Old 01-03-2009   #1
Bronze Member
 
Join Date: Nov 2008
Posts: 47
PC Experience: Experienced
back for log check, Crush was working with me

I have a closed HijackThis thread where Crush had asked for a ComboFix log. I had given my friend her computer back. She just brought it back and I am going to post the MBAM, HijackThis and ComboFix logs I just ran. I believe she has two installations of XP on here, not sure why or if she even knows. This is a Dimension 4550.

Mbam:
Malwarebytes' Anti-Malware 1.31
Database version: 1604
Windows 5.1.2600 Service Pack 3
1/3/2009 6:11:58 PM
mbam-log-2009-01-03 (18-11-58).txt
Scan type: Full Scan (C:\|)
Objects scanned: 187220
Time elapsed: 1 hour(s), 58 minute(s), 30 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

Hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:51 PM, on 1/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\LEXBCES.EXE
C:\WINDOWS2\system32\LEXPPS.EXE
C:\WINDOWS2\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS2\system32\nvsvc32.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\wanmpsvc.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Common Files\AOL\1139524247\ee\AOLSoftware.exe
C:\WINDOWS2\BCMSMMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS2\system32\ctfmon.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\WINDOWS2\system32\wuauclt.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS2\explorer.exe
C:\WINDOWS2\system32\notepad.exe
C:\Documents and Settings\tammy\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS2\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139524247\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS2\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS2\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS2\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab40641.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10...y.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab32846.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1230564828390
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames...o.cab42341.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=26688
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames...e.cab42268.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames...l.cab36107.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab41227.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS2\SYSTEM32\avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS2\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS2\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS2\wanmpsvc.exe
--
End of file - 8397 bytes

Combofix:
ComboFix 09-01-02.01 - tammy 2009-01-03 18:21:55.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.59 [GMT -5:00]
Running from: c:\documents and settings\tammy\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\George Simpson\Cookies\hpothb07.dat
c:\documents and settings\George Simpson\Cookies\hpothb07.tif
c:\program files\INSTALL.LOG
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_AVG

((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.
2009-01-03 16:12 . 2009-01-03 16:12 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-03 16:12 . 2008-12-03 19:54 38,496 --a------ c:\windows2\system32\drivers\mbamswissarmy.sys
2009-01-03 16:12 . 2008-12-03 19:54 15,504 --a------ c:\windows2\system32\drivers\mbam.sys
2008-12-31 04:08 . 2009-01-03 11:07 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-30 03:04 . 2008-10-16 14:06 268,648 --a------ c:\windows2\system32\mucltui.dll
2008-12-30 03:04 . 2008-10-16 14:06 27,496 --a------ c:\windows2\system32\mucltui.dll.mui
2008-12-29 19:28 . 2008-12-30 17:15 <DIR> d-------- c:\program files\PamperedPartnerPlus
2008-12-29 14:32 . 2009-01-03 18:33 <DIR> d-------- c:\windows2\system32\drivers\Avg
2008-12-29 14:32 . 2008-12-29 14:32 324,872 --a------ c:\windows2\system32\drivers\avgldx86.sys
2008-12-29 14:32 . 2008-12-29 14:32 107,272 --a------ c:\windows2\system32\drivers\avgtdix.sys
2008-12-29 14:32 . 2008-12-29 14:32 12,552 --a------ c:\windows2\system32\drivers\avgrkx86.sys
2008-12-29 14:32 . 2008-12-29 14:32 10,520 --a------ c:\windows2\system32\avgrsstx.dll
2008-12-29 14:31 . 2008-12-29 14:31 <DIR> d-------- c:\program files\AVG
2008-12-29 14:31 . 2008-12-29 14:31 <DIR> d-------- c:\documents and settings\All Users.WINDOWS2\Application Data\avg8
2008-12-29 13:29 . 2008-12-29 13:29 <DIR> d-------- c:\documents and settings\All Users.WINDOWS2\Application Data\TEMP
2008-12-29 13:28 . 2008-12-29 13:30 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-29 12:13 . 2008-10-16 15:38 6,066,176 -----c--- c:\windows2\system32\dllcache\ieframe.dll
2008-12-29 12:13 . 2007-04-17 04:32 2,455,488 -----c--- c:\windows2\system32\dllcache\ieapfltr.dat
2008-12-29 12:13 . 2007-03-08 00:10 991,232 -----c--- c:\windows2\system32\dllcache\ieframe.dll.mui
2008-12-29 12:13 . 2008-10-16 15:38 459,264 -----c--- c:\windows2\system32\dllcache\msfeeds.dll
2008-12-29 12:13 . 2008-10-16 15:38 383,488 -----c--- c:\windows2\system32\dllcache\ieapfltr.dll
2008-12-29 12:13 . 2008-10-16 15:38 267,776 -----c--- c:\windows2\system32\dllcache\iertutil.dll
2008-12-29 12:13 . 2008-10-16 15:38 63,488 -----c--- c:\windows2\system32\dllcache\icardie.dll
2008-12-29 12:13 . 2008-10-16 15:38 52,224 -----c--- c:\windows2\system32\dllcache\msfeedsbs.dll
2008-12-29 12:13 . 2008-10-16 08:11 13,824 -----c--- c:\windows2\system32\dllcache\ieudinit.exe
2008-12-29 11:52 . 2008-06-13 06:05 272,128 -----c--- c:\windows2\system32\dllcache\bthport.sys
2008-12-29 11:51 . 2008-09-08 05:41 333,824 -----c--- c:\windows2\system32\dllcache\srv.sys
2008-12-29 11:51 . 2008-08-14 05:04 138,496 -----c--- c:\windows2\system32\dllcache\afd.sys
2008-12-29 11:50 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows2\system32\dllcache\ntoskrnl.exe
2008-12-29 11:50 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows2\system32\dllcache\ntkrnlmp.exe
2008-12-29 11:50 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows2\system32\dllcache\ntkrnlpa.exe
2008-12-29 11:50 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows2\system32\dllcache\ntkrpamp.exe
2008-12-29 11:50 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows2\system32\dllcache\win32k.sys
2008-12-29 11:49 . 2008-04-11 14:04 691,712 -----c--- c:\windows2\system32\dllcache\inetcomm.dll
2008-12-29 11:49 . 2008-10-15 11:34 337,408 -----c--- c:\windows2\system32\dllcache\netapi32.dll
2008-12-29 11:49 . 2008-05-08 09:02 203,136 -----c--- c:\windows2\system32\dllcache\rmcast.sys
2008-12-29 11:03 . 2008-12-29 11:03 <DIR> d-------- c:\windows2\system32\scripting
2008-12-29 11:03 . 2008-12-29 11:03 <DIR> d-------- c:\windows2\system32\en
2008-12-29 11:03 . 2008-12-29 11:03 <DIR> d-------- c:\windows2\system32\bits
2008-12-29 11:03 . 2008-12-29 11:03 <DIR> d-------- c:\windows2\l2schemas
2008-12-29 10:19 . 2008-12-29 10:18 410,984 --a------ c:\windows2\system32\deploytk.dll
2008-12-29 10:19 . 2008-12-29 10:18 73,728 --a------ c:\windows2\system32\javacpl.cpl
2008-12-29 10:10 . 2008-12-29 10:27 <DIR> d-------- c:\program files\NOS
2008-12-29 10:10 . 2008-12-29 10:27 <DIR> d-------- c:\documents and settings\All Users.WINDOWS2\Application Data\NOS
2008-12-29 08:22 . 2008-12-29 10:22 <DIR> d-------- c:\documents and settings\All Users.WINDOWS2\Application Data\Spybot - Search & Destroy
2008-12-29 08:18 . 2008-12-29 08:21 <DIR> d-------- c:\program files\Eusing Free Registry Cleaner
2008-12-29 06:04 . 2008-12-29 06:04 <DIR> d-------- c:\windows2\system32\NtmsData
2008-12-28 20:02 . 2008-12-28 20:02 <DIR> d-------- c:\documents and settings\tammy\Application Data\Malwarebytes
2008-12-28 20:02 . 2008-12-28 20:02 <DIR> d-------- c:\documents and settings\All Users.WINDOWS2\Application Data\Malwarebytes
2008-12-28 19:17 . 2008-12-28 19:17 <DIR> d-------- c:\program files\CCleaner
2008-12-28 18:48 . 2001-08-17 13:48 12,160 --a------ c:\windows2\system32\drivers\mouhid.sys
2008-12-28 18:48 . 2001-08-17 13:48 12,160 --a--c--- c:\windows2\system32\dllcache\mouhid.sys
2008-12-28 18:48 . 2008-04-13 13:45 10,368 --a------ c:\windows2\system32\drivers\hidusb.sys
2008-12-21 16:06 . 2008-12-21 16:06 <DIR> d-------- c:\documents and settings\tammy\Application Data\Viewpoint
2008-12-21 11:56 . 2003-03-31 07:00 457,607 -----c--- c:\windows2\system32\dllcache\mdlib.wmv
2008-12-21 11:55 . 2008-04-13 19:12 1,306,624 -----c--- c:\windows2\system32\dllcache\msxml6.dll
2008-12-21 11:54 . 2008-04-13 19:12 774,144 -----c--- c:\windows2\system32\dllcache\setup_wm.exe
2008-12-21 11:53 . 2008-04-13 19:12 4,874,240 -----c--- c:\windows2\system32\dllcache\wmp.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-29 17:25 --------- d-----w c:\documents and settings\tammy\Application Data\AOL
2008-12-29 17:24 --------- d-----w c:\program files\Common Files\aol
2008-12-29 15:18 --------- d-----w c:\program files\Java
2008-12-29 15:15 --------- d-----w c:\program files\Common Files\Adobe
2008-12-29 11:26 --------- d-----w c:\documents and settings\All Users.WINDOWS2\Application Data\McAfee
2008-12-29 11:19 --------- d-----w c:\program files\QuickTime
2008-12-29 11:19 --------- d-----w c:\documents and settings\All Users.WINDOWS2\Application Data\Apple Computer
2008-12-29 11:17 --------- d-----w c:\program files\Common Files\Real
2008-12-29 00:24 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-29 00:24 --------- d-----w c:\program files\Common Files\Motive
2008-11-14 20:41 --------- d-----w c:\documents and settings\All Users.WINDOWS2\Application Data\AOL
2008-10-23 12:36 286,720 ----a-w c:\windows2\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows2\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows2\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows2\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows2\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows2\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows2\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows2\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows2\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows2\system32\wups.dll
2008-10-16 19:07 208,744 ----a-w c:\windows2\system32\muweb.dll
2008-10-03 10:15 247,326 ----a-w c:\windows2\system32\strmdll.dll
2008-08-27 00:20 256 ----a-w c:\documents and settings\tammy\pool.bin
2003-09-19 01:09 160 -c--a-w c:\documents and settings\Tammy Simpson\hpothb07.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows2\system32\ctfmon.exe" [2008-04-13 15360]
"AOL Fast Start"="c:\program files\America Online 9.0a\AOL.EXE" [2005-07-12 50776]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"NvCplDaemon"="c:\windows2\system32\NvCpl.dll" [2003-10-06 5058560]
"HostManager"="c:\program files\Common Files\AOL\1139524247\ee\AOLSoftware.exe" [2006-09-25 50736]
"HPDJ Taskbar Utility"="c:\windows2\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 188416]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-29 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-29 1601304]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows2\BCMSMMSG.exe]
c:\documents and settings\All Users.WINDOWS2\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-11-12 1447184]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2008-12-29 14:32 10520 c:\windows2\system32\avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS2^Start Menu^Programs^Startup^hp instant support.lnk]
path=c:\documents and settings\All Users.WINDOWS2\Start Menu\Programs\Startup\hp instant support.lnk
backup=c:\windows2\pss\hp instant support.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS2^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows2\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS2^Start Menu^Programs^Startup^Kodak software updater.lnk]
backup=c:\windows2\pss\Kodak software updater.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-06-20 14:30 69632 c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-10-06 14:16 741376 c:\windows2\system32\nwiz.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\WINDOWS2\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\aol\\1139524247\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\aol\\1139524247\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare Software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
R0 AvgRkx86;avgrkx86.sys;c:\windows2\system32\drivers\avgrkx86.sys [2008-12-29 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows2\system32\drivers\avgldx86.sys [2008-12-29 324872]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows2\system32\drivers\avgtdix.sys [2008-12-29 107272]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-29 903960]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-29 298264]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autoRcd.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
Trusted Zone: www.update.microsoft.com
O16 -: Microsoft XML Parser for Java - file://c:\windows2\Java\classes\xmldso.cab
c:\windows2\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 18:40:17
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows2\system32\LEXBCES.EXE
c:\windows2\system32\LEXPPS.EXE
c:\program files\Common Files\aol\ACS\AOLacsd.exe
c:\program files\Common Files\aol\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\aol\TopSpeed\2.0\aoltpspd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows2\system32\nvsvc32.exe
c:\windows2\system32\wdfmgr.exe
c:\windows2\wanmpsvc.exe
c:\program files\America Online 9.0a\waol.exe
c:\program files\America Online 9.0a\shellmon.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2009-01-03 18:46:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-03 23:46:08
Pre-Run: 43,359,023,104 bytes free
Post-Run: 43,822,219,264 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS2
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS2="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin
225 --- E O F --- 2009-01-03 19:36:31

Is there anything I need to get rid of? Thank you!
dachshundLover
Old 01-04-2009   #2
PC Security Analyst
 
 
Join Date: Sep 2008
Location: Caldwell, New Jersey
Posts: 10,103
PC Experience: Always Learning New Things
Re: back for log check, Crush was working with me

Hi again,

Do you have access to the computer in question to remove some entries in hijackthis?
__________________
Crush aka Chris
[Prework][Afterwork][PCHF Rules][BSOD's][SFC][Screenshots][PC Specs][Donate]
I am in fact, quite cool. My graphing calculator confirms this

Crush
Old 01-04-2009   #3
Bronze Member
 
Join Date: Nov 2008
Posts: 47
PC Experience: Experienced
Re: back for log check, Crush was working with me

Yes, I will have the computer for a couple of days this time. Thank you.
dachshundLover
Old 01-04-2009   #4
PC Security Analyst
 
 
Join Date: Sep 2008
Location: Caldwell, New Jersey
Posts: 10,103
PC Experience: Always Learning New Things
Re: back for log check, Crush was working with me

Perfect. We can have HJT remove the entries below. Before removal ensure HJT is the only program open and these are the only entries checked. Then click Fix Checked.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

Let me know if that's any better.

Crush
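As an added illustration of the log format Crush is working from (this is example code written for this page, not HijackThis's own parser and not code from the thread), the Python below reads the R0/R1, O4 and O23 line shapes seen in the posted log and returns two kinds of review hint: the ProxyOverride entry selected for Fix Checked above, and any Run entry that launches a bare file name rather than a full path (the BCMSMMSG line in this log). The sample lines are copied from the posted log; the pattern set, the `HjtEntry` name and the hint wording are this example's own choices.

```python
import re
from dataclasses import dataclass, field

# Sample input for this example: lines copied from the HijackThis log posted
# earlier in the thread (a constructed subset, so the script runs offline).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
"""


@dataclass
class HjtEntry:
    """One HijackThis log line: its section tag, the raw line, and parsed fields."""
    section: str
    raw: str
    fields: dict = field(default_factory=dict)


# Line formats for the three section types this example models (R0/R1 IE
# registry values, O4 Run keys, O23 services). Other sections are kept raw.
PATTERNS = [
    re.compile(r"^(?P<section>R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?) = ?(?P<data>.*)$"),
    re.compile(r"^(?P<section>O4) - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"),
    re.compile(r"^(?P<section>O23) - Service: (?P<display>.+?)(?: \((?P<service>[^)]+)\))?"
               r" - (?P<vendor>.+?) - (?P<path>.+)$"),
]


def parse_log(text: str) -> list:
    """Turn log text into HjtEntry objects; lines of unmodelled sections get no fields."""
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        for pat in PATTERNS:
            m = pat.match(line)
            if m:
                fields = {k: v for k, v in m.groupdict().items() if k != "section"}
                entries.append(HjtEntry(m.group("section"), line, fields))
                break
        else:
            entries.append(HjtEntry(line.split(" - ", 1)[0], line))
    return entries


def launched_image(cmd: str) -> str:
    """Program an O4 command starts: the quoted path if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def review(entries) -> list:
    """Review hints (raw line, reason) for the entries a log helper looks at first."""
    hints = []
    for e in entries:
        if e.section in ("R0", "R1") and e.fields.get("name") == "ProxyOverride" and e.fields.get("data"):
            # The entry Crush selected for Fix Checked in this thread.
            hints.append((e.raw, "ProxyOverride is set to %r; remove unless a local proxy is intended"
                          % e.fields["data"]))
        elif e.section == "O4" and "cmd" in e.fields:
            image = launched_image(e.fields["cmd"])
            if "\\" not in image:
                # A bare file name is located by PATH search at logon rather than
                # by an explicit directory, so it deserves a second look.
                hints.append((e.raw, "autorun image %r is not a full path" % image))
    return hints


if __name__ == "__main__":
    for raw, reason in review(parse_log(SAMPLE_LOG)):
        print(reason)
        print("   ", raw)
```

Run it against a full HijackThis log by replacing SAMPLE_LOG with the file contents; lines from sections the patterns do not model (O2, O9, O16 and so on) are kept with their section tag but no fields, so nothing is silently dropped.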
Old 01-04-2009   #5
Bronze Member
 
Join Date: Nov 2008
Posts: 47
PC Experience: Experienced
Re: back for log check, Crush was working with me

I was able to delete that. One other question: this computer has two XP installs on it. I edited boot.ini so only one shows up during boot-up. But she has two Windows directories, one named C:\Windows and the other named C:\Windows2. Is there a way to get rid of the one that is not used? I believe it is taking up a lot of space. The computer is really, really slow!! Any ideas? Thank you for your help. You are the best!
dachshundLover
Old 01-05-2009   #6
PC Security Analyst
 
 
Join Date: Sep 2008
Location: Caldwell, New Jersey
Posts: 10,103
PC Experience: Always Learning New Things
Re: back for log check, Crush was working with me

Sure, just delete it, provided her Documents and Settings and all that are saved on the first C:\Windows file system.

Crush
Old 01-05-2009   #7
Bronze Member
 
Join Date: Nov 2008
Posts: 47
PC Experience: Experienced
Re: back for log check, Crush was working with me

Great. Things are running great now. Thanks for the help.
dachshundLover