
Malwarebytes

Blue desktop, bugs.


34 replies to this topic

#1
Legacy

    New Member

  • Members
  • 30 posts
My computer is going loco.

My desktop is blue with a blue and yellow box which reads "Warning! Your computer is infected with spyware!" and when the computer is in a period of inactivity, beetles begin to 'eat' the screen. If that's not enough, there's a rogueware on my computer called Malware Protector 2008. My time also changed from 2-12 to 1-24, but I managed to fix that easily.

I'm in distress, this is my older brother's computer and this somehow happened. I don't want him to buy a new computer because, knowing him, he's too lazy to fix this and also if he does buy a new computer he'll blame crap on me. I know I'm not so computer savvy but I tried my best, but couldn't do anything.

So.

Ran Spybot Search and Destroy immunization scan, not sure if I had TeaTimer on or off but results-

Unprotected: 0
Protected: 63018
Total: 63018


Malwarebytes log:

Malwarebytes' Anti-Malware 1.17
Database version: 849

10:41:19 PM 6/11/2008
mbam-log-6-11-2008 (22-41-19).txt

Scan type: Quick Scan
Objects scanned: 53663
Time elapsed: 19 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008 (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\blphc5skj0ee89.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\How to Register Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\License Agreement.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Register Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Uninstall.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carlos\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carlos\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carlos\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carlos\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Delete on reboot.

Panda active scan log:

;*********************************************************************************************************************************************************************************
ANALYSIS: 2008-06-12 11:07:07
PROTECTIONS: 1
MALWARE: 45
SUSPECTS: 0
;*********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
avast! antivirus 4.8.1201 [VPS 080611-1] 4.8.1201 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@trafficmp[2].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@casalemedia[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[.doubleclick.net/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[.atdmt.com/]
00139535 Application/Processor HackTools No 0 Yes No C:\Program Files\Mozilla Firefox\SmitfraudFix\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\system32\Process.exe
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@247realmedia[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[.fastclick.net/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@tribalfusion[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[.mediaplex.com/]
00146967 Cookie/PayCounter TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@paycounter[1].txt
00147796 Cookie/Entrepreneur TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@entrepreneur[2].txt
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@revenue[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@com[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@xiti[2].txt
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@azjmp[1].txt
00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@toplist[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@statcounter[2].txt
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@perf.overture[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@ad.yieldmanager[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[ad.yieldmanager.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[.apmebf.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@apmebf[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@burstnet[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@bs.serving-sys[1].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[www.burstbeacon.com/]
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@www.burstbeacon[1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@server.iad.liveperson[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[.advertising.com/]
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[statse.webtrendslive.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@overture[1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[.overture.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@questionmarket[1].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@adrevolver[2].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[.adrevolver.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@go[1].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@searchportal.information[2].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[.target.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@target[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@atwola[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Mozilla\Firefox\Profiles\424l2tt3.default\cookies.txt[.atwola.com/]
00286732 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@www3.addfreestats[1].txt
01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@enhance[1].txt
01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Carlos\Cookies\carlos@adserver.easyad[1].txt
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe
02634745 Application/Playmp3z HackTools No 0 Yes No C:\Documents and Settings\Carlos\Local Settings\Temporary Internet Files\Content.IE5\ZYXAQ1N8\PLAY_MP3[1].exe
02763634 Trj/ClassLoader.AH Virus/Trojan No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-45d99cbd-6c5dfc5f.zip[VaannnaaBaa.class]
02763634 Trj/ClassLoader.AH Virus/Trojan No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-5b605af0-4d2c5eca.zip[VaannnaaBaa.class]
02763635 Trj/ClassLoader.AH Virus/Trojan No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-5b605af0-4d2c5eca.zip[Bnnnnn.class]
02763635 Trj/ClassLoader.AH Virus/Trojan No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-45d99cbd-6c5dfc5f.zip[Bnnnnn.class]
02763636 Trj/ClassLoader.AH Virus/Trojan No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-45d99cbd-6c5dfc5f.zip[BnnnnBaa.class]
02763636 Trj/ClassLoader.AH Virus/Trojan No 0 Yes No C:\Documents and Settings\Carlos\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-5b605af0-4d2c5eca.zip[BnnnnBaa.class]
03008451 Application/AdvancedXPFixer HackTools Yes 0 Yes No C:\PROGRAM FILES\SHC3SKJ0EE89\SHC3SKJ0EE89SKIN.DLL
03053495 Adware/VapSup Adware No 0 Yes No C:\WINDOWS\system32\blphc5skj0ee89.scr
03053495 Adware/VapSup Adware No 0 Yes No C:\System Volume Information\_restore{921622A0-D118-4E71-92AF-80DA8980141C}\RP394\A0052800.scr
03053495 Adware/VapSup Adware No 0 Yes No C:\System Volume Information\_restore{921622A0-D118-4E71-92AF-80DA8980141C}\RP394\A0052817.scr
03053495 Adware/VapSup Adware No 0 Yes No C:\WINDOWS\system32\FD.tmp
03053495 Adware/VapSup Adware No 0 Yes No C:\WINDOWS\system32\103.tmp
03053495 Adware/VapSup Adware No 0 Yes No C:\WINDOWS\system32\106.tmp
03053495 Adware/VapSup Adware No 0 Yes No C:\WINDOWS\system32\109.tmp
03053495 Adware/VapSup Adware No 0 Yes No C:\WINDOWS\system32\10C.tmp
03053495 Adware/VapSup Adware No 0 Yes No C:\WINDOWS\system32\100.tmp
03053495 Adware/VapSup Adware No 0 Yes No C:\WINDOWS\system32\EC.tmp
03053495 Adware/VapSup Adware No 0 Yes No C:\WINDOWS\system32\EF.tmp
03053495 Adware/VapSup Adware No 0 Yes No C:\WINDOWS\system32\F4.tmp
03053495 Adware/VapSup Adware No 0 Yes No C:\WINDOWS\system32\F7.tmp
03053495 Adware/VapSup Adware No 0 Yes No C:\WINDOWS\system32\FA.tmp
03064986 Adware/MalwareAlarm Adware Yes 2 Yes No C:\WINDOWS\SYSTEM32\LPHC5SKJ0EE89.EXE
03064986 Adware/MalwareAlarm Adware No 1 Yes No C:\Documents and Settings\Carlos\Local Settings\Temporary Internet Files\Content.IE5\ZYXAQ1N8\secure[1]
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================

Hijack this! log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:09 AM, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\bak\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\lphc5skj0ee89.exe
C:\Program Files\shc3skj0ee89\shc3skj0ee89.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Carlos\Local Settings\Temp\.tt17D.tmp
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Sal's Realm's Toolbar - {a5066406-348e-475e-9268-1d302b00c504} - C:\Program Files\Sal's_Realm's\tbSal1.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Sal's Realm's Toolbar - {a5066406-348e-475e-9268-1d302b00c504} - C:\Program Files\Sal's_Realm's\tbSal1.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Sal's Realm's Toolbar - {a5066406-348e-475e-9268-1d302b00c504} - C:\Program Files\Sal's_Realm's\tbSal1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\system32\V0330Cvw.dll] C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0330Cvw.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [lphc5skj0ee89] C:\WINDOWS\system32\lphc5skj0ee89.exe
O4 - HKLM\..\Run: [SMshc3skj0ee89] C:\Program Files\shc3skj0ee89\shc3skj0ee89.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: OneNote Table Of Contents.onetoc2
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/share...GamesLoader.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinn...d/bejeweled.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames...ctivex/YoYo.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--
End of file - 11487 bytes

So. Did I do it right?

After the Mbam quick scan it said C:\Documents and settings\Carlos\Local settings\Temp\.tt4.tmp could not be removed. It also said everything else would be removed on reboot.

I am DETERMINED to get this computer fixed.
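
The Malwarebytes log above has a simple line-oriented layout. The parser below is an added example, not code from the original post or from Malwarebytes: it reads a log in that layout, checks the header counts against the entries actually listed, flags "Delete on reboot" items like the .tt4.tmp the poster asks about, and names the Display Properties tabs that the two Hijack.DisplayProperties registry values were hiding. The embedded sample log is constructed from a subset of the posted entries.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the MBAM 1.17 log posted above; the entries
# are a subset of that log and the header counts match the entries listed here.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.17

Memory Processes Infected: 0
Registry Keys Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008 (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\blphc5skj0ee89.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carlos\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carlos\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Delete on reboot.
"""
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()\s]+)\) -> (?P<rest>.+)$")
BADGOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")

@dataclass
class Detection:
    section: str
    item: str
    family: str
    action: str
    bad: str | None = None   # Bad/Good values appear only for registry data items
    good: str | None = None

@dataclass
class MbamReport:
    summary: dict[str, int] = field(default_factory=dict)
    detections: list[Detection] = field(default_factory=list)

def parse_mbam_log(text: str) -> MbamReport:
    """Walk the log line by line, tracking which 'X Infected:' section is open."""
    report = MbamReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if m := SUMMARY_RE.match(line):
            report.summary[m["section"]] = int(m["count"])
        elif m := HEADER_RE.match(line):
            section = m["section"]
        elif section and (m := ENTRY_RE.match(line)):
            # for registry data items 'rest' is 'Bad: (1) Good: (0) -> <action>'
            action = m["rest"].split(" -> ")[-1].rstrip(".")
            bg = BADGOOD_RE.search(m["rest"])
            report.detections.append(Detection(
                section, m["item"], m["family"], action,
                bg["bad"] if bg else None, bg["good"] if bg else None))
    return report

def pending_reboot(report: MbamReport) -> list[str]:
    """Items MBAM could not remove while they were in use; they go on the next restart."""
    return [d.item for d in report.detections if d.action == "Delete on reboot"]

def summary_mismatches(report: MbamReport) -> dict[str, tuple[int, int]]:
    """Header count vs. entries listed per section; a gap usually means a truncated paste."""
    out = {}
    for section, claimed in report.summary.items():
        listed = sum(1 for d in report.detections if d.section == section)
        if listed != claimed:
            out[section] = (claimed, listed)
    return out

# Policy values under HKCU\...\Policies\System; set to 1 they hide Display
# Properties tabs, which is why the forced wallpaper could not be changed back.
DISPLAY_POLICY_TABS = {
    "NoDispBackgroundPage": "Desktop (background) tab",
    "NoDispScrSavPage": "Screen Saver tab",
}

def display_hijack_details(report: MbamReport) -> dict[str, str]:
    """Map each restored Hijack.DisplayProperties value to the tab it was hiding."""
    found = {}
    for d in report.detections:
        name = d.item.rsplit("\\", 1)[-1]
        if d.family == "Hijack.DisplayProperties" and name in DISPLAY_POLICY_TABS:
            found[name] = DISPLAY_POLICY_TABS[name]
    return found
```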

#2
JeanInMontana

    Delete this account!!

  • Honorary Members
  • 3,867 posts
  • Interests:would love to see some honesty around this site.
Hi Legacy and welcome to Malwarebytes. You have done well so far, still work to do. Did you run a removal scan with Spybot Search and Destroy? If not please do so, the Panda scan looks like you might not have. You also still have Tea Timer running and that can interfere with removal processes. Please turn it off.

Open SB S&D
Make sure you are in Advanced Mode. Click on the Mode link at the top of the program and then Advanced Mode.

Click on the Tools section and then Resident.
You will see two items.
1. Resident "SD helper" (Internet Explorer bad download blocker.) active
2. Resident "Tea Timer" (Protection of over-all system settings.) active.

Uncheck number 2.
Leave number 1 checked always.

You can enable Tea Timer again if you wish once all special fixes have been done.

Run HJT in scan only and put a check next to these items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background


Next please go to Start > My Computer > Right Click on C if that is your main drive and choose properties. You will see a pie chart and a button *Disk Clean-up* click this. Clean up all the temp files etc.

Reboot the computer.

Now please get this:

1. Download this file :
http://download.blee...Bs/ComboFix.exe

2. Double click combofix.exe. It will be a red icon with a white X on your desktop.
Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.

3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.

Post that log and a HiJack log in your next reply

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.




#3
Legacy

    New Member

  • Members
  • 30 posts
erm, okay I disabled TeaTimer. Do you still want me to run the immunize thing on SD and post the log? I really don't know what TeaTimer does but do you recommend I leave it on? You also told me to put a check next to those files, but what do I do afterwards?

Edited by JeanInMontana, 12 June 2008 - 06:38 PM.
Removed quote; no need to quote, save the scroll time.


#4
JeanInMontana

    Delete this account!!

Sorry, put the check and click Fix. Follow all the instructions I gave you. Disable Tea Timer for now. Immunize and run a removal scan with Spybot S&D; remove what it finds. Immunization is not a scan. It just adds a list of bad sites. I do not want a log from that program; I want you to have the prevention it provides and remove the junk from the tracking cookies etc. that show in your Panda scan.

Please follow all instructions.


#5
Legacy

    New Member

I ran Spybot and deleted Microsoft.Windows.System, and it came back. But I'll follow your steps for now. It had 2 entries.

#6
JeanInMontana

    Delete this account!!

You can add that entry to the ignore list. There should have been many other cookies also. But please move on to the next step in the instructions.

#7
Legacy

    New Member

ComboFix 08-06-11.1 - Carlos 2008-06-12 19:13:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.106 [GMT -4:00]
Running from: C:\Documents and Settings\Carlos\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\9.tmp
C:\WINDOWS\system32\C.tmp
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\F.tmp
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\sysrest.sys
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSREST.SYS
-------\Service_NPF
-------\Service_sysrest.sys


((((((((((((((((((((((((( Files Created from 2008-05-12 to 2008-06-12 )))))))))))))))))))))))))))))))
.

2008-06-12 18:22 . 2008-06-12 18:12 52,736 --a------ C:\WINDOWS\system32\2F.tmp
2008-06-12 17:11 . 2008-06-12 19:20 52,736 --a------ C:\WINDOWS\system32\blphc5skj0ee89.scr
2008-06-12 17:05 . 2008-06-12 16:55 52,736 --a------ C:\WINDOWS\system32\1D4.tmp
2008-06-12 16:55 . 2008-06-12 16:45 52,736 --a------ C:\WINDOWS\system32\1D1.tmp
2008-06-12 16:45 . 2008-06-12 16:35 52,736 --a------ C:\WINDOWS\system32\1CE.tmp
2008-06-12 16:35 . 2008-06-12 16:25 52,736 --a------ C:\WINDOWS\system32\1CB.tmp
2008-06-12 16:25 . 2008-06-12 16:15 52,736 --a------ C:\WINDOWS\system32\1C8.tmp
2008-06-12 16:15 . 2008-06-12 16:05 52,736 --a------ C:\WINDOWS\system32\1C5.tmp
2008-06-12 16:05 . 2008-06-12 15:55 52,736 --a------ C:\WINDOWS\system32\1C2.tmp
2008-06-12 15:55 . 2008-06-12 15:40 52,736 --a------ C:\WINDOWS\system32\1BF.tmp
2008-06-12 15:40 . 2008-06-12 15:30 52,736 --a------ C:\WINDOWS\system32\1BC.tmp
2008-06-12 15:30 . 2008-06-12 15:19 52,736 --a------ C:\WINDOWS\system32\1B9.tmp
2008-06-12 15:19 . 2008-06-12 15:09 52,736 --a------ C:\WINDOWS\system32\1B6.tmp
2008-06-12 15:09 . 2008-06-12 14:59 52,736 --a------ C:\WINDOWS\system32\1B3.tmp
2008-06-12 14:59 . 2008-06-12 14:49 52,736 --a------ C:\WINDOWS\system32\1B0.tmp
2008-06-12 14:24 . 2008-06-12 14:14 52,736 --a------ C:\WINDOWS\system32\1A9.tmp
2008-06-12 14:14 . 2008-06-12 14:04 52,736 --a------ C:\WINDOWS\system32\1A6.tmp
2008-06-12 14:04 . 2008-06-12 13:54 52,736 --a------ C:\WINDOWS\system32\1A3.tmp
2008-06-12 13:54 . 2008-06-12 13:44 52,736 --a------ C:\WINDOWS\system32\1A0.tmp
2008-06-12 13:03 . 2008-06-12 12:53 52,736 --a------ C:\WINDOWS\system32\195.tmp
2008-06-12 08:19 . 2008-06-12 08:09 52,736 --a------ C:\WINDOWS\system32\172.tmp
2008-06-12 08:09 . 2008-06-12 07:59 52,736 --a------ C:\WINDOWS\system32\16F.tmp
2008-06-12 07:59 . 2008-06-12 07:49 52,736 --a------ C:\WINDOWS\system32\16C.tmp
2008-06-12 07:49 . 2008-06-12 07:39 52,736 --a------ C:\WINDOWS\system32\169.tmp
2008-06-12 07:39 . 2008-06-12 07:29 52,736 --a------ C:\WINDOWS\system32\166.tmp
2008-06-12 07:29 . 2008-06-12 07:19 52,736 --a------ C:\WINDOWS\system32\163.tmp
2008-06-12 07:19 . 2008-06-12 07:08 52,736 --a------ C:\WINDOWS\system32\160.tmp
2008-06-12 07:08 . 2008-06-12 06:58 52,736 --a------ C:\WINDOWS\system32\15D.tmp
2008-06-12 06:58 . 2008-06-12 06:48 52,736 --a------ C:\WINDOWS\system32\15A.tmp
2008-06-12 06:48 . 2008-06-12 06:38 52,736 --a------ C:\WINDOWS\system32\157.tmp
2008-06-12 06:38 . 2008-06-12 06:28 52,736 --a------ C:\WINDOWS\system32\154.tmp
2008-06-12 06:28 . 2008-06-12 06:18 52,736 --a------ C:\WINDOWS\system32\151.tmp
2008-06-12 06:18 . 2008-06-12 06:08 52,736 --a------ C:\WINDOWS\system32\14E.tmp
2008-06-12 06:08 . 2008-06-12 05:58 52,736 --a------ C:\WINDOWS\system32\14B.tmp
2008-06-12 05:58 . 2008-06-12 05:48 52,736 --a------ C:\WINDOWS\system32\148.tmp
2008-06-12 05:48 . 2008-06-12 05:38 52,736 --a------ C:\WINDOWS\system32\145.tmp
2008-06-12 05:38 . 2008-06-12 05:28 52,736 --a------ C:\WINDOWS\system32\142.tmp
2008-06-12 05:28 . 2008-06-12 05:18 52,736 --a------ C:\WINDOWS\system32\13F.tmp
2008-06-12 05:18 . 2008-06-12 05:08 52,736 --a------ C:\WINDOWS\system32\13C.tmp
2008-06-12 05:08 . 2008-06-12 04:58 52,736 --a------ C:\WINDOWS\system32\139.tmp
2008-06-12 04:58 . 2008-06-12 04:48 52,736 --a------ C:\WINDOWS\system32\136.tmp
2008-06-12 04:48 . 2008-06-12 04:38 52,736 --a------ C:\WINDOWS\system32\133.tmp
2008-06-12 04:38 . 2008-06-12 04:28 52,736 --a------ C:\WINDOWS\system32\130.tmp
2008-06-12 04:28 . 2008-06-12 04:18 52,736 --a------ C:\WINDOWS\system32\12D.tmp
2008-06-12 04:18 . 2008-06-12 04:08 52,736 --a------ C:\WINDOWS\system32\12A.tmp
2008-06-12 04:08 . 2008-06-12 03:57 52,736 --a------ C:\WINDOWS\system32\127.tmp
2008-06-12 03:57 . 2008-06-12 03:47 52,736 --a------ C:\WINDOWS\system32\124.tmp
2008-06-12 03:47 . 2008-06-12 03:37 52,736 --a------ C:\WINDOWS\system32\121.tmp
2008-06-12 03:37 . 2008-06-12 03:27 52,736 --a------ C:\WINDOWS\system32\11E.tmp
2008-06-12 03:27 . 2008-06-12 03:17 52,736 --a------ C:\WINDOWS\system32\11B.tmp
2008-06-12 03:17 . 2008-06-12 03:07 52,736 --a------ C:\WINDOWS\system32\118.tmp
2008-06-12 03:07 . 2008-06-12 02:57 52,736 --a------ C:\WINDOWS\system32\115.tmp
2008-06-12 02:57 . 2008-06-12 02:47 52,736 --a------ C:\WINDOWS\system32\112.tmp
2008-06-12 02:47 . 2008-06-12 02:36 52,736 --a------ C:\WINDOWS\system32\10F.tmp
2008-06-12 02:36 . 2008-06-12 02:26 52,736 --a------ C:\WINDOWS\system32\10C.tmp
2008-06-12 02:26 . 2008-06-12 02:16 52,736 --a------ C:\WINDOWS\system32\109.tmp
2008-06-12 02:16 . 2008-06-12 02:06 52,736 --a------ C:\WINDOWS\system32\106.tmp
2008-06-12 02:06 . 2008-06-12 01:56 52,736 --a------ C:\WINDOWS\system32\103.tmp
2008-06-12 01:56 . 2008-06-12 01:46 52,736 --a------ C:\WINDOWS\system32\100.tmp
2008-06-12 01:46 . 2008-06-12 01:36 52,736 --a------ C:\WINDOWS\system32\FD.tmp
2008-06-12 01:36 . 2008-06-12 01:26 52,736 --a------ C:\WINDOWS\system32\FA.tmp
2008-06-12 01:26 . 2008-06-12 01:16 52,736 --a------ C:\WINDOWS\system32\F7.tmp
2008-06-12 01:16 . 2008-06-12 01:06 52,736 --a------ C:\WINDOWS\system32\F4.tmp
2008-06-12 00:55 . 2008-06-12 00:45 52,736 --a------ C:\WINDOWS\system32\EF.tmp
2008-06-12 00:45 . 2008-06-12 00:35 52,736 --a------ C:\WINDOWS\system32\EC.tmp
2008-06-11 22:46 . 2008-06-11 22:49 <DIR> d-------- C:\Program Files\Panda Security
2008-06-11 21:48 . 2008-06-11 21:48 <DIR> d-------- C:\Documents and Settings\Carlos\Application Data\shc3skj0ee89
2008-06-11 21:47 . 2008-06-11 21:48 <DIR> d-------- C:\Program Files\shc3skj0ee89
2008-06-11 20:11 . 2008-06-11 20:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-11 20:06 . 2008-06-11 20:06 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 20:06 . 2008-06-11 20:06 <DIR> d-------- C:\Documents and Settings\Carlos\Application Data\Malwarebytes
2008-06-11 20:06 . 2008-06-11 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 20:06 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-11 20:06 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-10 16:33 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 16:33 . 2008-04-14 07:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 16:07 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-10 16:07 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-10 16:07 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-10 16:07 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-10 16:07 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-10 16:07 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-10 16:07 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-10 16:07 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-09 21:29 . 2008-06-12 19:20 90,838 --a------ C:\WINDOWS\system32\phc5skj0ee89.bmp
2008-06-09 21:28 . 2008-06-09 21:28 92,160 --a------ C:\WINDOWS\system32\lphc5skj0ee89.exe
2008-06-09 16:25 . 2008-06-09 16:25 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-09 16:25 . 2008-06-09 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-09 16:23 . 2008-06-09 16:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-06 15:46 . 2008-06-06 16:55 0 --ahs---- C:\Documents and Settings\Carlos\Application Data\004849935f13e2079a2977247caf87ffb588545d7c2768b88f.dat
2008-06-06 12:02 . 2008-06-06 12:02 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-06 12:02 . 2008-06-06 13:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-19 20:05 . 2008-05-19 20:05 <DIR> d-------- C:\Documents and Settings\Carlos\Application Data\Apple Computer
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 01:41 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-10 02:59 --------- d-----w C:\Program Files\GIMP-2.0
2008-06-10 02:51 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-06-10 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Roxio
2008-06-10 02:31 --------- d-----w C:\Program Files\Yahoo!
2008-06-10 02:30 --------- d-----w C:\Documents and Settings\Carlos\Application Data\Yahoo!
2008-06-10 02:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-10 01:56 --------- d-----w C:\Program Files\InterActual
2008-06-10 01:42 --------- d-----w C:\Program Files\VstPlugins
2008-06-10 01:41 --------- d-----w C:\Program Files\Image-Line
2008-06-09 01:04 --------- d-----w C:\Program Files\Covey Inc
2008-06-07 18:18 --------- d-----w C:\Program Files\Microsoft Games
2008-06-05 11:28 --------- d-----w C:\Documents and Settings\Carlos\Application Data\LimeWire
2008-05-27 18:34 --------- d-----w C:\Program Files\Google
2008-05-24 13:33 --------- d-----w C:\Documents and Settings\Carlos\Application Data\Microsoft Games
2008-05-24 13:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Games
2008-05-24 13:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-14 03:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-05 22:29 --------- d-----w C:\Documents and Settings\Carlos\Application Data\Anvil Studio
2008-05-04 19:23 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-05-04 16:57 --------- d-----w C:\Documents and Settings\Carlos\Application Data\gtk-2.0
2008-05-01 19:57 --------- d-----w C:\Program Files\QuickTime
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-20 21:52 --------- d-----w C:\Program Files\Enterbrain
2008-04-15 21:36 --------- d-----w C:\Program Files\LimeWire
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 63,712 2007-03-09 15:09:58 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe

----a-w 40,048 2007-05-11 07:06:32 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe

----a-w 79,224 2007-12-04 13:00:23 C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe
----a-w 79,224 2008-05-15 23:19:31 C:\Program Files\Alwil Software\Avast4\ashDisp.exe

----a-r 2,321,600 2007-03-01 14:37:52 C:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe

----a-w 228,088 2007-04-23 16:43:50 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\bak\RoxWatchTray9.exe

----a-w 299,008 2005-10-27 10:00:22 C:\Program Files\Creative\Shared Files\bak\CamTray.exe

----a-w 32,768 2003-10-31 23:42:40 C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe

----a-w 132,496 2007-09-25 06:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 57,344 2003-08-19 10:43:46 C:\Program Files\Lexmark X1100 Series\bak\lxbkbmgr.exe

----a-w 286,720 2007-06-29 10:24:52 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 160,592 2007-10-04 03:32:52 C:\Program Files\Siber Systems\AI RoboForm\bak\RoboTaskBarIcon.exe

----a-r 32,768 2007-02-26 17:02:00 C:\WINDOWS\bak\V0330Mon.exe

----a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 155,648 2001-07-09 15:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a5066406-348e-475e-9268-1d302b00c504}]
2007-12-08 20:04 1502232 --a------ C:\Program Files\Sal's_Realm's\tbSal1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A5066406-348E-475E-9268-1D302B00C504}"= "C:\Program Files\Sal's_Realm's\tbSal1.dll" [2007-12-08 20:04 1502232]

[HKEY_CLASSES_ROOT\clsid\{a5066406-348e-475e-9268-1d302b00c504}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A5066406-348E-475E-9268-1D302B00C504}"= C:\Program Files\Sal's_Realm's\tbSal1.dll [2007-12-08 20:04 1502232]

[HKEY_CLASSES_ROOT\clsid\{a5066406-348e-475e-9268-1d302b00c504}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-02 20:24 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 03:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 17:33 147456 C:\WINDOWS\system32\VTTrayp.exe]
"C:\WINDOWS\system32\V0330Cvw.dll"="C:\WINDOWS\system32\RegSvr32.exe" [2004-08-04 08:00 11776]
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2007-06-29 06:24 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"lphc5skj0ee89"="C:\WINDOWS\system32\lphc5skj0ee89.exe" [2008-06-09 21:28 92160]
"SMshc3skj0ee89"="C:\Program Files\shc3skj0ee89\shc3skj0ee89.exe" [2008-06-11 04:59 1167360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 08:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Carlos\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]
OneNote Table Of Contents.onetoc2 [2008-01-17 17:22:07 3656]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo"= CSvidcap.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-22 23:38]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 19:20]
R1 BIOS;BIOS;C:\WINDOWS\system32\drivers\BIOS.sys [2005-03-16 02:23]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 19:16]
S3 s3chipid;s3chipid;C:\DOCUME~1\Carlos\LOCALS~1\Temp\s3chipid.sys []
S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [2006-01-07 13:09]
S3 V0330VID;WebCam Vista/Live! Cam Chat;C:\WINDOWS\system32\DRIVERS\V0330Vid.sys [2007-02-28 01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{934a696e-1b5a-11dc-867c-001921519a07}]
\Shell\AutoRun\command - F:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-10 22:13:24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-12 19:20:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-12 19:32:26 - machine was rebooted [Carlos]
ComboFix-quarantined-files.txt 2008-06-12 23:31:54

Pre-Run: 87,156,572,160 bytes free
Post-Run: 88,633,249,792 bytes free

260 --- E O F --- 2008-06-11 07:05:26


Hijack this!:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:16 PM, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\lphc5skj0ee89.exe
C:\Program Files\shc3skj0ee89\shc3skj0ee89.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Sal's Realm's Toolbar - {a5066406-348e-475e-9268-1d302b00c504} - C:\Program Files\Sal's_Realm's\tbSal1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Sal's Realm's Toolbar - {a5066406-348e-475e-9268-1d302b00c504} - C:\Program Files\Sal's_Realm's\tbSal1.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Sal's Realm's Toolbar - {a5066406-348e-475e-9268-1d302b00c504} - C:\Program Files\Sal's_Realm's\tbSal1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\V0330Cvw.dll] C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0330Cvw.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [lphc5skj0ee89] C:\WINDOWS\system32\lphc5skj0ee89.exe
O4 - HKLM\..\Run: [SMshc3skj0ee89] C:\Program Files\shc3skj0ee89\shc3skj0ee89.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: OneNote Table Of Contents.onetoc2
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/share...GamesLoader.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinn...d/bejeweled.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames...ctivex/YoYo.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--
End of file - 10123 bytes

That seemed to delete Malware Protector 08 from my taskbar, but not entirely. Also, JeanInMontana, there were lots of other cookies, but I just wanted to tell you about that one, because I think it might be the source of my blue screen, bugs, etc.

#8
JeanInMontana

    Delete this account!!

Did you at one time run SmitfraudFix? This system is seriously compromised. You have had a key logger for nearly a month, going by the ComboFix log, and have been infected with a rootkit whose removal can only be guaranteed by reformatting the machine. You should contact any banks and credit card companies that have information on the machine. Change all passwords and keep it offline as much as possible. If it's networked, the entire network is at risk. You have P2P software installed (LimeWire) and this is a huge risk for what has happened to the machine. Possibly why you're here. I recommend you uninstall it.

Please place the following files in a folder and zip it. Then upload here http://uploads.malwarebytes.org/

C:\WINDOWS\system32\lsdelete.exe
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\404Fix.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\system32\phc5skj0ee89.bmp
C:\WINDOWS\system32\lphc5skj0ee89.exe
C:\WINDOWS\system32\V0330Cvw.dll
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinn...GamesLoader.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinn...d/bejeweled.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames...ctivex/YoYo.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab

All the above beginning with O16 will be found on your main drive, usually C, in the Windows folder and then in a folder called Downloaded Program Files.

Run HJT in scan only mode and place a check next to the following items and then click fix.

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinn...GamesLoader.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinn...GamesLoader.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinn...d/bejeweled.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames...ctivex/YoYo.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

Reboot, update MBAM and scan again. Post that log and a new HJT log. Decide if you wish to continue trying to clean the system or do a reformat. Let me know what you decide, and how things are looking now.
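As an added example (not the forum's or Malwarebytes' own code), here is a small Python parser for the HijackThis log format quoted in this thread that applies the checks behind the fix list above: entries whose target is reported as "(no file)" or "(file missing)", every O16 DPF control, and O4 autoruns whose file is on a watchlist. The sample log and the watchlist are constructed from lines quoted in this thread; the cab URL is a placeholder.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# A HijackThis line is "<tag> - <body>", where tag is R0/R1/O2/O4/O16/O23 ...;
# the helper refers to entries by that tag, so the parser keys on it.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Bare file names (no directory part) ending in the extensions seen in the logs.
FILE_RE = re.compile(r'([^\\\s"\[\]]+\.(?:exe|dll|scr))', re.IGNORECASE)
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class HjtEntry:
    section: str
    body: str
    clsid: Optional[str]
    reasons: List[str] = field(default_factory=list)  # empty when not flagged


def parse_hjt(text: str) -> List[HjtEntry]:
    """One HjtEntry per R*/O* line; the header and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        clsid = CLSID_RE.search(m["body"])
        entries.append(HjtEntry(m["section"], m["body"],
                                clsid.group(0) if clsid else None))
    return entries


def flag_entries(entries: Iterable[HjtEntry],
                 watchlist: Iterable[str] = ()) -> List[HjtEntry]:
    """Apply the three checks behind the fix list in the post above:
    1. the referenced file is absent ("(no file)" / "(file missing)"): an
       orphaned BHO, button or service registration;
    2. every O16 DPF line: an ActiveX control cached under Downloaded Program Files;
    3. an O4 autorun whose executable is on a watchlist of names already
       identified as suspicious (here, files the helper asked to be uploaded).
    """
    entries = list(entries)
    names = {n.lower() for n in watchlist}
    for e in entries:
        if any(marker in e.body for marker in MISSING_MARKERS):
            e.reasons.append("referenced file missing")
        if e.section == "O16":
            e.reasons.append("downloaded ActiveX control (DPF)")
        if e.section == "O4":
            hits = sorted({f.lower() for f in FILE_RE.findall(e.body)} & names)
            if hits:
                e.reasons.append("autorun references watched file: " + ", ".join(hits))
    return [e for e in entries if e.reasons]


# Constructed sample, trimmed from the log format seen in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\V0330Cvw.dll] C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0330Cvw.dll
O4 - HKLM\..\Run: [lphc5skj0ee89] C:\WINDOWS\system32\lphc5skj0ee89.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://example.invalid/bejeweled.cab
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
"""

# Constructed watchlist: two names from the "please upload" list in the post above.
WATCHLIST = ("lphc5skj0ee89.exe", "V0330Cvw.dll")


def review(log: str = SAMPLE_LOG, watchlist: Iterable[str] = WATCHLIST) -> List[HjtEntry]:
    """Parse a log and return only the entries that one of the checks flagged."""
    return flag_entries(parse_hjt(log), watchlist)


if __name__ == "__main__":
    for e in review():
        print(f"{e.section:4} {'; '.join(e.reasons):50} {e.body[:70]}")
```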



#9
Legacy

    New Member

  • Members
  • Pip
  • 30 posts
I'll uninstall Limewire then. I was going to reformat the whole computer at first but couldn't find all the setup CDs. I only have 2, I need 1 more. I'm not sure if I RAN Smitfraudfix but I did download it, in case. Do you also recommend I erase Internet Explorer? Because Firefox is much better.

Now, back to moving those files.

Edit: The O16 files don't want to move. Do you want me to 'cut' them, then store them in the folder?

#10
JeanInMontana

    Delete this account!!

  • Honorary Members
  • PipPipPipPipPipPip
  • 3,867 posts
  • Interests:would love to see some honesty around this site.
Also please upload these files:


2008-06-12 18:22 . 2008-06-12 18:12 52,736 --a------ C:\WINDOWS\system32\2F.tmp
2008-06-12 17:11 . 2008-06-12 19:20 52,736 --a------ C:\WINDOWS\system32\blphc5skj0ee89.scr
2008-06-12 17:05 . 2008-06-12 16:55 52,736 --a------ C:\WINDOWS\system32\1D4.tmp
2008-06-12 16:55 . 2008-06-12 16:45 52,736 --a------ C:\WINDOWS\system32\1D1.tmp
2008-06-12 16:45 . 2008-06-12 16:35 52,736 --a------ C:\WINDOWS\system32\1CE.tmp
2008-06-12 16:35 . 2008-06-12 16:25 52,736 --a------ C:\WINDOWS\system32\1CB.tmp
2008-06-12 16:25 . 2008-06-12 16:15 52,736 --a------ C:\WINDOWS\system32\1C8.tmp
2008-06-12 16:15 . 2008-06-12 16:05 52,736 --a------ C:\WINDOWS\system32\1C5.tmp
2008-06-12 16:05 . 2008-06-12 15:55 52,736 --a------ C:\WINDOWS\system32\1C2.tmp
2008-06-12 15:55 . 2008-06-12 15:40 52,736 --a------ C:\WINDOWS\system32\1BF.tmp
2008-06-12 15:40 . 2008-06-12 15:30 52,736 --a------ C:\WINDOWS\system32\1BC.tmp
2008-06-12 15:30 . 2008-06-12 15:19 52,736 --a------ C:\WINDOWS\system32\1B9.tmp
2008-06-12 15:19 . 2008-06-12 15:09 52,736 --a------ C:\WINDOWS\system32\1B6.tmp
2008-06-12 15:09 . 2008-06-12 14:59 52,736 --a------ C:\WINDOWS\system32\1B3.tmp
2008-06-12 14:59 . 2008-06-12 14:49 52,736 --a------ C:\WINDOWS\system32\1B0.tmp
2008-06-12 14:24 . 2008-06-12 14:14 52,736 --a------ C:\WINDOWS\system32\1A9.tmp
2008-06-12 14:14 . 2008-06-12 14:04 52,736 --a------ C:\WINDOWS\system32\1A6.tmp
2008-06-12 14:04 . 2008-06-12 13:54 52,736 --a------ C:\WINDOWS\system32\1A3.tmp
2008-06-12 13:54 . 2008-06-12 13:44 52,736 --a------ C:\WINDOWS\system32\1A0.tmp
2008-06-12 13:03 . 2008-06-12 12:53 52,736 --a------ C:\WINDOWS\system32\195.tmp
2008-06-12 08:19 . 2008-06-12 08:09 52,736 --a------ C:\WINDOWS\system32\172.tmp
2008-06-12 08:09 . 2008-06-12 07:59 52,736 --a------ C:\WINDOWS\system32\16F.tmp
2008-06-12 07:59 . 2008-06-12 07:49 52,736 --a------ C:\WINDOWS\system32\16C.tmp
2008-06-12 07:49 . 2008-06-12 07:39 52,736 --a------ C:\WINDOWS\system32\169.tmp
2008-06-12 07:39 . 2008-06-12 07:29 52,736 --a------ C:\WINDOWS\system32\166.tmp
2008-06-12 07:29 . 2008-06-12 07:19 52,736 --a------ C:\WINDOWS\system32\163.tmp
2008-06-12 07:19 . 2008-06-12 07:08 52,736 --a------ C:\WINDOWS\system32\160.tmp
2008-06-12 07:08 . 2008-06-12 06:58 52,736 --a------ C:\WINDOWS\system32\15D.tmp
2008-06-12 06:58 . 2008-06-12 06:48 52,736 --a------ C:\WINDOWS\system32\15A.tmp
2008-06-12 06:48 . 2008-06-12 06:38 52,736 --a------ C:\WINDOWS\system32\157.tmp
2008-06-12 06:38 . 2008-06-12 06:28 52,736 --a------ C:\WINDOWS\system32\154.tmp
2008-06-12 06:28 . 2008-06-12 06:18 52,736 --a------ C:\WINDOWS\system32\151.tmp
2008-06-12 06:18 . 2008-06-12 06:08 52,736 --a------ C:\WINDOWS\system32\14E.tmp
2008-06-12 06:08 . 2008-06-12 05:58 52,736 --a------ C:\WINDOWS\system32\14B.tmp
2008-06-12 05:58 . 2008-06-12 05:48 52,736 --a------ C:\WINDOWS\system32\148.tmp
2008-06-12 05:48 . 2008-06-12 05:38 52,736 --a------ C:\WINDOWS\system32\145.tmp
2008-06-12 05:38 . 2008-06-12 05:28 52,736 --a------ C:\WINDOWS\system32\142.tmp
2008-06-12 05:28 . 2008-06-12 05:18 52,736 --a------ C:\WINDOWS\system32\13F.tmp
2008-06-12 05:18 . 2008-06-12 05:08 52,736 --a------ C:\WINDOWS\system32\13C.tmp
2008-06-12 05:08 . 2008-06-12 04:58 52,736 --a------ C:\WINDOWS\system32\139.tmp
2008-06-12 04:58 . 2008-06-12 04:48 52,736 --a------ C:\WINDOWS\system32\136.tmp
2008-06-12 04:48 . 2008-06-12 04:38 52,736 --a------ C:\WINDOWS\system32\133.tmp
2008-06-12 04:38 . 2008-06-12 04:28 52,736 --a------ C:\WINDOWS\system32\130.tmp
2008-06-12 04:28 . 2008-06-12 04:18 52,736 --a------ C:\WINDOWS\system32\12D.tmp
2008-06-12 04:18 . 2008-06-12 04:08 52,736 --a------ C:\WINDOWS\system32\12A.tmp
2008-06-12 04:08 . 2008-06-12 03:57 52,736 --a------ C:\WINDOWS\system32\127.tmp
2008-06-12 03:57 . 2008-06-12 03:47 52,736 --a------ C:\WINDOWS\system32\124.tmp
2008-06-12 03:47 . 2008-06-12 03:37 52,736 --a------ C:\WINDOWS\system32\121.tmp
2008-06-12 03:37 . 2008-06-12 03:27 52,736 --a------ C:\WINDOWS\system32\11E.tmp
2008-06-12 03:27 . 2008-06-12 03:17 52,736 --a------ C:\WINDOWS\system32\11B.tmp
2008-06-12 03:17 . 2008-06-12 03:07 52,736 --a------ C:\WINDOWS\system32\118.tmp
2008-06-12 03:07 . 2008-06-12 02:57 52,736 --a------ C:\WINDOWS\system32\115.tmp
2008-06-12 02:57 . 2008-06-12 02:47 52,736 --a------ C:\WINDOWS\system32\112.tmp
2008-06-12 02:47 . 2008-06-12 02:36 52,736 --a------ C:\WINDOWS\system32\10F.tmp
2008-06-12 02:36 . 2008-06-12 02:26 52,736 --a------ C:\WINDOWS\system32\10C.tmp
2008-06-12 02:26 . 2008-06-12 02:16 52,736 --a------ C:\WINDOWS\system32\109.tmp
2008-06-12 02:16 . 2008-06-12 02:06 52,736 --a------ C:\WINDOWS\system32\106.tmp
2008-06-12 02:06 . 2008-06-12 01:56 52,736 --a------ C:\WINDOWS\system32\103.tmp
2008-06-12 01:56 . 2008-06-12 01:46 52,736 --a------ C:\WINDOWS\system32\100.tmp
2008-06-12 01:46 . 2008-06-12 01:36 52,736 --a------ C:\WINDOWS\system32\FD.tmp
2008-06-12 01:36 . 2008-06-12 01:26 52,736 --a------ C:\WINDOWS\system32\FA.tmp
2008-06-12 01:26 . 2008-06-12 01:16 52,736 --a------ C:\WINDOWS\system32\F7.tmp
2008-06-12 01:16 . 2008-06-12 01:06 52,736 --a------ C:\WINDOWS\system32\F4.tmp
2008-06-12 00:55 . 2008-06-12 00:45 52,736 --a------ C:\WINDOWS\system32\EF.tmp
2008-06-12 00:45 . 2008-06-12 00:35 52,736 --a------ C:\WINDOWS\system32\EC.tmp

Ignore the date portion; just navigate to the C:\Windows\System32 folder and find the rest of the file name.


#11
JeanInMontana

    Delete this account!!

  • Honorary Members
  • PipPipPipPipPipPip
  • 3,867 posts
  • Interests:would love to see some honesty around this site.

Legacy, on Jun 13 2008, 10:42 AM, said:

I'll uninstall Limewire then. I was going to reformat the whole computer at first but couldn't find all the setup CDs. I only have 2, I need 1 more. I'm not sure if I RAN Smitfraudfix but I did download it, in case.


Two CDs should be all it takes to reformat. The MBAM team would really appreciate it if you can submit the files requested; it will help the program and others a great deal. Do you wish to continue with the fixes?

#12
Legacy

    New Member

  • Members
  • Pip
  • 30 posts
Wow, that's lots of files.

Also, it won't let me move the files in the Downloaded Program Files folder, they just stay there and don't move at all.

Also, my brother said the CDs won't be able to fix, because we once had changed our motherboard.

Also, after I uploaded the folders what do you want me to do with them?

EDIT: I tried uploading the ZIP file twice but it keeps saying an error has occurred.

EDIT2: I see, the filesize is 3.34 MB. Do you want me to upload it in 2 separate folders?

#13
JeanInMontana

    Delete this account!!

  • Honorary Members
  • PipPipPipPipPipPip
  • 3,867 posts
  • Interests:would love to see some honesty around this site.
Well, after nosirrah has had a look, a reformat probably isn't necessary. I'm going to attach a zip file that will get all the files we want in Downloaded Program Files. Just unzip it and double-click. It will make a folder on your desktop called malware. Zip that and upload.

Attached Files



#14
Legacy

    New Member

  • Members
  • Pip
  • 30 posts
Ok, but I might have to upload 3 files, because the first folder you told me to ZIP is too large.

Ok, I uploaded the files, attempting a reboot.


Also, do you want me to delete the original folders and ZIP files now that I uploaded them?

Also, do you want me to quickscan? Or full?

#15
Legacy

    New Member

  • Members
  • Pip
  • 30 posts
Malwarebytes' Anti-Malware 1.17
Database version: 853

2:32:00 PM 6/13/2008
mbam-log-6-13-2008 (14-31-56).txt

Scan type: Quick Scan
Objects scanned: 36870
Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 5
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 13
Files Infected: 63

Memory Processes Infected:
C:\Program Files\shc3skj0ee89\shc3skj0ee89.exe (Rogue.MalwareProtector2008) -> No action taken.

Memory Modules Infected:
C:\Program Files\shc3skj0ee89\MFC71.dll (Rogue.MalwareProtector2008) -> No action taken.
C:\Program Files\shc3skj0ee89\MFC71ENU.DLL (Rogue.MalwareProtector2008) -> No action taken.
C:\Program Files\shc3skj0ee89\msvcp71.dll (Rogue.MalwareProtector2008) -> No action taken.
C:\Program Files\shc3skj0ee89\msvcr71.dll (Rogue.MalwareProtector2008) -> No action taken.
C:\Program Files\shc3skj0ee89\shc3skj0ee89Skin.dll (Rogue.MalwareProtector2008) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SMshc3skj0ee89 (Rogue.MalwareProtector2008) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Program Files\shc3skj0ee89 (Rogue.MalwareProtector2008) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008 (Rogue.MalwareProtector2008) -> No action taken.
C:\Documents and Settings\Carlos\Application Data\shc3skj0ee89 (Rogue.MalwareProtector2008) -> No action taken.
C:\Documents and Settings\Carlos\Application Data\shc3skj0ee89\Quarantine (Rogue.MalwareProtector2008) -> No action taken.
C:\Documents and Settings\Carlos\Application Data\shc3skj0ee89\Quarantine\Autorun (Rogue.MalwareProtector2008) -> No action taken.
C:\Documents and Settings\Carlos\Application Data\shc3skj0ee89\Quarantine\BrowserObjects (Rogue.MalwareProtector2008) -> No action taken.
C:\Documents and Settings\Carlos\Application Data\shc3skj0ee89\Quarantine\Packages (Rogue.MalwareProtector2008) -> No action taken.
C:\Documents and Settings\Carlos\Application Data\shc3skj0ee89\Quarantine\Autorun\HKCU (Rogue.MalwareProtector2008) -> No action taken.
C:\Documents and Settings\Carlos\Application Data\shc3skj0ee89\Quarantine\Autorun\HKLM (Rogue.MalwareProtector2008) -> No action taken.
C:\Documents and Settings\Carlos\Application Data\shc3skj0ee89\Quarantine\Autorun\StartMenuAllUsers (Rogue.MalwareProtector2008) -> No action taken.
C:\Documents and Settings\Carlos\Application Data\shc3skj0ee89\Quarantine\Autorun\StartMenuCurrentUser (Rogue.MalwareProtector2008) -> No action taken.
C:\Documents and Settings\Carlos\Application Data\shc3skj0ee89\Quarantine\Autorun\HKCU\RunOnce (Rogue.MalwareProtector2008) -> No action taken.
C:\Documents and Settings\Carlos\Application Data\shc3skj0ee89\Quarantine\Autorun\HKLM\RunOnce (Rogue.MalwareProtector2008) -> No action taken.

Files Infected:
C:\WINDOWS\system32\10A.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\10C.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\10E.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\10F.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\111.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\112.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\114.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\115.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\117.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\118.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\11A.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\11F.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\1AA.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\1AD.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\1FD.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\201.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\270.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\68.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\6E.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\75.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\7A.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\7D.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\84.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\8B.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\A4.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\A9.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\B1.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\B5.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\BB.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\blphc5skj0ee89.scr (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\C2.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\C9.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\CD.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\D0.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\D3.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\D8.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\DE.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\E3.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\E6.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\E9.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\ED.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\F2.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\F9.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\FF.tmp (Trojan.FakeAlert) -> No action taken.
C:\Program Files\shc3skj0ee89\database.dat (Rogue.MalwareProtector2008) -> No action taken.
C:\Program Files\shc3skj0ee89\license.txt (Rogue.MalwareProtector2008) -> No action taken.
C:\Program Files\shc3skj0ee89\MFC71.dll (Rogue.MalwareProtector2008) -> No action taken.
C:\Program Files\shc3skj0ee89\MFC71ENU.DLL (Rogue.MalwareProtector2008) -> No action taken.
C:\Program Files\shc3skj0ee89\msvcp71.dll (Rogue.MalwareProtector2008) -> No action taken.
C:\Program Files\shc3skj0ee89\msvcr71.dll (Rogue.MalwareProtector2008) -> No action taken.
C:\Program Files\shc3skj0ee89\shc3skj0ee89.exe (Rogue.MalwareProtector2008) -> No action taken.
C:\Program Files\shc3skj0ee89\shc3skj0ee89.exe.local (Rogue.MalwareProtector2008) -> No action taken.
C:\Program Files\shc3skj0ee89\shc3skj0ee89Skin.dll (Rogue.MalwareProtector2008) -> No action taken.
C:\Program Files\shc3skj0ee89\Uninstall.exe (Rogue.MalwareProtector2008) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\How to Register Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\License Agreement.lnk (Rogue.MalwareProtector2008) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Register Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Uninstall.lnk (Rogue.MalwareProtector2008) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> No action taken.
C:\Documents and Settings\Carlos\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> No action taken.
C:\Documents and Settings\Carlos\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Carlos\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> No action taken.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:42:32 PM, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Sal's Realm's Toolbar - {a5066406-348e-475e-9268-1d302b00c504} - C:\Program Files\Sal's_Realm's\tbSal1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Sal's Realm's Toolbar - {a5066406-348e-475e-9268-1d302b00c504} - C:\Program Files\Sal's_Realm's\tbSal1.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Sal's Realm's Toolbar - {a5066406-348e-475e-9268-1d302b00c504} - C:\Program Files\Sal's_Realm's\tbSal1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\V0330Cvw.dll] C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0330Cvw.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [lphc5skj0ee89] C:\WINDOWS\system32\lphc5skj0ee89.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: OneNote Table Of Contents.onetoc2
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/share...GamesLoader.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinn...d/bejeweled.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames...ctivex/YoYo.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--
End of file - 9986 bytes

There we go. Malware Protector 08 seems to have run away :lol:. I can change my desktop and screen saver now but I'm reluctant because, in my background options, the pch5skj0ee89 file is still present. But the thing is, with that file, I no longer have the yellow and blue background saying I have spyware, it's just all blue.

Also, do I delete the folders I uploaded to malware bytes.org?

Edit: NVM.

#16
JeanInMontana

    Delete this account!!

  • Honorary Members
  • PipPipPipPipPipPip
  • 3,867 posts
  • Interests:would love to see some honesty around this site.
You have to check the box to "Take Action" with MBAM. You're still infected; from the log, it found a ton of stuff. Update the program (the current database is 854), scan again and post that log and a new HJT log. It looks like you didn't remove the lines in HJT I asked you to, either.

Yes you can delete the files you uploaded.


#17
Legacy

    New Member

  • Members
  • Pip
  • 30 posts
I didn't delete them?

I could've sworn I did.

Morning thing, then, eh?

Will do now.

Well, all I can do now is say thank you! I really appreciate how you took your time to fix my computer, considering you're in Montana and I'm in Florida and I don't even KNOW you!

I hope my machine will be clean soon and I'll be scanning regularly. I'll fix those files and take action in my mbam scan (which I recommend for everyone to use.)

Also, I just want to know, do I still have that keylogger?

#18
JeanInMontana

    Delete this account!!

  • Honorary Members
  • PipPipPipPipPipPip
  • 3,867 posts
  • Interests:would love to see some honesty around this site.
We aren't done. Please post the logs I asked for. New MBAM log and new HJT log.

You're welcome, but please let's finish this cleanup.


#19
Legacy

    New Member

  • Members
  • Pip
  • 30 posts
Oh, my mistake :lol:

Well, here ya go. It looks like the files weren't deleted but I swear I pressed the Fix checked button! What's happening?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:02:49 PM, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Sal's Realm's Toolbar - {a5066406-348e-475e-9268-1d302b00c504} - C:\Program Files\Sal's_Realm's\tbSal1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Sal's Realm's Toolbar - {a5066406-348e-475e-9268-1d302b00c504} - C:\Program Files\Sal's_Realm's\tbSal1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Sal's Realm's Toolbar - {a5066406-348e-475e-9268-1d302b00c504} - C:\Program Files\Sal's_Realm's\tbSal1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\V0330Cvw.dll] C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0330Cvw.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [lphc5skj0ee89] C:\WINDOWS\system32\lphc5skj0ee89.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: OneNote Table Of Contents.onetoc2
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--
End of file - 8772 bytes


Malwarebytes' Anti-Malware 1.17
Database version: 854

4:06:03 PM 6/13/2008
mbam-log-6-13-2008 (16-06-03).txt

Scan type: Quick Scan
Objects scanned: 36907
Time elapsed: 9 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 65

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\124.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\130.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\133.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\13C.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\13F.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\151.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\157.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\15A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\15D.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\172.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\195.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\1A0.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\1A3.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\1A6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\1A7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\1A9.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\1B0.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\1B3.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\1B6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\1B9.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\1BC.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\1BF.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\1C2.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\1C5.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\1C8.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\1CB.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\1CE.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\1D1.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\1D4.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\2F.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\blphc5skj0ee89.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\100.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\103.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\104.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\106.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\107.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\109.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\11B.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\11E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\121.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\123.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\126.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\127.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\12A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\12D.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\136.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\139.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\142.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\145.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\148.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\14B.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\14E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\154.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\160.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\163.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\166.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\169.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\16C.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\16F.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\EC.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\EF.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\F4.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\F7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\FA.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc12\FD.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Also, do you know how to make Mozilla Firefox my default browser?
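The HijackThis log above contains the autorun that kept the rogue alive: the `O4 - HKLM\..\Run: [lphc5skj0ee89]` entry launches a randomly named executable from system32, and the MBAM scan later quarantined a screensaver with the same name (`blphc5skj0ee89.scr`, Trojan.FakeAlert), which matches the "beetles eating the screen" symptom. The following Python script is an added example, not code from this thread, from Malwarebytes or from HijackThis: it triages a constructed sample made from a few O3/O4/O23 lines copied from the log above, flags entries a first-line analyst would look at (random-looking autorun names, toolbars and services whose file is gone, services with no vendor name running from system32), and cross-references the flagged autorun names against quarantined file paths from the MBAM log. The name heuristic and the correlation rule are assumptions of this example; a flag is a prompt to check the file, not a verdict (PnkBstrA is flagged only because HJT lists no owner for it).

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\V0330Cvw.dll] C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0330Cvw.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [lphc5skj0ee89] C:\WINDOWS\system32\lphc5skj0ee89.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
"""

# Constructed sample: two of the paths the MBAM scan above quarantined.
SAMPLE_MBAM_PATHS = [
    r"C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\124.tmp",
    r"C:\RECYCLER\S-1-5-21-746137067-484763869-682003330-1004\Dc11\blphc5skj0ee89.scr",
]

# O4 lines look like: O4 - <hive>\..\<Run|RunOnce>: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass(frozen=True)
class Finding:
    entry: str    # HijackThis section: O3, O4 or O23
    subject: str  # the thing to look at: autorun stem, toolbar CLSID or service name
    reason: str
    line: str


def first_token(cmd: str) -> str:
    """Executable part of a Run value: the quoted path, or the first whitespace-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def stem_of(path: str) -> str:
    """File name without directory and without the last extension."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def looks_random(stem: str) -> bool:
    """Assumed heuristic: 8+ characters that flip between letter runs and digit runs
    at least three times ('lphc5skj0ee89' -> True, 'V0330Cvw' -> False, 'ctfmon' -> False)."""
    if len(stem) < 8:
        return False
    runs = re.findall(r"[A-Za-z]+|\d+", stem)
    return len(runs) - 1 >= 3


def triage_hjt(log_text: str) -> list[Finding]:
    """Walk HJT lines and return the entries worth a manual look, in log order."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            stem = stem_of(first_token(m.group("cmd")))
            if looks_random(stem):
                findings.append(Finding("O4", stem, "random-looking autorun name", line))
        elif line.startswith("O3 ") and line.endswith("(no file)"):
            clsid = line.split(" - ")[2]
            findings.append(Finding("O3", clsid, "toolbar CLSID registered but its DLL is gone", line))
        elif line.startswith("O23 "):
            service = line.split(" - ")[1].removeprefix("Service: ")
            if line.endswith("(file missing)"):
                findings.append(Finding("O23", service, "service points at a missing binary", line))
            elif "Unknown owner" in line and "\\system32\\" in line.lower():
                findings.append(Finding("O23", service, "service with no vendor name running from system32", line))
    return findings


def correlate(findings: list[Finding], quarantined: list[str]) -> dict[str, list[str]]:
    """Map each flagged O4 autorun stem to quarantined files whose name contains that stem."""
    hits: dict[str, list[str]] = {}
    for f in findings:
        if f.entry != "O4":
            continue
        matches = [p for p in quarantined if f.subject.lower() in stem_of(p).lower()]
        if matches:
            hits[f.subject] = matches
    return hits


if __name__ == "__main__":
    found = triage_hjt(SAMPLE_HJT_LOG)
    for f in found:
        print(f"{f.entry:<4} {f.subject:<40} {f.reason}")
    print(correlate(found, SAMPLE_MBAM_PATHS))
```

Running it prints four review items (the orphaned O3 toolbar, the `lphc5skj0ee89` autorun, the two O23 services) and links the autorun stem to the quarantined `blphc5skj0ee89.scr`, which is the confirmation an analyst wants before telling the poster to have HJT fix the O4 line. The `O4` regex handles the `HKUS\S-1-5-18\..\RunOnce` form as well as `HKLM\..\Run`; unquoted paths containing spaces would be cut at the first space, so quote-aware parsing is the first thing to extend for real logs.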

#20
JeanInMontana

  • Honorary Members
  • 3,867 posts
OK, was HJT run after the MBAM scan? I have to have these done in that order. For FF to be the default browser, here is an article
