
My system is infected, please help.

I'm getting a lot of pop-ups, my desktop has been hijacked and shows Entrpreneur.com, and I hear random audio that isn't associated with any running programs.

I ran Spybot and Ad-Aware.

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:30 PM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
E:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\system32\LEXBCES.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\LEXPPS.EXE
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\Program Files\Verizon\McciTrayApp.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\Verizon\VSP\VerizonServicepoint.exe
E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\WINDOWS\system32\hkcmd.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Messenger\msmsgs.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\WINDOWS\system32\WgaTray.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\WinRAR\WinRAR.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\explorer.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32052E0E-0378-46A1-8782-019EE7F9E1DA} - E:\Program Files\Messenger\holesuc4444.dll (file missing)
O2 - BHO: (no name) - {3381BDCE-30AA-4201-BAA7-DEF952DCB15e} - E:\WINDOWS\system32\yjvgofpr.dll
O2 - BHO: (no name) - {351813AB-A21A-F9BC-1216-828DBB51D0BF} - E:\WINDOWS\system32\mrmnjp.dll (file missing)
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - E:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6BB70C4F-4F71-433A-9040-DC8213A63647} - E:\WINDOWS\system32\yjvgofpr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7A022DA7-591C-4516-9F27-D5054D8E6293} - E:\WINDOWS\system32\yjvgofpr.dll
O2 - BHO: (no name) - {83B632D7-FC17-4671-BFBE-5A190BB1D62F} - E:\WINDOWS\system32\vtsqr.dll (file missing)
O2 - BHO: (no name) - {94D45A69-398A-48C5-B136-9D5A841C4F8B} - E:\Program Files\Messenger\holesuc83122.dll (file missing)
O4 - HKLM\..\Run: [Verizon_McciTrayApp] E:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [osCheck] "E:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "E:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [poolsv] "E:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [svhost] "E:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] E:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ifrk] E:\PROGRA~1\COMMON~1\ifrk\ifrkm.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - E:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8703 bytes
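The helper's first pass over a log like this is a set of eyeball checks on the O2 (BHO) and O4 (Run key) lines. As an added example that is not part of the original post and not a HijackThis feature, here is that first pass written out as a small Python script: it flags unnamed BHOs, "(file missing)" orphans, random-looking file names, autoruns that live in the Windows root rather than system32, and names that are one edit away from a real system process (svhost vs. svchost, poolsv vs. spoolsv). The sample lines are copied from the log above; the KNOWN_GOOD set and the vowel/consonant thresholds in looks_random are assumptions standing in for the known-good file databases that log helpers actually consult.

```python
"""Triage a HijackThis 2.0 log for O2/O4 entries worth a closer look.

Added example for this thread; not the poster's code and not part of
HijackThis. It writes out what a log helper checks by eye: unnamed BHOs,
orphaned "(file missing)" registrations, random-looking file names, autoruns
in the Windows root instead of system32, and names one edit away from a real
system process. A hit means "look closer", not "malware".
"""
import re
from collections import namedtuple

# Constructed sample: a subset of O2/O4 lines copied from the log above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32052E0E-0378-46A1-8782-019EE7F9E1DA} - E:\Program Files\Messenger\holesuc4444.dll (file missing)
O2 - BHO: (no name) - {3381BDCE-30AA-4201-BAA7-DEF952DCB15e} - E:\WINDOWS\system32\yjvgofpr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [poolsv] "E:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "E:\WINDOWS\svhost.exe"
O4 - HKCU\..\Run: [ifrk] E:\PROGRA~1\COMMON~1\ifrk\ifrkm.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
"""

# Assumption: tiny stand-in for the known-good file database a helper consults.
KNOWN_GOOD = {"acroiehelper", "sdhelper", "jusched", "ctfmon"}
# Core Windows process names that malware likes to imitate.
SYSTEM_PROCS = {"svchost", "spoolsv", "lsass", "csrss", "winlogon", "services", "explorer", "smss"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
Finding = namedtuple("Finding", "section path reasons")


def command_path(cmd):
    """Pull the executable out of an O4 command line, quoted or bare."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.(?:exe|dll|com|bat|scr))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def edit_distance(a, b):
    """Levenshtein distance; inputs are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(stem):
    """Few vowels or a long consonant run reads like a generated file name."""
    letters = re.sub(r"[^a-z]", "", stem.lower())
    if len(letters) < 5:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", letters)), default=0)
    return vowels / len(letters) < 0.25 or longest_run >= 4


def assess(section, path, name="", missing=False):
    """Apply the heuristics to one entry; return a Finding or None."""
    reasons = []
    parent, _, base = path.rpartition("\\")
    stem = base.rsplit(".", 1)[0].lower()
    if section == "O2" and name == "(no name)":
        reasons.append("BHO registered without a name")
    if missing:
        reasons.append("file missing: orphaned registration, still remove it")
    if stem not in KNOWN_GOOD and looks_random(stem):
        reasons.append(f"random-looking file name '{base}'")
    if section == "O4" and re.fullmatch(r"[a-z]:\\windows", parent.lower()):
        reasons.append("autorun lives in the Windows root, not system32")
    for proc in sorted(SYSTEM_PROCS):
        if stem != proc and edit_distance(stem, proc) == 1:
            reasons.append(f"name is one edit away from system process {proc}.exe")
    return Finding(section, path, reasons) if reasons else None


def triage(log_text):
    """Return one Finding per suspicious O2/O4 line, in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        if m := O2_RE.match(line):
            f = assess("O2", m["path"], m["name"], bool(m["missing"]))
        elif m := O4_RE.match(line):
            f = assess("O4", command_path(m["cmd"]))
        else:
            continue
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, f.path, "|", "; ".join(f.reasons))
```

On the sample it returns five hits, holesuc4444.dll, yjvgofpr.dll, poolsv.exe, svhost.exe and ifrkm.exe, and the Adobe, Spybot, Java and ctfmon entries pass; the yjvgofpr, poolsv and svhost names are the ones that show up again in what SDFix and ComboFix remove further down the thread. The random-name rule is noisy on a full log (hkcmd and igfxtray would trip it), which is exactly why a known-good list sits in front of it.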

Comments

  • VekaVeka Finland
    edited February 2008
    Hello focused.

    I'll be handling your log to help you get cleaned up. Please give me some time to look it over.
  • VekaVeka Finland
    edited February 2008
    It appears you have two antivirus programs running, Symantec and AVG. You may want to choose one and uninstall the other (please let me know what your decision is). Having more than one antivirus active in memory uses additional resources and can result in program conflicts and false virus alerts.

    Also, I don't see a firewall running. Make sure that Windows Firewall is turned on.
    1. Click Start, click Run, type Firewall.cpl, and then click OK.
    2. On the General tab, click On (recommended), and then click OK.
    You may want to print out these instructions or save them as a text file with Notepad to your desktop, because we will be restarting into Safe Mode later on in the fix.

    Step 1

    Please download to your Desktop

    SDfix from here
    ComboFix from here or here

    Note: It is important that tools are saved directly to your Desktop

    Step 2

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
    • Instead of Windows loading as normal, the Advanced Options Menu should appear.
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum)
    Step 3

    Once in normal mode, run ComboFix.

    Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close ALL open windows and programs.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    Step 4

    Please paste the contents of Report.txt (SDFix log) and ComboFix.txt (ComboFix log), along with a new HijackThis.
  • edited February 2008
    Hi vekarppe, thank you for the quick reply.

    I uninstalled AVG and I'm only running Symantec now.

    Here is the SDFix report:



    SDFix: Version 1.144

    Run by Owner on Thu 02/21/2008 at 06:05 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: E:\SDFix

    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Checking Files:

    Trojan Files Found:

    E:\WINDOWS\SYSTEM32\YJVGOFPR.DLL - Deleted
    E:\PROGRA~1\WINDOW~1\LAWUME~1 - Deleted
    E:\Documents and Settings\Owner\Application Data\WinTouch\wintouch.cfg - Deleted



    Folder E:\Documents and Settings\Owner\Application Data\WinTouch - Removed
    Folder E:\Program Files\poolsv - Removed
    Folder E:\WINDOWS\system32\X2 - Removed
    Folder E:\WINDOWS\system32\X3 - Removed
    Folder E:\WINDOWS\system32\X4 - Removed


    Removing Temp Files...

    ADS Check:



    Final Check:

    catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-21 18:11:21
    Windows 5.1.2600 Service Pack 2 NTFS

    detected NTDLL code modification:
    ZwClose

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services:



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "E:\\WINDOWS\\system32\\viiqwlto.exe"="E:\\WINDOWS\\system32\\vii"
    "E:\\Program Files\\LimeWire\\LimeWire.exe"="E:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "E:\\Program Files\\iTunes\\iTunes.exe"="E:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "E:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="E:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
    "E:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="E:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
    "E:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="E:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
    "E:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="E:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
    "E:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="E:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Disabled:Orb"
    "E:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="E:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Disabled:Orb Stream Client"
    "E:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="E:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Disabled:OrbTray"
    "E:\\WINDOWS\\system32\\sessmgr.exe"="E:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    Remaining Files:


    File Backups: - E:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Mon 28 Jan 2008 1,404,240 A.SHR --- "E:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
    Mon 28 Jan 2008 5,146,448 A.SHR --- "E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    Mon 28 Jan 2008 2,097,488 A.SHR --- "E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
    Sat 28 Jul 2007 1,737,092 A.SH. --- "E:\WINDOWS\system32\rqstv.tmp"
    Sun 8 Jul 2007 1,843,028 A.SH. --- "E:\WINDOWS\system32\rqstv.bak1"
    Tue 18 Sep 2007 1,965,918 A.SH. --- "E:\WINDOWS\system32\rqstv.bak2"
    Wed 17 Oct 2007 4,348 A.SH. --- "E:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Wed 19 Sep 2007 0 A.SH. --- "E:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Mon 13 Nov 2006 319,456 A..H. --- "E:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
    Wed 23 Jan 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT6.tmp"
    Mon 12 Feb 2007 3,096,576 A..H. --- "E:\Documents and Settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe"

    Finished!

    This is the ComboFix log:


    ComboFix 08-02-22 - Owner 2008-02-21 18:22:55.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.126 [GMT -5:00]
    Running from: E:\Documents and Settings\Owner\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    The following files were disabled during the run:
    E:\WINDOWS\system32\guard32.dll


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    E:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007
    E:\Documents and Settings\All Users\Application Data\winantispyware 2007\Data\Abbr
    E:\Documents and Settings\All Users\Application Data\winantispyware 2007\Data\ProductCode
    E:\Documents and Settings\Owner\Application Data\CROSOF~1.NET
    E:\Documents and Settings\Owner\Application Data\CROSOF~1.NET\??crosoft.NET\
    E:\Documents and Settings\Owner\Application Data\SSTEM3~1
    E:\Documents and Settings\Owner\err.log
    E:\Program Files\Common Files\racle~1
    E:\Program Files\svhost
    E:\Program Files\svhost\wr-1-0000077.exe
    E:\WINDOWS\cookies.ini
    E:\WINDOWS\system32\dudukfcf.dll
    E:\WINDOWS\system32\fnts~1
    E:\WINDOWS\system32\o09PrEz
    E:\WINDOWS\system32\win
    E:\WINDOWS\system32\wyhxfaip.dll
    E:\WINDOWS\system32\X5
    E:\WINDOWS\system32\X9

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    \LEGACY_CMDSERVICE
    \LEGACY_DOMAINSERVICE
    \LEGACY_NETWORK_MONITOR


    ((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
    .

    2008-02-21 18:02 . 2008-02-21 18:02 <DIR> d-------- E:\WINDOWS\ERUNT
    2008-02-21 17:51 . 2008-02-21 18:15 <DIR> d-------- E:\SDFix
    2008-02-20 14:00 . 2008-02-20 14:00 <DIR> d-------- E:\Program Files\COMODO
    2008-02-20 14:00 . 2008-02-20 14:00 <DIR> d-------- E:\Documents and Settings\Owner\Application Data\Comodo
    2008-02-20 14:00 . 2008-02-20 14:12 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\comodo
    2008-02-20 14:00 . 2008-02-20 14:00 139,008 --a------ E:\WINDOWS\system32\guard32.dll.vir
    2008-02-20 14:00 . 2008-02-20 14:00 79,096 --a------ E:\WINDOWS\system32\drivers\cmdGuard.sys
    2008-02-20 14:00 . 2008-02-20 14:00 23,672 --a------ E:\WINDOWS\system32\drivers\cmdhlp.sys
    2008-02-20 13:51 . 2008-02-20 13:53 <DIR> d-------- E:\Program Files\SpywareBlaster
    2008-02-20 13:51 . 2005-08-25 18:18 118,784 --a------ E:\WINDOWS\system32\MSSTDFMT.DLL
    2008-02-20 13:15 . 2008-02-20 13:16 <DIR> d-------- E:\Program Files\Desktop Hijack Fix
    2008-02-20 13:15 . 2008-02-20 13:15 249,856 --------- E:\WINDOWS\Setup1.exe
    2008-02-20 13:15 . 2008-02-20 13:15 73,216 --a------ E:\WINDOWS\ST6UNST.EXE
    2008-02-19 11:24 . 2008-02-19 11:24 <DIR> d-------- E:\Documents and Settings\Owner\Application Data\Uniblue
    2008-02-19 11:21 . 2008-02-19 11:21 <DIR> d-------- E:\Program Files\Uniblue
    2008-02-17 08:26 . 2008-02-17 08:26 <DIR> d-------- E:\Program Files\OGPlanet
    2008-02-17 02:43 . 2008-02-17 02:43 <DIR> d-------- E:\Program Files\Lavalys
    2008-02-17 02:42 . 2008-02-17 03:02 <DIR> d-------- E:\Documents and Settings\Owner\Application Data\GetRightToGo
    2008-02-16 15:09 . 2008-02-16 15:09 <DIR> d-------- E:\Program Files\Common Files\Motorola Shared
    2008-02-16 14:59 . 2008-02-16 14:59 25,600 --a------ E:\Documents and Settings\Owner\usbsermptxp.sys
    2008-02-16 14:59 . 2008-02-16 14:59 22,768 --a------ E:\Documents and Settings\Owner\usbsermpt.sys
    2008-02-16 13:37 . 2008-02-16 13:37 <DIR> d-------- E:\WINDOWS\FIOS
    2008-02-10 20:21 . 2008-02-10 20:21 <DIR> d-------- E:\Documents and Settings\Owner\Application Data\VOL_TOOLBAR
    2008-02-10 16:38 . 2008-02-10 16:38 <DIR> d-------- E:\Program Files\Trend Micro
    2008-01-27 20:57 . 2008-01-27 20:57 <DIR> d-------- E:\Documents and Settings\Owner\Application Data\ImgBurn
    2008-01-27 20:25 . 2000-07-21 10:40 2,048 --a------ E:\w2ksect.bin
    2008-01-27 18:47 . 2008-01-27 20:05 <DIR> d-------- E:\xpsetup
    2008-01-27 18:36 . 2008-01-27 18:37 <DIR> d-------- E:\Program Files\ImgBurn
    2008-01-23 17:14 . 2008-01-23 17:14 <DIR> d-------- E:\Documents and Settings\Owner\Application Data\DivX
    2008-01-23 17:12 . 2008-01-23 17:13 <DIR> d-------- E:\Program Files\DivX
    2008-01-23 17:12 . 2008-01-04 16:58 120,056 --------- E:\WINDOWS\system32\pxcpyi64.exe
    2008-01-23 17:12 . 2008-01-04 16:58 118,520 --------- E:\WINDOWS\system32\pxinsi64.exe
    2008-01-23 14:06 . 2001-08-22 22:00 26,209 --a------ E:\WINDOWS\system32\ntmsmgr.msc
    2008-01-23 14:05 . 2004-08-03 23:56 4,274,816 --a------ E:\WINDOWS\system32\nv4_disp.dll
    2008-01-23 14:05 . 2004-08-03 23:56 4,274,816 --a--c--- E:\WINDOWS\system32\dllcache\nv4_disp.dll
    2008-01-23 11:57 . 2008-01-23 11:57 <DIR> d-------- E:\Program Files\Winamp Remote
    2008-01-23 11:57 . 2008-01-23 11:57 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\OrbNetworks
    2008-01-23 11:55 . 2008-01-23 11:58 <DIR> d-------- E:\Program Files\Winamp
    2008-01-23 11:55 . 2008-01-23 17:08 <DIR> d-------- E:\Documents and Settings\Owner\Application Data\Winamp

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-21 16:43 d-----w E:\Documents and Settings\All Users\Application Data\avg7
    2008-02-21 16:41 d-----w E:\Documents and Settings\Owner\Application Data\VideoEgg
    2008-02-19 16:09 d-----w E:\Documents and Settings\Owner\Application Data\LimeWire
    2008-02-19 16:03 d-----w E:\Documents and Settings\Owner\Application Data\AVG7
    2008-02-18 04:02 d-----w E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-17 22:39 d-----w E:\Program Files\Soulseek
    2008-02-17 22:31 d-----w E:\Program Files\Spybot - Search & Destroy
    2008-02-16 18:37 d-----w E:\Program Files\Verizon
    2008-02-15 00:38 d-----w E:\Program Files\Common Files\Symantec Shared
    2008-02-15 00:38 d-----w E:\Documents and Settings\All Users\Application Data\Symantec
    2008-02-11 01:01 d-----w E:\Program Files\Disney
    2008-02-10 23:03 d-----w E:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-02-10 21:46 d-----w E:\Program Files\Google
    2008-02-05 21:32 d-----w E:\Documents and Settings\althea g\Application Data\LimeWire
    2008-01-18 01:46 d-----w E:\Documents and Settings\althea g\Application Data\AVG7
    2008-01-15 14:54 10,537 ----a-w E:\WINDOWS\system32\drivers\COH_Mon.cat
    2008-01-15 10:28 706 ----a-w E:\WINDOWS\system32\drivers\COH_Mon.inf
    2008-01-12 23:32 23,904 ----a-w E:\WINDOWS\system32\drivers\COH_Mon.sys
    2008-01-10 01:01 d-----w E:\Documents and Settings\Administrator\Application Data\AVG7
    2008-01-10 00:54 d-----w E:\Documents and Settings\Administrator\Application Data\AdobeUM
    2008-01-09 23:58 d-----w E:\Documents and Settings\Administrator\Application Data\Search Settings
    2008-01-05 23:53 d-----w E:\Program Files\Common Files\SWF Studio
    2008-01-05 23:51 d-----w E:\Program Files\Free Audio Pack
    2008-01-05 22:11 26,952 ----a-w E:\WINDOWS\system32\drivers\avgmfx86.sys.install_backup
    2008-01-05 22:11 10,760 ----a-w E:\WINDOWS\system32\drivers\avgclean.sys.install_backup
    2008-01-05 01:13 d-----w E:\Program Files\Norton AntiVirus
    2008-01-05 01:08 805 ----a-w E:\WINDOWS\system32\drivers\SYMEVENT.INF
    2008-01-05 01:08 123,952 ----a-w E:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2008-01-05 01:08 10,740 ----a-w E:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2008-01-05 01:08 d-----w E:\Program Files\Symantec
    2008-01-05 00:58 821,856 ----a-w E:\WINDOWS\system32\drivers\avg7core.sys.install_backup
    2008-01-05 00:58 4,960 ----a-w E:\WINDOWS\system32\drivers\avgtdi.sys.install_backup
    2008-01-05 00:58 4,224 ----a-w E:\WINDOWS\system32\drivers\avg7rsw.sys.install_backup
    2008-01-05 00:58 27,776 ----a-w E:\WINDOWS\system32\drivers\avg7rsxp.sys.install_backup
    2008-01-05 00:58 d-----w E:\Documents and Settings\LocalService\Application Data\AVG7
    2008-01-05 00:58 d-----w E:\Documents and Settings\All Users\Application Data\Grisoft
    2008-01-04 23:46 d-----w E:\Program Files\Common Files\Wise Installation Wizard
    2008-01-04 20:27 d-----w E:\Program Files\Lavasoft
    2007-12-31 00:46 d-----w E:\Documents and Settings\Owner\Application Data\Apple Computer
    2007-07-08 17:33 1,843,028 --sha-w E:\WINDOWS\system32\rqstv.bak1
    2007-09-18 23:56 1,965,918 --sha-w E:\WINDOWS\system32\rqstv.bak2
    2007-09-19 05:22 1,965,013 --sha-w E:\WINDOWS\system32\rqstv.ini2
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32052E0E-0378-46A1-8782-019EE7F9E1DA}]
    E:\Program Files\Messenger\holesuc4444.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3381BDCE-30AA-4201-BAA7-DEF952DCB15e}]
    E:\WINDOWS\system32\yjvgofpr.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{351813AB-A21A-F9BC-1216-828DBB51D0BF}]
    E:\WINDOWS\system32\mrmnjp.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6BB70C4F-4F71-433A-9040-DC8213A63647}]
    E:\WINDOWS\system32\yjvgofpr.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A022DA7-591C-4516-9F27-D5054D8E6293}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83B632D7-FC17-4671-BFBE-5A190BB1D62F}]
    E:\WINDOWS\system32\vtsqr.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94D45A69-398A-48C5-B136-9D5A841C4F8B}]
    E:\Program Files\Messenger\holesuc83122.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="E:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
    "ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
    "ifrk"="E:\PROGRA~1\COMMON~1\ifrk\ifrkm.exe" [ ]
    "SpybotSD TeaTimer"="E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Verizon_McciTrayApp"="E:\Program Files\Verizon\McciTrayApp.exe" [2007-06-06 18:52 936960]
    "osCheck"="E:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 20:22 26248]
    "VerizonServicepoint.exe"="E:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 14:20 2061816]
    "SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
    "IgfxTray"="E:\WINDOWS\system32\igfxtray.exe" [2003-10-02 12:37 155648]
    "HotKeysCmds"="E:\WINDOWS\system32\hkcmd.exe" [2003-10-02 12:19 118784]
    "Symantec PIF AlertEng"="E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
    "ccApp"="E:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 02:04 84640]
    "QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
    "COMODO Firewall Pro"="E:\Program Files\COMODO\Firewall\cfp.exe" [2008-02-20 14:00 1481984]
    "svhost"="E:\WINDOWS\svhost.exe" [ ]
    "poolsv"="E:\WINDOWS\poolsv.exe" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="E:\PROGRA~1\Grisoft\AVG7\avgw.exe" [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"= E:\WINDOWS\system32\guard32.dll

    [HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=E:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\E:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=E:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=E:\WINDOWS\pss\LimeWire On Startup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
    E:\PROGRA~1\Grisoft\AVG7\avgcc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    --a------ 2006-09-03 02:04 84640 E:\Program Files\Common Files\Symantec Shared\ccApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2007-12-11 12:10 267048 E:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
    --a------ 2006-07-13 00:22 57344 E:\Program Files\Lexmark 1200 Series\lxczbmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
    --a------ 2008-01-07 15:02 495616 E:\Program Files\Winamp Remote\bin\OrbTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-12-11 10:56 286720 E:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
    E:\WINDOWS\retadpu77.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
    E:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchSettings]
    E:\Program Files\Search Settings\SearchSettings.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
    E:\Documents and Settings\Owner\Application Data\Microsoft\Windows\wwxmuj.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Srir]
    E:\DOCUME~1\Owner\APPLIC~1\CROSOF~1.NET\regedit.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2007-07-29 15:51 68856 E:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Terk]
    E:\Documents and Settings\Owner\Application Data\s?stem32\?canregw.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    -ra------ 2006-03-30 15:45 313472 E:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
    E:\Program Files\Web Buying\v1.7.8\webbuying.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
    E:\Program Files\WinPop\winpop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
    E:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wuauserv"=2 (0x2)
    "CiSvc"=3 (0x3)

    R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;E:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-02-20 14:00]
    R1 cmdHlp;COMODO Firewall Pro Helper Driver;E:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-02-20 14:00]
    R1 vcdrom;Virtual CD-ROM Device Driver;E:\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 11:45]
    S3 hamachi_oem;PlayLinc Adapter;E:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-10-19 10:11]
    S3 XDva037;XDva037;E:\WINDOWS\system32\XDva037.sys []

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-20 19:30:12 E:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job"
    - E:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-22 18:40:31
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    DLLs Loaded Under Running Processes

    PROCESS: E:\WINDOWS\system32\winlogon.exe
    -> E:\WINDOWS\system32\guard32.dll

    PROCESS: E:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
    -> E:\WINDOWS\system32\guard32.dll
    .
    Other Running Processes
    .
    E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    E:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    E:\WINDOWS\system32\LEXBCES.EXE
    E:\WINDOWS\system32\LEXPPS.EXE
    E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    E:\WINDOWS\system32\WgaTray.exe
    E:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
    E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-22 18:46:09 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-02-22 23:46:04
    .
    2008-02-13 06:00:39 --- E O F ---


    THIS IS THE NEW HJT LOG

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:58:52 PM, on 2/22/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    E:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    E:\WINDOWS\system32\LEXBCES.EXE
    E:\WINDOWS\system32\spoolsv.exe
    E:\WINDOWS\system32\LEXPPS.EXE
    E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    E:\Program Files\COMODO\Firewall\cmdagent.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\WgaTray.exe
    E:\Program Files\Verizon\McciTrayApp.exe
    E:\Program Files\Verizon\VSP\VerizonServicepoint.exe
    E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    E:\WINDOWS\system32\hkcmd.exe
    E:\Program Files\Common Files\Symantec Shared\ccApp.exe
    E:\Program Files\Messenger\msmsgs.exe
    E:\WINDOWS\system32\ctfmon.exe
    E:\WINDOWS\explorer.exe
    E:\WINDOWS\system32\wuauclt.exe
    E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    E:\Program Files\COMODO\Firewall\cfp.exe
    E:\Program Files\Mozilla Firefox\firefox.exe
    E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {32052E0E-0378-46A1-8782-019EE7F9E1DA} - E:\Program Files\Messenger\holesuc4444.dll (file missing)
    O2 - BHO: (no name) - {3381BDCE-30AA-4201-BAA7-DEF952DCB15e} - E:\WINDOWS\system32\yjvgofpr.dll (file missing)
    O2 - BHO: (no name) - {351813AB-A21A-F9BC-1216-828DBB51D0BF} - E:\WINDOWS\system32\mrmnjp.dll (file missing)
    O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - E:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {6BB70C4F-4F71-433A-9040-DC8213A63647} - E:\WINDOWS\system32\yjvgofpr.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {83B632D7-FC17-4671-BFBE-5A190BB1D62F} - E:\WINDOWS\system32\vtsqr.dll (file missing)
    O2 - BHO: (no name) - {94D45A69-398A-48C5-B136-9D5A841C4F8B} - E:\Program Files\Messenger\holesuc83122.dll (file missing)
    O4 - HKLM\..\Run: [Verizon_McciTrayApp] E:\Program Files\Verizon\McciTrayApp.exe
    O4 - HKLM\..\Run: [osCheck] "E:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [VerizonServicepoint.exe] "E:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [ccApp] E:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "E:\Program Files\COMODO\Firewall\cfp.exe" -s
    O4 - HKLM\..\Run: [svhost] "E:\WINDOWS\svhost.exe"
    O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ifrk] E:\PROGRA~1\COMMON~1\ifrk\ifrkm.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
    O20 - AppInit_DLLs: E:\WINDOWS\system32\guard32.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
    O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - E:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\isPwdSvc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - E:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    --
    End of file - 8685 bytes
  • VekaVeka Finland
    edited February 2008
    Do you know what this is:

    E:\Program Files\Search Settings


    Please do the following....

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    File::
    E:\WINDOWS\system32\rqstv.tmp
    E:\WINDOWS\system32\rqstv.bak1
    E:\WINDOWS\system32\rqstv.bak2
    E:\Program Files\Messenger\holesuc4444.dll
    E:\WINDOWS\system32\yjvgofpr.dll
    E:\WINDOWS\system32\mrmnjp.dll
    E:\WINDOWS\system32\yjvgofpr.dll
    E:\WINDOWS\system32\vtsqr.dll
    E:\Program Files\Messenger\holesuc83122.dll
    E:\PROGRA~1\COMMON~1\ifrk\ifrkm.exe
    E:\WINDOWS\svhost.exe
    E:\WINDOWS\poolsv.exe
    E:\WINDOWS\retadpu77.exe
    E:\Documents and Settings\Owner\Application Data\Microsoft\Windows\wwxmuj.exe
    
    Folder::
    E:\Program Files\Web Buying
    E:\Program Files\WinPop
    E:\Documents and Settings\Owner\Application Data\WinTouch
    E:\PROGRA~1\COMMON~1\ifrk\
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32052E0E-0378-46A1-8782-019EE7F9E1DA}]
    [-HKEY_CLASSES_ROOT\CLSID\{32052E0E-0378-46A1-8782-019EE7F9E1DA}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3381BDCE-30AA-4201-BAA7-DEF952DCB15e}]
    [-HKEY_CLASSES_ROOT\CLSID\{3381BDCE-30AA-4201-BAA7-DEF952DCB15e}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{351813AB-A21A-F9BC-1216-828DBB51D0BF}]
    [-HKEY_CLASSES_ROOT\CLSID\{351813AB-A21A-F9BC-1216-828DBB51D0BF}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6BB70C4F-4F71-433A-9040-DC8213A63647}]
    [-HKEY_CLASSES_ROOT\CLSID\{6BB70C4F-4F71-433A-9040-DC8213A63647}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A022DA7-591C-4516-9F27-D5054D8E6293}]
    [-HKEY_CLASSES_ROOT\CLSID\{7A022DA7-591C-4516-9F27-D5054D8E6293}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83B632D7-FC17-4671-BFBE-5A190BB1D62F}]
    [-HKEY_CLASSES_ROOT\CLSID\{83B632D7-FC17-4671-BFBE-5A190BB1D62F}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94D45A69-398A-48C5-B136-9D5A841C4F8B}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ifrk"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "svhost"=-
    "poolsv"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Terk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
    
    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    CFScript.gif


    5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
    • Combofix.txt
    • A new HijackThis log.
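    As an added example (this is not code from the thread, nor from HijackThis or ComboFix), the Python script below shows how a CFScript like the one above is derived from an HJT log. It parses a handful of O2 (BHO) and O4 (Run key) lines copied from the log into a constructed sample, flags the entries a helper would look at (a BHO whose DLL is reported "(file missing)", an autostart binary sitting directly in the Windows folder, a file name one letter away from a system binary such as svhost.exe next to svchost.exe) and renders the matching File:: and Registry:: sections in the layout used in the reply. The rule set and the names parse_hjt, reasons and build_cfscript are my own and are not part of either tool.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log in
# this thread, enough to exercise every rule below.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32052E0E-0378-46A1-8782-019EE7F9E1DA} - E:\Program Files\Messenger\holesuc4444.dll (file missing)
O2 - BHO: (no name) - {3381BDCE-30AA-4201-BAA7-DEF952DCB15e} - E:\WINDOWS\system32\yjvgofpr.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] E:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [svhost] "E:\WINDOWS\svhost.exe"
O4 - HKCU\..\Run: [ifrk] E:\PROGRA~1\COMMON~1\ifrk\ifrkm.exe
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")

# Full key names for the two hives HijackThis abbreviates in O4 lines.
RUN_KEYS = {
    "HKLM": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKCU": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
}
# XP system binaries whose names the malware on this machine imitated
# (svhost.exe for svchost.exe, poolsv.exe for spoolsv.exe).
SYSTEM_NAMES = ("svchost.exe", "spoolsv.exe", "lsass.exe", "winlogon.exe", "csrss.exe")


def _exe_path(cmd):
    """Return the executable path from an O4 command, dropping quotes and arguments."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" /")[0].split(" -")[0]


def _edit_distance(a, b):
    """Levenshtein distance; used to catch one-letter lookalikes of system names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_hjt(text):
    """Parse O2 and O4 lines into dicts; every other HJT line type is ignored."""
    entries = []
    for line in text.strip().splitlines():
        m = O2_RE.match(line)
        if m:
            entries.append({"kind": "O2", "name": m["name"], "clsid": m["clsid"],
                            "path": m["path"], "missing": bool(m["missing"])})
            continue
        m = O4_RE.match(line)
        if m:
            entries.append({"kind": "O4", "hive": m["hive"], "value": m["value"],
                            "path": _exe_path(m["cmd"])})
    return entries


def reasons(entry):
    """Why a helper would look twice at this entry (empty list = nothing odd)."""
    out = []
    path = entry["path"]
    if entry["kind"] == "O2" and entry["missing"]:
        out.append("BHO registered but its DLL is gone (orphaned registration)")
    if entry["kind"] == "O4":
        parent, _, base = path.rpartition("\\")
        if re.fullmatch(r"[a-z]:\\windows", parent.lower()):
            out.append("autostart binary sits directly in the Windows folder")
        for legit in SYSTEM_NAMES:
            if base.lower() != legit and _edit_distance(base.lower(), legit) == 1:
                out.append(f"name is one edit away from {legit}")
    return out


def build_cfscript(entries):
    """Render File:: and Registry:: sections for the flagged entries, in the
    layout of the reply above: '[-key]' deletes a key, '"value"=-' deletes a value."""
    files, registry, run_values = [], [], {}
    for e in entries:
        if not reasons(e):
            continue
        files.append(e["path"])
        if e["kind"] == "O2":
            registry.append("[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\" + e["clsid"] + "]")
            registry.append("[-HKEY_CLASSES_ROOT\\CLSID\\" + e["clsid"] + "]")
        else:
            run_values.setdefault(RUN_KEYS[e["hive"]], []).append(e["value"])
    for key, values in run_values.items():
        registry.append("[" + key + "]")
        registry.extend('"' + v + '"=-' for v in values)
    return "File::\n" + "\n".join(files) + "\n\nRegistry::\n" + "\n".join(registry) + "\n"


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT)
    for entry in parsed:
        for why in reasons(entry):
            print(entry["path"], "->", why)
    print(build_cfscript(parsed))
```

    Note what the rules do not catch: the HKCU ifrk entry comes through unflagged, because neither its location nor its name matches a pattern, yet the helper put it in the script from experience with that family. A script like this is an aid to reading a log, not a substitute for the review.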
  • edited February 2008
    I'm not sure what Search Settings is, but I think it's what is changing my search engine settings in Firefox from Google to Yahoo.

    Here is the new ComboFix log

    ComboFix 08-02-22 - Owner 2008-02-23 20:01:42.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.120 [GMT -5:00]
    Running from: E:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: E:\Documents and Settings\Owner\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    E:\Documents and Settings\Owner\Application Data\Microsoft\Windows\wwxmuj.exe
    E:\PROGRA~1\COMMON~1\ifrk\ifrkm.exe
    E:\Program Files\Messenger\holesuc4444.dll
    E:\Program Files\Messenger\holesuc83122.dll
    E:\WINDOWS\poolsv.exe
    E:\WINDOWS\retadpu77.exe
    E:\WINDOWS\svhost.exe
    E:\WINDOWS\system32\mrmnjp.dll
    E:\WINDOWS\system32\rqstv.bak1
    E:\WINDOWS\system32\rqstv.bak2
    E:\WINDOWS\system32\rqstv.tmp
    E:\WINDOWS\system32\vtsqr.dll
    E:\WINDOWS\system32\yjvgofpr.dll
    .
    The following files were disabled during the run:
    E:\WINDOWS\system32\guard32.dll


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    E:\PROGRA~1\COMMON~1\ifrk\
    E:\PROGRA~1\COMMON~1\ifrk\\ifrka.lck
    E:\PROGRA~1\COMMON~1\ifrk\\ifrkd\class-barrel
    E:\PROGRA~1\COMMON~1\ifrk\\ifrkd\vocabulary
    E:\PROGRA~1\COMMON~1\ifrk\\ifrkh
    E:\PROGRA~1\COMMON~1\ifrk\\ifrkl.lck
    E:\PROGRA~1\COMMON~1\ifrk\\ifrkm.lck
    E:\WINDOWS\system32\rqstv.bak1
    E:\WINDOWS\system32\rqstv.bak2
    E:\WINDOWS\system32\rqstv.tmp

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-24 to 2008-02-24 )))))))))))))))))))))))))))))))
    .

    2008-02-23 18:14 . 2008-02-23 18:14 376 --a E:\WINDOWS\ODBC.INI
    2008-02-23 18:09 . 2008-02-23 18:09 <DIR> d E:\WINDOWS\ShellNew
    2008-02-23 18:07 . 2008-02-23 18:07 <DIR> d E:\Documents and Settings\Owner\Application Data\Microsoft Web Folders
    2008-02-23 16:46 . 2008-02-23 16:46 0 --ah E:\WINDOWS\system32\drivers\Msft_Kernel_motport_01005.Wdf
    2008-02-23 16:46 . 2008-02-23 16:46 0 --ah E:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
    2008-02-23 16:32 . 2007-03-17 15:12 303,104 --a E:\lame_enc.dll
    2008-02-23 16:22 . 2008-02-23 16:22 0 --ah E:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
    2008-02-23 16:22 . 2008-02-23 16:22 0 --ah E:\WINDOWS\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
    2008-02-23 16:22 . 2008-02-23 16:22 0 --ah E:\WINDOWS\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
    2008-02-23 16:14 . 2008-02-23 16:14 <DIR> d E:\WINDOWS\LastGood
    2008-02-23 16:10 . 2008-02-23 16:11 <DIR> d E:\Program Files\Audacity
    2008-02-23 13:09 . 2004-07-20 17:24 1,568,768 E:\WINDOWS\system32\ImagX7.dll
    2008-02-23 13:09 . 2004-07-20 17:24 476,320 E:\WINDOWS\system32\ImagXpr7.dll
    2008-02-23 13:09 . 2004-07-20 17:24 471,040 E:\WINDOWS\system32\ImagXRA7.dll
    2008-02-23 13:09 . 2004-07-09 09:43 364,544 E:\WINDOWS\system32\TwnLib4.dll
    2008-02-23 13:09 . 2004-07-20 17:24 262,144 E:\WINDOWS\system32\ImagXR7.dll
    2008-02-23 13:09 . 2000-06-26 11:45 106,496 --a E:\WINDOWS\system32\TwnLib20.dll
    2008-02-23 13:09 . 2001-06-26 08:15 38,912 E:\WINDOWS\system32\picn20.dll
    2008-02-23 13:08 . 2008-02-23 13:08 <DIR> d E:\Program Files\Common Files\Ahead
    2008-02-23 13:08 . 2008-02-23 13:10 <DIR> d E:\Program Files\Ahead
    2008-02-23 13:08 . 2001-07-09 11:50 155,648 --a E:\WINDOWS\system32\NeroCheck.exe
    2008-02-22 22:09 . 2008-02-23 17:31 54,156 --ah E:\WINDOWS\QTFont.qfn
    2008-02-22 22:09 . 2008-02-22 22:09 1,409 --a E:\WINDOWS\QTFont.for
    2008-02-21 18:02 . 2008-02-21 18:02 <DIR> d E:\WINDOWS\ERUNT
    2008-02-21 17:51 . 2008-02-21 18:15 <DIR> d E:\SDFix
    2008-02-20 14:00 . 2008-02-20 14:00 <DIR> d E:\Program Files\COMODO
    2008-02-20 14:00 . 2008-02-20 14:00 <DIR> d E:\Documents and Settings\Owner\Application Data\Comodo
    2008-02-20 14:00 . 2008-02-20 14:12 <DIR> d E:\Documents and Settings\All Users\Application Data\comodo
    2008-02-20 14:00 . 2008-02-20 14:00 139,008 --a E:\WINDOWS\system32\guard32.dll.vir
    2008-02-20 14:00 . 2008-02-20 14:00 79,096 --a E:\WINDOWS\system32\drivers\cmdGuard.sys
    2008-02-20 14:00 . 2008-02-20 14:00 23,672 --a E:\WINDOWS\system32\drivers\cmdhlp.sys
    2008-02-20 13:51 . 2008-02-20 13:53 <DIR> d E:\Program Files\SpywareBlaster
    2008-02-20 13:51 . 2005-08-25 18:18 118,784 --a E:\WINDOWS\system32\MSSTDFMT.DLL
    2008-02-20 13:15 . 2008-02-20 13:16 <DIR> d E:\Program Files\Desktop Hijack Fix
    2008-02-20 13:15 . 2008-02-20 13:15 249,856 E:\WINDOWS\Setup1.exe
    2008-02-20 13:15 . 2008-02-20 13:15 73,216 --a E:\WINDOWS\ST6UNST.EXE
    2008-02-19 11:24 . 2008-02-19 11:24 <DIR> d E:\Documents and Settings\Owner\Application Data\Uniblue
    2008-02-19 11:21 . 2008-02-19 11:21 <DIR> d E:\Program Files\Uniblue
    2008-02-17 08:26 . 2008-02-17 08:26 <DIR> d E:\Program Files\OGPlanet
    2008-02-17 02:43 . 2008-02-17 02:43 <DIR> d E:\Program Files\Lavalys
    2008-02-17 02:42 . 2008-02-17 03:02 <DIR> d E:\Documents and Settings\Owner\Application Data\GetRightToGo
    2008-02-16 15:10 . 2006-11-13 15:45 1,419,232 --a E:\WINDOWS\system32\wdfcoinstaller01005.dll
    2008-02-16 15:10 . 2007-04-02 22:13 21,632 --a E:\WINDOWS\system32\drivers\motport.sys
    2008-02-16 15:10 . 2007-04-02 22:13 21,632 --a E:\WINDOWS\system32\drivers\motmodem.sys
    2008-02-16 15:10 . 2007-04-02 22:13 17,920 --a E:\WINDOWS\system32\drivers\motccgp.sys
    2008-02-16 15:10 . 2007-01-23 20:03 7,680 --a E:\WINDOWS\system32\drivers\motccgpfl.sys
    2008-02-16 15:10 . 2006-12-06 18:33 6,400 --a E:\WINDOWS\system32\drivers\motswch.sys
    2008-02-16 15:09 . 2008-02-16 15:09 <DIR> d E:\Program Files\Common Files\Motorola Shared
    2008-02-16 14:59 . 2008-02-16 14:59 25,600 --a E:\Documents and Settings\Owner\usbsermptxp.sys
    2008-02-16 14:59 . 2008-02-16 14:59 22,768 --a E:\Documents and Settings\Owner\usbsermpt.sys
    2008-02-16 13:37 . 2008-02-16 13:37 <DIR> d E:\WINDOWS\FIOS
    2008-02-10 20:21 . 2008-02-10 20:21 <DIR> d E:\Documents and Settings\Owner\Application Data\VOL_TOOLBAR
    2008-02-10 16:38 . 2008-02-10 16:38 <DIR> d E:\Program Files\Trend Micro
    2008-01-27 20:57 . 2008-01-27 20:57 <DIR> d E:\Documents and Settings\Owner\Application Data\ImgBurn
    2008-01-27 20:25 . 2000-07-21 10:40 2,048 --a E:\w2ksect.bin
    2008-01-27 18:47 . 2008-01-27 20:05 <DIR> d E:\xpsetup
    2008-01-27 18:36 . 2008-01-27 18:37 <DIR> d E:\Program Files\ImgBurn

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-24 00:35 d-----w E:\Documents and Settings\Owner\Application Data\LimeWire
    2008-02-23 23:07 d-----w E:\Program Files\microsoft frontpage
    2008-02-21 16:43 d-----w E:\Documents and Settings\All Users\Application Data\avg7
    2008-02-21 16:41 d-----w E:\Documents and Settings\Owner\Application Data\VideoEgg
    2008-02-19 16:03 d-----w E:\Documents and Settings\Owner\Application Data\AVG7
    2008-02-18 04:02 d-----w E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-17 22:39 d-----w E:\Program Files\Soulseek
    2008-02-17 22:31 d-----w E:\Program Files\Spybot - Search & Destroy
    2008-02-16 18:37 d-----w E:\Program Files\Verizon
    2008-02-15 00:38 d-----w E:\Program Files\Common Files\Symantec Shared
    2008-02-15 00:38 d-----w E:\Documents and Settings\All Users\Application Data\Symantec
    2008-02-11 01:01 d-----w E:\Program Files\Disney
    2008-02-10 23:03 d-----w E:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-02-10 23:00 12,632 ----a-w E:\WINDOWS\system32\lsdelete.exe
    2008-02-10 21:46 d-----w E:\Program Files\Google
    2008-02-05 21:32 d-----w E:\Documents and Settings\althea g\Application Data\LimeWire
    2008-01-23 22:14 d-----w E:\Documents and Settings\Owner\Application Data\DivX
    2008-01-23 22:13 d-----w E:\Program Files\DivX
    2008-01-23 22:08 d-----w E:\Documents and Settings\Owner\Application Data\Winamp
    2008-01-23 16:58 d-----w E:\Program Files\Winamp
    2008-01-23 16:57 d-----w E:\Program Files\Winamp Remote
    2008-01-23 16:57 d-----w E:\Documents and Settings\All Users\Application Data\OrbNetworks
    2008-01-18 01:46 d-----w E:\Documents and Settings\althea g\Application Data\AVG7
    2008-01-15 14:54 10,537 ----a-w E:\WINDOWS\system32\drivers\COH_Mon.cat
    2008-01-15 10:28 706 ----a-w E:\WINDOWS\system32\drivers\COH_Mon.inf
    2008-01-12 23:32 23,904 ----a-w E:\WINDOWS\system32\drivers\COH_Mon.sys
    2008-01-10 01:01 d-----w E:\Documents and Settings\Administrator\Application Data\AVG7
    2008-01-10 00:54 d-----w E:\Documents and Settings\Administrator\Application Data\AdobeUM
    2008-01-09 23:58 d-----w E:\Documents and Settings\Administrator\Application Data\Search Settings
    2008-01-05 23:53 d-----w E:\Program Files\Common Files\SWF Studio
    2008-01-05 23:51 d-----w E:\Program Files\Free Audio Pack
    2008-01-05 22:11 26,952 ----a-w E:\WINDOWS\system32\drivers\avgmfx86.sys.install_backup
    2008-01-05 22:11 10,760 ----a-w E:\WINDOWS\system32\drivers\avgclean.sys.install_backup
    2008-01-05 01:13 d-----w E:\Program Files\Norton AntiVirus
    2008-01-05 01:08 805 ----a-w E:\WINDOWS\system32\drivers\SYMEVENT.INF
    2008-01-05 01:08 60,800 ----a-w E:\WINDOWS\system32\S32EVNT1.DLL
    2008-01-05 01:08 123,952 ----a-w E:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2008-01-05 01:08 10,740 ----a-w E:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2008-01-05 01:08 d-----w E:\Program Files\Symantec
    2008-01-05 00:58 821,856 ----a-w E:\WINDOWS\system32\drivers\avg7core.sys.install_backup
    2008-01-05 00:58 4,960 ----a-w E:\WINDOWS\system32\drivers\avgtdi.sys.install_backup
    2008-01-05 00:58 4,224 ----a-w E:\WINDOWS\system32\drivers\avg7rsw.sys.install_backup
    2008-01-05 00:58 27,776 ----a-w E:\WINDOWS\system32\drivers\avg7rsxp.sys.install_backup
    2008-01-05 00:58 d-----w E:\Documents and Settings\LocalService\Application Data\AVG7
    2008-01-05 00:58 d-----w E:\Documents and Settings\All Users\Application Data\Grisoft
    2008-01-04 23:46 d-----w E:\Program Files\Common Files\Wise Installation Wizard
    2008-01-04 21:59 524,288 ----a-w E:\WINDOWS\system32\DivXsm.exe
    2008-01-04 21:58 3,596,288 ----a-w E:\WINDOWS\system32\qt-dx331.dll
    2008-01-04 21:58 200,704 ----a-w E:\WINDOWS\system32\ssldivx.dll
    2008-01-04 21:58 129,784 ------w E:\WINDOWS\system32\pxafs.dll
    2008-01-04 21:58 120,056 ------w E:\WINDOWS\system32\pxcpyi64.exe
    2008-01-04 21:58 118,520 ------w E:\WINDOWS\system32\pxinsi64.exe
    2008-01-04 21:58 1,044,480 ----a-w E:\WINDOWS\system32\libdivx.dll
    2008-01-04 21:57 823,296 ----a-w E:\WINDOWS\system32\divx_xx0c.dll
    2008-01-04 21:57 823,296 ----a-w E:\WINDOWS\system32\divx_xx07.dll
    2008-01-04 21:57 81,920 ----a-w E:\WINDOWS\system32\dpl100.dll
    2008-01-04 21:57 802,816 ----a-w E:\WINDOWS\system32\divx_xx11.dll
    2008-01-04 21:57 682,496 ----a-w E:\WINDOWS\system32\DivX.dll
    2008-01-04 21:57 593,920 ----a-w E:\WINDOWS\system32\dpuGUI11.dll
    2008-01-04 21:57 57,344 ----a-w E:\WINDOWS\system32\dpv11.dll
    2008-01-04 21:57 53,248 ----a-w E:\WINDOWS\system32\dpuGUI10.dll
    2008-01-04 21:57 344,064 ----a-w E:\WINDOWS\system32\dpus11.dll
    2008-01-04 21:57 294,912 ----a-w E:\WINDOWS\system32\dpu11.dll
    2008-01-04 21:57 294,912 ----a-w E:\WINDOWS\system32\dpu10.dll
    2008-01-04 21:57 196,608 ----a-w E:\WINDOWS\system32\dtu100.dll
    2008-01-04 21:56 156,992 ----a-w E:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2008-01-04 21:56 12,288 ----a-w E:\WINDOWS\system32\DivXWMPExtType.dll
    2008-01-04 20:27 d-----w E:\Program Files\Lavasoft
    2007-12-31 00:46 d-----w E:\Documents and Settings\Owner\Application Data\Apple Computer
    2007-12-07 02:21 824,832 ----a-w E:\WINDOWS\system32\wininet.dll
    2007-12-04 18:38 550,912 ----a-w E:\WINDOWS\system32\oleaut32.dll
    2007-09-19 05:22 1,965,013 --sha-w E:\WINDOWS\system32\rqstv.ini2
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
    "SpybotSD TeaTimer"="E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Verizon_McciTrayApp"="E:\Program Files\Verizon\McciTrayApp.exe" [2007-06-06 18:52 936960]
    "osCheck"="E:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 20:22 26248]
    "VerizonServicepoint.exe"="E:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 14:20 2061816]
    "SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
    "IgfxTray"="E:\WINDOWS\system32\igfxtray.exe" [2003-10-02 12:37 155648]
    "HotKeysCmds"="E:\WINDOWS\system32\hkcmd.exe" [2003-10-02 12:19 118784]
    "Symantec PIF AlertEng"="E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
    "ccApp"="E:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 02:04 84640]
    "COMODO Firewall Pro"="E:\Program Files\COMODO\Firewall\cfp.exe" [2008-02-20 14:00 1481984]
    "MSConfig"="E:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2004-08-03 23:56 158208]
    "NeroFilterCheck"="E:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="E:\PROGRA~1\Grisoft\AVG7\avgw.exe" [ ]

    E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - E:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"= E:\WINDOWS\system32\guard32.dll

    [HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=E:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\E:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=E:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=E:\WINDOWS\pss\LimeWire On Startup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
    E:\PROGRA~1\Grisoft\AVG7\avgcc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    --a 2006-09-03 02:04 84640 E:\Program Files\Common Files\Symantec Shared\ccApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a 2007-12-11 12:10 267048 E:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
    --a 2006-07-13 00:22 57344 E:\Program Files\Lexmark 1200 Series\lxczbmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2004-10-13 11:24 1694208 E:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
    --a 2008-01-07 15:02 495616 E:\Program Files\Winamp Remote\bin\OrbTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a 2007-12-11 10:56 286720 E:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
    E:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchSettings]
    E:\Program Files\Search Settings\SearchSettings.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Srir]
    E:\DOCUME~1\Owner\APPLIC~1\CROSOF~1.NET\regedit.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a 2007-07-29 15:51 68856 E:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    -ra 2006-03-30 15:45 313472 E:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wuauserv"=2 (0x2)
    "CiSvc"=3 (0x3)

    R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;E:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-02-20 14:00]
    R1 cmdHlp;COMODO Firewall Pro Helper Driver;E:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-02-20 14:00]
    R1 vcdrom;Virtual CD-ROM Device Driver;E:\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 11:45]
    S3 hamachi_oem;PlayLinc Adapter;E:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-10-19 10:11]
    S3 motccgp;Motorola USB Composite Device Driver;E:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-04-02 22:13]
    S3 motccgpfl;MotCcgpFlService;E:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 20:03]
    S3 motport;Motorola USB Diagnostic Port;E:\WINDOWS\system32\DRIVERS\motport.sys [2007-04-02 22:13]
    S3 XDva037;XDva037;E:\WINDOWS\system32\XDva037.sys []

    *Newly Created Service* - WDF01000
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-23 02:31:59 E:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job"
    - E:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-23 20:15:29
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    DLLs Loaded Under Running Processes

    PROCESS: E:\WINDOWS\system32\winlogon.exe
    -> E:\WINDOWS\system32\guard32.dll

    PROCESS: E:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
    -> E:\WINDOWS\system32\guard32.dll
    .
    Completion time: 2008-02-23 20:16:44
    ComboFix-quarantined-files.txt 2008-02-24 01:16:40
    ComboFix2.txt 2008-02-22 23:46:10
    .
    2008-02-13 06:00:39 --- E O F ---


    and this is the new HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:36:00 PM, on 2/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    E:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    E:\WINDOWS\system32\LEXBCES.EXE
    E:\WINDOWS\system32\LEXPPS.EXE
    E:\WINDOWS\system32\spoolsv.exe
    E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    E:\Program Files\COMODO\Firewall\cmdagent.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\WgaTray.exe
    E:\WINDOWS\Explorer.EXE
    E:\Program Files\Verizon\McciTrayApp.exe
    E:\Program Files\Verizon\VSP\VerizonServicepoint.exe
    E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    E:\WINDOWS\system32\hkcmd.exe
    E:\Program Files\Common Files\Symantec Shared\ccApp.exe
    E:\Program Files\COMODO\Firewall\cfp.exe
    E:\WINDOWS\system32\ctfmon.exe
    E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    E:\WINDOWS\system32\wuauclt.exe
    E:\Program Files\Mozilla Firefox\firefox.exe
    E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {32052E0E-0378-46A1-8782-019EE7F9E1DA} - (no file)
    O2 - BHO: (no name) - {3381BDCE-30AA-4201-BAA7-DEF952DCB15e} - (no file)
    O2 - BHO: (no name) - {351813AB-A21A-F9BC-1216-828DBB51D0BF} - (no file)
    O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - E:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {6BB70C4F-4F71-433A-9040-DC8213A63647} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7A022DA7-591C-4516-9F27-D5054D8E6293} - (no file)
    O2 - BHO: (no name) - {83B632D7-FC17-4671-BFBE-5A190BB1D62F} - (no file)
    O2 - BHO: (no name) - {94D45A69-398A-48C5-B136-9D5A841C4F8B} - (no file)
    O4 - HKLM\..\Run: [Verizon_McciTrayApp] E:\Program Files\Verizon\McciTrayApp.exe
    O4 - HKLM\..\Run: [osCheck] "E:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [VerizonServicepoint.exe] "E:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [ccApp] E:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "E:\Program Files\COMODO\Firewall\cfp.exe" -s
    O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
    O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
    O20 - AppInit_DLLs: E:\WINDOWS\system32\guard32.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
    O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - E:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\isPwdSvc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - E:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    --
    End of file - 8435 bytes
  • edited February 2008
    Oh, do you know of any good registry cleaners, preferably a free one? It would be greatly appreciated.
  • VekaVeka Finland
    edited February 2008
    Hello :)


    You may want to print out these instructions or save them as a text file with Notepad to your desktop


    Step 1:

    Please run CFScript again

    Copy/paste the entire content of the codebox below into Notepad

    (Note: this script will also remove the leftovers of AVG Antivirus)
    File::
    E:\WINDOWS\system32\rqstv.ini2
    E:\WINDOWS\system32\drivers\avgmfx86.sys.install_backup
    E:\WINDOWS\system32\drivers\avgclean.sys.install_backup
    E:\WINDOWS\system32\drivers\avg7core.sys.install_backup
    E:\WINDOWS\system32\drivers\avgtdi.sys.install_backup
    E:\WINDOWS\system32\drivers\avg7rsw.sys.install_backup
    E:\WINDOWS\system32\drivers\avg7rsxp.sys.install_backup
    
    Folder::
    E:\Documents and Settings\All Users\Application Data\avg7
    E:\Documents and Settings\Owner\Application Data\AVG7
    E:\Documents and Settings\althea g\Application Data\AVG7
    E:\Documents and Settings\Administrator\Application Data\AVG7
    E:\Documents and Settings\LocalService\Application Data\AVG7
    E:\PROGRA~1\Grisoft\AVG7
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Srir]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"=-
    
    Save the above as CFScript.txt

    Step 2:

    Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    CFScript.gif


    After reboot, (in case it asks to reboot), please post Combofix.txt into your next reply.

    Step 3:

    Do a system scan with HijackThis.

    Check the boxes next to all the entries listed below (if present)

    O2 - BHO: (no name) - {32052E0E-0378-46A1-8782-019EE7F9E1DA} - (no file)
    O2 - BHO: (no name) - {3381BDCE-30AA-4201-BAA7-DEF952DCB15e} - (no file)
    O2 - BHO: (no name) - {351813AB-A21A-F9BC-1216-828DBB51D0BF} - (no file)
    O2 - BHO: (no name) - {6BB70C4F-4F71-433A-9040-DC8213A63647} - (no file)
    O2 - BHO: (no name) - {7A022DA7-591C-4516-9F27-D5054D8E6293} - (no file)
    O2 - BHO: (no name) - {83B632D7-FC17-4671-BFBE-5A190BB1D62F} - (no file)
    O2 - BHO: (no name) - {94D45A69-398A-48C5-B136-9D5A841C4F8B} - (no file)
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
    O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)


    Now close all windows other than HijackThis, then click Fix Checked.

    Step 4:

    Click Start, click Run. Type (or copy & paste) sc delete Avg7Alrt and then click OK

    Click Start, click Run. Type (or copy & paste) sc delete Avg7UpdSvc and then click OK

    Click Start, click Run. Type (or copy & paste) sc delete AVGEMS and then click OK

    Step 5:

    Finally,
    • Please go to VirusTotal
    • Copy and paste the following file path into the Search Box in the middle of the page:

      E:\WINDOWS\system32\XDva037.sys


    • Now, click on the Send File button
    • Save a copy of the Anti-Virus results. Post the results in your next reply.
    Step 6:

    Please post the ComboFix log, a new HijackThis log, and the results of the VirusTotal scan.
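As an added example (not part of this thread, and not code from HijackThis or ComboFix), here is a small Python triage over HJT-format log lines that flags the kinds of entries the steps above deal with: O2 BHOs reported as "(no file)", O23 services marked "(file missing)" (the ones later removed with sc delete), and O4 autostarts that run from a user-writable profile path (the pattern behind the Srir entry in the ComboFix log). The sample lines are constructed from entries in this thread; the O4 Srir line is a constructed HJT-style rendering of that ComboFix startupreg entry, and the path markers are a heuristic, not an HJT rule.

```python
import re

# Constructed sample in HijackThis v2 line format, modelled on the logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32052E0E-0378-46A1-8782-019EE7F9E1DA} - (no file)
O4 - HKLM\..\Run: [ccApp] E:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Srir] E:\DOCUME~1\Owner\APPLIC~1\CROSOF~1.NET\regedit.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - E:\WINDOWS\system32\LEXBCES.EXE
"""

# Heuristic markers (assumption): autostarts living under a user profile or temp
# directory deserve a look, since normal installers put binaries under Program Files.
USER_WRITABLE = ("documents and settings", "docume~1", "application data",
                 "applic~1", "locals~1", "\\temp\\")

RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<name>.*?)(?: \((?P<short>[^)]+)\))?"
                    r" - (?P<owner>.*?) - (?P<path>.*)$")


def triage_hjt(log_text):
    """Return (section, identifier, note) triples for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := RE_O2.match(line):
            if m["path"] == "(no file)":
                findings.append(("O2", m["clsid"], "orphaned BHO: registry entry points to no file"))
        elif m := RE_O4.match(line):
            cmd = m["cmd"].lower()
            if any(marker in cmd for marker in USER_WRITABLE):
                findings.append(("O4", m["name"], "autostart runs from a user-writable profile path"))
        elif m := RE_O23.match(line):
            if m["path"].endswith("(file missing)"):
                # The short name in parentheses is what 'sc delete <name>' expects.
                findings.append(("O23", m["short"] or m["name"], "service binary missing; leftover service"))
    return findings


if __name__ == "__main__":
    for section, ident, note in triage_hjt(SAMPLE_LOG):
        print(f"{section:<4} {ident:<40} {note}")
```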
  • VekaVeka Finland
    edited February 2008
    How's it going? :) Please let me know if you don't need assistance anymore.