
Multiple IE windows opening, appears to be adware/malware, now IE won't connect?


We started noticing all the problems when about 25 IE windows were open on my wife's laptop last Saturday morning when we got up. Not sure what was downloaded that started all of this.

I've run through all of the "Malware Removal Steps". I've attached the 3 logs you've requested to get this started.

At the moment I am unable to connect to the internet with IE. I can ping various websites, just can't get the browser to connect to any of them. Get dnserror. Having to post all of this on another computer.

Thanks for your help!



[recovering disk space -- attachment deleted by admin]

Welcome to CH.

Download SDFix by AndyManchesta and save it to your desktop.

When using this tool, you must use the Administrator's account or an account with Administrative rights

  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.
Thanks for the quick reply. Here's the next logfiles...

=======================================


SDFix: Version 1.220
Run by Julie on Tue 09/02/2008 at 11:01 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\atsxyzd.sys - Deleted
C:\WINDOWS\system32\comsa32.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-02 23:32:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized APPLICATION Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 11 May 1998 93,880 ..SH. --- "C:\COMMAND.COM"
THU 21 Apr 2005 101,376 A..H. --- "C:\MPC-Backup\docs on Derrek's Trading Computer 1 (Dbtrading1)\~WRL3518.tmp"
Wed 17 Oct 2007 145,920 ..SHR --- "C:\Program Files\Sprint music manager\Setup.exe"
Wed 1 Aug 2007 53,248 A.SHR --- "C:\Program Files\Sprint music manager\_Setupx.dll"
Mon 2 Jan 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 21 Apr 2005 101,376 A..H. --- "C:\MPC-Backup\11-07-06-backup\docs\~WRL3518.tmp"
Sun 24 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sun 17 Jul 2005 26,624 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Marketing\~WRL0549.tmp"
Tue 26 Jul 2005 25,088 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Marketing\~WRL0750.tmp"
Sun 17 Jul 2005 26,624 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Marketing\~WRL1032.tmp"
Tue 26 Jul 2005 24,064 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Marketing\~WRL1113.tmp"
Sun 17 Jul 2005 27,648 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Marketing\~WRL1116.tmp"
Tue 26 Jul 2005 26,112 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Marketing\~WRL1119.tmp"
Sun 17 Jul 2005 27,648 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Marketing\~WRL1183.tmp"
Wed 27 Jul 2005 25,088 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Marketing\~WRL1286.tmp"
Tue 26 Jul 2005 24,064 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Marketing\~WRL1364.tmp"
Tue 26 Jul 2005 24,064 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Marketing\~WRL2305.tmp"
Sun 17 Jul 2005 28,160 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Marketing\~WRL2443.tmp"
Sun 17 Jul 2005 28,160 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Marketing\~WRL2697.tmp"
Sun 17 Jul 2005 28,160 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Marketing\~WRL2754.tmp"
Sun 17 Jul 2005 28,160 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Marketing\~WRL2757.tmp"
Sun 17 Jul 2005 25,088 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Marketing\~WRL2778.tmp"
Sun 17 Jul 2005 28,160 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Marketing\~WRL2797.tmp"
Sun 17 Jul 2005 28,672 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Marketing\~WRL2819.tmp"
Sun 17 Jul 2005 24,064 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Marketing\~WRL2969.tmp"
Tue 26 Jul 2005 24,576 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Marketing\~WRL3211.tmp"
Tue 26 Jul 2005 25,600 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Marketing\~WRL3449.tmp"
Sun 17 Jul 2005 20,992 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Marketing\~WRL3920.tmp"
Sun 17 Jul 2005 27,136 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Marketing\~WRL3931.tmp"
Mon 2 Jan 2006 4,348 A..H. --- "C:\Documents and Settings\Julie\My Documents\My Music\License Backup\drmv1key.bak"
Sun 26 Feb 2006 20 A..H. --- "C:\Documents and Settings\Julie\My Documents\My Music\License Backup\drmv1lic.bak"
Mon 2 Jan 2006 400 A.SH. --- "C:\Documents and Settings\Julie\My Documents\My Music\License Backup\drmv2key.bak"
Sat 2 Dec 2006 85,504 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\LarryGoins\Mentoring\~WRL0026.tmp"
Sun 3 Dec 2006 84,992 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\LarryGoins\Mentoring\~WRL0263.tmp"
Sun 3 Dec 2006 88,064 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\LarryGoins\Mentoring\~WRL0875.tmp"
Sat 2 Dec 2006 77,312 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\LarryGoins\Mentoring\~WRL0953.tmp"
Sat 2 Dec 2006 76,800 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\LarryGoins\Mentoring\~WRL1334.tmp"
Sat 2 Dec 2006 51,200 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\LarryGoins\Mentoring\~WRL1499.tmp"
Sat 2 Dec 2006 73,216 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\LarryGoins\Mentoring\~WRL2218.tmp"
Sat 2 Dec 2006 24,576 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\LarryGoins\Mentoring\~WRL2256.tmp"
Sat 2 Dec 2006 84,992 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\LarryGoins\Mentoring\~WRL2383.tmp"
Sun 3 Dec 2006 87,552 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\LarryGoins\Mentoring\~WRL2446.tmp"
Sat 2 Dec 2006 73,216 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\LarryGoins\Mentoring\~WRL2505.tmp"
Sat 2 Dec 2006 76,800 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\LarryGoins\Mentoring\~WRL2756.tmp"
Sat 2 Dec 2006 51,200 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\LarryGoins\Mentoring\~WRL2763.tmp"
Sat 2 Dec 2006 74,240 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\LarryGoins\Mentoring\~WRL2820.tmp"
Sat 2 Dec 2006 85,504 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\LarryGoins\Mentoring\~WRL2929.tmp"
Sat 2 Dec 2006 74,240 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\LarryGoins\Mentoring\~WRL2952.tmp"
Sat 2 Dec 2006 84,992 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\LarryGoins\Mentoring\~WRL3125.tmp"
Sun 3 Dec 2006 87,552 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\LarryGoins\Mentoring\~WRL3297.tmp"
Sat 2 Dec 2006 85,504 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\LarryGoins\Mentoring\~WRL3302.tmp"
Sat 2 Dec 2006 35,840 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\LarryGoins\Mentoring\~WRL3556.tmp"
Sat 2 Dec 2006 27,136 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\LarryGoins\Mentoring\~WRL3774.tmp"
Sat 2 Dec 2006 27,136 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\LarryGoins\Mentoring\~WRL3775.tmp"
Wed 14 May 2008 32,256 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Properties\1307 Ewing Ave\Sale\~WRL1348.tmp"
Wed 14 May 2008 32,256 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Properties\1307 Ewing Ave\Sale\~WRL1598.tmp"
Wed 14 May 2008 62,464 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Properties\1307 Ewing Ave\Sale\~WRL1743.tmp"
Wed 14 May 2008 31,744 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Properties\1307 Ewing Ave\Sale\~WRL2961.tmp"
Wed 14 May 2008 62,464 A..H. --- "C:\MPC-Backup\11-07-06-backup\RealEstate\Properties\1307 Ewing Ave\Sale\~WRL3259.tmp"

Finished!

===========================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:25 PM, on 9/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\System32\Atievxx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\noxtcyr.exe
C:\WINDOWS\system32\noytcyr.exe
C:\WINDOWS\system32\roxtctm.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\sotpeca.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Sprint music manager\MEMonitor.exe
C:\Program Files\Trend Micro\HijackThis\snyper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: MEMonitor.lnk = C:\Program Files\Sprint music manager\MEMonitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: StumbleUpon - {75C9223A-409A-4795-A3CA-08DE6B075B4B} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\mmchost.dll' missing
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{435AE094-C503-484D-A19D-AB4437F1BB6F}: Domain = kc.rr.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{435AE094-C503-484D-A19D-AB4437F1BB6F}: NameServer = 24.94.165.25,24.94.163.113
O17 - HKLM\System\CS1\Services\Tcpip\..\{435AE094-C503-484D-A19D-AB4437F1BB6F}: Domain = kc.rr.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{435AE094-C503-484D-A19D-AB4437F1BB6F}: NameServer = 24.94.165.25,24.94.163.113
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: afisicx Manages messages (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: noxtcyr Co. Ltd. (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe
O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe
O23 - Service: roxtctm Corporation inc. (roxtctm) - Unknown owner - C:\WINDOWS\system32\roxtctm.exe
O23 - Service: sotpeca Corporation (sotpeca) - Unknown owner - C:\WINDOWS\system32\sotpeca.exe
O23 - Service: wsldoekd Corporation inc. (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe

--
End of file - 7633 bytes
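The log above is what the next reply triages by eye: six O23 services with no vendor string and random-looking names under system32, an O10 line saying the Winsock LSP chain points at a DLL that no longer exists, and two BHO registrations whose files are gone. As an added example (not part of this thread and not HijackThis's own code), the Python script below applies those same checks mechanically. The sample lines are copied from the log above; the rules, the severity labels and the "Unknown owner in system32" heuristic are this example's own assumptions, and a hit is a lead for a person to confirm, not proof on its own. One caveat worth knowing: a dangling LSP entry like that O10 line is a common reason a browser still cannot connect after the malware itself is gone, and on XP SP2 the standard repair once cleanup is finished is `netsh winsock reset` from an administrative command prompt followed by a reboot.

```python
"""Mechanical triage of a HijackThis v2.0.2 log.

Added example for this thread, not HijackThis's own code. The sample lines are
copied from the log posted above; the rules and severity labels are this
example's assumptions about what deserves a human's attention.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\mmchost.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{435AE094-C503-484D-A19D-AB4437F1BB6F}: NameServer = 24.94.165.25,24.94.163.113
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: afisicx Manages messages (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: noxtcyr Co. Ltd. (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass
class Finding:
    section: str    # HijackThis section prefix, e.g. "O23"
    severity: str   # "high", "medium" or "review"
    reason: str
    raw: str        # the log line that triggered the finding


# O23 - Service: <display name> (<short name>) - <vendor> - <binary path>
# Some services have no "(short name)" part, so that group is optional.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)
O10_RE = re.compile(r"^O10 - .*LSP provider '(?P<dll>[^']+)' missing", re.I)
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")
# A binary sitting directly in %windir%\system32. Genuine Windows services there
# carry a Microsoft vendor string, so "Unknown owner" at that location is the tell
# (heuristic assumed by this example).
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)
ORPHAN_SECTIONS = ("O2 - ", "O3 - ", "O4 - ")


def triage(log_text):
    """Return the Findings for one log, in the order the lines appear."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            if m["owner"] == "Unknown owner" and SYSTEM32_RE.match(m["path"]):
                name = m["name"] or m["display"]
                findings.append(Finding("O23", "high",
                    f"service '{name}' has no vendor string and runs from system32", line))
            continue
        m = O10_RE.match(line)
        if m:
            findings.append(Finding("O10", "high",
                f"Winsock LSP chain references the missing {m['dll']}", line))
            continue
        if line.startswith(ORPHAN_SECTIONS) and line.endswith("(no file)"):
            findings.append(Finding(line.split(" ", 1)[0], "medium",
                "orphaned registration, its target file is gone", line))
            continue
        m = O17_RE.match(line)
        if m:
            # Name servers are not inherently bad; they just need checking against the ISP.
            findings.append(Finding("O17", "review",
                f"confirm DNS servers {m['servers']} belong to the ISP", line))
    return findings


def highest_severity(findings):
    """Collapse a list of Findings to one verdict for the whole log."""
    order = {"high": 2, "medium": 1, "review": 0}
    return max((f.severity for f in findings), key=order.get, default="clean")


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
    print("verdict:", highest_severity(triage(SAMPLE_LOG)))
```

Run against the full log above it flags every one of the six nonsense-named O23 services (afisicx, noxtcyr, noytcyr, roxtctm, sotpeca, wsldoekd), the O10 line and the two "(no file)" BHOs, and leaves AVG, Lavasoft, Apple and the other signed vendors alone. The O17 entries are only marked for review because resolver addresses that belong to the ISP look identical to hijacked ones in the log itself.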
We're getting there, but there are still some very nasty ones left.

Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved DIRECTLY to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

Next set of logs...

==================

ComboFix 08-08-31.01 - Julie 2008-09-03 7:45:31.1 - NTFSx86
Running from: C:\Documents and Settings\Julie\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\test.txt
C:\WINDOWS\Install.txt
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\system32\inf\svchoct.exe
C:\WINDOWS\system32\Install.txt
C:\WINDOWS\system32\mywfhit.ini
C:\WINDOWS\system32\mywfhit.ini.tmp
C:\WINDOWS\system32\noxtcyr.exe
C:\WINDOWS\system32\roxtctm.exe
C:\WINDOWS\system32\rtl60.bpl
C:\WINDOWS\system32\sotpeca.exe
C:\WINDOWS\system32\tmpacj0.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\WINDOWS\tawisys.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFISICX
-------\Legacy_INTERNET_SERVICE
-------\Legacy_MACIDWE
-------\Legacy_MSSERVICE
-------\Legacy_NOXTCYR
-------\Legacy_ROXTCTM
-------\Legacy_SEUICTOL
-------\Legacy_SOTPECA
-------\Legacy_TDXDOWKC
-------\Legacy_WSLDOEKD
-------\Service_afisicx
-------\Service_noxtcyr
-------\Service_roxtctm
-------\Service_seuictol
-------\Service_sotpeca
-------\Service_wsldoekd


((((((((((((((((((((((((( Files Created from 2008-08-03 to 2008-09-03 )))))))))))))))))))))))))))))))
.

2008-09-02 22:58 . 2008-09-02 22:58  d--------  C:\WINDOWS\ERUNT
2008-09-02 19:00 . 2008-09-02 23:34  d--------  C:\SDFix
2008-09-02 15:16 . 2008-09-02 15:16  d--------  C:\Program Files\Trend Micro
2008-09-02 15:05 . 2008-06-10 02:32  73,728  --a------  C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-09-02 15:03 . 2008-09-02 15:05  d--------  C:\Program Files\Java
2008-09-02 15:03 . 2008-09-02 15:03  d--------  C:\Program Files\Common Files\Java
2008-09-02 12:55 . 2008-09-02 12:55  d--------  C:\Program Files\Malwarebytes' Anti-Malware
2008-09-02 12:55 . 2008-09-02 12:55  d--------  C:\Documents and Settings\Julie\Application Data\Malwarebytes
2008-09-02 12:55 . 2008-09-02 12:55  d--------  C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-02 12:55 . 2008-08-17 15:04  38,472  --a------  C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-09-02 12:55 . 2008-08-17 15:04  17,144  --a------  C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-09-02 08:26 . 2008-09-02 08:26  d--------  C:\Program Files\SUPERAntiSpyware
2008-09-02 08:26 . 2008-09-02 08:26  d--------  C:\Documents and Settings\Julie\Application Data\SUPERAntiSpyware.com
2008-09-02 08:26 . 2008-09-02 08:26  d--------  C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-02 07:56 . 2008-09-02 07:56  d--------  C:\Program Files\CCleaner
2008-09-01 14:38 . 2008-09-03 06:26  d--h-----  C:\$AVG8.VAULT$
2008-09-01 13:00 . 2008-09-01 13:00  d---s----  C:\Documents and Settings\LocalService\UserData
2008-09-01 12:53 . 2008-09-01 12:53  76,040  --a------  C:\WINDOWS\SYSTEM32\DRIVERS\avgtdix.sys
2008-09-01 12:53 . 2008-09-01 12:53  10,520  --a------  C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-09-01 12:52 . 2008-09-02 07:34  d--------  C:\WINDOWS\SYSTEM32\DRIVERS\Avg
2008-09-01 12:52 . 2008-09-01 12:52  d--------  C:\Program Files\AVG
2008-09-01 12:52 . 2008-09-01 12:52  d--------  C:\Documents and Settings\All Users\Application Data\avg8
2008-09-01 12:52 . 2008-09-01 12:52  96,520  --a------  C:\WINDOWS\SYSTEM32\DRIVERS\avgldx86.sys
2008-09-01 01:06 . 2008-09-01 01:12  d--------  C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-01 01:03 . 2008-09-02 08:25  d--------  C:\Program Files\Common Files\Wise Installation Wizard
2008-08-31 21:26 . 2008-09-03 07:46  d--------  C:\WINDOWS\SYSTEM32\inf
2008-08-30 22:23 . 2008-09-01 12:42  d--------  C:\Documents and Settings\NetworkService\Application Data\StumbleUpon
2008-08-22 14:18 . 2008-08-22 15:38  d--------  C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-08-20 09:33 . 2008-08-20 09:33  d--------  C:\WINDOWS\Cache
2008-08-20 09:33 . 2008-08-30 22:47  d--------  C:\Program Files\Coupons
2008-08-14 19:26 . 2008-05-01 09:30  331,776  -----c---  C:\WINDOWS\SYSTEM32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-02 21:10  ---------  d-----w  C:\Documents and Settings\Julie\Application Data\StumbleUpon
2008-09-01 17:24  ---------  d-----w  C:\Program Files\Viewpoint
2008-09-01 17:24  ---------  d-----w  C:\Documents and Settings\Julie\Application Data\Viewpoint
2008-09-01 17:24  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-09-01 06:09  ---------  d-----w  C:\Program Files\Lavasoft
2008-09-01 06:09  ---------  d-----w  C:\Documents and Settings\Julie\Application Data\Lavasoft
2008-08-22 00:08  ---------  d-----w  C:\Program Files\StumbleUpon
2005-06-17 18:40  266  --sh--w  C:\Program Files\desktop.ini
2005-06-17 18:40  11,079  -c-ha-w  C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-21 18:09 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-03 08:00 1235736]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24 278528]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-07-07 02:26 169984]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]

C:\Documents and Settings\Julie\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Sprint music manager\MEMonitor.exe [2008-05-07 18:32:58 951640]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.NTN1"= nuvision.ax

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders  msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-03 08:00]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-03 08:00]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-03 08:00]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-01 12:53]
R3 atimtai;atimtai;C:\WINDOWS\system32\DRIVERS\atimtai.sys [2001-08-17 07:48]
R3 maestro;ESS Maestro 3 Audio Driver (WDM);C:\WINDOWS\system32\drivers\es198x.sys [2001-08-17 07:19]
S2 noytcyr;noytcyr Service;C:\WINDOWS\system32\noytcyr.exe [2002-08-29 07:00]
S3 ISLP2;Intersil 802.11 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\islp2nds.sys [2002-10-03 19:07]
S3 NuVision;Hauppauge WinTV USB Pro (NTSC);C:\WINDOWS\system32\DRIVERS\NUVision.sys [2005-07-08 15:40]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-ZoneAlarm Client - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R0 -: HKLM-Main,Default_Search_URL = hxxp://www.google.com/ie
R0 -: HKCU-Search,SearchAssistant = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
R0 -: HKLM-Search,SearchAssistant = hxxp://www.google.com/ie
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 -: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
O17 -: HKLM\CCS\Interface\{435AE094-C503-484D-A19D-AB4437F1BB6F}: NameServer = 24.94.165.25,24.94.163.113

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-03 07:56:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\SYSTEM32\WudfHost.exe
C:\WINDOWS\SYSTEM32\Atievxx.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG8\avgupd.exe.old4.Config
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-09-03 8:04:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-03 13:04:13

Pre-Run: 11,819,463,168 bytes free
Post-Run: 11,758,628,864 bytes free

183 --- E O F --- 2008-08-15 08:16:19

============================================================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:17 AM, on 9/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Atievxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Sprint music manager\MEMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Trend Micro\HijackThis\snyper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: MEMonitor.lnk = C:\Program Files\Sprint music manager\MEMonitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: StumbleUpon - {75C9223A-409A-4795-A3CA-08DE6B075B4B} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{435AE094-C503-484D-A19D-AB4437F1BB6F}: Domain = kc.rr.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{435AE094-C503-484D-A19D-AB4437F1BB6F}: NameServer = 24.94.165.25,24.94.163.113
O17 - HKLM\System\CS1\Services\Tcpip\..\{435AE094-C503-484D-A19D-AB4437F1BB6F}: Domain = kc.rr.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{435AE094-C503-484D-A19D-AB4437F1BB6F}: NameServer = 24.94.165.25,24.94.163.113
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe

--
End of file - 7121 bytes

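As an added example (not part of this thread, and not HijackThis's own code), the following Python script applies, mechanically, the kind of checks a helper applies by eye to a HijackThis log like the one above: an O23 service with no vendor that runs out of system32, a BHO whose CLSID is registered but whose DLL is gone, a Run entry that names a bare file with no path, and static O17 NameServer entries that should be compared against the ISP's real DNS servers. The sample lines are copied from the log above (plus one benign service line for contrast); the regular expressions, severity labels and the heuristics themselves are my own assumptions, not a HijackThis feature.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines taken from the HijackThis log posted in this thread,
# with the Lavasoft O23 line included as a benign control.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{435AE094-C503-484D-A19D-AB4437F1BB6F}: NameServer = 24.94.165.25,24.94.163.113
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section prefix, e.g. "O23"
    severity: str  # "high", "medium" or "low" (my own labels)
    detail: str    # what to look at and why
    line: str      # the log line that triggered the finding


# Patterns for the HijackThis line shapes this script understands (assumed from the
# log format, not from HijackThis documentation).
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O17_RE = re.compile(r'^O17 - .*: NameServer = (?P<servers>[\d.,]+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<display>.*?) \((?P<name>[^)]+)\) - (?P<owner>.*?) - (?P<path>.*)$')


def analyze_line(line: str) -> list[Finding]:
    """Return zero or more findings for one HijackThis log line."""
    line = line.strip()
    findings: list[Finding] = []
    if m := O2_RE.match(line):
        # A BHO registered under a CLSID whose DLL no longer exists is leftover
        # registry debris; harmless by itself, but worth removing.
        if m['path'] == '(no file)':
            findings.append(Finding('O2', 'low',
                f"orphaned BHO {m['clsid']}: CLSID registered but its DLL is missing", line))
    elif m := O4_RE.match(line):
        # A bare filename is resolved through the search path, so the log alone
        # does not tell you which file actually runs at logon.
        cmd = m['cmd'].strip('"')
        if '\\' not in cmd:
            findings.append(Finding('O4', 'medium',
                f"Run entry '{m['name']}' names a bare file ({cmd}); locate it before trusting it", line))
    elif m := O17_RE.match(line):
        # Static name servers are exactly what DNS-changer infections leave behind;
        # compare them with the ISP's servers or set the adapter back to automatic.
        findings.append(Finding('O17', 'medium',
            f"static DNS servers {m['servers']}; verify they belong to the ISP", line))
    elif m := O23_RE.match(line):
        # A service with no vendor string living in system32 is the classic
        # shape of a dropped malware service.
        if m['owner'] == 'Unknown owner' and '\\system32\\' in m['path'].lower():
            findings.append(Finding('O23', 'high',
                f"service '{m['name']}' has no vendor and runs from {m['path']}", line))
    return findings


def analyze_log(text: str) -> list[Finding]:
    """Run analyze_line over every non-empty line of a HijackThis log."""
    out: list[Finding] = []
    for line in text.splitlines():
        if line.strip():
            out.extend(analyze_line(line))
    return out


if __name__ == '__main__':
    for f in analyze_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
```

Run against the sample, it reports the orphaned BHO, the Logitech bare-filename Run entry, the static name servers and the `noytcyr` service, and stays silent on the Adobe BHO, the AVG tray entry and the Lavasoft service. The point of the O17 finding is the same as the "Obtain DNS Server Automatically" step later in the thread: the script cannot know whether those addresses are the ISP's, so it surfaces them for a human to check rather than deciding.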
Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions, as they could damage the workings of your system.

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Driver::
AFISICX
INTERNET_SERVICE
MACIDWE
MSSERVICE
NOXTCYR
ROXTCTM
SEUICTOL
SOTPECA
TDXDOWKC
WSLDOEKD
afisicx
noxtcyr
roxtctm
seuictol
sotpeca
wsldoekd

File::
C:\WINDOWS\system32\noytcyr.exe

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

----------

Download FixWareout by LonnyRJones from one of the two below links and save it to your desktop.
  • Run Fixwareout.
  • Click Next
  • then Install
  • Make sure Run fixit is checked
  • Click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer; please do so.
  • Your system may TAKE longer than usual to load; this is normal.
When you run Fixwareout, just follow the prompts; you will need to restart when prompted.

After rebooting (restarting) back into normal boot mode, make sure you have all web browsers closed.
  • Go into Control Panel > Network Connections.
  • Right click on your connection and click Properties.
  • On the Properties page, highlight Internet Protocol(TCP/IP)
  • Click Properties. This will bring up another page.
  • Select Obtain DNS Server Automatically.
  • Click the ok button. The page will close.
  • Press ok on the page in front of you.
  • Restart the computer.
  • Reconnect to the Internet using Internet Explorer.
  • Add the log from fixwareout in your next reply.
  • It will be located at c:\fixwareout\report.txt

ComboFix 08-09-03.02 - Julie 2008-09-03 18:37:57.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.297 [GMT -5:00]
Running from: C:\Documents and Settings\Julie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Julie\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\system32\noytcyr.exe
C:\WINDOWS\system32\roytctm.exe
C:\WINDOWS\system32\soxpeca.exe
C:\WINDOWS\system32\tdydowkc.exe
C:\WINDOWS\system32\tpszxyd.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NOYTCYR
-------\Service_noytcyr


((((((((((((((((((((((((( Files Created from 2008-08-03 to 2008-09-03 )))))))))))))))))))))))))))))))
.

2008-09-02 22:58 . 2008-09-02 22:58  d--------  C:\WINDOWS\ERUNT
2008-09-02 19:00 . 2008-09-02 23:34  d--------  C:\SDFix
2008-09-02 15:16 . 2008-09-02 15:16  d--------  C:\Program Files\Trend Micro
2008-09-02 15:05 . 2008-06-10 02:32  73,728  --a------  C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-09-02 15:03 . 2008-09-02 15:05  d--------  C:\Program Files\Java
2008-09-02 15:03 . 2008-09-02 15:03  d--------  C:\Program Files\Common Files\Java
2008-09-02 12:55 . 2008-09-02 12:55  d--------  C:\Program Files\Malwarebytes' Anti-Malware
2008-09-02 12:55 . 2008-09-02 12:55  d--------  C:\Documents and Settings\Julie\Application Data\Malwarebytes
2008-09-02 12:55 . 2008-09-02 12:55  d--------  C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-02 12:55 . 2008-08-17 15:04  38,472  --a------  C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-09-02 12:55 . 2008-08-17 15:04  17,144  --a------  C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-09-02 08:26 . 2008-09-02 08:26  d--------  C:\Program Files\SUPERAntiSpyware
2008-09-02 08:26 . 2008-09-02 08:26  d--------  C:\Documents and Settings\Julie\Application Data\SUPERAntiSpyware.com
2008-09-02 08:26 . 2008-09-02 08:26  d--------  C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-02 07:56 . 2008-09-02 07:56  d--------  C:\Program Files\CCleaner
2008-09-01 14:38 . 2008-09-03 18:36  d--h-----  C:\$AVG8.VAULT$
2008-09-01 13:00 . 2008-09-01 13:00  d---s----  C:\Documents and Settings\LocalService\UserData
2008-09-01 12:53 . 2008-09-01 12:53  76,040  --a------  C:\WINDOWS\SYSTEM32\DRIVERS\avgtdix.sys
2008-09-01 12:53 . 2008-09-01 12:53  10,520  --a------  C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-09-01 12:52 . 2008-09-03 18:27  d--------  C:\WINDOWS\SYSTEM32\DRIVERS\Avg
2008-09-01 12:52 . 2008-09-01 12:52  d--------  C:\Program Files\AVG
2008-09-01 12:52 . 2008-09-01 12:52  d--------  C:\Documents and Settings\All Users\Application Data\avg8
2008-09-01 12:52 . 2008-09-03 08:00  97,928  --a------  C:\WINDOWS\SYSTEM32\DRIVERS\avgldx86.sys
2008-09-01 01:06 . 2008-09-01 01:12  d--------  C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-01 01:03 . 2008-09-02 08:25  d--------  C:\Program Files\Common Files\Wise Installation Wizard
2008-08-31 21:26 . 2008-09-03 07:46  d--------  C:\WINDOWS\SYSTEM32\inf
2008-08-30 22:23 . 2008-09-01 12:42  d--------  C:\Documents and Settings\NetworkService\Application Data\StumbleUpon
2008-08-22 14:18 . 2008-08-22 15:38  d--------  C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-08-20 09:33 . 2008-08-20 09:33  d--------  C:\WINDOWS\Cache
2008-08-20 09:33 . 2008-08-30 22:47  d--------  C:\Program Files\Coupons
2008-08-14 19:26 . 2008-05-01 09:30  331,776  -----c---  C:\WINDOWS\SYSTEM32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-03 23:36  ---------  d-----w  C:\Documents and Settings\Julie\Application Data\StumbleUpon
2008-09-01 17:24  ---------  d-----w  C:\Program Files\Viewpoint
2008-09-01 17:24  ---------  d-----w  C:\Documents and Settings\Julie\Application Data\Viewpoint
2008-09-01 17:24  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-09-01 06:09  ---------  d-----w  C:\Program Files\Lavasoft
2008-09-01 06:09  ---------  d-----w  C:\Documents and Settings\Julie\Application Data\Lavasoft
2008-08-22 00:08  ---------  d-----w  C:\Program Files\StumbleUpon
2005-06-17 18:40  266  --sh--w  C:\Program Files\desktop.ini
2005-06-17 18:40  11,079  -c-ha-w  C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-21 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-03 1235736]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 278528]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-07-07 169984]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 C:\WINDOWS\LOGI_MWX.EXE]

C:\Documents and Settings\Julie\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Sprint music manager\MEMonitor.exe [2008-05-07 951640]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.NTN1"= nuvision.ax

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders  msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-03 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-03 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-03 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-01 76040]
R3 atimtai;atimtai;C:\WINDOWS\system32\DRIVERS\atimtai.sys [2001-08-17 281600]
R3 maestro;ESS Maestro 3 Audio Driver (WDM);C:\WINDOWS\system32\drivers\es198x.sys [2001-08-17 174464]
S3 ISLP2;Intersil 802.11 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\islp2nds.sys [2002-10-03 611840]
S3 NuVision;Hauppauge WinTV USB Pro (NTSC);C:\WINDOWS\system32\DRIVERS\NUVision.sys [2005-07-08 260144]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-03 18:53:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\SYSTEM32\Atievxx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-09-03 18:58:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-03 23:57:54
ComboFix2.txt 2008-09-03 13:04:32

Pre-Run: 11,735,892,480 bytes free
Post-Run: 11,731,142,144 bytes free

138 --- E O F --- 2008-08-15 08:16:19

===========================================================================================

Username "Julie" - 09/03/2008 19:02:34 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Logitech Utility"="Logi_MwX.Exe"
"AVG8_TRAY"="C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\AutorunsDisabled]
"ISLP2STA.EXE"="ISLP2STA.EXE START"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"MsnMsgr"="\"C:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Next, run HijackThis, but instead of scanning, click on the Open the MISC tools section button at the bottom of the choices.
Select Delete an NT Service
Copy/paste noytcyr into the box that opens, and press OK
If you receive any error messages just ignore them and continue.

Now do the same with the following entry.

Copy/paste noxtcyr into the box that opens, and press OK

----------

Download OTMoveIt2 by OldTimer
  • Save it to your desktop.
Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

  • Double-click OTMoveIt2.exe to run it.
  • Copy the lines in the codebox below.
Code:
[kill explorer]
C:\WINDOWS\system32\noxtcyr.exe
C:\WINDOWS\system32\noytcyr.exe
EmptyTemp
[start explorer]
  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) and paste it in your next reply.
  • Close OTMoveIt2

That entry was not found in the HJT system scan. Also, it was not found when I tried to delete the NT service for both of those files.



Explorer killed successfully
File/Folder C:\WINDOWS\system32\noxtcyr.exe not found.
File/Folder C:\WINDOWS\system32\noytcyr.exe not found.
< EmptyTemp >
File delete failed. C:\DOCUME~1\Julie\LOCALS~1\Temp\~DF2D9C.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Julie\LOCALS~1\Temp\~DF2DB8.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Julie\LOCALS~1\Temp\~DFFE2F.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Julie\LOCALS~1\Temp\~DFFE4C.tmp scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09032008_193243

  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.

----------

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt2

----------

Delete temporary files

Go to:
  • Start
  • Run
  • type: CLEANMGR.EXE
  • Press Enter.
When prompted select the C: drive and click OK.
Check the boxes for:
  • Temporary Internet Files
  • Downloaded Program Files
  • Recycle Bin
  • Temporary Files
Click OK or Enter


----------

Run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

  • Click on SCAN NOW
  • Click Accept.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  • The scan will take a while, so be patient and let it finish.
When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect; however, we need to analyze the information in the report.

To obtain the report:
Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop.
  • In the File name area use KScan, or something similar.
  • In Save as type: click the drop arrow and select: Text file [*.txt]
  • Then, click: Save


Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, September 4, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, September 03, 2008 23:31:57
Records in database: 1189161
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 63393
Threat name: 6
Infected objects: 8
Suspicious objects: 12
Duration of the scan: 03:50:10


File name / Threat name / Threats count
C:\Documents and Settings\Julie\Local Settings\Application Data\Identities\{EF8D8B41-A217-48F2-BF2E-9EC4EC7D7934}\Microsoft\Outlook Express\eBay.dbx  Infected: Trojan-Spy.HTML.Paylap.jg  1
C:\Documents and Settings\Julie\Local Settings\Application Data\Identities\{EF8D8B41-A217-48F2-BF2E-9EC4EC7D7934}\Microsoft\Outlook Express\eBay.dbx  Suspicious: Trojan-Spy.HTML.Fraud.gen  12
C:\Documents and Settings\Julie\Local Settings\Application Data\Identities\{EF8D8B41-A217-48F2-BF2E-9EC4EC7D7934}\Microsoft\Outlook Express\eBay.dbx  Infected: Trojan-Spy.HTML.Paylap.je  2
C:\Documents and Settings\Julie\Local Settings\Application Data\Identities\{EF8D8B41-A217-48F2-BF2E-9EC4EC7D7934}\Microsoft\Outlook Express\eBay.dbx  Infected: Trojan-Spy.HTML.Bayfraud.jv  3
C:\Documents and Settings\Julie\Local Settings\Application Data\Identities\{EF8D8B41-A217-48F2-BF2E-9EC4EC7D7934}\Microsoft\Outlook Express\eBay.dbx  Infected: Trojan-Spy.HTML.Paylap.iy  1
C:\WINDOWS\SYSTEM32\udxfytw.sys  Infected: Trojan-Clicker.Win32.VB.bzc  1

The selected area was scanned.

There are some infected files in your email and one other location.

Download OTMoveIt2 by OldTimer
  • Save it to your desktop.
Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

  • Double-click OTMoveIt2.exe to run it.
  • Copy the lines in the codebox below.
Code:
[kill explorer]
C:\Documents and Settings\Julie\Local Settings\Application Data\Identities\{EF8D8B41-A217-48F2-BF2E-9EC4EC7D7934}\Microsoft\Outlook Express\eBay.dbx
C:\Documents and Settings\Julie\Local Settings\Application Data\Identities\{EF8D8B41-A217-48F2-BF2E-9EC4EC7D7934}\Microsoft\Outlook Express\eBay.dbx
C:\Documents and Settings\Julie\Local Settings\Application Data\Identities\{EF8D8B41-A217-48F2-BF2E-9EC4EC7D7934}\Microsoft\Outlook Express\eBay.dbx
C:\Documents and Settings\Julie\Local Settings\Application Data\Identities\{EF8D8B41-A217-48F2-BF2E-9EC4EC7D7934}\Microsoft\Outlook Express\eBay.dbx
C:\Documents and Settings\Julie\Local Settings\Application Data\Identities\{EF8D8B41-A217-48F2-BF2E-9EC4EC7D7934}\Microsoft\Outlook Express\eBay.dbx
C:\WINDOWS\SYSTEM32\udxfytw.sys
EmptyTemp
[start explorer]
  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) and paste it in your next reply.
  • Close OTMoveIt2

The OTMoveIt2 app locked up when I first ran it. I was unable to grab the original results window. I had to reboot. Ran OTMoveIt2 again and got the results below.

==============================

Explorer killed successfully
File/Folder C:\Documents and Settings\Julie\Local Settings\Application Data\Identities\{EF8D8B41-A217-48F2-BF2E-9EC4EC7D7934}\Microsoft\Outlook Express\eBay.dbx not found.
File/Folder C:\Documents and Settings\Julie\Local Settings\Application Data\Identities\{EF8D8B41-A217-48F2-BF2E-9EC4EC7D7934}\Microsoft\Outlook Express\eBay.dbx not found.
File/Folder C:\Documents and Settings\Julie\Local Settings\Application Data\Identities\{EF8D8B41-A217-48F2-BF2E-9EC4EC7D7934}\Microsoft\Outlook Express\eBay.dbx not found.
File/Folder C:\Documents and Settings\Julie\Local Settings\Application Data\Identities\{EF8D8B41-A217-48F2-BF2E-9EC4EC7D7934}\Microsoft\Outlook Express\eBay.dbx not found.
File/Folder C:\Documents and Settings\Julie\Local Settings\Application Data\Identities\{EF8D8B41-A217-48F2-BF2E-9EC4EC7D7934}\Microsoft\Outlook Express\eBay.dbx not found.
File/Folder C:\WINDOWS\SYSTEM32\udxfytw.sys not found.
< EmptyTemp >
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09042008_182735

Looks good.

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt2

----------

Set a New Restore Point to prevent possible REINFECTION from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
  • Go to Start > Programs > Accessories > System Tools and click System Restore
  • Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
  • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Next go to Start > Run and type Cleanmgr
  • Click OK
  • Click the More Options Tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide or Windows Vista System Restore Guide
----------

Use the Secunia Software Inspector to check for out of date software.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources, so they won't slow down your PC.

Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

To prevent unknown applications from being installed on your computer install WinPatrol 2008
* Using Winpatrol to protect your computer from malicious software

I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

