Active AVG notifies "Found Tracking cookie.Atdmt" when connecting to IE.

Discussion in 'Malware and Virus Removal Archive' started by Shorerider, 2009/07/24.

  1. 2009/07/24
    Shorerider

    Shorerider Inactive Thread Starter

    Joined:
    2006/09/30
    Messages:
    93
    Likes Received:
    0
    [Active] AVG notifies "Found Tracking cookie.Atdmt" when connecting to IE.

    Most times when accessing the internet, AVG notifies "Found Tracking cookie.Atdmt".

    The cookie is either deleted or moved to the virus vault by AVG each time, but it keeps coming back. This leads me to believe there may be something else infecting my machine and causing this.


    Below are the results of the DDS logs.




    DDS (Ver_09-06-26.01) - FAT32x86
    Run by The Cauchi's at 18:10:13.50 on Fri 07/24/2009
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.71 [GMT 10:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    SVCHOST.EXE
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    SVCHOST.EXE
    SVCHOST.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    SVCHOST.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\WINDOWS\System32\keyhook.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
    C:\Program Files\BillP Studios\WinPatrolScotty2009\winpatrol.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TomTom HOME 2\HOMERunner.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\dds.pifWindows BBS.pif

    ============== Pseudo HJT Report ===============

    uInternet Connection Wizard,ShellNext = iexplore
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\4979\SiteAdv.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.3000.1001\en-au\msntb.dll
    TB: ninemsn: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.3000.1001\en-au\msntb.dll
    TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\4979\SiteAdv.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: My &Search Bar: {0494d0d9-f8e0-41ad-92a3-14154ece70ac} - c:\program files\myway\mybar\1.bin\MYBAR.DLL
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    EB: Starware: {90c61707-c8f8-43db-a25c-c1f4b18ee41e} - c:\progra~1\comet\bin\csband.dll
    EB: Starware: {edc4193f-34ad-4d07-aa87-e3fdb89e3e76} - c:\progra~1\comet\bin\csband.dll
    uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
    mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
    mRun: [SiS Tray] c:\windows\system32\sistray.EXE
    mRun: [SiS Windows KeyHook] c:\windows\system32\keyhook.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [CTHelper] CTHELPER.EXE
    mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
    mRun: [UpdReg] c:\windows\UpdReg.EXE
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [Lexmark X5100 Series] "c:\program files\lexmark x5100 series\lxbabmgr.exe"
    mRun: [msnappau] "c:\program files\msn apps\updater\01.02.3000.1001\en-au\msnappau.exe"
    mRun: [WinPatrol] c:\program files\billp studios\winpatrolscotty2009\winpatrol.exe -expressboot
    mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
    dRun: [Symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
    IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab
    DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180506225375
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\4979\SiteAdv.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-4 335752]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-4 27784]
    R1 SiSEsc;SISLIB_ESC;c:\windows\system32\sisesc.sys [2003-12-31 28416]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-2 298776]
    R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-30 1251720]
    R3 C4C_BSC2;C4C_BSC2;c:\windows\system32\drivers\C4C_BSC2.sys [2003-12-31 84788]
    S3 alcan5ln;Alcatel SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [2004-7-10 36048]

    =============== Created Last 30 ================

    2009-07-24 18:09 359,929 a------- C:\dds.pifWindows BBS.pif
    2009-07-04 19:31 <DIR> --dsh--- c:\documents and settings\the cauchi's\IECompatCache
    2009-07-03 22:11 20,174 a------- c:\windows\system32\ASTULog.cab
    2009-07-03 22:11 1,046 a------- c:\windows\system32\setup.inf
    2009-07-03 22:11 283 a------- c:\windows\system32\setup.rpt
    2009-07-03 22:11 <DIR> --d----- c:\windows\ASTULogTemp
    2009-07-03 17:59 26 a------- c:\windows\Zone.Identifier
    2009-07-02 11:28 472 a------- c:\windows\videoimp.ini
    2009-07-02 11:28 212,480 a------- c:\windows\pcdlib32.dll
    2009-07-02 11:28 21 a------- c:\windows\VI_setup.ini
    2009-07-02 11:14 32 a------- c:\windows\CD_Start.INI

    ==================== Find3M ====================

    2009-07-18 08:54 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
    2009-06-23 16:20 11,952 a------- c:\windows\system32\avgrsstx.dll
    2009-06-17 00:36 119,808 -------- c:\windows\system32\t2embed.dll
    2009-06-17 00:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
    2009-06-17 00:36 81,920 -------- c:\windows\system32\fontsub.dll
    2009-06-17 00:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
    2009-06-15 17:59 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
    2009-06-04 05:09 1,291,264 -------- c:\windows\system32\quartz.dll
    2009-06-04 05:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
    2009-06-02 20:12 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
    2009-05-13 15:15 915,456 a------- c:\windows\system32\wininet.dll
    2009-05-13 15:15 5,936,128 -------- c:\windows\system32\dllcache\mshtml.dll
    2009-05-13 15:15 915,456 -------- c:\windows\system32\dllcache\wininet.dll
    2009-05-08 01:32 345,600 -------- c:\windows\system32\localspl.dll
    2009-05-08 01:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
    2009-05-01 07:22 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
    2009-05-01 07:22 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
    2009-05-01 07:22 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
    2009-05-01 07:22 1,207,808 -------- c:\windows\system32\dllcache\urlmon.dll
    2009-05-01 07:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
    2009-05-01 07:22 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
    2009-05-01 07:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
    2009-04-30 21:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
    2009-04-29 14:55 133,120 -------- c:\windows\system32\dllcache\extmgr.dll
    2009-04-28 19:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
    2004-12-09 06:32 29,680 a------- c:\docume~1\thecau~1\applic~1\GDIPFONTCACHEV1.DAT

    ============= FINISH: 18:11:30.71 ===============



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-06-26.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/29/2004 6:58:06 PM
    System Uptime: 7/24/2009 7:26:00 AM (11 hours ago)

    Motherboard: Acer | | E61ML
    Processor: Intel(R) Celeron(R) CPU 2.60GHz | Socket 478 | 2600/100mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (FAT32) - 37 GiB total, 10.194 GiB free.
    D: is CDROM ()
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID:
    Description:
    Device ID: ROOT\LEGACY_NPF\0000
    Manufacturer:
    Name:
    PNP Device ID: ROOT\LEGACY_NPF\0000
    Service:

    ==== System Restore Points ===================

    RP1595: 5/26/2009 8:12:14 PM - System Checkpoint
    RP1596: 5/27/2009 8:38:26 PM - System Checkpoint
    RP1597: 5/28/2009 9:40:13 PM - System Checkpoint
    RP1598: 5/29/2009 10:58:37 PM - System Checkpoint
    RP1599: 5/30/2009 11:45:44 PM - System Checkpoint
    RP1600: 6/1/2009 6:45:46 PM - System Checkpoint
    RP1601: 6/2/2009 7:18:51 PM - System Checkpoint
    RP1602: 6/11/2009 1:43:17 PM - System Checkpoint
    RP1603: 6/12/2009 5:03:42 PM - Software Distribution Service 3.0
    RP1604: 6/13/2009 5:07:31 PM - System Checkpoint
    RP1605: 6/14/2009 5:49:42 PM - System Checkpoint
    RP1606: 6/15/2009 5:15:25 PM - Software Distribution Service 3.0
    RP1607: 6/15/2009 9:38:03 PM - Software Distribution Service 3.0
    RP1608: 6/16/2009 5:00:36 PM - Software Distribution Service 3.0
    RP1609: 6/17/2009 5:25:20 PM - System Checkpoint
    RP1610: 6/18/2009 5:41:35 PM - System Checkpoint
    RP1611: 6/19/2009 5:54:29 PM - System Checkpoint
    RP1612: 6/20/2009 6:21:36 PM - System Checkpoint
    RP1613: 6/21/2009 6:46:01 PM - System Checkpoint
    RP1614: 6/22/2009 7:23:39 PM - System Checkpoint
    RP1615: 6/23/2009 4:09:43 PM - Avg8 Update
    RP1616: 6/23/2009 4:21:08 PM - Avg8 Update
    RP1617: 6/24/2009 7:53:28 AM - Software Distribution Service 3.0
    RP1618: 6/25/2009 5:49:30 PM - System Checkpoint
    RP1619: 6/26/2009 8:14:25 PM - System Checkpoint
    RP1620: 6/27/2009 8:53:42 PM - System Checkpoint
    RP1621: 6/29/2009 9:03:54 AM - System Checkpoint
    RP1622: 6/30/2009 9:27:49 AM - System Checkpoint
    RP1623: 7/1/2009 10:44:38 AM - System Checkpoint
    RP1624: 7/2/2009 11:14:55 AM - Installed MyDSC2
    RP1625: 7/3/2009 11:48:34 AM - System Checkpoint
    RP1626: 7/3/2009 8:48:19 PM - Removed Microsoft ActiveSync
    RP1627: 7/3/2009 9:26:09 PM - Removed Microsoft ActiveSync
    RP1628: 7/3/2009 9:33:14 PM - Installed Microsoft ActiveSync
    RP1629: 7/3/2009 9:51:33 PM - Removed Microsoft ActiveSync
    RP1630: 7/3/2009 10:00:22 PM - Installed Microsoft ActiveSync
    RP1631: 7/4/2009 10:52:28 PM - System Checkpoint
    RP1632: 7/6/2009 12:48:12 PM - System Checkpoint
    RP1633: 7/7/2009 1:43:06 PM - System Checkpoint
    RP1634: 7/8/2009 1:46:09 PM - System Checkpoint
    RP1635: 7/9/2009 2:22:43 PM - System Checkpoint
    RP1636: 7/10/2009 2:31:22 PM - System Checkpoint
    RP1637: 7/11/2009 5:11:15 PM - System Checkpoint
    RP1638: 7/12/2009 5:40:55 PM - System Checkpoint
    RP1639: 7/13/2009 7:13:08 PM - System Checkpoint
    RP1640: 7/14/2009 8:03:39 PM - System Checkpoint
    RP1641: 7/15/2009 5:00:37 PM - Software Distribution Service 3.0
    RP1642: 7/16/2009 6:13:08 PM - System Checkpoint
    RP1643: 7/17/2009 6:52:11 PM - System Checkpoint
    RP1644: 7/18/2009 8:50:28 AM - Avg8 Update
    RP1645: 7/18/2009 8:56:05 AM - Avg8 Update
    RP1646: 7/19/2009 9:33:50 AM - System Checkpoint
    RP1647: 7/20/2009 11:54:24 AM - System Checkpoint
    RP1648: 7/21/2009 12:31:20 PM - System Checkpoint
    RP1649: 7/22/2009 12:34:34 PM - System Checkpoint
    RP1650: 7/23/2009 1:22:24 PM - System Checkpoint
    RP1651: 7/24/2009 1:30:50 PM - System Checkpoint

    ==== Installed Programs ======================

    3D Groove Playback Engine
    acer
    Adobe Acrobat 5.0
    Adobe Flash Player 10 ActiveX
    Adobe Reader 7.1.0
    Alcatel SpeedTouch USB Software
    Apple Software Update
    ArcSoft VideoImpression 1.6
    ATI Display Driver
    AVG Free 8.5
    Critical Update for Windows Media Player 11 (KB959772)
    FaxTools
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard
    HijackThis 2.0.2
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    ieSpell
    Indeo® Software
    Index.dat Suite
    Kaspersky Online Scanner
    Lexmark X5100 Series
    LiveUpdate 3.0 (Symantec Corporation)
    LiveUpdate Notice (Symantec Corporation)
    Macromedia Shockwave Player
    McAfee SiteAdvisor
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft ActiveSync
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Data Access Components KB870669
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office XP Professional with FrontPage
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Windows Journal Viewer
    MSN Music Assistant
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    My Search Bar
    Nero Suite
    ninemsn Toolbar
    Nokia Connectivity Cable DKU-2 Drivers
    Nokia Connectivity Cable Driver
    Nokia PC Connectivity Solution
    Nokia PC Suite
    NTI CD & DVD-Maker
    NTI CD & DVD-Maker 6.5 Gold
    NVIDIA Display Driver
    OGA Notifier 1.7.0105.35.0
    Panda ActiveScan
    PowerDVD
    QuickTime
    Realtek AC'97 Audio
    RTLSetup
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB973346)
    SiS 661FX_760_741_M661FX_M760_M741
    Sound Blaster Audigy 2 ZS
    SpywareBlaster v3.5.1
    Symantec KB-DocID:2003093015493306
    Symantec Technical Support Web Controls
    TomTom HOME
    Update for Windows Internet Explorer 8 (KB971930)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    VC_MergeModuleToMSI
    WebFldrs XP
    Windows Defender Signatures
    Windows Driver Package - Nokia Modem (06/12/2006 6.81.0.21)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live installer
    Windows Live Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinPatrol 2009

    ==== Event Viewer Messages From Past Week ========

    7/17/2009 4:08:57 PM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

    ==== End Of File ===========================


    I would appreciate any help.


    Cheers, Shorerider.
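    The Pseudo HJT Report section of the DDS log above is the part a helper reads first, and most of what is read there is mechanical. The following Python is an added example for this thread, not part of DDS, AVG or the original post. It applies four checks to lines in that report format: a target of "No File" (a dangling CLSID, harmless but worth cleaning), a path containing a fragment from a watchlist, a Run-key command whose program is a bare file name (Windows then resolves it through the search path, which is a hijack surface), and an AV/FW line marked *disabled*. The watchlist is an assumption chosen to match the toolbar and adware names visible in this log, not a vendor signature list, and the sample lines are constructed in the report's format.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example for this thread; it is not part of DDS, AVG or the original
post.  Checks applied to each report line:
  * orphan              - target is "No File" (dangling CLSID reference)
  * watchlist           - path contains a fragment from WATCHLIST
  * unqualified-path    - Run-key program is a bare file name, resolved
                          through the search path rather than an absolute path
  * protection-disabled - an AV:/FW: line marked *disabled*
WATCHLIST is an assumption chosen to match names seen in this log.
"""
import re
from dataclasses import dataclass

WATCHLIST = ("myway", "mybar", "mywebsearch", "funwebproducts", "comet", "starware")

ENTRY_RE = re.compile(r"^(?P<kind>[A-Za-z]+):\s*(?P<rest>.+)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")

# Constructed sample in the DDS report format (modelled on the post above).
SAMPLE = r"""
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: My &Search Bar: {0494d0d9-f8e0-41ad-92a3-14154ece70ac} - c:\program files\myway\mybar\1.bin\MYBAR.DLL
EB: Starware: {90c61707-c8f8-43db-a25c-c1f4b18ee41e} - c:\progra~1\comet\bin\csband.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [nwiz] nwiz.exe /install
mRun: [CTHelper] CTHELPER.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
"""


@dataclass
class Finding:
    kind: str    # entry type as printed by DDS (BHO, TB, mRun, ...)
    reason: str  # orphan | watchlist:<hits> | unqualified-path | protection-disabled
    line: str


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def is_qualified(path: str) -> bool:
    """True when the program path is rooted at a drive letter or %VAR%."""
    return bool(re.match(r"^([a-z]:\\|%[^%]+%\\)", path, re.I))


def triage(report: str, watchlist=WATCHLIST) -> list:
    findings = []
    for raw in report.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        low = rest.lower()
        if kind in ("AV", "FW") and "*disabled*" in rest:
            findings.append(Finding(kind, "protection-disabled", raw))
        if rest.endswith("No File"):
            findings.append(Finding(kind, "orphan", raw))
        hits = [w for w in watchlist if w in low]
        if hits:
            findings.append(Finding(kind, "watchlist:" + ",".join(hits), raw))
        if kind in ("uRun", "mRun", "dRun"):
            rm = RUN_RE.match(rest)
            if rm and not is_qualified(executable_of(rm.group("cmd"))):
                findings.append(Finding(kind, "unqualified-path", raw))
    return findings


def summarize(findings) -> dict:
    """Count findings by reason, collapsing watchlist:<hits> to 'watchlist'."""
    counts = {}
    for f in findings:
        key = f.reason.split(":")[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.reason:<28} {f.line.strip()}")
    print(summarize(triage(SAMPLE)))
```

    An unqualified-path hit is a prompt to confirm where the file actually lives (the process list earlier in the log shows SOUNDMAN.EXE and keyhook.exe under c:\windows), not proof of anything; the watchlist hits are the entries a helper would ask about first.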
     
  2. 2009/07/24
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Hi and welcome


    Returning cookies don't really alarm us; they come from a web site you frequent.


    Please download ATF Cleaner by Atribune from here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program
    as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================


    NEXT**
    Please download Malwarebytes' Anti-Malware to your desktop

    Additional Link
    Here also

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location.
    * You can also access the log by doing the following:

    o Click on the Malwarebytes' Anti-Malware icon to launch the program.
    o Click on the Logs tab.
    o Click on the log at the bottom of those listed to highlight it.
    o Click Open.

    Tutorial if needed
    http://thespykiller.co.uk/index.php/topic,5946.0.html

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



    In your next reply post:
    Malwarebytes' Anti-Malware log
    New DDS log
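    The log MBAM writes at the end of this procedure is plain text, one detection per line, in the form `item (Family) -> action`. As an added example, not Malwarebytes' own tooling and not part of the reply above, the following Python parses such a log, counts detections per family, lists items whose action did not complete (the "Delete on reboot" case the Extra Note refers to), and flags the Security Center DisableNotify values: when one of those is set to 1, Windows Security Center stops warning that antivirus, the firewall or updates are off, which is why a scanner reports them as tamper indicators. The sample lines are constructed in the 1.x log format.

```python
"""Summarise a Malwarebytes' Anti-Malware 1.x text log.

Added example for this thread; it is not Malwarebytes' own tooling and not
part of the reply above.  It groups detections by family, lists items whose
action did not complete (typically "Delete on reboot"), and flags Security
Center *DisableNotify values found set to 1, which silence the Windows
Security Center warning that AV, firewall or updates are off.
The SAMPLE lines are constructed in the log format posted in this thread.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
DATA_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")
TAMPER_VALUES = {"antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify"}

SAMPLE = r"""
Registry Keys Infected: 2
Registry Data Items Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\rs.txt (Malware.Trace) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Delete on reboot.
"""


@dataclass
class Entry:
    section: Optional[str]  # e.g. "Registry Keys Infected"
    item: str               # registry path, folder or file
    family: str             # MBAM family label, e.g. Adware.MyWebSearch
    bad: Optional[str]      # value found (registry data items only)
    good: Optional[str]     # value MBAM restored (registry data items only)
    action: str             # what MBAM did with the item


def parse_log(text: str) -> list:
    """Parse detection lines; summary counts and '(No malicious items detected)' are skipped."""
    section = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):      # section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        item, family, rest = m.group("item", "family", "rest")
        bad = good = None
        action = rest
        dm = DATA_RE.match(rest)            # "Bad: (1) Good: (0) -> action" form
        if dm:
            bad, good, action = dm.group("bad", "good", "action")
        entries.append(Entry(section, item, family, bad, good, action))
    return entries


def families(entries) -> Counter:
    return Counter(e.family for e in entries)


def tamper_findings(entries) -> list:
    """Names of Security Center *DisableNotify values that were found set to 1."""
    hits = []
    for e in entries:
        path, _, name = e.item.rpartition("\\")
        if path.lower().endswith("\\security center") and name.lower() in TAMPER_VALUES and e.bad == "1":
            hits.append(name)
    return hits


def pending_reboot(entries) -> list:
    """Items whose action did not complete during the scan."""
    return [e.item for e in entries if "successfully" not in e.action.lower()]


if __name__ == "__main__":
    es = parse_log(SAMPLE)
    print("by family:", dict(families(es)))
    print("tamper:", tamper_findings(es))
    print("pending reboot:", pending_reboot(es))
```

    Anything in the pending list is the reason the Extra Note says to reboot when asked: until then the file is still on disk, and a second scan or a new DDS log will show it again.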
     

  4. 2009/07/24
    Shorerider

    Shorerider Inactive Thread Starter

    Joined:
    2006/09/30
    Messages:
    93
    Likes Received:
    0
    Thanks for the reply Juliet,


    It's been happening on a few websites I visit: Google, eBay and MSN Hotmail, for example. I just wanted to make sure it wasn't being caused by a less obvious, deeper rooted infection.

    Logs as requested to follow,


    Malwarebytes' Anti-Malware 1.39
    Database version: 2494
    Windows 5.1.2600 Service Pack 3

    7/25/2009 8:23:00 AM
    mbam-log-2009-07-25 (08-23-00).txt

    Scan type: Quick Scan
    Objects scanned: 93224
    Time elapsed: 11 minute(s), 27 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 27
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 8
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{0985c112-2562-46f2-8da6-92648ba4630f} (Adware.ISTBar) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{014da6c9-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{84da4fdf-a1cf-4195-8688-3e961f505983} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{062efa85-8bbb-11d3-80d0-00500487b1c5} (Spyware.Comet.Cursor) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{67907b3c-a6ef-4a01-99ad-3fcd5f526429} (Adware.ISTBar) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7c559105-9ecf-42b8-b3f7-832e75edd959} (Adware.ISTBar) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{511f9316-771b-4953-a268-1c36da667fe9} (Dialer) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8} (Adware.180Solutions) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{deceaaa2-370a-49bb-9362-68c3a58ddc62} (Adware.180Solutions) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\mywebsearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\mywebsearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\mywebsearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\funwebproducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\funwebproducts\screensaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\funwebproducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Files Infected:
    c:\program files\mywebsearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\mywebsearch\bar\Settings\prevcfg2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\mywebsearch\bar\History\search2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\WINDOWS\rs.txt (Malware.Trace) -> Quarantined and deleted successfully.




    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-06-26.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/29/2004 6:58:06 PM
    System Uptime: 7/25/2009 7:22:25 AM (1 hours ago)

    Motherboard: Acer | | E61ML
    Processor: Intel(R) Celeron(R) CPU 2.60GHz | Socket 478 | 2600/100mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (FAT32) - 37 GiB total, 10.887 GiB free.
    D: is CDROM ()
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID:
    Description:
    Device ID: ROOT\LEGACY_NPF\0000
    Manufacturer:
    Name:
    PNP Device ID: ROOT\LEGACY_NPF\0000
    Service:

    ==== System Restore Points ===================

    RP1595: 5/26/2009 8:12:14 PM - System Checkpoint
    RP1596: 5/27/2009 8:38:26 PM - System Checkpoint
    RP1597: 5/28/2009 9:40:13 PM - System Checkpoint
    RP1598: 5/29/2009 10:58:37 PM - System Checkpoint
    RP1599: 5/30/2009 11:45:44 PM - System Checkpoint
    RP1600: 6/1/2009 6:45:46 PM - System Checkpoint
    RP1601: 6/2/2009 7:18:51 PM - System Checkpoint
    RP1602: 6/11/2009 1:43:17 PM - System Checkpoint
    RP1603: 6/12/2009 5:03:42 PM - Software Distribution Service 3.0
    RP1604: 6/13/2009 5:07:31 PM - System Checkpoint
    RP1605: 6/14/2009 5:49:42 PM - System Checkpoint
    RP1606: 6/15/2009 5:15:25 PM - Software Distribution Service 3.0
    RP1607: 6/15/2009 9:38:03 PM - Software Distribution Service 3.0
    RP1608: 6/16/2009 5:00:36 PM - Software Distribution Service 3.0
    RP1609: 6/17/2009 5:25:20 PM - System Checkpoint
    RP1610: 6/18/2009 5:41:35 PM - System Checkpoint
    RP1611: 6/19/2009 5:54:29 PM - System Checkpoint
    RP1612: 6/20/2009 6:21:36 PM - System Checkpoint
    RP1613: 6/21/2009 6:46:01 PM - System Checkpoint
    RP1614: 6/22/2009 7:23:39 PM - System Checkpoint
    RP1615: 6/23/2009 4:09:43 PM - Avg8 Update
    RP1616: 6/23/2009 4:21:08 PM - Avg8 Update
    RP1617: 6/24/2009 7:53:28 AM - Software Distribution Service 3.0
    RP1618: 6/25/2009 5:49:30 PM - System Checkpoint
    RP1619: 6/26/2009 8:14:25 PM - System Checkpoint
    RP1620: 6/27/2009 8:53:42 PM - System Checkpoint
    RP1621: 6/29/2009 9:03:54 AM - System Checkpoint
    RP1622: 6/30/2009 9:27:49 AM - System Checkpoint
    RP1623: 7/1/2009 10:44:38 AM - System Checkpoint
    RP1624: 7/2/2009 11:14:55 AM - Installed MyDSC2
    RP1625: 7/3/2009 11:48:34 AM - System Checkpoint
    RP1626: 7/3/2009 8:48:19 PM - Removed Microsoft ActiveSync
    RP1627: 7/3/2009 9:26:09 PM - Removed Microsoft ActiveSync
    RP1628: 7/3/2009 9:33:14 PM - Installed Microsoft ActiveSync
    RP1629: 7/3/2009 9:51:33 PM - Removed Microsoft ActiveSync
    RP1630: 7/3/2009 10:00:22 PM - Installed Microsoft ActiveSync
    RP1631: 7/4/2009 10:52:28 PM - System Checkpoint
    RP1632: 7/6/2009 12:48:12 PM - System Checkpoint
    RP1633: 7/7/2009 1:43:06 PM - System Checkpoint
    RP1634: 7/8/2009 1:46:09 PM - System Checkpoint
    RP1635: 7/9/2009 2:22:43 PM - System Checkpoint
    RP1636: 7/10/2009 2:31:22 PM - System Checkpoint
    RP1637: 7/11/2009 5:11:15 PM - System Checkpoint
    RP1638: 7/12/2009 5:40:55 PM - System Checkpoint
    RP1639: 7/13/2009 7:13:08 PM - System Checkpoint
    RP1640: 7/14/2009 8:03:39 PM - System Checkpoint
    RP1641: 7/15/2009 5:00:37 PM - Software Distribution Service 3.0
    RP1642: 7/16/2009 6:13:08 PM - System Checkpoint
    RP1643: 7/17/2009 6:52:11 PM - System Checkpoint
    RP1644: 7/18/2009 8:50:28 AM - Avg8 Update
    RP1645: 7/18/2009 8:56:05 AM - Avg8 Update
    RP1646: 7/19/2009 9:33:50 AM - System Checkpoint
    RP1647: 7/20/2009 11:54:24 AM - System Checkpoint
    RP1648: 7/21/2009 12:31:20 PM - System Checkpoint
    RP1649: 7/22/2009 12:34:34 PM - System Checkpoint
    RP1650: 7/23/2009 1:22:24 PM - System Checkpoint
    RP1651: 7/24/2009 1:30:50 PM - System Checkpoint

    ==== Installed Programs ======================

    3D Groove Playback Engine
    acer
    Adobe Acrobat 5.0
    Adobe Flash Player 10 ActiveX
    Adobe Reader 7.1.0
    Alcatel SpeedTouch USB Software
    Apple Software Update
    ArcSoft VideoImpression 1.6
    ATI Display Driver
    AVG Free 8.5
    Critical Update for Windows Media Player 11 (KB959772)
    FaxTools
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard
    HijackThis 2.0.2
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    ieSpell
    Indeo® Software
    Index.dat Suite
    Kaspersky Online Scanner
    Lexmark X5100 Series
    LiveUpdate 3.0 (Symantec Corporation)
    LiveUpdate Notice (Symantec Corporation)
    Macromedia Shockwave Player
    Malwarebytes' Anti-Malware
    McAfee SiteAdvisor
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft ActiveSync
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Data Access Components KB870669
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office XP Professional with FrontPage
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Windows Journal Viewer
    MSN Music Assistant
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    My Search Bar
    Nero Suite
    ninemsn Toolbar
    Nokia Connectivity Cable DKU-2 Drivers
    Nokia Connectivity Cable Driver
    Nokia PC Connectivity Solution
    Nokia PC Suite
    NTI CD & DVD-Maker
    NTI CD & DVD-Maker 6.5 Gold
    NVIDIA Display Driver
    OGA Notifier 1.7.0105.35.0
    Panda ActiveScan
    PowerDVD
    QuickTime
    Realtek AC'97 Audio
    RTLSetup
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB973346)
    SiS 661FX_760_741_M661FX_M760_M741
    Sound Blaster Audigy 2 ZS
    SpywareBlaster v3.5.1
    Symantec KB-DocID:2003093015493306
    Symantec Technical Support Web Controls
    TomTom HOME
    Update for Windows Internet Explorer 8 (KB971930)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    VC_MergeModuleToMSI
    WebFldrs XP
    Windows Defender Signatures
    Windows Driver Package - Nokia Modem (06/12/2006 6.81.0.21)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live installer
    Windows Live Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinPatrol 2009

    ==== Event Viewer Messages From Past Week ========

    7/24/2009 8:15:01 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    7/20/2009 11:30:09 AM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

    ==== End Of File ===========================


    Thanks,

    Shorerider.:)
     
  5. 2009/07/24
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    It can come from web ads on their sites.

    MBAM found mainly adware.

    Let's make sure to get Adobe updated since it's high on the list of exploitable programs.

    Your version of Adobe is out of date.

    You can obtain the latest version of Adobe Reader from here, and the latest version of Flash Player from here.
    For more information and links to Adobe updates and downloads, click here.



    NEXT**
    We'll check for remnants.


    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, so please be patient.

    *Note
    It is recommended to disable the onboard antivirus program and antispyware programs while performing scans, so that there are no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.



    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Ensure your external and/or USB/Flash or Pen drives are inserted during the scan.


    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
      * Click on: Save Report As
      * Next, in the Save as prompt, Save in area, select: Desktop
      * In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
      * Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with the IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    Kaspersky log


    Please give me an update on how the computer is now.
     
  6. 2009/08/06
    Shorerider

    Shorerider Inactive Thread Starter

    Joined:
    2006/09/30
    Messages:
    93
    Likes Received:
    0

    It happens when I access this site too!!!

    Kaspersky log: (I hope I've done this correctly)

    KASPERSKY ONLINE SCANNER 7.0 REPORT
    Thursday, August 6, 2009
    Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Program database last update: Wednesday, August 05, 2009 12:12:58
    Records in database: 2582653


    Scan settings
    Scan using the following database extended
    Scan archives yes
    Scan mail databases yes

    Scan area My Computer
    A:\
    C:\
    D:\
    E:\

    Scan statistics
    Files scanned 77475
    Threat name 3
    Infected objects 3
    Suspicious objects 0
    Duration of the scan 02:50:27

    File name Threat name Threats count
    C:\Documents and Settings\The Cauchi's\Local Settings\Temporary Internet Files\Content.IE5\JMEVBTW1\xyachuch[1].swf Infected: Exploit.SWF.Downloader.nx 1

    C:\Documents and Settings\The Cauchi's\Local Settings\Temporary Internet Files\Content.IE5\9PUD484W\ciceroOnlyDolor[1].pdf Infected: Exploit.Win32.Pidief.bfz 1

    C:\Documents and Settings\The Cauchi's\Local Settings\Temporary Internet Files\Content.IE5\DZW59D2B\index[3].htm Infected: Trojan-Downloader.JS.Iframe.bmu 1

    The selected area was scanned.


    I'm still getting the same AVG notification.

    Also, another thing which may be of concern is that each time I open an IE window, it is never at full screen. (Note: this is OK now since removing the one infection found by the Kaspersky scan.)


    Thanks for your patience,

    Shorerider.
     
    Last edited: 2009/08/06
  7. 2009/08/06
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back

    Do you have two antivirus programs on the machine? By chance Symantec/Norton and AVG?

    In case you do, please decide which to keep and which to uninstall, or we will run into problems having two onboard.



    Download OTM by OldTimer Here & save it to your desktop.
    • Double click on OTM.exe to run it
    • Copy & paste the contents of the Code box below into Paste Instructions for Items to be Moved
    Note: Do not type it out to minimize the risk of typo error
    Code:
    :Files
    C:\Documents and Settings\The Cauchi's\Local Settings\Temporary Internet Files\Content.IE5\JMEVBTW1\xyachuch[1].swf
    C:\Documents and Settings\The Cauchi's\Local Settings\Temporary Internet Files\Content.IE5\9PUD484W\ciceroOnlyDolor[1].pdf
    C:\Documents and Settings\The Cauchi's\Local Settings\Temporary Internet Files\Content.IE5\DZW59D2B\index[3].htm 
    :Commands
    [Purity]
    [EmptyTemp]
    [Start Explorer]
    [Reboot]
    
    
    • Click on MoveIt!
    • When done, click on Exit
    Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.
    A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.


    ~~~~~~~~~~~~~~~~~~~~~~~~

    Download Trend Micro HijackThis™ and save to desktop.
    It is important that you uninstall any previous versions by using Add/Remove programs in your control panel before installing a newer version.
    Double-click the HJTInstall.exe to start it.
    By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.


    Accept the license agreement by clicking the "I Accept" button.
    Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    Click "Save log" to save the log file and then the log will open in Notepad.
    Click on Edit-> Select All then click on "Edit -> Copy " to copy the entire contents of the log.




    In your next reply please post:
    OTM log
    HJT log
     
  8. 2009/08/06
    Shorerider

    Shorerider Inactive Thread Starter

    Joined:
    2006/09/30
    Messages:
    93
    Likes Received:
    0
    Juliet,

    I did have Norton, however it has been uninstalled for a while now. I have since installed AVG. I did still have two Norton related programs which you obviously have seen in one of the logs. They have now been removed. Please let me know if any other part of Norton still exists, and I'll remove it.


    OTM log:

    All processes killed
    ========== FILES ==========
    C:\Documents and Settings\The Cauchi's\Local Settings\Temporary Internet Files\Content.IE5\JMEVBTW1\xyachuch[1].swf moved successfully.
    C:\Documents and Settings\The Cauchi's\Local Settings\Temporary Internet Files\Content.IE5\9PUD484W\ciceroOnlyDolor[1].pdf moved successfully.
    C:\Documents and Settings\The Cauchi's\Local Settings\Temporary Internet Files\Content.IE5\DZW59D2B\index[3].htm moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: All Users

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: The Cauchi's
    ->Temp folder emptied: 96571881 bytes
    File delete failed. C:\Documents and Settings\The Cauchi's\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    ->Temporary Internet Files folder emptied: 387185782 bytes
    ->Java cache emptied: 20964740 bytes

    User: Owner

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 19569 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    Windows Temp folder emptied: 816291 bytes
    RecycleBin emptied: 513452901 bytes

    Total Files Cleaned = 971.84 mb

    Error: Unable to interpret <[Reboo> in the current context!

    OTM by OldTimer - Version 3.0.0.5 log created on 08072009_075736

    Files moved on Reboot...

    Registry entries deleted on Reboot...


    HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:10:42 AM, on 8/7/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\notepad.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\WINDOWS\System32\keyhook.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
    C:\Program Files\BillP Studios\WinPatrolScotty2009\winpatrol.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TomTom HOME 2\HOMERunner.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-au\msntb.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-au\msntb.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe "
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe "
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrolScotty2009\winpatrol.exe -expressboot
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe "
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe "
    O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
    O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180506225375
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 8296 bytes


    Thanks,

    Shorerider.
     
  9. 2009/08/06
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back


    Actually, not all the Norton files/folders came off and the services have remained.
    We'll attempt to take the remainders out.


    Please disable Winpatrol, as it may hinder the removal of some entries. You can re-enable it after you're clean.
    Right click the running icon of winpatrol, and choose exit.


    Open HijackThis, click Do a system scan only, and checkmark these. Then close all other windows and browsers except HijackThis and press Fix checked.

    O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe




    The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    (Description: A small program that reminds you to register your Creative Labs product (i.e. sound card, video card). Unnecessary. Removing this will free up a small amount of system resources.)


    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe"
    (Description: MSN Messenger Updater. Not necessary. Removing this entry will free up a small amount of system resources.)

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    (Description: Adobe reader startup - unnecessarily uses system resources.)

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    (Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    (Description: Nvidia system tray applet. Not necessary. Removing this entry will free up a small amount of system resources.)

    O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
    (Description: Nvidia system tray applet. Not necessary. Removing this entry will free up a small amount of system resources.)

    O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
    (Description: Nvidia system tray applet. Not necessary. Removing this entry will free up a small amount of system resources.)







    • Double click on OTM.exe to run it
    • Copy & paste the contents of the Code box below into Paste Instructions for Items to be Moved
    Note: Do not type it out to minimize the risk of typo error
    Code:
    :Files
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\PROGRA~1\SYMNET~1\SNDWarn.exe
    C:\Program Files\Common Files\Symantec Shared
    :Commands
    [Purity]
    [EmptyTemp]
    [Start Explorer]
    [Reboot]
    
    • Click on MoveIt!
    • When done, click on Exit
    Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.
    A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.


    In your next reply post:
    OTM log
    new HJT log


    How's your computer now?
     
    Last edited: 2009/08/06
  10. 2009/08/07
    Shorerider

    Shorerider Inactive Thread Starter

    Joined:
    2006/09/30
    Messages:
    93
    Likes Received:
    0
    Juliet,

    Thanks for your help so far, it's much appreciated. I have 'fixed' all suggested entries. Unfortunately the initial 'tracking cookie' problem when accessing IE is still present (when accessing this page too).


    OTM log:


    All processes killed
    ========== FILES ==========
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe moved successfully.
    C:\PROGRA~1\SYMNET~1\SNDWarn.exe moved successfully.
    C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070915.008 moved successfully.
    C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070806.009 moved successfully.
    C:\Program Files\Common Files\Symantec Shared\VirusDefs\Savrt moved successfully.
    C:\Program Files\Common Files\Symantec Shared\VirusDefs moved successfully.
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC moved successfully.
    C:\Program Files\Common Files\Symantec Shared\IDSDefs moved successfully.
    C:\Program Files\Common Files\Symantec Shared\SPManifests moved successfully.
    C:\Program Files\Common Files\Symantec Shared moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: The Cauchi's
    ->Temp folder emptied: 120657 bytes
    File delete failed. C:\Documents and Settings\The Cauchi's\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    ->Temporary Internet Files folder emptied: 162596867 bytes
    ->Java cache emptied: 0 bytes

    User: Owner

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    Windows Temp folder emptied: 347 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 155.21 mb


    OTM by OldTimer - Version 3.0.0.5 log created on 08072009_174421

    Files moved on Reboot...

    Registry entries deleted on Reboot...



    HJT log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:21:22 PM, on 8/7/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\notepad.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\WINDOWS\System32\keyhook.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
    C:\Program Files\BillP Studios\WinPatrolScotty2009\winpatrol.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TomTom HOME 2\HOMERunner.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-au\msntb.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-au\msntb.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrolScotty2009\winpatrol.exe -expressboot
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
    O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180506225375
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

    --
    End of file - 7134 bytes



    Thanks, Shorerider.
     
  11. 2009/08/07
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Hi there. Tracking cookies are a fact of life and in and of themselves are not harmful. In my opinion they should not even detect cookies, as that causes more problems than they are worth.

    I run this program every day just before shutdown:




    Please download ATF Cleaner by Atribune.
    Download - ATF Cleaner

    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.


    (If you use FireFox or the Opera browser
    To keep saved passwords, click No at the prompt.)

    It's normal after running ATF cleaner that the PC will be slower to boot the first time.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    A cookie is a small amount of data that a Web site stores on your hard disk. The purpose of a cookie is to store a preference that you specify, such as custom page, or to allow you to return to a site later and pick up where you left off, such as when using a Web-based message board. Some sites also use cookies to store information as you move from page to page on a site. Depending on your browser type, you may be alerted when a site is about to set a cookie on your hard drive. If notified of the cookie installation you may accept or reject the cookie.

    Note: There are some Web site Start pages that require cookies, so if you disable or selectively disable cookies, be sure to allow them for access to our content.





    The following site provides more information about cookies: http://support.microsoft.com/servicedesks/webcasts/wc022001/wcblurb022001.asp

    A HOSTS file will block atdmt.com as well as many other tracking cookies and unwanted parasites. Blocking Unwanted Cookies with IE 7:
    http://www.mvps.org/winhelp2002/cookies.htm


    Also see this bleepingcomputer tutorial
    http://www.bleepingcomputer.com/tutorials/tutorial51.html


    From what I can see so far the machine is essentially clean, what other malware problems are you having?
     
    Last edited: 2009/08/07
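    The two mechanisms Juliet describes above (a HOSTS file that blackholes ad-network hostnames, and the per-file cookies IE keeps in the Cookies folder) can be checked rather than guessed at. The script below is an added example written for this archive, not a tool from the thread or from any of the products mentioned. The HOSTS text and the cookie directory listing are constructed; two of the cookie file names copy entries that appear in the SUPERAntiSpyware log posted later in the thread, and every hostname other than atdmt.com and ads.infinisource.com is a placeholder. The point a practitioner will want to see is the HOSTS caveat: the file matches exact hostnames only, so an entry for atdmt.com does nothing for a subdomain of it, which is why published block lists enumerate each subdomain an ad network uses.

    ```python
    """HOSTS-file and IE cookie-folder check for advertising trackers.

    Added example for this thread, not a tool from the page. The HOSTS text and
    the cookie file names below are constructed (two names copy entries from the
    SUPERAntiSpyware log posted later in the thread); hostnames other than
    atdmt.com and ads.infinisource.com are placeholders.
    """
    import re

    # Constructed HOSTS content. MVPS-style lists map unwanted hosts to 0.0.0.0;
    # older lists use 127.0.0.1. Both count as "blocked" here.
    SAMPLE_HOSTS = """\
    # Copyright (c) 1993-1999 Microsoft Corp.
    127.0.0.1       localhost
    0.0.0.0  atdmt.com
    0.0.0.0  view.atdmt.com   # placeholder subdomain
    0.0.0.0  ads.infinisource.com
    """

    # Constructed directory listing of an IE Cookies folder. IE writes one file per
    # cookie, named <user>@<host-without-tld>[<n>].txt; the real domain is inside.
    SAMPLE_COOKIE_FILES = [
        "the_cauchi's@atdmt[2].txt",
        "the_cauchi's@ads.infinisource[1].txt",
        "the_cauchi's@windowsbbs[1].txt",
        "index.dat",
    ]

    # Tracker label (as it appears in a cookie file name) -> hostnames that a
    # HOSTS file must list individually to stop the browser reaching them.
    # m.atdmt.com is a placeholder chosen to be absent from SAMPLE_HOSTS.
    TRACKERS = {
        "atdmt": ["atdmt.com", "view.atdmt.com", "m.atdmt.com"],
        "ads.infinisource": ["ads.infinisource.com"],
    }

    BLACKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1"}
    COOKIE_FILE_RE = re.compile(r"^(?P<user>.+?)@(?P<host>[^\[\]]+)\[(?P<n>\d+)\]\.txt$", re.I)


    def parse_hosts(text):
        """Return {hostname: address} for every active (non-comment) HOSTS entry."""
        mapping = {}
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()      # strip comments
            if not line:
                continue
            addr, *names = line.split()
            for name in names:
                mapping[name.lower()] = addr
        return mapping


    def is_blocked(hostname, hosts_map):
        """True only when this exact hostname maps to a blackhole address.

        HOSTS has no wildcards: an entry for atdmt.com does nothing for
        m.atdmt.com, which is why published block lists enumerate subdomains.
        """
        hostname = hostname.lower()
        return hostname != "localhost" and hosts_map.get(hostname) in BLACKHOLE_ADDRS


    def cookie_host(filename):
        """Host label from an IE cookie file name, or None for other files."""
        m = COOKIE_FILE_RE.match(filename)
        return m.group("host").lower() if m else None


    def find_tracker_cookies(filenames, tracker_labels):
        """Cookie files whose host label is a tracker or one of its subdomains."""
        hits = []
        for name in filenames:
            label = cookie_host(name)
            if label and any(label == t or label.endswith("." + t) for t in tracker_labels):
                hits.append(name)
        return hits


    def audit(hosts_text, cookie_filenames, trackers=TRACKERS):
        """Which tracker hosts the HOSTS file still lets through, and which
        tracker cookies are already sitting in the Cookies folder."""
        hosts_map = parse_hosts(hosts_text)
        unblocked = [h for hosts in trackers.values() for h in hosts
                     if not is_blocked(h, hosts_map)]
        return {
            "unblocked_hosts": unblocked,
            "tracker_cookies": find_tracker_cookies(cookie_filenames, trackers),
        }


    if __name__ == "__main__":
        for key, value in audit(SAMPLE_HOSTS, SAMPLE_COOKIE_FILES).items():
            print(key, value)
    ```

    On a real XP machine the HOSTS text would be read from C:\WINDOWS\system32\drivers\etc\hosts and the listing from the user's Cookies folder. A tracker cookie file reappearing after deletion is consistent with what the thread concludes: any visited page that embeds that ad network's content sets it again, so it is evidence of third-party content loading, not of an infection on the machine.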
  12. 2009/08/08
    Shorerider

    Shorerider Inactive Thread Starter

    Joined:
    2006/09/30
    Messages:
    93
    Likes Received:
    0
    Juliet,

    After all your help, for some reason the problem is still present. I'm a little confused as to why all of a sudden (over the past month) I'm having this annoying problem with this one cookie regardless of the website. I've been visiting a handful of websites for years now, including this one without issue.

    For now I've altered my First and Third party cookies to block, then added the websites I frequent to allow, and this seems to have stopped the problem.



    I'm not sure if its relevant, but I'll inform you anyway. I can't activate my Windows firewall for some reason. I can't view any settings either as I get this "Due to an unidentified problem, Windows cannot display Windows Firewall settings" when trying to do so.

    Also, once I select "I have a Firewall solution I'll monitor myself" I get this system tray notification: "Norton Internet worm protection is turned off. Click this balloon to fix this problem".

    If you think this is an unrelated problem, and warrants a new thread, please let me know and I'll start a new one.

    Other than that, my machine is performing fine.


    Thank you for all your help :D,

    Shorerider.
     
  13. 2009/08/08
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back


    It appears Norton does not want to fully remove itself from the machine.

    I went after the obvious of what I could see, now it's time to use the Norton removal tool.


    Download and run the Norton Removal Tool
    http://service1.symantec.com/SUPPOR...007082908475279&nsf=norton2008.nsf&view=docid



    This should stop any Norton notifications. After running the tool see if this corrects the issues with Windows Firewall, if not:

    "Windows cannot display Windows Firewall settings" error while accessing Firewall settings in Windows XP
    http://windowsxp.mvps.org/sharedaccess.htm

    http://support.microsoft.com/kb/920074


    There are some very good suggestions in the above links.

    Post back and let me know how it goes.
     
  14. 2009/08/08
    Shorerider

    Shorerider Inactive Thread Starter

    Joined:
    2006/09/30
    Messages:
    93
    Likes Received:
    0
    Um..............I don't know how to tell you this Juliet, but after all this, the initial problem is STILL present.:(

    Even after setting my First and Third party cookies to block!!! It appeared to work at first, as I opened the websites it happens on including this one, several times and it didn't happen. Now its the same as before.:confused: Any ideas?

    On a more positive note the Firewall problem is all fixed.


    Thanks,

    Shorerider.
     
  15. 2009/08/09
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Did you try a Host file?

    You may also like trying a different browser like Firefox, used by a ton of people including myself, and I love it.
    Totally more secure than IE.


    Firefox 3
    The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 3 adds powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.
    *NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.



    Let's do this:

    Please download and install SUPERAntiSpyware Home Edition (free edition)

    • Load SUPERAntiSpyware and click the Check for Updates button.
    • Once the update has finished, exit SUPERAntiSpyware. Please do NOT run a scan yet!
    IMPORTANT: Do NOT open any other windows or programs while SUPERAntiSpyware is scanning, it may interfere with the scanning process.
    • Open SUPERAntiSpyware and click the Scan your Computer button.
    • Check Perform Complete Scan and then click Next.
    • SUPERAntiSpyware will now scan your computer and when it’s finished it will list all the infections it has found.
    • Make sure that they all have a check next to them, and then click Next.
    • Click Finish and you will be taken back to the main interface.
    • It could be possible that it will ask you to reboot your computer in order to delete some files after reboot.
    • I'll need a log afterwards of what has been found.
    • To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.
    • Please post the results of the SUPERAntiSpyware log in your next reply.
     
  16. 2009/08/10
    Shorerider

    Shorerider Inactive Thread Starter

    Joined:
    2006/09/30
    Messages:
    93
    Likes Received:
    0
    Juliet,


    I ran SUPERAntiSpyware. I got this error message after I tried to Quarantine/Delete the infections - "R6205-Pure Virtual Function Call"

    I performed a second scan to be sure that the infections had been removed, and the scan found nothing.

    Note: I am also getting the notification upon exiting SUPERAntiSpyware, with no IE or any other windows open!!!

    I have now tried a HOST file (was a little confused on the procedure, but I think I did it correctly) and cleaned up infections with SUPERAntiSpyware and the problem is still present.:mad:

    I may try Firefox at some stage, especially if we can't sort out this problem.



    SUPERAntiSpyware Log:


    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 08/10/2009 at 09:19 AM

    Application Version : 4.27.1002

    Core Rules Database Version : 4046
    Trace Rules Database Version: 1986

    Scan type : Complete Scan
    Total Scan Time : 01:11:31

    Memory items scanned : 413
    Memory threats detected : 0
    Registry items scanned : 6105
    Registry threats detected : 183
    File items scanned : 21841
    File threats detected : 5

    Adware.MyWay
    HKLM\Software\Classes\CLSID\{0494D0D9-F8E0-41ad-92A3-14154ECE70AC}
    HKCR\CLSID\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}
    HKCR\CLSID\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}
    HKCR\CLSID\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}\InprocServer32
    HKCR\CLSID\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}\InprocServer32#ThreadingModel
    HKCR\CLSID\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}\Programmable
    HKCR\CLSID\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}\TypeLib
    HKCR\TypeLib\{0494D0D0-F8E0-41ad-92A3-14154ECE70AC}
    HKCR\TypeLib\{0494D0D0-F8E0-41ad-92A3-14154ECE70AC}\1.0
    HKCR\TypeLib\{0494D0D0-F8E0-41ad-92A3-14154ECE70AC}\1.0\0
    HKCR\TypeLib\{0494D0D0-F8E0-41ad-92A3-14154ECE70AC}\1.0\0\win32
    HKCR\TypeLib\{0494D0D0-F8E0-41ad-92A3-14154ECE70AC}\1.0\FLAGS
    HKCR\TypeLib\{0494D0D0-F8E0-41ad-92A3-14154ECE70AC}\1.0\HELPDIR
    C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC}
    HKU\S-1-5-21-657795437-1532908729-4079810017-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC}
    HKU\S-1-5-21-657795437-1532908729-4079810017-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC}
    HKCR\MyWayToolBar.NetscapeShutdown
    HKCR\MyWayToolBar.NetscapeShutdown\CLSID
    HKCR\MyWayToolBar.NetscapeShutdown\CurVer
    HKCR\MyWayToolBar.NetscapeShutdown.1
    HKCR\MyWayToolBar.NetscapeShutdown.1\CLSID
    HKCR\MyWayToolBar.NetscapeStartup
    HKCR\MyWayToolBar.NetscapeStartup\CLSID
    HKCR\MyWayToolBar.NetscapeStartup\CurVer
    HKCR\MyWayToolBar.NetscapeStartup.1
    HKCR\MyWayToolBar.NetscapeStartup.1\CLSID
    HKCR\MyWayToolBar.SettingsPlugin
    HKCR\MyWayToolBar.SettingsPlugin\CLSID
    HKCR\MyWayToolBar.SettingsPlugin\CurVer
    HKCR\MyWayToolBar.SettingsPlugin.1
    HKCR\MyWayToolBar.SettingsPlugin.1\CLSID
    HKCR\CLSID\{014DA6CD-189F-421a-88CD-07CFE51CFF10}
    HKCR\CLSID\{014DA6CD-189F-421a-88CD-07CFE51CFF10}\InProcServer32
    HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}
    HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}\Control
    HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32
    HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32#ThreadingModel
    HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}\MiscStatus
    HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}\MiscStatus\1
    HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}\Programmable
    HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}\TypeLib
    HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}\Version
    HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}
    HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}\Control
    HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32
    HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32#ThreadingModel
    HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}\MiscStatus
    HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}\MiscStatus\1
    HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}\Programmable
    HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}\TypeLib
    HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}\Version
    HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}
    HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32
    HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32#ThreadingModel
    HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}\ProgID
    HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}\Programmable
    HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}\TypeLib
    HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}\VersionIndependentProgID
    HKCR\CLSID\{0494D0D7-F8E0-41ad-92A3-14154ECE70AC}
    HKCR\CLSID\{0494D0D7-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32
    HKCR\CLSID\{0494D0D7-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32#ThreadingModel
    HKCR\CLSID\{0494D0D7-F8E0-41ad-92A3-14154ECE70AC}\ProgID
    HKCR\CLSID\{0494D0D7-F8E0-41ad-92A3-14154ECE70AC}\Programmable
    HKCR\CLSID\{0494D0D7-F8E0-41ad-92A3-14154ECE70AC}\TypeLib
    HKCR\CLSID\{0494D0D7-F8E0-41ad-92A3-14154ECE70AC}\VersionIndependentProgID
    HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}
    HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\Control
    HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32
    HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32#ThreadingModel
    HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\MiscStatus
    HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\MiscStatus\1
    HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\ProgID
    HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\Programmable
    HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\TypeLib
    HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\Version
    HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\VersionIndependentProgID
    HKLM\Software\MyWay
    HKLM\Software\MyWay\myBar
    HKLM\Software\MyWay\myBar#Dir
    HKLM\Software\MyWay\myBar#ShzmCurInstall
    HKLM\Software\MyWay\myBar#pid
    HKLM\Software\MyWay\myBar#strings
    HKLM\Software\MyWay\myBar#CurInstall
    HKLM\Software\MyWay\myBar#sr
    HKLM\Software\MyWay\myBar#pl
    HKLM\Software\MyWay\myBar#Id
    HKLM\Software\MyWay\myBar#Build
    HKLM\Software\MyWay\myBar#CacheDir
    HKLM\Software\MyWay\myBar#HistoryDir
    HKLM\Software\MyWay\myBar#Visible
    HKLM\Software\MyWay\myBar#Maximized
    HKLM\Software\MyWay\myBar#SettingsDir
    HKLM\Software\MyWay\myBar#ConfigRevision
    HKLM\Software\MyWay\myBar#ConfigRevisionURL
    HKLM\Software\MyWay\myBar#ConfigDateStamp
    HKLM\Software\MyWay\myBar\partner
    HKLM\Software\MyWay\myBar\partner#bitmap
    HKLM\Software\MyWay\myBar\partner#name
    HKLM\Software\MyWay\myBar\partner#test
    HKLM\Software\MyWay\myBar\partner#PM-Home
    HKLM\Software\MyWay\myBar\partner#PM-Points
    HKLM\Software\MyWay\myBar\partner#PM-Redeem
    HKLM\Software\MyWay\myBar\partner#PM-Wallet
    HKLM\Software\MyWay\myBar\partner#PM-Settings
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#DisplayName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#HelpLink
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#Publisher
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#UninstallString
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#UrlInfoAbout
    HKCR\Interface\{0494D0D4-F8E0-41AD-92A3-14154ECE70AC}
    HKCR\Interface\{0494D0D4-F8E0-41AD-92A3-14154ECE70AC}\ProxyStubClsid
    HKCR\Interface\{0494D0D4-F8E0-41AD-92A3-14154ECE70AC}\ProxyStubClsid32
    HKCR\Interface\{0494D0D4-F8E0-41AD-92A3-14154ECE70AC}\TypeLib
    HKCR\Interface\{0494D0D4-F8E0-41AD-92A3-14154ECE70AC}\TypeLib#Version
    HKCR\Interface\{0494D0D6-F8E0-41AD-92A3-14154ECE70AC}
    HKCR\Interface\{0494D0D6-F8E0-41AD-92A3-14154ECE70AC}\ProxyStubClsid
    HKCR\Interface\{0494D0D6-F8E0-41AD-92A3-14154ECE70AC}\ProxyStubClsid32
    HKCR\Interface\{0494D0D6-F8E0-41AD-92A3-14154ECE70AC}\TypeLib
    HKCR\Interface\{0494D0D6-F8E0-41AD-92A3-14154ECE70AC}\TypeLib#Version
    HKCR\Interface\{0494D0DA-F8E0-41AD-92A3-14154ECE70AC}
    HKCR\Interface\{0494D0DA-F8E0-41AD-92A3-14154ECE70AC}\ProxyStubClsid
    HKCR\Interface\{0494D0DA-F8E0-41AD-92A3-14154ECE70AC}\ProxyStubClsid32
    HKCR\Interface\{0494D0DA-F8E0-41AD-92A3-14154ECE70AC}\TypeLib
    HKCR\Interface\{0494D0DA-F8E0-41AD-92A3-14154ECE70AC}\TypeLib#Version
    HKCR\Interface\{0494D0DC-F8E0-41AD-92A3-14154ECE70AC}
    HKCR\Interface\{0494D0DC-F8E0-41AD-92A3-14154ECE70AC}\ProxyStubClsid
    HKCR\Interface\{0494D0DC-F8E0-41AD-92A3-14154ECE70AC}\ProxyStubClsid32
    HKCR\Interface\{0494D0DC-F8E0-41AD-92A3-14154ECE70AC}\TypeLib
    HKCR\Interface\{0494D0DC-F8E0-41AD-92A3-14154ECE70AC}\TypeLib#Version

    Comet Cursor Explorer Bar
    HKLM\Software\Classes\CLSID\{90C61707-C8F8-43DB-A25C-C1F4B18EE41E}
    HKCR\CLSID\{90C61707-C8F8-43DB-A25C-C1F4B18EE41E}
    HKCR\CLSID\{90C61707-C8F8-43DB-A25C-C1F4B18EE41E}
    HKCR\CLSID\{90C61707-C8F8-43DB-A25C-C1F4B18EE41E}\Implemented Categories
    HKCR\CLSID\{90C61707-C8F8-43DB-A25C-C1F4B18EE41E}\Implemented Categories\{00021494-0000-0000-C000-000000000046}
    HKCR\CLSID\{90C61707-C8F8-43DB-A25C-C1F4B18EE41E}\InprocServer32
    HKCR\CLSID\{90C61707-C8F8-43DB-A25C-C1F4B18EE41E}\InprocServer32#ThreadingModel
    C:\PROGRA~1\COMET\BIN\CSBAND.DLL
    HKLM\Software\Classes\CLSID\{EDC4193F-34AD-4D07-AA87-E3FDB89E3E76}
    HKCR\CLSID\{EDC4193F-34AD-4D07-AA87-E3FDB89E3E76}
    HKCR\CLSID\{EDC4193F-34AD-4D07-AA87-E3FDB89E3E76}
    HKCR\CLSID\{EDC4193F-34AD-4D07-AA87-E3FDB89E3E76}\Implemented Categories
    HKCR\CLSID\{EDC4193F-34AD-4D07-AA87-E3FDB89E3E76}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
    HKCR\CLSID\{EDC4193F-34AD-4D07-AA87-E3FDB89E3E76}\InprocServer32
    HKCR\CLSID\{EDC4193F-34AD-4D07-AA87-E3FDB89E3E76}\InprocServer32#ThreadingModel
    HKU\S-1-5-21-657795437-1532908729-4079810017-1006\Software\Microsoft\Internet Explorer\Explorer Bars\{90C61707-C8F8-43DB-A25C-C1F4B18EE41E}
    HKU\S-1-5-21-657795437-1532908729-4079810017-1006\Software\Microsoft\Internet Explorer\Explorer Bars\{EDC4193F-34AD-4D07-AA87-E3FDB89E3E76}

    Comet Cursor BHO
    HKLM\Software\Classes\CLSID\{D14D6793-9B65-11D3-80B6-00500487BDBA}
    HKCR\CLSID\{D14D6793-9B65-11D3-80B6-00500487BDBA}
    HKCR\CLSID\{D14D6793-9B65-11D3-80B6-00500487BDBA}
    HKCR\CLSID\{D14D6793-9B65-11D3-80B6-00500487BDBA}\Implemented Categories
    HKCR\CLSID\{D14D6793-9B65-11D3-80B6-00500487BDBA}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
    HKCR\CLSID\{D14D6793-9B65-11D3-80B6-00500487BDBA}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
    HKCR\CLSID\{D14D6793-9B65-11D3-80B6-00500487BDBA}\InprocServer32
    HKCR\CLSID\{D14D6793-9B65-11D3-80B6-00500487BDBA}\InprocServer32#ThreadingModel
    HKCR\CLSID\{D14D6793-9B65-11D3-80B6-00500487BDBA}\ProgID
    HKCR\CLSID\{D14D6793-9B65-11D3-80B6-00500487BDBA}\Programmable
    HKCR\CLSID\{D14D6793-9B65-11D3-80B6-00500487BDBA}\TypeLib
    HKCR\CLSID\{D14D6793-9B65-11D3-80B6-00500487BDBA}\VersionIndependentProgID
    HKCR\BHO.CSBHO.1
    HKCR\BHO.CSBHO
    HKCR\TypeLib\{D14D6786-9B65-11D3-80B6-00500487BDBA}
    HKCR\TypeLib\{D14D6786-9B65-11D3-80B6-00500487BDBA}\1.0
    HKCR\TypeLib\{D14D6786-9B65-11D3-80B6-00500487BDBA}\1.0\0
    HKCR\TypeLib\{D14D6786-9B65-11D3-80B6-00500487BDBA}\1.0\0\win32
    HKCR\TypeLib\{D14D6786-9B65-11D3-80B6-00500487BDBA}\1.0\FLAGS
    HKCR\TypeLib\{D14D6786-9B65-11D3-80B6-00500487BDBA}\1.0\HELPDIR
    C:\PROGRA~1\COMET\BIN\CSBHO.DLL
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D14D6793-9B65-11D3-80B6-00500487BDBA}
    HKU\S-1-5-21-657795437-1532908729-4079810017-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D14D6793-9B65-11D3-80B6-00500487BDBA}
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D14D6793-9B65-11D3-80B6-00500487BDBA}
    HKCR\Interface\{D14D6792-9B65-11D3-80B6-00500487BDBA}
    HKCR\Interface\{D14D6792-9B65-11D3-80B6-00500487BDBA}\ProxyStubClsid
    HKCR\Interface\{D14D6792-9B65-11D3-80B6-00500487BDBA}\ProxyStubClsid32
    HKCR\Interface\{D14D6792-9B65-11D3-80B6-00500487BDBA}\TypeLib
    HKCR\Interface\{D14D6792-9B65-11D3-80B6-00500487BDBA}\TypeLib#Version

    Trojan.Comet/AutoSearch
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{35E78239-811E-4C3F-B37D-F339AC16C2C0}
    HKU\S-1-5-21-657795437-1532908729-4079810017-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{35E78239-811E-4C3F-B37D-F339AC16C2C0}
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{35E78239-811E-4C3F-B37D-F339AC16C2C0}

    Adware.IWantSearchBar
    HKU\S-1-5-21-657795437-1532908729-4079810017-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}

    Trojan.SmitFraud Variant
    HKU\S-1-5-21-657795437-1532908729-4079810017-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{77701E16-9BFE-4B63-A5B4-7BD156758A37}

    Adware.Tracking Cookie
    C:\Documents and Settings\The Cauchi's\Cookies\the_cauchi's@ads.infinisource[1].txt
    C:\Documents and Settings\The Cauchi's\Cookies\the_cauchi's@atdmt[2].txt

    Adware.MyWebSearch/FunWebProducts
    HKU\S-1-5-21-657795437-1532908729-4079810017-1006\SOFTWARE\FunWebProducts

    Adware.IST/ISTBar (Slotch Bar)
    HKU\S-1-5-21-657795437-1532908729-4079810017-1006\Software\Microsoft\Internet Explorer\Main#BandRest [ Never ]
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main#BandRest [ Never ]



    Thanks, Shorerider.
     
    Last edited: 2009/08/11
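    The log above reports 183 registry threats and 5 file threats, and reading it by hand is what makes it look alarming. Grouped by family, nearly all of the registry hits are CLSID, TypeLib and Interface registrations left behind by the MyWay and Comet Cursor toolbars, two of the files are those toolbars' DLLs, and the only cookie entries are the two tracking cookies, so the cookie that keeps returning and the registry residue are separate matters. The script below is an added example for this archive, not part of the page or of SUPERAntiSpyware; it parses the log format shown above, splits each family's entries into registry, file and cookie hits, checks that the parsed totals reconcile with the scanner's own header counts, and flags families that exist only as registry entries. The embedded log is a shortened, constructed copy of the one posted: the entries are taken from the post, but the header counts are for this excerpt.

    ```python
    """Triage of a SUPERAntiSpyware scan log.

    Added example for this thread, not part of the page or of the product. The
    log excerpt below is a shortened, constructed copy in the format posted
    above; entries are taken from that post but the counts are for this excerpt.
    """
    import re

    SAMPLE_LOG = r"""
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 08/10/2009 at 09:19 AM

    Scan type : Complete Scan

    Memory threats detected : 0
    Registry threats detected : 4
    File threats detected : 3

    Adware.MyWay
    HKLM\Software\Classes\CLSID\{0494D0D9-F8E0-41ad-92A3-14154ECE70AC}
    HKCR\CLSID\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}\InprocServer32
    C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL

    Comet Cursor BHO
    HKCR\BHO.CSBHO
    C:\PROGRA~1\COMET\BIN\CSBHO.DLL

    Adware.Tracking Cookie
    C:\Documents and Settings\The Cauchi's\Cookies\the_cauchi's@atdmt[2].txt

    Adware.IST/ISTBar (Slotch Bar)
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main#BandRest [ Never ]
    """

    HEADER_RE = re.compile(r"^(Memory|Registry|File) threats detected\s*:\s*(\d+)$")
    FILE_RE = re.compile(r"^[A-Za-z]:\\")


    def classify(entry):
        """'registry', 'file', 'cookie', or None when the line is not a detection."""
        if entry.upper().startswith("HK"):
            return "registry"
        if FILE_RE.match(entry):
            return "cookie" if "\\cookies\\" in entry.lower() else "file"
        return None


    def header_counts(log):
        """The 'X threats detected : N' totals the scanner itself reports."""
        counts = {}
        for line in log.splitlines():
            m = HEADER_RE.match(line.strip())
            if m:
                counts[m.group(1)] = int(m.group(2))
        return counts


    def triage(log):
        """{family: {'registry': [...], 'file': [...], 'cookie': [...]}}.

        A detection group is a blank-line-separated block whose first line is a
        family name and whose remaining lines are all registry or file entries;
        header blocks never satisfy that and are skipped.
        """
        summary = {}
        for block in re.split(r"\n\s*\n", log.strip()):
            lines = [l.strip() for l in block.splitlines() if l.strip()]
            if len(lines) < 2 or classify(lines[0]) is not None:
                continue
            kinds = [classify(l) for l in lines[1:]]
            if None in kinds:
                continue
            fam = summary.setdefault(lines[0], {"registry": [], "file": [], "cookie": []})
            for entry, kind in zip(lines[1:], kinds):
                fam[kind].append(entry)
        return summary


    def reconcile(log):
        """True when the parsed entries add up to the scanner's own totals.

        SUPERAntiSpyware counts cookie files under 'File threats', so cookies are
        folded into the file total here.
        """
        s, h = triage(log), header_counts(log)
        reg = sum(len(f["registry"]) for f in s.values())
        files = sum(len(f["file"]) + len(f["cookie"]) for f in s.values())
        return reg == h.get("Registry", 0) and files == h.get("File", 0)


    def remnant_only(summary):
        """Families found only as registry keys/values, with no file on disk:
        typically leftover COM registrations of an uninstalled toolbar, which
        cannot execute by themselves but still deserve removal."""
        return {name for name, f in summary.items() if not f["file"] and not f["cookie"]}


    if __name__ == "__main__":
        s = triage(SAMPLE_LOG)
        for name, f in s.items():
            print(f"{name}: {len(f['registry'])} registry, {len(f['file'])} file, {len(f['cookie'])} cookie")
        print("consistent with header:", reconcile(SAMPLE_LOG))
        print("registry remnants only:", sorted(remnant_only(s)))
    ```

    Run against the full log from the post, the same grouping is what lets a helper say "the machine is essentially clean": a family whose entries are all registry keys and no file has nothing left to execute, while a family that still has a DLL under Program Files is the one worth a closer look.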
  17. 2009/08/10
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    You did reboot after the scans ran?


    I'm thinking if you download and use Firefox you should see a reduction in those cookies.


    I've hesitated to ask you to run this next tool because it just did not seem to be needed, but it might be we should go ahead and give it a whirl.


    Download Combofix© by sUBs from any of the links below.

    Save it to your desktop.

    Link 1
    Link 2


    • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files ".
    --------------------------------------------------------------------
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html

    Please leave the flash drive plugged in while completing the following.

    Double click on Combo-Fix.exe & follow the prompts.

    Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [IMG]


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    [IMG]


    No Validation is Required.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.



    ** Please Note:
    At times ComboFix may appear to stall, please be patient.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

    Please only run the tool once, ty.

    Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
    Don't select to run the Recovery Console as we don't need it.
    By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

    You may need several replies to post the requested logs, otherwise they might get cut off.
     
  18. 2009/08/13
    Shorerider

    Shorerider Inactive Thread Starter

    Joined:
    2006/09/30
    Messages:
    93
    Likes Received:
    0
    Juliet,


    Sorry for the delayed response, but I have been checking for your reply for the past few days, without seeing that we are now on page 2.:eek:

    Yes , I did reboot after the scans.

    After I ran ComboFix, and did the reboot, I reactivated my Antivirus etc. Then, I came straight to this site and had the AVG notification happen again. It's just the one cookie "C:\Documents and settings\The Cauchi's\Cookies\the_cauchi's@atdmt[2].txt" that keeps being found, then deleted by AVG.


    ComboFix log:


    ComboFix 09-08-10.06 - The Cauchi's 08/14/2009 8:38.1.1 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.212 [GMT 10:00]
    Running from: C:\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\dds.pifWindows BBS.pif
    c:\windows\dat.txt
    c:\windows\install.exe
    c:\windows\Installer\1040b6b3.msp
    c:\windows\Installer\14111aa.msp
    c:\windows\Installer\16413a3.msp
    c:\windows\Installer\172ff09.msp
    c:\windows\Installer\19122fa.msp
    c:\windows\Installer\1be5124.msp
    c:\windows\Installer\1d4de65.msp
    c:\windows\Installer\1ea2fc.msi
    c:\windows\Installer\1ed4d85.msp
    c:\windows\Installer\29daa92.msp
    c:\windows\Installer\3031585.msp
    c:\windows\Installer\32b4146.msp
    c:\windows\Installer\38e5efe.msp
    c:\windows\Installer\3ab7eec.msp
    c:\windows\Installer\403c531.msp
    c:\windows\Installer\403c537.msp
    c:\windows\Installer\48c78fb.msp
    c:\windows\Installer\4b631e3.msp
    c:\windows\Installer\50b3f63.msp
    c:\windows\Installer\5197cc5.msp
    c:\windows\Installer\52e4312.msp
    c:\windows\Installer\566f51c.msp
    c:\windows\Installer\61b96ee.msp
    c:\windows\Installer\652cd83.msp
    c:\windows\Installer\68ac11f.msp
    c:\windows\Installer\7133cc.msp
    c:\windows\Installer\8552d91.msp
    c:\windows\Installer\a31d9b4.msp
    c:\windows\Installer\daaf27.msp
    c:\windows\Installer\f57afab.msp
    c:\windows\Installer\fa31adc.msp
    c:\windows\patch.exe
    c:\windows\system32\run.exe


    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_NPF


    ((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))
    .

    2009-08-13 22:20 . 2009-08-13 22:20 3124187 ----a-r- C:\ComboFix.exe
    2009-08-12 04:11 . 2009-08-12 04:11 -------- d-sh--w- C:\FOUND.010
    2009-08-11 22:30 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
    2009-08-10 08:37 . 2009-08-10 08:37 -------- d-----w- C:\hosts
    2009-08-09 22:01 . 2009-08-13 22:51 117760 ----a-w- c:\documents and settings\The Cauchi's\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-08-09 21:58 . 2009-08-09 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-08-09 21:57 . 2009-08-09 21:57 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-08-09 21:57 . 2009-08-09 21:57 -------- d-----w- c:\documents and settings\The Cauchi's\Application Data\SUPERAntiSpyware.com
    2009-08-09 21:55 . 2009-08-09 21:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-08-09 21:55 . 2009-08-09 21:55 6881824 ----a-w- C:\SUPERAntiSpyware.exe
    2009-08-09 04:03 . 2009-08-09 04:03 5772 ----a-w- C:\sharedaccess.reg
    2009-08-09 03:54 . 2009-08-09 03:54 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
    2009-08-09 01:24 . 2009-08-09 01:43 2908976 ----a-w- C:\Norton_Removal_Tool.exe
    2009-08-07 21:55 . 2009-08-07 21:55 50688 ----a-w- C:\ATF_Cleaner.exe
    2009-08-07 08:13 . 2009-08-07 08:13 -------- d-----w- C:\SpywareBlaster
    2009-08-07 07:59 . 2009-08-07 07:59 3012768 ----a-w- C:\spywareblastersetup42.exe
    2009-08-06 22:09 . 2009-08-06 22:09 812344 ----a-w- C:\HJTInstall.exe
    2009-08-06 21:56 . 2009-08-06 21:48 407552 ----a-w- C:\OTM.exe
    2009-08-06 21:49 . 2009-08-06 21:49 -------- d-----w- C:\_OTM
    2009-08-06 07:12 . 2009-08-06 07:12 152576 ----a-w- c:\documents and settings\The Cauchi's\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
    2009-08-06 07:03 . 2009-08-06 07:03 -------- d-----w- c:\documents and settings\The Cauchi's\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
    2009-08-03 08:30 . 2009-08-03 08:30 410984 ----a-w- c:\windows\system32\deploytk.dll
    2009-08-03 08:28 . 2009-08-03 08:28 152576 ----a-w- c:\documents and settings\The Cauchi's\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
    2009-08-03 07:59 . 2009-08-03 07:59 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
    2009-08-01 09:55 . 2009-08-01 09:55 -------- d-----w- c:\program files\Common Files\Windows Live
    2009-07-30 12:42 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\The Cauchi's\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2009-07-30 12:41 . 2009-07-30 12:41 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2009-07-30 12:23 . 2009-07-30 12:24 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2009-07-30 12:22 . 2009-07-30 12:22 -------- d-----w- c:\program files\NOS
    2009-07-30 12:22 . 2009-07-30 12:22 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2009-07-24 22:05 . 2009-07-24 22:05 -------- d-----w- c:\documents and settings\The Cauchi's\Application Data\Malwarebytes
    2009-07-24 22:04 . 2009-07-13 03:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-07-24 22:04 . 2009-07-24 22:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-07-24 22:04 . 2009-07-24 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-07-24 22:04 . 2009-07-13 03:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-07-24 22:04 . 2009-07-24 22:04 3775176 ----a-w- C:\mbam-setup.exe
    2009-07-24 21:57 . 2009-07-24 21:57 50688 ----a-w- C:\ATF-Cleaner.exe
    2009-07-17 19:01 . 2009-07-17 19:01 58880 ------w- c:\windows\system32\dllcache\atl.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-05 09:01 . 2002-12-11 14:14 204800 ------w- c:\windows\system32\mswebdvd.dll
    2009-07-17 22:54 . 2009-01-04 04:38 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-07-17 19:01 . 1979-12-31 14:00 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-13 13:43 . 2003-12-29 22:32 286208 ------w- c:\windows\system32\wmpdxm.dll
    2009-07-03 17:09 . 2004-02-06 08:05 915456 ----a-w- c:\windows\system32\wininet.dll
    2009-07-02 01:28 . 2009-07-02 01:28 -------- d-----w- c:\program files\ArcSoft
    2009-06-23 06:20 . 2009-02-01 23:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-06-23 06:20 . 2009-01-04 04:38 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-06-16 14:36 . 1979-12-31 14:00 81920 ------w- c:\windows\system32\fontsub.dll
    2009-06-16 14:36 . 1979-12-31 14:00 119808 ------w- c:\windows\system32\t2embed.dll
    2009-06-15 07:59 . 2003-12-29 22:22 76487 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
    2009-06-12 12:31 . 1979-12-31 14:00 76288 ------w- c:\windows\system32\telnet.exe
    2009-06-10 14:13 . 1979-12-31 14:00 84992 ------w- c:\windows\system32\avifil32.dll
    2009-06-10 06:14 . 1980-01-01 09:00 132096 ------w- c:\windows\system32\wkssvc.dll
    2009-06-09 23:19 . 2003-12-29 22:19 2066432 ------w- c:\windows\system32\mstscax.dll
    2009-06-03 19:09 . 2003-05-29 23:00 1291264 ------w- c:\windows\system32\quartz.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TomTomHOME.exe "= "c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-01-29 361832]
    "H/PC Connection Agent "= "c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
    "SUPERAntiSpyware "= "c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-05 1830128]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SiS Tray "= "c:\windows\System32\sistray.EXE" [2003-08-19 667648]
    "SiS Windows KeyHook "= "c:\windows\System32\keyhook.exe" [2003-08-19 241664]
    "NvCplDaemon "= "c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
    "SBDrvDet "= "c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
    "Lexmark X5100 Series "= "c:\program files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 86100]
    "WinPatrol "= "c:\program files\BillP Studios\WinPatrolScotty2009\winpatrol.exe" [2009-06-01 341312]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-23 1948440]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "nwiz "= "nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]
    "CTHelper "= "CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2003-06-20 24576]
    "AsioReg "= "CTASIO.DLL" - c:\windows\system32\CTASIO.DLL [2003-06-20 118784]
    "SoundMan "= "SOUNDMAN.EXE" - c:\windows\soundman.exe [2003-08-14 57344]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 02:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-06-23 06:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe "=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/4/2009 2:38 PM 335752]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
    R1 SiSEsc;SISLIB_ESC;c:\windows\system32\sisesc.sys [12/31/2003 8:51 PM 28416]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/2/2009 9:17 AM 298776]
    R3 C4C_BSC2;C4C_BSC2;c:\windows\system32\drivers\C4C_BSC2.sys [12/31/2003 8:17 PM 84788]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
    S3 alcan5ln;Alcatel SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [7/10/2004 10:30 AM 36048]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll ",BrandIEActiveSetup SIGNUP
    .
    - - - - ORPHANS REMOVED - - - -

    SafeBoot-AVG Anti-Spyware Driver
    SafeBoot-AVG Anti-Spyware Guard


    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = iexplore
    IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-14 08:50
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101 "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    "Enabled "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @= "c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker3 "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @= "{00020424-0000-0000-C000-000000000046} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(524)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(3528)
    c:\windows\system32\WININET.dll
    c:\program files\BillP Studios\WinPatrolScotty2009\PATROLPRO.DLL
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
    c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
    c:\windows\system32\ConnAPI.DLL
    c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
    c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\SYSTEM32\LEXBCES.EXE
    c:\windows\SYSTEM32\LEXPPS.EXE
    c:\program files\AVG\AVG8\AVGWDSVC.EXE
    c:\program files\JAVA\JRE6\BIN\JQS.EXE
    c:\program files\AVG\AVG8\AVGRSX.EXE
    c:\windows\system32\wscntfy.exe
    c:\windows\SYSTEM32\WGATRAY.EXE
    c:\program files\LEXMARK X5100 SERIES\LXBABMON.EXE
    c:\program files\MICROSOFT ACTIVESYNC\RAPIMGR.EXE
    .
    **************************************************************************
    .
    Completion time: 2009-08-13 8:55 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-08-13 22:55

    Pre-Run: 11,566,776,320 bytes free
    Post-Run: 11,985,420,288 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    249 --- E O F --- 2009-08-12 07:11


    HJT Log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:02:43 AM, on 8/14/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\WINDOWS\System32\keyhook.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
    C:\Program Files\BillP Studios\WinPatrolScotty2009\winpatrol.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\TomTom HOME 2\HOMERunner.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-au\msntb.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-au\msntb.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe "
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrolScotty2009\winpatrol.exe -expressboot
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe "
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe "
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
    O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180506225375
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

    --
    End of file - 7366 bytes



    Thanks, Shorerider.
     
  19. 2009/08/13
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back

    AVG is just finding a few cookies. Nothing to worry about...


    Open Internet Explorer and Go to

    "Tools"
    "Advanced" (tab) scroll down until the section "Browsing" then scroll further and uncheck "Enable third party browser extensions*"

    Note the * means it only takes effect after you restart Internet Explorer



    Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    Please open Notepad (*Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail). (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the CODE box below:
    Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.
    Code:
    Reglock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    [IMG]

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    If there are internet issues afterward:

    *In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

    In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxy server, set it to No Proxy.


    In your next reply post:
    ComboFix.txt
    new HJT log
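    The CFScript in the post above lists exactly the keys that ComboFix printed under "LOCKED REGISTRY KEYS" in the log posted before it. As an added example (not ComboFix's own code and not something posted by anyone in this thread), the Python below pulls that section out of a ComboFix log, records which keys carried an "@Denied:" ACL line (the deny entry that hides the key from normal registry tools), and renders the key list in the Reglock:: form used here. The sample log text is a constructed, trimmed copy of the section from the log above; note that its values point at Adobe's FlashBroker / FlashUtil10c.exe, so a locked key is a thing to look at, not by itself a sign of malware.

```python
"""Extract the LOCKED REGISTRY KEYS section from a ComboFix log.

Added illustration for this thread; the parser is not part of ComboFix.
"""
import re

# Section banner as ComboFix prints it: dashes, title, dashes.
LOCKED_HEADER = re.compile(r"^-+\s*LOCKED REGISTRY KEYS\s*-+$")
# Any other "----- Title -----" banner ends the section.
SECTION_HEADER = re.compile(r"^-{3,}\s*[A-Za-z].*-{3,}$")
# A registry key line: [HKEY_...\path]
KEY_LINE = re.compile(r"^\[(HKEY_[A-Z_]+\\[^\]]+)\]$")

# Constructed sample: trimmed copy of the section posted in this thread.
SAMPLE_LOG = r"""
scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(524)
"""


def parse_locked_keys(log_text):
    """Return [{'key': str, 'denied': bool}] for the LOCKED REGISTRY KEYS section.

    'denied' is True when an "@Denied:" line follows the key, i.e. ComboFix
    found a deny ACE (here for Everyone) on it.
    """
    entries = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if LOCKED_HEADER.match(line):
            in_section = True
            continue
        if not in_section:
            continue
        # Next banner (or the asterisk divider) closes the section.
        if SECTION_HEADER.match(line) or line.startswith("****"):
            break
        m = KEY_LINE.match(line)
        if m:
            entries.append({"key": m.group(1), "denied": False})
        elif line.startswith("@Denied:") and entries:
            entries[-1]["denied"] = True
    return entries


def reglock_script(entries):
    """Render the keys in the Reglock:: form shown in the CFScript above."""
    return "Reglock::\n" + "".join(f"[{e['key']}]\n" for e in entries)


if __name__ == "__main__":
    found = parse_locked_keys(SAMPLE_LOG)
    for e in found:
        print(("DENIED " if e["denied"] else "       ") + e["key"])
    print(reglock_script(found))
```

    Running it on a full ComboFix.txt gives the same list the helper typed by hand, and the DENIED marker shows which keys actually carry the hiding ACL rather than just sitting in the section.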
     
  20. 2009/08/14
    Shorerider

    Shorerider Inactive Thread Starter

    Joined:
    2006/09/30
    Messages:
    93
    Likes Received:
    0
    Hey Juliet ;),

    After completing your latest recommendations, the problem seems to be OK.:D I've opened this page, and others where the notification would pop up, several times, and so far it hasn't happened.:D:D I will notify you if it does.

    On another note, I've been getting a notification (yes another one) from WinPatrol asking if it is OK to allow changes "Run a DLL as an App" to my machine.

    See here.

    I've said no for now. Should I allow? With all that has been going on, I didn't want to allow without consulting you first.


    ComboFix Log:

    ComboFix 09-08-10.06 - The Cauchi's 08/14/2009 23:38.2.1 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.254 [GMT 10:00]
    Running from: C:\ComboFix.exe
    Command switches used :: C:\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((( Files Created from 2009-07-14 to 2009-08-14 )))))))))))))))))))))))))))))))
    .

    2009-08-13 22:20 . 2009-08-13 22:20 3124187 ----a-r- C:\ComboFix.exe
    2009-08-12 04:11 . 2009-08-12 04:11 -------- d-sh--w- C:\FOUND.010
    2009-08-11 22:30 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
    2009-08-10 08:37 . 2009-08-10 08:37 -------- d-----w- C:\hosts
    2009-08-09 22:01 . 2009-08-14 13:03 117760 ----a-w- c:\documents and settings\The Cauchi's\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-08-09 21:58 . 2009-08-09 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-08-09 21:57 . 2009-08-09 21:57 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-08-09 21:57 . 2009-08-09 21:57 -------- d-----w- c:\documents and settings\The Cauchi's\Application Data\SUPERAntiSpyware.com
    2009-08-09 21:55 . 2009-08-09 21:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-08-09 21:55 . 2009-08-09 21:55 6881824 ----a-w- C:\SUPERAntiSpyware.exe
    2009-08-09 04:03 . 2009-08-09 04:03 5772 ----a-w- C:\sharedaccess.reg
    2009-08-09 03:54 . 2009-08-09 03:54 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
    2009-08-09 01:24 . 2009-08-09 01:43 2908976 ----a-w- C:\Norton_Removal_Tool.exe
    2009-08-07 21:55 . 2009-08-07 21:55 50688 ----a-w- C:\ATF_Cleaner.exe
    2009-08-07 08:13 . 2009-08-07 08:13 -------- d-----w- C:\SpywareBlaster
    2009-08-07 07:59 . 2009-08-07 07:59 3012768 ----a-w- C:\spywareblastersetup42.exe
    2009-08-06 22:09 . 2009-08-06 22:09 812344 ----a-w- C:\HJTInstall.exe
    2009-08-06 21:56 . 2009-08-06 21:48 407552 ----a-w- C:\OTM.exe
    2009-08-06 21:49 . 2009-08-06 21:49 -------- d-----w- C:\_OTM
    2009-08-06 07:12 . 2009-08-06 07:12 152576 ----a-w- c:\documents and settings\The Cauchi's\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
    2009-08-06 07:03 . 2009-08-06 07:03 -------- d-----w- c:\documents and settings\The Cauchi's\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
    2009-08-03 08:30 . 2009-08-03 08:30 410984 ----a-w- c:\windows\system32\deploytk.dll
    2009-08-03 08:28 . 2009-08-03 08:28 152576 ----a-w- c:\documents and settings\The Cauchi's\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
    2009-08-03 07:59 . 2009-08-03 07:59 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
    2009-08-01 09:55 . 2009-08-01 09:55 -------- d-----w- c:\program files\Common Files\Windows Live
    2009-07-30 12:42 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\The Cauchi's\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2009-07-30 12:41 . 2009-07-30 12:41 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2009-07-30 12:23 . 2009-07-30 12:24 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2009-07-30 12:22 . 2009-07-30 12:22 -------- d-----w- c:\program files\NOS
    2009-07-30 12:22 . 2009-07-30 12:22 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2009-07-24 22:05 . 2009-07-24 22:05 -------- d-----w- c:\documents and settings\The Cauchi's\Application Data\Malwarebytes
    2009-07-24 22:04 . 2009-07-13 03:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-07-24 22:04 . 2009-07-24 22:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-07-24 22:04 . 2009-07-24 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-07-24 22:04 . 2009-07-13 03:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-07-24 22:04 . 2009-07-24 22:04 3775176 ----a-w- C:\mbam-setup.exe
    2009-07-24 21:57 . 2009-07-24 21:57 50688 ----a-w- C:\ATF-Cleaner.exe
    2009-07-17 19:01 . 2009-07-17 19:01 58880 ------w- c:\windows\system32\dllcache\atl.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-05 09:01 . 2002-12-11 14:14 204800 ------w- c:\windows\system32\mswebdvd.dll
    2009-07-17 22:54 . 2009-01-04 04:38 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-07-17 19:01 . 1979-12-31 14:00 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-13 13:43 . 2003-12-29 22:32 286208 ------w- c:\windows\system32\wmpdxm.dll
    2009-07-03 17:09 . 2004-02-06 08:05 915456 ----a-w- c:\windows\system32\wininet.dll
    2009-07-02 01:28 . 2009-07-02 01:28 -------- d-----w- c:\program files\ArcSoft
    2009-06-23 06:20 . 2009-02-01 23:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-06-23 06:20 . 2009-01-04 04:38 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-06-16 14:36 . 1979-12-31 14:00 81920 ------w- c:\windows\system32\fontsub.dll
    2009-06-16 14:36 . 1979-12-31 14:00 119808 ------w- c:\windows\system32\t2embed.dll
    2009-06-15 07:59 . 2003-12-29 22:22 76487 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
    2009-06-12 12:31 . 1979-12-31 14:00 76288 ------w- c:\windows\system32\telnet.exe
    2009-06-10 14:13 . 1979-12-31 14:00 84992 ------w- c:\windows\system32\avifil32.dll
    2009-06-10 06:14 . 1980-01-01 09:00 132096 ------w- c:\windows\system32\wkssvc.dll
    2009-06-09 23:19 . 2003-12-29 22:19 2066432 ------w- c:\windows\system32\mstscax.dll
    2009-06-03 19:09 . 2003-05-29 23:00 1291264 ------w- c:\windows\system32\quartz.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-08-13_22.51.35 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-08-14 13:02 . 2009-08-14 13:02 16384 c:\windows\Temp\Perflib_Perfdata_a0.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-01-29 361832]
    "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-05 1830128]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SiS Tray"="c:\windows\System32\sistray.EXE" [2003-08-19 667648]
    "SiS Windows KeyHook"="c:\windows\System32\keyhook.exe" [2003-08-19 241664]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
    "SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
    "Lexmark X5100 Series"="c:\program files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 86100]
    "WinPatrol"="c:\program files\BillP Studios\WinPatrolScotty2009\winpatrol.exe" [2009-06-01 341312]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-23 1948440]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]
    "CTHelper"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2003-06-20 24576]
    "AsioReg"="CTASIO.DLL" - c:\windows\system32\CTASIO.DLL [2003-06-20 118784]
    "SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2003-08-14 57344]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 02:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-06-23 06:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/4/2009 2:38 PM 335752]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
    R1 SiSEsc;SISLIB_ESC;c:\windows\system32\sisesc.sys [12/31/2003 8:51 PM 28416]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/2/2009 9:17 AM 298776]
    R3 C4C_BSC2;C4C_BSC2;c:\windows\system32\drivers\C4C_BSC2.sys [12/31/2003 8:17 PM 84788]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
    S3 alcan5ln;Alcatel SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [7/10/2004 10:30 AM 36048]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = iexplore
    IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-14 23:48
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(524)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(2344)
    c:\windows\system32\WININET.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2009-08-14 23:51
    ComboFix-quarantined-files.txt 2009-08-14 13:51
    ComboFix2.txt 2009-08-13 22:55

    Pre-Run: 11,931,811,840 bytes free
    Post-Run: 11,888,197,632 bytes free

    162 --- E O F --- 2009-08-12 07:11


    HJT Log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:12:05 AM, on 8/15/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\WINDOWS\System32\keyhook.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\TomTom HOME 2\HOMERunner.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-au\msntb.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-au\msntb.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrolScotty2009\winpatrol.exe -expressboot
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
    O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180506225375
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

    --
    End of file - 7320 bytes



    Thanks heaps, Shorerider.
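    Reading a HijackThis log by hand means asking the same few questions of each entry type: does a start/search page point somewhere unexpected, does an autostart run from a user-writable directory, which DLLs load into winlogon, which services have no publisher. As an added example that is not part of this thread, the Python script below encodes those checks and runs them over a constructed sample in the same R0/R1/O2/O4/O17/O20/O23 format as the log above. Two of the sample lines (the HKCU search page and the "updater" O4 entry) are made-up illustrations of what a hijack looks like and are not from the poster's machine; the trusted-host list is an assumption for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v2 line format, modelled on the entry types
# in the posted log. The HKCU search page and the "updater" O4 line are made-up
# illustrations of what a hijack looks like; they are not from the poster's PC.
SAMPLE_HJT_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.invalid/?q=
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\updater.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# Assumption for this example: the hosts this user expects as start/search
# pages (the Microsoft defaults and the ISP portal named in the posted O14 line).
TRUSTED_URL_HOSTS = {"go.microsoft.com", "www.bigpond.com"}
USER_WRITABLE = re.compile(r"\\(Local Settings\\Temp|Application Data|Temp)\\", re.IGNORECASE)
SYSTEM_DIRS = re.compile(r"^[a-z]:\\(windows|program files)\\", re.IGNORECASE)
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")


def triage_hjt(log_text):
    """Return (code, severity, reason) tuples for HJT lines worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        value = body.split(" = ", 1)[1] if " = " in body else ""
        if code in ("R0", "R1"):
            # Start/search page: anything not on the expected hosts is a hijack candidate.
            host = urlparse(value).hostname or ""
            if host and host not in TRUSTED_URL_HOSTS:
                findings.append((code, "high", f"browser start/search page points at {host}"))
        elif code == "O2" and body.startswith("BHO: (no name)"):
            findings.append((code, "review", f"BHO registered without a name, identify the DLL: {body}"))
        elif code == "O4":
            # Autostarts: a binary in Temp/AppData is the classic dropper location;
            # a bare filename is resolved through PATH, so confirm which file actually runs.
            path = body.split("] ", 1)[1] if "] " in body else body
            if USER_WRITABLE.search(path):
                findings.append((code, "high", f"autostart from user-writable location: {path}"))
            elif "\\" not in path:
                findings.append((code, "review", f"autostart by bare filename, resolved via PATH: {path}"))
        elif code == "O17":
            findings.append((code, "review", f"DNS/search-list setting, confirm it is your ISP's: {value}"))
        elif code == "O20":
            # Winlogon Notify DLLs load into winlogon.exe before any user session exists.
            dll = body.rsplit(" - ", 1)[-1]
            if not SYSTEM_DIRS.match(dll):
                findings.append((code, "high", f"Winlogon Notify DLL outside system directories: {dll}"))
        elif code == "O23" and "Unknown owner" in body:
            findings.append((code, "review", f"service without a publisher string: {body}"))
    return findings


if __name__ == "__main__":
    for code, severity, reason in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{code:4} {severity:6} {reason}")
```

    Run against the sample it flags the made-up search page and the Temp autostart as high, and lists the nameless BHO, the bare-filename autostart, the O17 search list and the unowned service for review; the legitimate AVG Winlogon Notify DLL under system32 produces nothing. "Review" entries are not verdicts: the O23 ATI service and the O4 SOUNDMAN.EXE in the posted log are ordinary driver components, which is exactly the judgement a human helper adds on top of a script like this.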
     
  21. 2009/08/14
    Juliet (Well-Known Member)
    We made changes in IE to how it accepts third-party cookies; the WinPatrol notification, from what I can see, was for IE, and actually I should have thought ahead and had you disable WinPatrol to avoid the alerts.

    You're looking good here now.

    Don't miss or skip this next step; it will remove malicious files from quarantine and set a clean restore point.

    • Click START, then RUN
    • Now type Combofix /u in the run box and click OK. Note the space between the x and the /u; it needs to be there.


    NEXT**
    • Download OTC to your desktop and run it
    • A list of tool components used in the Cleanup of malware will be downloaded.
    • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
    • Click Yes to begin the Cleanup process and remove these components, including the OTC application.
    • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.




    You're good to go, good job!



    Please take the time to read over a few of my preventive tips.


    Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.


    Firefox 3
    The award-winning Web browser is now faster, more secure, and fully customizable to your online life. With Firefox 3, added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
    *NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

    WOT (Web of Trust) warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites: green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an add-on available for both Firefox and IE.

    How to prevent Malware: Created by Miekiemoes

    Here are some additional utilities that will further enhance your safety.
    # http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program (AOL, Yahoo, ICQ, IRC, MSN).

    Scan your computer regularly for malware
    Scan on a regular basis to keep your computer clean, with free software such as Malwarebytes Anti-Malware (MBAM) and SUPERAntiSpyware.
    Please note that these products can also be run for free, without a licence, as on-demand scanners.

    Please read this article 'Safe Computing Practices'.
    So how did I get infected in the first place?

    Secure My Computer: A Layered Approach

    Strong passwords: How to create and use them

    Free Antivirus-AntiSpyware-Firewall Software

    Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

    Slow Computer May Not Be Malware Related, Help! My computer is slow!
    http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html


    PC Safety and Security--What Do I Need?
    http://www.techsupportforum.com/sec...115548-pc-safety-security-what-do-i-need.html

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!
    This site offers people who have been (or are) victims of malware the opportunity to document their story.

    Extra note:
    Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/
     
