
ad.yieldmanager



My Compaq Evo 510 needs help removing ad.yieldmanager

I am using Windows XP SP2.

I can generate an Everest report if needed.

I am using Norton, Avast, AVG, Ad-Aware, Haute Secure, ATF Cleaner, Sygate Personal Firewall, RootkitBuster and a few others. All are updated, as is Windows.

When I go to Yahoo.com and log into my mail account, I get redirected to ad.yieldmanager and a screen that says "Internet Explorer cannot open this page", and now I cannot get my mail. This has been going on for a month and no one seems to be able to offer any suggestions.

I have run all the above programs over and over, and in safe mode also. No luck. Does anyone have any suggestions??? I have now run the suggested Malwarebytes Anti-Malware and it found nothing. I can't get Panda installed correctly, but maybe you can think of something else for me to run. Below are my logs and files from HijackThis and the Malwarebytes Anti-Malware report. Thanks in advance.

HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:35:27 PM, on 2/8/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\SYSTEM TOOLS\Lavasoft\Ad-Aware SE Personal\aawservice.exe

C:\Program Files\SYSTEM TOOLS\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\SYSTEM TOOLS\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\SYSTEM TOOLS\AVG Anti Spy\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\SYSTEM TOOLS\Norton Systemworks\Norton GoBack\GBPoll.exe

C:\PROGRA~1\SYSTEM~1\NORTON~1\NORTON~1\NPROTECT.EXE

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\PROGRA~1\SYSTEM~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\WFXSVC.EXE

C:\Program Files\HARDWARE\Fax\WINFAX\WFXMOD32.EXE

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\SYSTEM TOOLS\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\SYSTEM TOOLS\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe

C:\PROGRA~1\SYSTEM~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\LTMSG.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\CD and DVD Makers\CyberLink Powder DVD 7\PDVDServ.exe

C:\WINDOWS\system32\LXSUPMON.EXE

C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wfxsnt40.exe

C:\Program Files\SYSTEM TOOLS\AVG Anti Spy\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MISC\WeatherBug\WeatherBug\Weather.exe

C:\PROGRA~1\GRAPHICS\NEROPH~1\data\Xtras\mssysmgr.exe

C:\Program Files\HARDWARE\Fax\WINFAX\WFXCTL32.EXE

C:\PROGRA~1\GRAPHICS\WebShots\Webshots\Webshots.scr

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\SYSTEM TOOLS\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\INTERNET TOOLS\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\INTERN~2\COPERN~2\COPERN~1.DLL

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SYSTEM~1\SPYBOT~1\SPYBOT~1\SDHelper.dll

O2 - BHO: CtBho Class - {6462546F-70AE-4abc-B2B6-BE68E9410002} - C:\Program Files\SYSTEM TOOLS\Haute Secure\CtBho.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\HARDWARE\All In One\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\INTERNET TOOLS\Copernic Agent\CopernicAgentExt.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\HARDWARE\All In One\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: Haute Secure Toolbar - {7792546F-70AE-4abc-B2B6-BE68E9410002} - C:\Program Files\SYSTEM TOOLS\Haute Secure\CtToolBand.dll

O4 - HKLM\..\Run: [setRefresh] "C:\Program Files\COMPAQ and HP and DELL\COMPAQ\COMPAQ\SetRefresh\SetRefresh.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [DrvLsnr] "C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\SYSTEM~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [smcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui

O4 - HKLM\..\Run: [Motive SmartBridge] "C:\Program Files\COMMUNICATIONS\ALLTEL DSL Check-up Center\ALLTEL DSL Check-up Center\bin\MotiveSB.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NSWosCheck] "C:\Program Files\SYSTEM TOOLS\Norton Systemworks\osCheck.exe"

O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CD and DVD Makers\CyberLink Powder DVD 7\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CD and DVD Makers\CyberLink Powder DVD 7\Language\Language.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe

O4 - HKLM\..\Run: [LXSUPMON] "C:\WINDOWS\system32\LXSUPMON.EXE" RUN

O4 - HKLM\..\Run: [ulead AutoDetector v2] "C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe"

O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\SYSTEM TOOLS\Norton Systemworks\Norton AntiVirus\osCheck.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\SYSTEM TOOLS\AVG Anti Spy\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Weather] C:\Program Files\MISC\WeatherBug\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\GRAPHICS\NEROPH~1\data\Xtras\mssysmgr.exe

O4 - HKCU\..\Run: [EPSON Stylus CX8400 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE" /FU "C:\WINDOWS\TEMP\E_SE7.tmp" /EF "HKCU"

O4 - HKUS\S-1-5-18\..\RunOnce: [*LogMeInRescue_552069356] "C:\WINDOWS\LMI5.tmp\lmi_rescue.exe" -runonce -gui (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [*LogMeInRescue_552069356] "C:\WINDOWS\LMI5.tmp\lmi_rescue.exe" -runonce -gui (User 'Default user')

O4 - Startup: Webshots.lnk = C:\Program Files\GRAPHICS\WebShots\Webshots\Launcher.exe

O4 - Global Startup: Controller.LNK = C:\Program Files\HARDWARE\Fax\WINFAX\WFXCTL32.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\INTERNET TOOLS\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT

O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\INTERN~2\COPERN~2\COPERN~1.EXE

O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\INTERN~2\COPERN~2\COPERN~1.EXE

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\SYSTEM TOOLS\Norton Systemworks\Norton Cleanup\WCQuick.lnk

O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\SYSTEM TOOLS\Norton Systemworks\Norton Cleanup\WCQuick.lnk

O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\INTERN~2\COPERN~2\COPERN~1.EXE

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SYSTEM~1\SPYBOT~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SYSTEM~1\SPYBOT~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\SYSTEM TOOLS\Lavasoft\Ad-Aware SE Personal\aawservice.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\SYSTEM TOOLS\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\SYSTEM TOOLS\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\SYSTEM TOOLS\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\SYSTEM TOOLS\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\SYSTEM TOOLS\AVG Anti Spy\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\SYSTEM TOOLS\Norton Systemworks\Norton GoBack\GBPoll.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\SYSTEM~1\NORTON~1\NORTON~1\NPROTECT.EXE

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\SYSTEM~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

O23 - Service: WinFax Basic Edition (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

--

End of file - 12703 bytes

-----------------------------------------------

Malwarebytes' Anti-Malware Log:

Malwarebytes' Anti-Malware 1.02

Database version: 330

Scan type: Full Scan (C:\|)

Objects scanned: 105767

Time elapsed: 55 minute(s), 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-------------------------------------------------------------------------------------End of Message


Thank you for your quick reply. OK, I did as you asked. Below are the logs. (By the way, I could not install the Recovery Console at the time since I did not have the disk, but since I posted this originally, I have now installed it.)

ComboFix 08-02.05.3 - Administrator 2008-02-08 23:45:02.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.204 [GMT -6:00]

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))

.

2008-02-08 20:08 . 2008-02-08 20:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-02-08 20:08 . 2008-02-08 20:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

2008-02-08 19:41 . 2008-02-08 19:44 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2008-02-08 19:41 . 2008-02-08 19:41 <DIR> d-------- C:\WINDOWS\LastGood

2008-02-08 19:41 . 2008-02-08 19:43 30,590 --a------ C:\WINDOWS\system32\pavas.ico

2008-02-08 19:41 . 2008-02-08 19:43 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico

2008-02-08 19:41 . 2008-02-08 19:43 1,406 --a------ C:\WINDOWS\system32\Help.ico

2008-02-08 13:11 . 2008-02-08 13:11 67 --a------ C:\Ntf2.tmp

2008-02-08 13:11 . 2008-02-08 13:11 67 --a------ C:\Ntf1.tmp

2008-02-07 20:11 . 2008-02-07 21:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-02-05 19:43 . 2008-02-05 19:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft

2008-02-05 19:38 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2008-02-04 12:51 . 2008-02-04 12:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

2008-02-01 16:33 . 2008-02-01 16:33 <DIR> d-------- C:\Program Files\Windows Sidebar

2008-02-01 15:27 . 2008-02-01 15:27 <DIR> d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP

2008-02-01 15:07 . 2008-02-01 15:29 <DIR> d-------- C:\WINDOWS\LMI5.tmp

2008-01-31 21:24 . 2008-01-31 21:24 164 --a------ C:\install.dat

2008-01-30 16:07 . 2008-01-30 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-01-24 15:10 . 2008-01-24 15:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\WeatherBug

2008-01-14 20:32 . 2008-01-14 20:32 <DIR> d-------- C:\Program Files\Netflix

2008-01-11 22:31 . 2008-02-08 21:25 <DIR> d-------- C:\WINDOWS\Ct

2008-01-11 22:05 . 2008-01-11 22:05 102,800 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-02-09 02:06 --------- d-----w C:\Program Files\SYSTEM TOOLS

2008-02-09 01:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-02-06 01:42 --------- d-----w C:\Program Files\GENEALOGY

2008-02-05 00:20 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF

2008-02-05 00:20 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL

2008-02-05 00:20 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS

2008-02-05 00:20 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT

2008-02-05 00:20 --------- d-----w C:\Program Files\Symantec

2008-02-04 16:26 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP

2008-02-01 23:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec

2008-02-01 22:25 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Symantec

2008-02-01 05:27 --------- d-----w C:\Program Files\GAMES

2008-01-30 22:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-01-24 21:07 --------- d-----w C:\Program Files\MISC

2008-01-15 15:54 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat

2008-01-15 11:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf

2008-01-15 02:30 --------- d-----w C:\Program Files\ENTERTAINMENT

2008-01-14 02:51 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SpinTop

2008-01-14 00:11 --------- d-----w C:\Program Files\GRAPHICS

2008-01-14 00:08 --------- d-----w C:\Program Files\CD and DVD Makers

2008-01-13 23:53 --------- d-----w C:\Program Files\INTERNET TOOLS

2008-01-13 00:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys

2008-01-08 00:28 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Roxio

2008-01-06 16:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help

2008-01-04 01:06 --------- d-----w C:\Program Files\MY PHOTOS

2008-01-03 19:36 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Uniblue

2008-01-03 19:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Snapfish

2008-01-03 04:44 --------- d-----w C:\Program Files\Roxio

2008-01-03 03:20 --------- d-----w C:\Documents and Settings\Administrator\Application Data\EPSON

2008-01-03 02:36 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Leadertech

2008-01-03 02:35 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-01-03 02:32 --------- d-----w C:\Program Files\Common Files\ArcSoft

2008-01-03 02:32 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ArcSoft

2008-01-03 02:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\EPSON

2008-01-03 02:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InstallShield

2007-12-21 19:01 --------- d-----w C:\Program Files\Common Files\Novell Shared

2007-12-21 18:58 --------- d-----w C:\Program Files\HARDWARE

2007-12-19 22:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Ulead Systems

2007-12-19 21:39 --------- d-----w C:\Program Files\Windows Media Components

2007-12-19 21:38 --------- d-----w C:\Program Files\Common Files\Ulead Systems

2007-12-19 21:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems

2007-12-18 04:39 --------- d-----w C:\Program Files\MSECache

2007-12-15 23:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Ahead

2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe

2007-12-10 18:52 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Wal-Mart Digital Photo Viewer

2007-12-10 17:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Wal-Mart

2007-12-10 17:51 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Wal-Mart

2007-12-10 17:47 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Wal-Mart Digital Photo Manager

2007-12-08 01:46 413,696 ----a-w C:\WINDOWS\system32\cnvshell.dll

2007-12-04 13:04 837,496 -c--a-w C:\WINDOWS\system32\aswBoot.exe

2007-12-04 12:54 95,608 -c--a-w C:\WINDOWS\system32\AvastSS.scr

2007-11-10 18:23 8,388,608,000 --sha-w C:\gobackio.bin

2007-11-09 16:36 43,011 -c--a-w C:\WINDOWS\Sbunins3.exe

2000-06-19 18:56 45,056 -c--a-w C:\WINDOWS\inf\i386\twotCPL.dll

2000-03-01 07:02 45,056 -c--a-w C:\WINDOWS\inf\i386\Pmxusd.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6462546F-70AE-4abc-B2B6-BE68E9410002}]

2007-08-17 11:10 44232 --a------ C:\Program Files\SYSTEM TOOLS\Haute Secure\CtBho.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]

2008-02-01 17:11 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{F2E259E8-0FC8-438C-A6E0-342DD80FA53E}

{EE5D279F-081B-4404-994D-C6B60AAEBA6D}

{7792546F-70AE-4ABC-B2B6-BE68E9410002}

[HKEY_CLASSES_ROOT\clsid\{7792546f-70ae-4abc-b2b6-be68e9410002}]

[HKEY_CLASSES_ROOT\CtToolBand.CtToolBand.1]

[HKEY_CLASSES_ROOT\TypeLib\{7792546F-70AE-4abc-B2B6-BE68E9410001}]

[HKEY_CLASSES_ROOT\CtToolBand.CtToolBand]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GoBack]

@={1F038B9D-83F5-4b28-BA76-8654EC297DD6}

[HKEY_CLASSES_ROOT\CLSID\{1F038B9D-83F5-4b28-BA76-8654EC297DD6}]

2006-07-19 11:45 607920 -ra------ C:\Program Files\SYSTEM TOOLS\Norton Systemworks\Norton GoBack\ShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 07:18 15360]

"Weather"="C:\Program Files\MISC\WeatherBug\WeatherBug\Weather.exe" [2007-08-29 10:55 1347584]

"Power2GoExpress"="" []

"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\GRAPHICS\NEROPH~1\data\Xtras\mssysmgr.exe" [2005-02-25 18:28 212992]

"EPSON Stylus CX8400 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.exe" [2007-02-15 06:00 179200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SetRefresh"="C:\Program Files\COMPAQ and HP and DELL\COMPAQ\COMPAQ\SetRefresh\SetRefresh.exe" [2003-11-20 17:01 525824]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 16:48 155648]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 15:44 126976]

"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 10:34 69632]

"avast!"="C:\PROGRA~1\SYSTEM~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]

"NWEReboot"="" []

"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 18:40 2577632]

"Motive SmartBridge"="C:\Program Files\COMMUNICATIONS\ALLTEL DSL Check-up Center\ALLTEL DSL Check-up Center\bin\MotiveSB.exe" [2004-11-09 12:04 401408]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-10-23 16:18 51048]

"NSWosCheck"="C:\Program Files\SYSTEM TOOLS\Norton Systemworks\osCheck.exe" [2007-09-18 08:22 25472]

"LTMSG"="LTMSG.exe" [2003-07-14 10:52 40960 C:\WINDOWS\ltmsg.exe]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]

"RemoteControl"="C:\Program Files\CD and DVD Makers\CyberLink Powder DVD 7\PDVDServ.exe" [2007-02-07 16:24 71216]

"LanguageShortcut"="C:\Program Files\CD and DVD Makers\CyberLink Powder DVD 7\Language\Language.exe" [2007-02-07 16:21 54832]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-06-07 12:32 36864]

"LXSUPMON"="C:\WINDOWS\system32\LXSUPMON.exe" [2000-06-07 13:01 794112]

"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-08-27 19:22 90112]

"WinFaxAppPortStarter"="wfxsnt40.exe" [2000-02-14 17:36 43008 C:\WINDOWS\system32\WFXSNT40.EXE]

"osCheck"="C:\Program Files\SYSTEM TOOLS\Norton Systemworks\Norton AntiVirus\osCheck.exe" [2007-08-24 22:53 714608]

"!AVG Anti-Spyware"="C:\Program Files\SYSTEM TOOLS\AVG Anti Spy\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"*LogMeInRescue_552069356"="C:\WINDOWS\LMI5.tmp\lmi_rescue.exe" [2008-02-01 15:07 1578280]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\

Webshots.lnk - C:\Program Files\GRAPHICS\WebShots\Webshots\Launcher.exe [2007-12-01 00:04:12 157008]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoViewOnDrive"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= c:\program files\hardware\fax\winfax\WfxSeh32.Dll [1998-07-27 04:54 38400]

"{6462546F-70AE-4abc-B2B6-BE68E9410002}"= C:\Program Files\SYSTEM TOOLS\Haute Secure\CtBho.dll [2007-08-17 11:10 44232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=NVDESK32.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZDWLan Utility.lnk]

backup=C:\WINDOWS\pss\ZDWLan Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AttuneClientEngine]

R0 Ct;Ct;C:\WINDOWS\system32\DRIVERS\ct.sys [2007-08-17 11:10]

R0 GBDevice;GBDevice;C:\WINDOWS\system32\drivers\GBDevice.sys [2006-07-19 11:45]

R0 GoBack2K;GoBack2K;C:\WINDOWS\system32\drivers\GoBack2K.sys [2006-07-19 11:45]

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CD and DVD Makers\CyberLink Powder DVD 7\000.fcl [2006-11-02 16:51]

R2 CtServ;CtServ;C:\WINDOWS\system32\svchost.exe [2004-08-12 07:30]

R2 GBFSHook;GBFSHook;C:\WINDOWS\system32\drivers\GBFSHook.sys [2006-07-19 11:45]

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" [2007-10-23 16:18]

R2 wfxsvc;WinFax Basic Edition;C:\WINDOWS\system32\WFXSVC.EXE [2000-02-14 17:36]

R3 NPDriver;Norton UnErase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2006-10-10 07:17]

R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 18:27]

S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-01-12 18:32]

S3 SDdriver;SDdriver;C:\WINDOWS\system32\Drivers\sddriver.sys [2005-11-03 20:43]

S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 18:27]

S3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2005-10-28 10:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

CtServ REG_MULTI_SZ CtServ

.

Contents of the 'Scheduled Tasks' folder

"2008-02-05 02:02:26 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Administrator.job"

- C:\Program Files\SYSTEM TOOLS\Norton Systemworks\Norton AntiVirus\Navw32.exe

"2008-02-04 18:02:02 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"

- C:\Program Files\SYSTEM TOOLS\Norton Systemworks\OBC.exe

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-02-08 23:54:40

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-02-08 23:58:44

.

2008-01-09 20:21:37 --- E O F ---

----------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:01:05 AM, on 2/9/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\SYSTEM TOOLS\Lavasoft\Ad-Aware SE Personal\aawservice.exe

C:\Program Files\SYSTEM TOOLS\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\SYSTEM TOOLS\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\SYSTEM TOOLS\AVG Anti Spy\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\SYSTEM TOOLS\Norton Systemworks\Norton GoBack\GBPoll.exe

C:\PROGRA~1\SYSTEM~1\NORTON~1\NORTON~1\NPROTECT.EXE

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\PROGRA~1\SYSTEM~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\WFXSVC.EXE

C:\Program Files\HARDWARE\Fax\WINFAX\WFXMOD32.EXE

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe

C:\PROGRA~1\SYSTEM~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\LTMSG.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\CD and DVD Makers\CyberLink Powder DVD 7\PDVDServ.exe

C:\WINDOWS\system32\LXSUPMON.EXE

C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wfxsnt40.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MISC\WeatherBug\WeatherBug\Weather.exe

C:\PROGRA~1\GRAPHICS\NEROPH~1\data\Xtras\mssysmgr.exe

C:\Program Files\HARDWARE\Fax\WINFAX\WFXCTL32.EXE

C:\PROGRA~1\GRAPHICS\WebShots\Webshots\Webshots.scr

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

C:\WINDOWS\explorer.exe

C:\Program Files\SYSTEM TOOLS\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\INTERN~2\COPERN~2\COPERN~1.DLL

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SYSTEM~1\SPYBOT~1\SPYBOT~1\SDHelper.dll

O2 - BHO: CtBho Class - {6462546F-70AE-4abc-B2B6-BE68E9410002} - C:\Program Files\SYSTEM TOOLS\Haute Secure\CtBho.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\HARDWARE\All In One\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\INTERNET TOOLS\Copernic Agent\CopernicAgentExt.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\HARDWARE\All In One\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: Haute Secure Toolbar - {7792546F-70AE-4abc-B2B6-BE68E9410002} - C:\Program Files\SYSTEM TOOLS\Haute Secure\CtToolBand.dll

O4 - HKLM\..\Run: [setRefresh] "C:\Program Files\COMPAQ and HP and DELL\COMPAQ\COMPAQ\SetRefresh\SetRefresh.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [DrvLsnr] "C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\SYSTEM~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [smcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui

O4 - HKLM\..\Run: [Motive SmartBridge] "C:\Program Files\COMMUNICATIONS\ALLTEL DSL Check-up Center\ALLTEL DSL Check-up Center\bin\MotiveSB.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NSWosCheck] "C:\Program Files\SYSTEM TOOLS\Norton Systemworks\osCheck.exe"

O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CD and DVD Makers\CyberLink Powder DVD 7\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CD and DVD Makers\CyberLink Powder DVD 7\Language\Language.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe

O4 - HKLM\..\Run: [LXSUPMON] "C:\WINDOWS\system32\LXSUPMON.EXE" RUN

O4 - HKLM\..\Run: [ulead AutoDetector v2] "C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe"

O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\SYSTEM TOOLS\Norton Systemworks\Norton AntiVirus\osCheck.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\SYSTEM TOOLS\AVG Anti Spy\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Weather] C:\Program Files\MISC\WeatherBug\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\GRAPHICS\NEROPH~1\data\Xtras\mssysmgr.exe

O4 - HKCU\..\Run: [EPSON Stylus CX8400 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE" /FU "C:\WINDOWS\TEMP\E_SE7.tmp" /EF "HKCU"

O4 - HKUS\S-1-5-18\..\RunOnce: [*LogMeInRescue_552069356] "C:\WINDOWS\LMI5.tmp\lmi_rescue.exe" -runonce -gui (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [*LogMeInRescue_552069356] "C:\WINDOWS\LMI5.tmp\lmi_rescue.exe" -runonce -gui (User 'Default user')

O4 - Startup: Webshots.lnk = C:\Program Files\GRAPHICS\WebShots\Webshots\Launcher.exe

O4 - Global Startup: Controller.LNK = C:\Program Files\HARDWARE\Fax\WINFAX\WFXCTL32.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\INTERNET TOOLS\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT

O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\INTERN~2\COPERN~2\COPERN~1.EXE

O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\INTERN~2\COPERN~2\COPERN~1.EXE

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\SYSTEM TOOLS\Norton Systemworks\Norton Cleanup\WCQuick.lnk

O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\SYSTEM TOOLS\Norton Systemworks\Norton Cleanup\WCQuick.lnk

O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\INTERN~2\COPERN~2\COPERN~1.EXE

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SYSTEM~1\SPYBOT~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SYSTEM~1\SPYBOT~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\SYSTEM TOOLS\Lavasoft\Ad-Aware SE Personal\aawservice.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\SYSTEM TOOLS\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\SYSTEM TOOLS\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\SYSTEM TOOLS\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\SYSTEM TOOLS\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\SYSTEM TOOLS\AVG Anti Spy\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\SYSTEM TOOLS\Norton Systemworks\Norton GoBack\GBPoll.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\SYSTEM~1\NORTON~1\NORTON~1\NPROTECT.EXE

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\SYSTEM~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

O23 - Service: WinFax Basic Edition (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

--

End of file - 12284 bytes
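Helpers read a HijackThis log by its section codes (R1, O4, O9, O16, ...). As an added example, not from the thread and not part of HijackThis, the Python script below parses those entry lines and flags the patterns a helper checks first; the sample lines are copied from this thread's log, and the flag rules are this editor's own choice of review prompts, not verdicts.

```python
"""Triage helper for HijackThis v2 log lines (added example, not from the thread
or from HijackThis). Flags are prompts to look closer, not verdicts."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One entry line: section code (R1, O4, O9, ...) then " - " then the body.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# First local path in the body, ending at the first recognised extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll|scr|lnk|cab)', re.IGNORECASE)
# Fragments that mark execution from a temporary location.
TEMP_MARKERS = ("\\windows\\temp\\", "\\local settings\\temp\\", ".tmp\\")

@dataclass
class Entry:
    kind: str
    body: str
    path: Optional[str]

def parse(log_text: str) -> List[Entry]:
    """Entry lines only; the header and the running-process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            p = PATH_RE.search(m.group("body"))
            entries.append(Entry(m.group("kind"), m.group("body"), p.group(0) if p else None))
    return entries

def reasons_for(entry: Entry) -> List[str]:
    """Review prompts for one entry; an empty list means nothing stood out."""
    body_l, reasons = entry.body.lower(), []
    if "(file missing)" in body_l:
        reasons.append("target file missing: stale entry or removed component")
    if entry.path and any(mark in entry.path.lower() for mark in TEMP_MARKERS):
        # Legitimate remote-support tools (LogMeIn Rescue, as in this log) also
        # run from temp folders, so confirm who placed the file before acting.
        reasons.append("executes from a temporary directory")
    if entry.kind == "O4" and "runonce" in body_l and ("s-1-5-18" in body_l or ".default" in body_l):
        reasons.append("RunOnce under the SYSTEM/.DEFAULT hive: runs before any user logs in")
    if entry.kind == "O16":
        reasons.append("remote ActiveX CAB installer: confirm the publisher is expected")
    if entry.kind == "R1" and "proxyoverride" in body_l:
        reasons.append("proxy bypass list set: check the ProxyServer value alongside it")
    return reasons

def triage(log_text: str) -> List[Tuple[Entry, List[str]]]:
    """Entries carrying at least one review prompt, in log order."""
    checked = [(e, reasons_for(e)) for e in parse(log_text)]
    return [(e, r) for e, r in checked if r]

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [*LogMeInRescue_552069356] "C:\WINDOWS\LMI5.tmp\lmi_rescue.exe" -runonce -gui (User 'SYSTEM')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
"""

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry.kind, entry.body[:70], reasons)
```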

-------------------------------------------------------------------------------


  • Staff

Hi cheriebono,

pomp asked me to step in while he's at work.

Please open HijackThis, and select Open the Misc Tools section.

Select Open Uninstall Manager...

Select Save list..., and a Notepad document will open. Post the contents of that Notepad document.

Also, please download the HostsXpert.

  • Extract the HostsXpert.zip by doing the following:
    • Right-click HostsXpert.zip and select extract all


Thanks. I tried to get into my mail account after I had run ComboFix and lo and behold, I was able to get in with no problems! But I waited until today to try this again. Again, no problems. And again this afternoon. Again, no problems. So, tentatively, I'm being cautiously optimistic and saying whatever the problem was, it seems to be fixed. Do you feel I should go ahead and restore the MS hosts file? Or should we leave well enough alone? I'd be curious to know, what actually happened? So that in case it ever happens again I'll know what it was. I thought I had enough security stuff on here to stop a train. Or was it a setting that got off track as opposed to malware? I appreciate all your answers and time. Thanks.


  • Staff

Hi cheriebono,

Thanks. I tried to get into my mail account after I had run ComboFix and lo and behold, I was able to get in with no problems!
Good to hear. :)
Do you feel I should go ahead and restore the MS hosts file? Or should we leave well enough alone?
Yes, please restore it. It's a good security measure.
I'd be curious to know, what actually happened? So that in case it ever happens again I'll know what it was. I thought I had enough security stuff on here to stop a train. Or was it a setting that got off track as opposed to malware?
It was a bug with Yahoo! mail and their advertising sponsors. ComboFix restored whatever setting got off-track.

I notice that you are using more than one antivirus program (Norton and Avast). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you either:

  • (1) configure only one antivirus program to enable automatic realtime scanning, and leave the rest disabled most of the time, or
  • (2) go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

Next, navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u

This uninstalls all of ComboFix's components.

Restart your computer. Any other concerns or questions?

-screen317


No, not at this time. As far as the dual AV, I'll keep one on real time for a week or so and then switch. I'll still run a full scan manually every night using both. I realize this may sound like a lot of extra work, but I have found no one program gets them all. One will grab some, and if I go back with another program, it will get some more. And then vice versa. (Haven't had any of them grab one in years, actually.) Adaware is manually run in the AM when I boot up and again before I shut down at night. Spybot is only for once-a-month maintenance. Sygate Firewall is on all the time. Now, what happens if I just move ComboFix to a file elsewhere instead of removing it? Any problem with that? What could I have done, if anything, to have prevented this problem in the first place?

Again, thanks.


  • Staff

Hi cheriebono,

I'll still run a full scan manually everynight using both. I realize this may sound like a lot of extra work, but I have found no one program gets them all.
Good plan. :thumbsup:
Now, what happens if I just move ComboFix to a file elsewhere instead of removing it?
For security reasons, ComboFix will automatically expire and uninstall itself after ten days. It is a very dangerous tool when used without supervision.
What could I have done, if anything, to have prevented this problem in the first place?
You really didn't do anything wrong to get this; just a glitch on Yahoo's part.

With your security practices, I'd say you are in good shape for the future.

One item I would recommend though is to download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

Also, an excellent article to read is Tony Klein's So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


Thanks for the encouraging words. I did download SpyWare Blaster. I have used it in the past. I also ran Jason's Toolbox Security Test and passed it with flying colors! It was nice to know that many of the malware and Av programs recommended in the Tony Klein article I either use on an everyday basis or use as part of my weekly maintenance. So. Thanks again.


Since this topic has been resolved it will now be closed. Many thanks to screen317 it is much appreciated.

Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
