Topic: iexplore.exe

indfin
iexplore.exe
« Reply #20 on: May 17, 2009, 06:13:02 PM »
Just to alert you, this looks like it's going to be a long while.  Kaspersky has completed only 2% after scanning for over 40 minutes.  I'll post the results in the morning.

indfin
iexplore.exe
« Reply #21 on: May 17, 2009, 10:04:52 PM »
Here they are:

GMER:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-17 18:04:57
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT            Lbd.sys (Boot Driver/Lavasoft AB)                                                                       ZwCreateKey [0xF755887E]
SSDT            Lbd.sys (Boot Driver/Lavasoft AB)                                                                       ZwSetValueKey [0xF7558BFE]

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\Explorer.EXE [KERNEL32.dll!GetProcAddress]           [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]  [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress]    [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\Secur32.dll [KERNEL32.dll!GetProcAddress]   [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]     [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\USER32.dll [KERNEL32.dll!GetProcAddress]    [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress]    [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\ole32.dll [KERNEL32.dll!GetProcAddress]     [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]   [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress]   [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress]  [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\WININET.dll [KERNEL32.dll!GetProcAddress]   [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress]   [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\USERENV.dll [KERNEL32.dll!GetProcAddress]   [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress]  [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress]    [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress]   [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress]     [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                               avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                               Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                               avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                               Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                             avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                             Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout                      15
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota                         10000
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler                                       yes
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk                                      
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout                      90
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota                        10000
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs                              1

---- EOF - GMER 1.0.15 ----
________________________________________________________________

Kaspersky:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
 Sunday, May 17, 2009
 Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
 Kaspersky Online Scanner  version: 7.0.26.13
 Program database last update: Sunday, May 17, 2009 23:42:56
 Records in database: 2189078
--------------------------------------------------------------------------------

Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

Scan statistics:
    Files scanned: 63153
    Threat name: 5
    Infected objects: 86
    Suspicious objects: 0
    Duration of the scan: 03:34:23


File name / Threat name / Threats count
C:\FOUND.001\FILE0005.CHK    Infected: EICAR-Test-File    1
C:\FOUND.001\FILE0039.CHK    Infected: EICAR-Test-File    1
C:\FOUND.002\FILE0006.CHK    Infected: EICAR-Test-File    1
C:\Documents and Settings\hj\Local Settings\Temp\install.exe    Infected: Trojan.Win32.Inject.zzx    1
C:\Documents and Settings\hj\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express\CHWT.dbx    Infected: Virus.MSWord.VMPC-based    1
C:\Documents and Settings\hj\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express\Intellibridge.dbx    Infected: Virus.MSWord.VMPC-based    1
C:\Documents and Settings\hj\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express\Larson.dbx    Infected: Virus.MSWord.VMPC-based    1
C:\Documents and Settings\hj\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express\Sent Items.dbx    Infected: Virus.MSWord.VMPC-based    32
C:\Documents and Settings\hj\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express\Intellibridge (1).dbx    Infected: Virus.MSWord.VMPC-based    4
C:\Documents and Settings\hj\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express\Larson (1).dbx    Infected: Virus.MSWord.VMPC-based    3
C:\Documents and Settings\hj\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express\Internal (1).dbx    Infected: Virus.MSWord.VMPC-based    2
C:\Documents and Settings\hj\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express\Baltek (1).dbx    Infected: Virus.MSWord.VMPC-based    5
C:\Documents and Settings\hj\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express\CHWT (1).dbx    Infected: Virus.MSWord.VMPC-based    5
C:\Documents and Settings\hj\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express\CiviGenics (1).dbx    Infected: Virus.MSWord.VMPC-based    2
C:\Documents and Settings\hj\Application Data\Identities\{CD2BBA66-CE79-11D9-A593-0020ED65A18C}\Microsoft\Outlook Express\CHWT.dbx    Infected: Virus.MSWord.VMPC-based    5
C:\Documents and Settings\hj\Application Data\Identities\{CD2BBA66-CE79-11D9-A593-0020ED65A18C}\Microsoft\Outlook Express\Internal.dbx    Infected: Virus.MSWord.VMPC-based    2
C:\Documents and Settings\hj\Application Data\Identities\{CD2BBA66-CE79-11D9-A593-0020ED65A18C}\Microsoft\Outlook Express\Larson.dbx    Infected: Virus.MSWord.VMPC-based    3
C:\Documents and Settings\hj\Application Data\Identities\{CD2BBA66-CE79-11D9-A593-0020ED65A18C}\Microsoft\Outlook Express\Intellibridge.dbx    Infected: Virus.MSWord.VMPC-based    4
C:\Documents and Settings\hj\Application Data\Identities\{CD2BBA66-CE79-11D9-A593-0020ED65A18C}\Microsoft\Outlook Express\Baltek.dbx    Infected: Virus.MSWord.VMPC-based    5
C:\Documents and Settings\hj\Application Data\Identities\{CD2BBA66-CE79-11D9-A593-0020ED65A18C}\Microsoft\Outlook Express\CiviGenics.dbx    Infected: Virus.MSWord.VMPC-based    2
C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012421.dll    Infected: Trojan.Win32.TDSS.acbv    1
C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012422.dll    Infected: Packed.Win32.Tdss.f    1
C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012423.dll    Infected: Packed.Win32.Tdss.f    1
C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012424.dll    Infected: Packed.Win32.Tdss.f    1
C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012425.dll    Infected: Packed.Win32.Tdss.f    1

The selected area was scanned.
_______________________________________________________________

Thanks.

guestolo (Administrator)
iexplore.exe
« Reply #22 on: May 17, 2009, 11:12:34 PM »
Double click on OTListit2.exe to run it
Copy the contents of the paths below in Blue to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:OTLI
PRC - C:\WINDOWS.000\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Internet Explorer\Iexplore.exe (Microsoft Corporation)

:files
C:\Documents and Settings\hj\Local Settings\Temp\install.exe
C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012422.dll
C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012423.dll
C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012424.dll
C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012425.dll

:commands
[emptytemp]
[start explorer]
[Reboot]
  • Return to OTListIt2, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Close all Browser windows, including this one
  • Then Click the red Run Fix button.
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL2 log that opens

In addition, post a fresh Hijackthis log and let me know how things are now running

NOTE:
This is a usual folder in your Outlook Express identity
Sent Items

Did you create the next ones in your OE account?
CHWT
Intellibridge
Larson
Internal (1)
Baltek (1)
CiviGenics (1)
Internal
Baltek
CiviGenics

As you can see by the Kaspersky scan, you have an infected file in each of the above
Possibly a Word attachment?
If so, I would delete it

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
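The note above works out by hand which Outlook Express folders the Kaspersky hits land in. As an added example (not code from the thread or from any of the tools named in it), the Python below parses the report's "File name / Threat name / Threats count" lines and groups each detection by where it lives: chkdsk FOUND.xxx fragments, the user's Temp dropper, Outlook Express .dbx mail stores (by identity GUID and folder), and System Restore point copies. The sample input is a subset of the report lines posted above, embedded as a constant; the category names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the Kaspersky report lines posted above.
REPORT = r"""
File name / Threat name / Threats count
C:\FOUND.001\FILE0005.CHK    Infected: EICAR-Test-File    1
C:\Documents and Settings\hj\Local Settings\Temp\install.exe    Infected: Trojan.Win32.Inject.zzx    1
C:\Documents and Settings\hj\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express\Sent Items.dbx    Infected: Virus.MSWord.VMPC-based    32
C:\Documents and Settings\hj\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express\CHWT (1).dbx    Infected: Virus.MSWord.VMPC-based    5
C:\Documents and Settings\hj\Application Data\Identities\{CD2BBA66-CE79-11D9-A593-0020ED65A18C}\Microsoft\Outlook Express\CHWT.dbx    Infected: Virus.MSWord.VMPC-based    5
C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012421.dll    Infected: Trojan.Win32.TDSS.acbv    1
C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012422.dll    Infected: Packed.Win32.Tdss.f    1

The selected area was scanned.
"""

# One report line: <path>  Infected: <threat>  <count>; the path is separated
# from the verdict by a run of spaces, so a non-greedy match up to "Infected:" works.
LINE_RE = re.compile(r"^(?P<path>.+?)\s{2,}Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")

# Location patterns (assumed layouts, taken from the paths in the report itself).
OE_RE = re.compile(r"\\Identities\\\{(?P<identity>[0-9A-F-]+)\}\\Microsoft\\Outlook Express\\(?P<folder>[^\\]+)\.dbx$", re.I)
RP_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\(?P<rp>RP\d+)\\", re.I)
FOUND_RE = re.compile(r"^[A-Z]:\\FOUND\.\d+\\", re.I)
TEMP_RE = re.compile(r"\\Local Settings\\Temp\\", re.I)


def parse_report(text):
    """Return one dict per detection line: path, threat name, threats count."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits.append({"path": m["path"], "threat": m["threat"], "count": int(m["count"])})
    return hits


def classify(hit):
    """Map a detection to (category, location key) so hits can be grouped for triage."""
    path = hit["path"]
    m = OE_RE.search(path)
    if m:
        # Mail store: the count is the number of infected messages/attachments inside it.
        return ("oe-mailbox", f"{m['identity']}/{m['folder']}")
    m = RP_RE.search(path)
    if m:
        # Inert copies kept by System Restore; cleared by purging the restore point.
        return ("restore-point", m["rp"])
    if FOUND_RE.match(path):
        # Orphaned clusters recovered by chkdsk, not files in use.
        return ("chkdsk-fragment", path.split("\\")[1])
    if TEMP_RE.search(path):
        return ("user-temp", path.rsplit("\\", 1)[-1])
    return ("other", path)


def summarize(text):
    """category -> {location: total threats count}."""
    summary = defaultdict(lambda: defaultdict(int))
    for hit in parse_report(text):
        category, where = classify(hit)
        summary[category][where] += hit["count"]
    return {c: dict(w) for c, w in summary.items()}


def oe_folders(text):
    """Distinct Outlook Express folder names with hits, like the list the helper typed by hand."""
    folders = set()
    for hit in parse_report(text):
        category, where = classify(hit)
        if category == "oe-mailbox":
            folders.add(where.split("/", 1)[1])
    return sorted(folders)


if __name__ == "__main__":
    for category, locations in summarize(REPORT).items():
        print(category)
        for where, total in locations.items():
            print(f"  {where}: {total}")
    print("OE folders:", oe_folders(REPORT))
```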


indfin
iexplore.exe
« Reply #23 on: May 18, 2009, 11:19:53 AM »
OTL2 Log:

========== OTLISTIT ==========
Process Explorer.EXE killed successfully!
No active process named Iexplore.exe was found!
========== FILES ==========
File\Folder C:\Documents and Settings\hj\Local Settings\Temp\install.exe not found.
File\Folder C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012422.dll not found.
File\Folder C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012423.dll not found.
File\Folder C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012424.dll not found.
File\Folder C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012425.dll not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS.000\temp\Perflib_Perfdata_4fc.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully
 
OTListIt2 by OldTimer - Version 2.0.15.8 log created on 05182009_113808

Files moved on Reboot...
File C:\WINDOWS.000\temp\Perflib_Perfdata_4fc.dat not found!

Registry entries deleted on Reboot...
___________________________________________________________

Let Chkdsk run on reboot.

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:11 AM, on 5/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS.000\system32\spoolsv.exe
C:\WINDOWS.000\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS.000\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS.000\system32\ctfmon.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS.000\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\hj\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Yapta BHO - {2020dfef-8c87-4229-aa41-549d82210355} - C:\Program Files\Yapta\YaptaOverlay.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.000\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra button: Yapta Settings - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra 'Tools' menuitem: Yapta Settings... - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.000\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.000\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online for Web Applications) - https://us.dbrasweb.db.com/llclient/dbraswe....com+AXXPEE.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...99/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.ooxtv.com/vjocx-en.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FA2A991-9158-4DA4-A4FF-3430AA4675FE}: NameServer = 68.87.64.146
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS.000\SYSTEM32\avgrsstx.dll
O23 - Service: 7E5C2CF5213DBFD292AA44CF30FDF9D9 - Unknown owner - cmd /k start /i "/dC:" "C:\ComboFix\HIDEC.exe" "C:\ComboFix\SWREG.EXE" ACL "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_Beep" /RESET /Q (file missing)
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 7286 bytes
____________________________________________________________

I have many folders created over the years in OE and, yes, I created all the ones listed below - though only once, I don't know why they appear twice.  Any one of these folders may have 25 to 2,000 messages, many with attachments.  I would delete the infected files, but how would I find them?  I guess the other option is to just copy all the folders on to a disc and delete them all from my hard drive.

The computer is running fine...the music has stopped, in a good way.

Is there a way to reduce the 30 seconds to 3 seconds at start up (Recovery Console)?

Thanks a ton.

The computer seems to be back to its original shape.  Thank you once again.

guestolo (Administrator)
iexplore.exe
« Reply #24 on: May 18, 2009, 11:32:05 AM »
Can we just run one more scan with Malwarebytes
But do the following first, you should have a shortcut on desktop to Malwarebytes
Leave it there, but the installer you named to indfin.bat<<- can you delete this from desktop

Then if you renamed mbam.exe in the ProgramFiles folder
Navigate to C:\Program Files\Malwarebytes' Anti-Malware
Rename indfin.bat back to mbam.exe
Then from the shortcut on desktop, run MBAM
Check for updates, run another quick scan, remove anything found, if anything, and post its new log back here please

Quote
Is there a way to reduce the 30 seconds to 3 seconds at start up (Recovery Console)?
Oh, yes, we'll fix that in a bit
« Last Edit: May 18, 2009, 11:32:41 AM by guestolo »

indfin
iexplore.exe
« Reply #25 on: May 18, 2009, 12:38:16 PM »
The installer on my desktop was indfin.exe, which I deleted.  There are no .bat files, either in the Program Files or the desktop.

Ran MBAM after updating.  Nothing found.  I guess that's good.

MBAM Log:

Malwarebytes' Anti-Malware 1.36
Database version: 2147
Windows 5.1.2600 Service Pack 3

5/18/2009 1:33:20 PM
mbam-log-2009-05-18 (13-33-20).txt

Scan type: Quick Scan
Objects scanned: 88086
Time elapsed: 5 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

guestolo (Administrator)
iexplore.exe
« Reply #26 on: May 18, 2009, 12:47:43 PM »
Ok, looks good, just one last scan, and we'll do some cleanup
Can you ensure that you Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Ensure that AVG is up to date
Navigate to the following folder
C:\Documents and Settings\hj\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express
Right click on the Outlook Express folder and do a Scan with AVG on it
Does it pick up anything?

Also, go to the following directory, it's a bit different, take note of the 'Local Settings' folder
C:\Documents and Settings\hj\Local Settings\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express
Right click on Outlook Express and Scan it with AVG, anything?

indfin
iexplore.exe
« Reply #27 on: May 18, 2009, 01:12:35 PM »
AVG did not find anything in the Application Data location.  The folder does not exist in the Local Settings location.

guestolo (Administrator)
iexplore.exe
« Reply #28 on: May 18, 2009, 01:40:00 PM »
I want to try a bit of cleanup on this machine of the tools we used

First: Right click on MyComputer icon and select Properties>>ADVANCED tab>>SETTINGS under 'Startup and Recovery'
Beside "Time to display list of Operating systems:"
Change the time from 30 to 2
OK out of there

Go to START>>RUN>>
copy and paste the following

combofix /u
and press enter
This will uninstall ComboFix and its components
Let me know if that step successfully finished

Go to START>>RUN>>copy and paste the following

C:\WINDOWS.000\gmer_uninstall.cmd
and press enter
This will uninstall GMER

You can remove Kaspersky Online Scanner from Add and Remove Programs

Do a "System scan only" with Hijackthis and put a check next to these entries:

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis


OTListIt2.exe
  • Double-click OTListIt2.exe to run it.
  • Click the Cleanup! button
  • Select Yes to reboot Now
Post back with a fresh Hijackthis log after reboot
Let me know if you get the following error message on startup
Code:
Windows can not find file 'C:\ComboFix\Hidec.exe'
« Last Edit: May 18, 2009, 01:40:42 PM by guestolo »

indfin
iexplore.exe
« Reply #29 on: May 18, 2009, 02:15:31 PM »
Changed the time to 2 seconds.
Uninstalled ComboFix.
When trying to uninstall GMER, got message "Cannot find the File".  When I searched for it, it is only on Desktop and Recent.  Also, when I ran GMER initially, I could not follow your instructions completely because "New Folder" or something did not show up.  I just extracted the files to a folder GMER on my desktop and ran it.
Cannot find Kaspersky in the Add/Remove Programs.  As an aside, should I remove MBAM from there?
Removed Spyware entry through HJT.
Ran OTListIt2 and, yes, did get the error message on startup.

guestolo (Administrator)
iexplore.exe
« Reply #30 on: May 18, 2009, 02:42:58 PM »
The uninstalling of Combofix and running OTListIt's Cleanup afterwards would have taken care of most/all of Gmer
So don't worry about that step

Quote
Cannot find Kaspersky in the Add/Remove Programs.
Sorry, Kaspersky doesn't add that entry any more, you can simply run ATF-Cleaner.exe again and have it clear your Temp folders, that should take care of it

Quote
As an aside, should I remove MBAM from there
Yes, remove from Add and Remove programs, or if you prefer, hold onto it and update and run a quick scan occasionally

Quote
Ran OTListIt2 and, yes, did get the error message on startup.
Can I see that fresh Hijackthis log please that I asked for in my last response

indfin
iexplore.exe
« Reply #31 on: May 18, 2009, 02:46:53 PM »
Sorry, missed that, but here it is.

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:44:35 PM, on 5/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS.000\system32\spoolsv.exe
C:\WINDOWS.000\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS.000\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS.000\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\hj\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Yapta BHO - {2020dfef-8c87-4229-aa41-549d82210355} - C:\Program Files\Yapta\YaptaOverlay.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.000\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra button: Yapta Settings - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra 'Tools' menuitem: Yapta Settings... - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.000\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.000\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online for Web Applications) - https://us.dbrasweb.db.com/llclient/dbraswe....com+AXXPEE.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...99/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.ooxtv.com/vjocx-en.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FA2A991-9158-4DA4-A4FF-3430AA4675FE}: NameServer = 68.87.64.146
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS.000\SYSTEM32\avgrsstx.dll
O23 - Service: 7E5C2CF5213DBFD292AA44CF30FDF9D9 - Unknown owner - cmd /k start /i "/dC:" "C:\ComboFix\HIDEC.exe" "C:\ComboFix\SWREG.EXE" ACL "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_Beep" /RESET /Q (file missing)
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 7103 bytes

Offline guestolo

iexplore.exe
« Reply #32 on: May 18, 2009, 03:31:51 PM »
Can you try the following:
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it into the empty Notepad file
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file service.bat

Save this file on the desktop

Code:
sc stop 7E5C2CF5213DBFD292AA44CF30FDF9D9
sc delete 7E5C2CF5213DBFD292AA44CF30FDF9D9


Double click on service.bat
A DOS-like window may open and close quickly.
Let it finish, then reboot the computer.

Back in Windows, post one last Hijackthis log and let me know if the error on startup is now gone



Offline indfin

iexplore.exe
« Reply #33 on: May 18, 2009, 03:48:53 PM »
The error on startup is gone, the computer works faster than before the problem and I have 2.8 GB of free space versus 200 MB when this started.  Thank you.

HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:45:59 PM, on 5/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS.000\system32\spoolsv.exe
C:\WINDOWS.000\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS.000\System32\svchost.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS.000\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS.000\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\hj\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Yapta BHO - {2020dfef-8c87-4229-aa41-549d82210355} - C:\Program Files\Yapta\YaptaOverlay.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.000\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra button: Yapta Settings - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra 'Tools' menuitem: Yapta Settings... - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.000\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.000\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online for Web Applications) - https://us.dbrasweb.db.com/llclient/dbraswe....com+AXXPEE.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...99/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.ooxtv.com/vjocx-en.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FA2A991-9158-4DA4-A4FF-3430AA4675FE}: NameServer = 68.87.64.146
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS.000\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 6961 bytes

Offline guestolo

iexplore.exe
« Reply #34 on: May 18, 2009, 10:30:02 PM »
Looking at your log and uninstall list from OTListIt2, I see the following:
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)

Related to your printing/scanning software.
I don't see the following in your uninstall list, which makes me think you have uninstalled the software and this was left behind:
Arc Soft Print Creations
If you feel that you did have it installed and have since removed it, please do the following:

Copy the contents of the CODE box, not including the word "code"
Right click on service.bat we made earlier and select EDIT
Replace the contents of that file with the one in the code box

Left click to set and save the file

Code:
sc stop ACDaemon
sc delete ACDaemon

Double click on service.bat
A DOS-like window may open and close quickly.
Let it finish, then reboot the computer.

Back in Windows: although you are running out of room and should consider backing up files to DVD or an external hard drive,
it's important to keep your computer secure.
I strongly recommend that you add SpywareBlaster to your protection software.
SpywareBlaster by JavaCool
At the link you can read more about it, then continue with
Free Download on the right>>Continue Download at next page
Basically it:
    *Will block bad ActiveX controls
    *Will block malevolent cookies in Internet Explorer and Firefox
    *Will restrict actions of potentially dangerous sites in Internet Explorer
Select Manual updating when installing.
After installation, Check for updates.
After updating, select "Protection Status" on the left,
then select "Enable all Protection".
Check for updates every couple of weeks;
after every update just simply click "Enable protection on all unprotected items",
or again, click on Protection Status>>Enable all Protection.

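An added example (my own code, not from the thread, HijackThis or ComboFix) covering the two O23 entries the helper singled out in Reply #32 and Reply #34: it parses O23 service lines from a HijackThis log, flags ones whose binary is missing, whose publisher is unknown or whose name is a 32-digit hex string, and emits the same `sc stop`/`sc delete` pair that service.bat used, as text for a person to review before running. The heuristics and the sample log (the thread's own O23 lines plus two legitimate ones) are mine.

```python
import re
from dataclasses import dataclass

# Constructed sample: this thread's O23 lines plus two legitimate entries and one non-O23 line.
SAMPLE_LOG = r"""
O23 - Service: 7E5C2CF5213DBFD292AA44CF30FDF9D9 - Unknown owner - cmd /k start /i "/dC:" "C:\ComboFix\HIDEC.exe" "C:\ComboFix\SWREG.EXE" ACL "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_Beep" /RESET /Q (file missing)
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.000\system32\ctfmon.exe
"""

# O23 layout: "O23 - Service: <Display> [(<ServiceName>)] - <Publisher> - <ImagePath> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<cmd>.+?)(?P<missing> \(file missing\))?$"
)
HEX_NAME_RE = re.compile(r"^[0-9A-Fa-f]{32}$")  # names like the ComboFix leftover above

@dataclass
class Service:
    display: str
    name: str          # the short name that `sc stop` / `sc delete` take
    owner: str
    command: str
    file_missing: bool

def parse_o23(line):
    """Parse one HijackThis O23 line; return None for any other line type."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return Service(display=m["display"], name=m["short"] or m["display"],
                   owner=m["owner"], command=m["cmd"],
                   file_missing=m["missing"] is not None)

def suspicious_reasons(svc):
    """Heuristics (mine, not HijackThis's) for a service entry worth a second look."""
    reasons = []
    if svc.file_missing:
        reasons.append("binary missing on disk")
    if svc.owner == "Unknown owner":
        reasons.append("no publisher recorded")
    if HEX_NAME_RE.match(svc.name):
        reasons.append("32-hex-digit service name")
    if svc.command.lower().startswith(("cmd ", "cmd.exe ")):
        reasons.append("service launches through cmd.exe")
    return reasons

def triage(log_text):
    """Return {service name: reasons} for every flagged O23 entry in a log."""
    findings = {}
    for line in log_text.splitlines():
        svc = parse_o23(line)
        reasons = suspicious_reasons(svc) if svc else []
        if reasons:
            findings[svc.name] = reasons
    return findings

def removal_batch(names):
    """The thread's service.bat pattern (sc stop, then sc delete), one pair per
    name, as text for a human to review before saving and running it."""
    lines = [f"sc {verb} {name}" for name in names for verb in ("stop", "delete")]
    return "\r\n".join(lines) + "\r\n"
```

Run `triage(SAMPLE_LOG)` to see only the ComboFix leftover and ACDaemon flagged; the AVG and Nero services pass, which is the behaviour the helper's manual review showed.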


Offline indfin

iexplore.exe
« Reply #35 on: May 18, 2009, 11:35:09 PM »
Ran service.bat and downloaded SpywareBlaster.  I guess it's all done then? Many thanks.

Couple of questions (these are just out of curiosity, so you don't have to answer them):

A).  I routinely delete unnecessary files to create more space on the disk.  I missed about 2.6 GB of them!!  Which programs can I regularly run to delete junk from the computer?

B).  Can I go back to watching cricket (www.ooxtv.com and www.lifeiscolourful.com) or were these the cause of all problems?

If I hear back on these, good; otherwise, thank you very much once again!

Offline guestolo

iexplore.exe
« Reply #36 on: May 19, 2009, 09:50:06 AM »
Quote
Can I go back to watching cricket (www.ooxtv.com and www.lifeiscolourful.com) or were these the cause of all problems?

I'm not sure; lifeiscolourful seems to be OK.
I'm not positive about ooxtv>>It mentions you need to run IE and install its ActiveX; I can't find the control to check it out.
Is this when the problems started?



Offline indfin

iexplore.exe
« Reply #37 on: May 19, 2009, 10:29:14 AM »
Well, these are the two I actually watched on.  There are a couple of others I tried, don't remember which ones, but couldn't watch.  So it could be any one of them too.  But yes, that's when it all started.

With the semi-finals approaching, it's very hard to stay away.

Offline indfin

iexplore.exe
« Reply #38 on: May 19, 2009, 10:33:21 AM »
I think it was when I clicked on crictime.com that the troubles started.

Offline guestolo

iexplore.exe
« Reply #39 on: May 19, 2009, 10:37:20 AM »
Let me try with my testbox and check out a couple of those sites
Give me a few minutes
