of the problem was most likely the downloaded programs via LimeWire. Please stay away from p2p file sharing in future.

• Click Start then Run
• Now type Combofix /u in the runbox and click OK. Notice the space between the Combofix and the /

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.

Please respond to this thread one more time so we can mark this thread as resolved.

Happy Surfing and Think Prevention!

[griffery]

Alright, it's uninstalled!

Thank you so much for your help!

[amateur]

You're welcome. Glad we could help. Stay safe!