Geeks To Go forums
Can't browse Windows Folders [RESOLVED]


This topic is locked

#16 mrblue (Topic Starter, Member, 125 posts)
Laptop running very quiet this morning (very unusual). Also, I just tried to browse Windows folders before I did the Combofix and it WORKED!!

Anyway, here's the Combofix log first:

ComboFix 08-02-17.2 - Kevin 2008-02-18 10:21:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.465 [GMT 0:00]
Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.

2008-02-16 20:10 . 2008-02-16 20:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-16 20:08 . 2008-02-16 20:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-16 19:22 . 2008-02-16 19:22 <DIR> d-------- C:\Deckard
2008-02-16 17:05 . 2008-02-16 17:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-16 16:19 . 2008-02-16 16:16 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-16 16:19 . 2008-02-16 16:19 3,446 --a------ C:\WINDOWS\unins000.dat
2008-02-16 13:35 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-16 13:18 . 2008-02-16 15:18 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-16 13:18 . 2008-02-16 13:18 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-16 13:18 . 2008-02-16 13:18 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-16 13:18 . 2008-02-16 13:18 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-16 09:13 . 2008-02-16 09:13 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Grisoft
2008-02-16 09:09 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-15 19:50 . 2001-08-17 13:28 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2008-02-15 19:49 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-02-15 19:48 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-02-15 19:47 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-02-15 19:46 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-02-15 19:45 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-02-15 19:44 . 2003-03-31 12:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-02-15 19:44 . 2003-03-31 12:00 229,439 --a--c--- C:\WINDOWS\system32\dllcache\multibox.dll
2008-02-15 19:44 . 2003-03-31 12:00 111,104 --a--c--- C:\WINDOWS\system32\dllcache\mtstocom.exe
2008-02-15 19:44 . 2001-08-17 12:50 103,296 --a--c--- C:\WINDOWS\system32\dllcache\mtxvideo.sys
2008-02-15 19:44 . 2003-03-31 12:00 98,304 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.dll
2008-02-15 19:44 . 2004-08-04 07:09 49,024 --a--c--- C:\WINDOWS\system32\dllcache\mstape.sys
2008-02-15 19:44 . 2001-08-17 14:02 35,200 --a--c--- C:\WINDOWS\system32\dllcache\msgame.sys
2008-02-15 19:44 . 2004-08-04 07:00 22,016 --a--c--- C:\WINDOWS\system32\dllcache\msircomm.sys
2008-02-15 19:44 . 2001-08-17 13:48 12,416 --a--c--- C:\WINDOWS\system32\dllcache\msriffwv.sys
2008-02-15 19:44 . 2001-08-17 13:48 6,016 --a--c--- C:\WINDOWS\system32\dllcache\msfsio.sys
2008-02-15 19:44 . 2001-08-17 14:00 2,944 --a--c--- C:\WINDOWS\system32\dllcache\msmpu401.sys
2008-02-15 19:42 . 2003-03-31 12:00 315,452 --a--c--- C:\WINDOWS\system32\dllcache\imskf.dll
2008-02-15 19:41 . 2003-03-31 12:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-02-15 19:40 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-02-15 19:39 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-02-15 19:38 . 2001-08-17 22:36 614,429 --a--c--- C:\WINDOWS\system32\dllcache\digiview.exe
2008-02-15 19:37 . 2003-03-31 12:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-02-15 19:36 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-02-15 19:35 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-02-15 19:34 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-02-10 22:57 . 2008-02-11 22:24 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\AVG7
2008-02-10 22:56 . 2008-02-10 22:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-10 22:56 . 2008-02-10 22:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-10 22:56 . 2008-02-16 09:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-09 20:45 . 2008-02-09 20:45 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Tenebril
2008-02-09 20:36 . 2008-02-09 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tenebril
2008-02-09 20:32 . 2008-02-09 20:32 <DIR> d-------- C:\WINDOWS\system32\tenarchlib
2008-02-09 20:32 . 2005-10-12 23:10 180,224 --a-s---- C:\WINDOWS\system32\archlib.dll
2008-02-09 19:25 . 2008-02-09 19:25 <DIR> d-------- C:\Program Files\Agnitum
2008-02-09 19:25 . 2008-02-09 19:25 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Ringjacker
2008-01-19 21:59 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-19 21:57 . 2008-01-20 10:10 <DIR> d-------- C:\Program Files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-18 10:33 --------- d-----w C:\Documents and Settings\Kevin\Application Data\OnlineArmor
2008-02-18 10:33 --------- d-----w C:\Documents and Settings\Kevin\Application Data\MailWasherPro
2008-02-18 07:48 --------- d-----w C:\Program Files\eSignal
2008-02-17 20:15 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Skype
2008-02-17 20:14 --------- d-----w C:\Documents and Settings\Kevin\Application Data\skypePM
2008-02-16 18:42 --------- d-----w C:\Program Files\Lx_cats
2008-02-16 16:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-16 14:19 --------- d-----w C:\Program Files\Qlock
2008-02-16 14:12 --------- d-----w C:\Program Files\MailWasher
2008-02-16 14:12 --------- d-----w C:\Program Files\Lexmark 5400 Series
2008-02-10 16:41 --------- d-----w C:\Program Files\Satellite TV for PC
2008-02-09 21:09 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-09 20:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-10 23:54 921,632 ----a-w C:\PA7311.DAT
2008-01-09 23:37 --------- d-----w C:\Program Files\MySpeed PC2
2008-01-09 23:36 30,601 ----a-w C:\Documents and Settings\Kevin\x.exe
2007-12-27 20:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\OnlineArmor
2007-12-27 20:04 --------- d-----w C:\Program Files\Tall Emu
2007-12-27 19:56 --------- d-----w C:\Program Files\iVocalize Web Conference 4
2007-12-27 19:56 --------- d-----w C:\Program Files\eMini-Master.com
2007-12-27 19:56 --------- d-----w C:\Program Files\Common Files\Skype
2007-12-27 19:56 --------- d-----w C:\Program Files\Common Files\PCCamera
2007-12-27 19:56 --------- d-----w C:\Program Files\Common Files\InstallerA
2007-12-27 19:56 --------- d-----w C:\Program Files\CCleaner
2007-12-27 19:56 --------- d-----w C:\Program Files\BTopenworld
2007-12-27 19:56 --------- d-----w C:\Program Files\BT Home Hub
2007-12-27 19:56 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-12-27 19:56 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Media Player Classic
2007-12-24 15:56 --------- d-----w C:\Program Files\Common Files\Agnitum Shared
2007-12-22 09:51 557,056 ----a-w C:\Documents and Settings\Kevin\GoToAssist_phone__306_en.exe
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-11-16 19:29 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2006-12-02 02:05 557,056 ----a-w C:\Documents and Settings\Kevin\chatlnk.exe
2006-08-14 15:20 4,334 ----a-w C:\Program Files\Deploy4.log
2006-06-22 20:51 131,072 ----a-w C:\Documents and Settings\All Users\mapi32.dll
2006-02-13 12:08 138 ----a-w C:\Program Files\INSTALL.LOG
2006-02-12 23:31 37 ------w C:\Documents and Settings\Kevin Ford\getfile.dat
2005-06-16 11:08 4,121 ----a-w C:\Program Files\Deploy3.log
2005-02-22 20:13 3,669 ----a-w C:\Program Files\Deploy2.log
2005-01-03 13:35 3,930 ----a-w C:\Program Files\Deploy.log
2003-08-27 14:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.
Infected C:\WINDOWS\system32\user32.dll hex repaired

C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
577,024 2005-03-02 18:09:30 C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\user32.dll
577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
561,152 2005-03-02 18:20:03 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
528,896 2002-11-01 22:26:46 C:\WINDOWS\$NtUninstallKB824141$\user32.dll
560,128 2003-03-31 12:00:00 C:\WINDOWS\$NtUninstallKB826939$\user32.dll
577,024 2004-08-04 07:56:46 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
560,128 2003-09-25 16:49:02 C:\WINDOWS\$NtUninstallKB890859_0$\user32.dll
577,024 2005-03-02 18:09:30 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
265,649 2003-03-31 12:00:00 C:\WINDOWS\I386\USER32.DL_
12,288 2001-10-24 13:16:16 C:\WINDOWS\mui\FALLBACK\0405\user32.dll.mui
14,336 2001-08-18 05:40:06 C:\WINDOWS\mui\FALLBACK\0407\user32.dll.mui
14,336 2001-11-27 00:20:06 C:\WINDOWS\mui\FALLBACK\0408\user32.dll.mui
12,800 2001-10-05 17:23:26 C:\WINDOWS\mui\FALLBACK\040B\user32.dll.mui
13,824 2001-08-23 18:55:38 C:\WINDOWS\mui\FALLBACK\040C\user32.dll.mui
13,312 2001-08-30 23:50:56 C:\WINDOWS\mui\FALLBACK\0410\user32.dll.mui
14,336 2001-09-15 19:17:54 C:\WINDOWS\mui\FALLBACK\0413\user32.dll.mui
12,288 2001-09-06 21:40:30 C:\WINDOWS\mui\FALLBACK\041D\user32.dll.mui
13,312 2001-11-20 17:46:44 C:\WINDOWS\mui\FALLBACK\0816\user32.dll.mui
13,312 2001-08-22 23:22:50 C:\WINDOWS\mui\FALLBACK\0C0A\user32.dll.mui
577,024 2004-08-04 07:56:46 C:\WINDOWS\ServicePackFiles\i386\user32.dll
577,536 2007-03-08 15:36:28 C:\WINDOWS\system32\user32.dll
577,536 2007-03-08 15:36:28 C:\WINDOWS\system32\dllcache\user32.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 15:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-12-19 21:00 335872]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-11-20 15:19 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-11-20 15:18 499712]
"Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 16:46 45056 C:\WINDOWS\system32\ico.exe]
"HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [2003-12-02 00:36 94208]
"SonyPowerCfg"="C:\Program Files\sony\vaio power management\SPMgr.exe" [2003-10-24 17:21 167936]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-21 19:27 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"Motive SmartBridge"="C:\PROGRA~1\BT Home Hub\Help\SmartBridge\BTHelpNotifier.exe" [2006-02-06 18:52 462935]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"LXCTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-11-21 12:27 106496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-10 22:56 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [2007-11-16 07:51 5029952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-10 22:56 219136]

C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\
MailWasherPro.lnk - C:\Program Files\MailWasher\MailWasher.exe [2007-12-20 09:23:27 5541888]
qlock.lnk - C:\Program Files\Qlock\qlock.exe [2006-03-20 09:04:32 4070912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll [2007-11-16 07:50 633344]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
C:\Program Files\btbb_wcm\McciTrayApp.exe

R1 NDISRD;NDISRD;C:\WINDOWS\system32\drivers\NDISRD.sys [2007-09-29 00:06]
R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2007-11-08 06:37]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2007-09-29 00:06]
R2 SvcOnlineArmor;Online Armor;"C:\Program Files\Tall Emu\Online Armor\oasrv.exe" [2007-11-16 07:51]
S3 PAC7311;Phenix-Q8;C:\WINDOWS\system32\DRIVERS\PA707UCM.SYS [2005-10-18 10:48]
S3 PPDrv;Protector Plus Driver (UnRegistered);C:\Protector Plus\PPDrv.sys []
S3 PPEMSCAN;Protector Plus Email Scan Driver;C:\Protector Plus\PPEMSCAN.sys []
S3 vncdrv;vncdrv;C:\WINDOWS\system32\DRIVERS\vncdrv.sys [2004-06-26 12:22]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 10:33:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
.
**************************************************************************
.
Completion time: 2008-02-18 10:39:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-18 10:39:21
ComboFix2.txt 2008-02-16 19:11:47
ComboFix3.txt 2007-09-16 18:53:56
.
2008-02-13 10:16:07 --- E O F ---



Now I'll do the HJT.......


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:27, on 18/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\sony\vaio power management\SPMgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\BT Home Hub\Help\SmartBridge\BTHelpNotifier.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MailWasher\MailWasher.exe
C:\Program Files\Qlock\qlock.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Kevin\Desktop\mobmeter.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bloomberg.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bloomberg.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: (no name) - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\sony\vaio power management\SPMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BT Home Hub\Help\SmartBridge\BTHelpNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,[email protected]
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher\MailWasher.exe
O4 - Startup: qlock.lnk = C:\Program Files\Qlock\qlock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} -
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {62FA83F7-20EC-4D62-AC86-BAB705EE1CCD} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6B78B13A-6E99-4588-8EAB-C2399B202022} (iVocalize Web Conference 4 Setup) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} (Java Plug-in 1.4.2_01) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...ent1.7.20.5.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/...on.cab55579.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - C:\Program Files\Ares\chatServer.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\sony\vaio media music server\SSSvr.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPcservice.exe

--
End of file - 9652 bytes


All done!

Edited by mrblue, 18 February 2008 - 04:47 AM.
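The two logs above are what a helper actually works from, so here is an added triage example. It is my own code, not ComboFix's or HijackThis's and not anything posted in this thread. The two excerpts inside it are copied verbatim from the post; the parsing rules, the flag reasons and the hypothetical function names are my assumptions about what deserves a second look, not a malware verdict on this machine.

```python
"""Triage helpers for the ComboFix and HijackThis excerpts posted above.

Added example: this is not ComboFix or HijackThis code and not something
the thread's helper posted. The two excerpts are copied from the post;
the parsing rules and flag reasons are the example author's assumptions.
"""
import re
from collections import defaultdict

# --- 1. ComboFix: the copies of user32.dll listed under "is infected" ---------
# Format of each line: "<size> <date> <time> <path>" (excerpt, copied from above).
COMBOFIX_USER32 = r"""
577,024 2005-03-02 18:09:30 C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\user32.dll
578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
561,152 2005-03-02 18:20:03 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
577,024 2004-08-04 07:56:46 C:\WINDOWS\ServicePackFiles\i386\user32.dll
577,536 2007-03-08 15:36:28 C:\WINDOWS\system32\user32.dll
577,536 2007-03-08 15:36:28 C:\WINDOWS\system32\dllcache\user32.dll
"""

FILE_LINE = re.compile(
    r"^\s*([\d,]+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S.*?)\s*$")


def parse_file_listing(text):
    """Return [(size_bytes, mtime, path)] for every ComboFix file line."""
    rows = []
    for line in text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            rows.append((int(m.group(1).replace(",", "")), m.group(2), m.group(3)))
    return rows


def size_groups(rows):
    """Map size -> paths, so copies that disagree in size stand out."""
    groups = defaultdict(list)
    for size, _mtime, path in rows:
        groups[size].append(path)
    return dict(groups)


def live_vs_references(rows, live_path=r"C:\WINDOWS\system32\user32.dll"):
    """Paths whose size AND timestamp equal the live file's.

    $hf_mig$ / $NtUninstall* / ServicePackFiles hold *earlier* versions, so on
    a patched box only dllcache (the WFP cache) is expected to agree.  Agreement
    is not proof of integrity: a byte-patched file keeps its size, which is the
    whole point of ComboFix's "hex repaired" line.  Hash the live file against a
    known-good copy before drawing a conclusion.
    """
    by_path = {path: (size, mtime) for size, mtime, path in rows}
    live = by_path[live_path]
    return sorted(p for p, st in by_path.items() if st == live and p != live_path)


# --- 2. HijackThis: entries that point nowhere or cannot be attributed --------
HJT_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - C:\Program Files\Ares\chatServer.exe (file missing)
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
"""

HJT_LINE = re.compile(r"^([A-Z]\d+) - (.*)$")


def hjt_findings(text):
    """Return [(section, reason, line)] for entries worth a second look.

    The rules are conservative: they build a verify-or-remove list (targets
    that are gone, unqualified commands, ActiveX entries with no source,
    services without a recorded publisher), not a malware verdict.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        if "(no file)" in body or "(file missing)" in body:
            findings.append((section, "registered target is missing on disk", line))
        if section == "O4" and "] " in body:
            first_token = body.split("] ", 1)[1].split(" ", 1)[0]
            if "\\" not in first_token:  # e.g. "Ati2mdxx.exe": found via the search order
                findings.append((section, "bare file name, resolved via search order", line))
        if section == "O16" and body.endswith(" -"):
            findings.append((section, "ActiveX download entry with no source URL", line))
        if section == "O23" and "Unknown owner" in body:
            findings.append((section, "service binary has no recorded publisher", line))
    return findings
```

Run as-is it reports that the live `system32\user32.dll` agrees in size and date only with the `dllcache` copy, which is the normal state of a patched machine and says nothing about content: ComboFix's own "hex repaired" line means it changed bytes in that file, so the only real integrity check is a cryptographic hash of the live file against a known-good copy (installation media or a trusted service-pack file), not this listing. The HijackThis rules produce six findings from the excerpt, three of them entries whose target no longer exists on disk; those are the ones a helper typically has the user remove first, because an orphaned BHO or service entry is harmless but noisy, and every remaining entry is then a real file that can be hashed or looked up.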


#17 mrblue (Topic Starter, Member, 125 posts)
Hi Harry.

Seems like I have an infection. Do you know how I go about dealing with it?

Regards

#18 harrythook (Trusted Helper, Retired Staff, 2,618 posts)
Hey mrblue,
Really sorry for the delay, got caught up at work for the last 2 days. I really don't like it when they make me work for my pay :)

I got the next 2 days off, I will review where we stand and give some direction shortly.

Harry

#19 harrythook (Trusted Helper, Retired Staff, 2,618 posts)
Hey mrblue,
I am researching something in your log right now, but I need you to run combofix again and post the log.
Also one other scan:
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan, select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Harry

#20 mrblue (Topic Starter, Member, 125 posts)
OK, here is the combofix log:-



ComboFix 08-02-17.2 - Kevin 2008-02-20 19:50:22.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.457 [GMT 0:00]
Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-16 20:08 . 2008-02-16 20:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-16 19:22 . 2008-02-16 19:22 <DIR> d-------- C:\Deckard
2008-02-16 17:05 . 2008-02-16 17:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-16 16:19 . 2008-02-16 16:16 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-16 16:19 . 2008-02-16 16:19 3,446 --a------ C:\WINDOWS\unins000.dat
2008-02-16 13:35 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-16 13:18 . 2008-02-16 15:18 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-16 13:18 . 2008-02-16 13:18 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-16 13:18 . 2008-02-16 13:18 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-16 13:18 . 2008-02-16 13:18 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-16 09:13 . 2008-02-16 09:13 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Grisoft
2008-02-16 09:09 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-15 19:50 . 2001-08-17 13:28 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2008-02-15 19:49 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-02-15 19:48 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-02-15 19:47 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-02-15 19:46 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-02-15 19:45 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-02-15 19:44 . 2003-03-31 12:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-02-15 19:44 . 2003-03-31 12:00 229,439 --a--c--- C:\WINDOWS\system32\dllcache\multibox.dll
2008-02-15 19:44 . 2003-03-31 12:00 111,104 --a--c--- C:\WINDOWS\system32\dllcache\mtstocom.exe
2008-02-15 19:44 . 2001-08-17 12:50 103,296 --a--c--- C:\WINDOWS\system32\dllcache\mtxvideo.sys
2008-02-15 19:44 . 2003-03-31 12:00 98,304 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.dll
2008-02-15 19:44 . 2004-08-04 07:09 49,024 --a--c--- C:\WINDOWS\system32\dllcache\mstape.sys
2008-02-15 19:44 . 2001-08-17 14:02 35,200 --a--c--- C:\WINDOWS\system32\dllcache\msgame.sys
2008-02-15 19:44 . 2004-08-04 07:00 22,016 --a--c--- C:\WINDOWS\system32\dllcache\msircomm.sys
2008-02-15 19:44 . 2001-08-17 13:48 12,416 --a--c--- C:\WINDOWS\system32\dllcache\msriffwv.sys
2008-02-15 19:44 . 2001-08-17 13:48 6,016 --a--c--- C:\WINDOWS\system32\dllcache\msfsio.sys
2008-02-15 19:44 . 2001-08-17 14:00 2,944 --a--c--- C:\WINDOWS\system32\dllcache\msmpu401.sys
2008-02-15 19:42 . 2003-03-31 12:00 315,452 --a--c--- C:\WINDOWS\system32\dllcache\imskf.dll
2008-02-15 19:41 . 2003-03-31 12:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-02-15 19:40 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-02-15 19:39 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-02-15 19:38 . 2001-08-17 22:36 614,429 --a--c--- C:\WINDOWS\system32\dllcache\digiview.exe
2008-02-15 19:37 . 2003-03-31 12:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-02-15 19:36 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-02-15 19:35 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-02-15 19:34 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-02-10 22:57 . 2008-02-11 22:24 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\AVG7
2008-02-10 22:56 . 2008-02-10 22:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-10 22:56 . 2008-02-10 22:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-10 22:56 . 2008-02-16 09:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-09 20:45 . 2008-02-09 20:45 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Tenebril
2008-02-09 20:36 . 2008-02-09 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tenebril
2008-02-09 20:32 . 2008-02-09 20:32 <DIR> d-------- C:\WINDOWS\system32\tenarchlib
2008-02-09 20:32 . 2005-10-12 23:10 180,224 --a-s---- C:\WINDOWS\system32\archlib.dll
2008-02-09 19:25 . 2008-02-09 19:25 <DIR> d-------- C:\Program Files\Agnitum
2008-02-09 19:25 . 2008-02-09 19:25 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Ringjacker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 20:01 --------- d-----w C:\Documents and Settings\Kevin\Application Data\OnlineArmor
2008-02-20 20:01 --------- d-----w C:\Documents and Settings\Kevin\Application Data\MailWasherPro
2008-02-20 07:51 --------- d-----w C:\Program Files\eSignal
2008-02-20 07:42 --------- d-----w C:\Program Files\Lx_cats
2008-02-17 20:15 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Skype
2008-02-17 20:14 --------- d-----w C:\Documents and Settings\Kevin\Application Data\skypePM
2008-02-16 16:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-16 14:19 --------- d-----w C:\Program Files\Qlock
2008-02-16 14:12 --------- d-----w C:\Program Files\MailWasher
2008-02-16 14:12 --------- d-----w C:\Program Files\Lexmark 5400 Series
2008-02-10 16:41 --------- d-----w C:\Program Files\Satellite TV for PC
2008-02-09 21:09 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-09 20:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-20 10:10 --------- d-----w C:\Program Files\Google
2008-01-10 23:54 921,632 ----a-w C:\PA7311.DAT
2008-01-09 23:37 --------- d-----w C:\Program Files\MySpeed PC2
2008-01-09 23:36 30,601 ----a-w C:\Documents and Settings\Kevin\x.exe
2007-12-27 20:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\OnlineArmor
2007-12-27 20:04 --------- d-----w C:\Program Files\Tall Emu
2007-12-27 19:56 --------- d-----w C:\Program Files\iVocalize Web Conference 4
2007-12-27 19:56 --------- d-----w C:\Program Files\eMini-Master.com
2007-12-27 19:56 --------- d-----w C:\Program Files\Common Files\Skype
2007-12-27 19:56 --------- d-----w C:\Program Files\Common Files\PCCamera
2007-12-27 19:56 --------- d-----w C:\Program Files\Common Files\InstallerA
2007-12-27 19:56 --------- d-----w C:\Program Files\CCleaner
2007-12-27 19:56 --------- d-----w C:\Program Files\BTopenworld
2007-12-27 19:56 --------- d-----w C:\Program Files\BT Home Hub
2007-12-27 19:56 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-12-27 19:56 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Media Player Classic
2007-12-24 15:56 --------- d-----w C:\Program Files\Common Files\Agnitum Shared
2007-12-22 09:51 557,056 ----a-w C:\Documents and Settings\Kevin\GoToAssist_phone__306_en.exe
2007-11-16 19:29 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2006-12-02 02:05 557,056 ----a-w C:\Documents and Settings\Kevin\chatlnk.exe
2006-08-14 15:20 4,334 ----a-w C:\Program Files\Deploy4.log
2006-06-22 20:51 131,072 ----a-w C:\Documents and Settings\All Users\mapi32.dll
2006-02-13 12:08 138 ----a-w C:\Program Files\INSTALL.LOG
2006-02-12 23:31 37 ------w C:\Documents and Settings\Kevin Ford\getfile.dat
2005-06-16 11:08 4,121 ----a-w C:\Program Files\Deploy3.log
2005-02-22 20:13 3,669 ----a-w C:\Program Files\Deploy2.log
2005-01-03 13:35 3,930 ----a-w C:\Program Files\Deploy.log
2003-08-27 14:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.
Infected C:\WINDOWS\system32\user32.dll hex repaired

C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
577,024 2005-03-02 18:09:30 C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\user32.dll
577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
561,152 2005-03-02 18:20:03 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
528,896 2002-11-01 22:26:46 C:\WINDOWS\$NtUninstallKB824141$\user32.dll
560,128 2003-03-31 12:00:00 C:\WINDOWS\$NtUninstallKB826939$\user32.dll
577,024 2004-08-04 07:56:46 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
560,128 2003-09-25 16:49:02 C:\WINDOWS\$NtUninstallKB890859_0$\user32.dll
577,024 2005-03-02 18:09:30 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
265,649 2003-03-31 12:00:00 C:\WINDOWS\I386\USER32.DL_
12,288 2001-10-24 13:16:16 C:\WINDOWS\mui\FALLBACK\0405\user32.dll.mui
14,336 2001-08-18 05:40:06 C:\WINDOWS\mui\FALLBACK\0407\user32.dll.mui
14,336 2001-11-27 00:20:06 C:\WINDOWS\mui\FALLBACK\0408\user32.dll.mui
12,800 2001-10-05 17:23:26 C:\WINDOWS\mui\FALLBACK\040B\user32.dll.mui
13,824 2001-08-23 18:55:38 C:\WINDOWS\mui\FALLBACK\040C\user32.dll.mui
13,312 2001-08-30 23:50:56 C:\WINDOWS\mui\FALLBACK\0410\user32.dll.mui
14,336 2001-09-15 19:17:54 C:\WINDOWS\mui\FALLBACK\0413\user32.dll.mui
12,288 2001-09-06 21:40:30 C:\WINDOWS\mui\FALLBACK\041D\user32.dll.mui
13,312 2001-11-20 17:46:44 C:\WINDOWS\mui\FALLBACK\0816\user32.dll.mui
13,312 2001-08-22 23:22:50 C:\WINDOWS\mui\FALLBACK\0C0A\user32.dll.mui
577,024 2004-08-04 07:56:46 C:\WINDOWS\ServicePackFiles\i386\user32.dll
577,536 2007-03-08 15:36:28 C:\WINDOWS\system32\user32.dll
577,536 2007-03-08 15:36:28 C:\WINDOWS\system32\dllcache\user32.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 15:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-12-19 21:00 335872]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-11-20 15:19 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-11-20 15:18 499712]
"Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 16:46 45056 C:\WINDOWS\system32\ico.exe]
"HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [2003-12-02 00:36 94208]
"SonyPowerCfg"="C:\Program Files\sony\vaio power management\SPMgr.exe" [2003-10-24 17:21 167936]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-21 19:27 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"Motive SmartBridge"="C:\PROGRA~1\BT Home Hub\Help\SmartBridge\BTHelpNotifier.exe" [2006-02-06 18:52 462935]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"LXCTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-11-21 12:27 106496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-10 22:56 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [2007-11-16 07:51 5029952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-10 22:56 219136]

C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\
MailWasherPro.lnk - C:\Program Files\MailWasher\MailWasher.exe [2007-12-20 09:23:27 5541888]
qlock.lnk - C:\Program Files\Qlock\qlock.exe [2006-03-20 09:04:32 4070912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll [2007-11-16 07:50 633344]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
C:\Program Files\btbb_wcm\McciTrayApp.exe

R1 NDISRD;NDISRD;C:\WINDOWS\system32\drivers\NDISRD.sys [2007-09-29 00:06]
R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2007-11-08 06:37]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2007-09-29 00:06]
R2 SvcOnlineArmor;Online Armor;"C:\Program Files\Tall Emu\Online Armor\oasrv.exe" [2007-11-16 07:51]
S3 PAC7311;Phenix-Q8;C:\WINDOWS\system32\DRIVERS\PA707UCM.SYS [2005-10-18 10:48]
S3 PPDrv;Protector Plus Driver (UnRegistered);C:\Protector Plus\PPDrv.sys []
S3 PPEMSCAN;Protector Plus Email Scan Driver;C:\Protector Plus\PPEMSCAN.sys []
S3 vncdrv;vncdrv;C:\WINDOWS\system32\DRIVERS\vncdrv.sys [2004-06-26 12:22]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 20:01:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
.
**************************************************************************
.
Completion time: 2008-02-20 20:08:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-20 20:08:42
ComboFix2.txt 2008-02-18 10:39:34
ComboFix3.txt 2008-02-16 19:11:47
ComboFix4.txt 2007-09-16 18:53:56
.
2008-02-13 10:16:07 --- E O F ---



Next, the scan...
  • 0

#21
mrblue
    Member
  • Topic Starter
  • 125 posts
OK. The scan took just over 3 hours. It found nothing!!

Over to you Harry!!
  • 0

#22
harrythook
    Trusted Helper
  • Retired Staff
  • 2,618 posts
Ok mrblue,
Looks like some system files got damaged there. I am waiting for a confirmation on something, then we will finish the repairs there.
Hang in there, almost done.

Harry
  • 0

#23
harrythook
    Trusted Helper
  • Retired Staff
  • 2,618 posts
Hey mrblue,
Sorry, I lost you in the pile of work I have here, but I did not forget about you.

The next step I would like to do is run System File Checker, to make sure all of your protected files are not corrupt. The scan will automatically replace any corrupt files that it finds.

Click Start
Select Run
At the prompt type sfc /scannow. Please note that there is a single space between sfc and /scannow.

Typing this will start the program, and a box should appear telling you how much longer the process should take.

Sometimes the scan will prompt you for your Windows XP disc upon starting the scan. If this happens, please make sure that you can view protected files:
My Computer
Tools
Folder Options
View
"Uncheck" Hide protected operating system files.

Then rerun the scan. If it still asks you to put in your Windows XP CD and you do not have the CD (if you bought it preinstalled), post back for more tips; otherwise insert the Windows CD.

Once the scan is complete:

Check your Windows Updates! After using the File Protection Service, you might need to reapply some updates.

Please reboot, and let me know if anything has changed.

Also, please rehide the protected files:
My Computer
Tools
Folder Options
View
"Check" Hide protected operating system files.

Harry
  • 0

#24
mrblue
    Member
  • Topic Starter
  • 125 posts
Hi Harry

Did the scan (it didn't prompt me for a CD) and finished with no errors or messages.

Checked for Windows Updates, and it found only 1: Microsoft Office 2003. (Office 2003 Service Pack 3) 119MB.

As I hardly ever use Office I won't bother with it. I do need to reorganise my C: drive because, as you can see, there's not much space left out of the 18GB, and loading another 119MB certainly won't help! Difficult to delete/move folders around though if I can't browse Windows folders!!!!!!!

Incidentally I got the error message this morning immediately after booting up my laptop! Seems to be getting worse.

Regards
  • 0

#25
harrythook
    Trusted Helper
  • Retired Staff
  • 2,618 posts
Hey mrblue,
I am beginning to believe that there are problems other than malware there.
The system file checker should have come up with something if a Windows file was corrupted :)
Some of these programs might be competing against each other; this is a partial list of what I see:
C:\Documents and Settings\Kevin\x.exe
C:\Documents and Settings\All Users\Application Data\OnlineArmor
C:\Program Files\Tall Emu
C:\Program Files\MailWasher
C:\Program Files\Spybot - Search & Destroy
C:\Program Files\CCleaner

Let's clean up a bit:
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


    • Posted Image

  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OTMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

I would like you to review your installed programs and try to delete unused/unwanted items.
Post a fresh HJT log; let's look that over again.

Harry
  • 0


#26
mrblue
    Member
  • Topic Starter
  • 125 posts
Ok, all done.

I'm thinking that I DON'T have any malware, or spyware, but perhaps some conflicting software as you suggest. I haven't been using Online Armor for very long. I was using Agnitum Outpost Firewall for years with no problem, then it started stopping me from sending emails for some strange reason. So I had to uninstall it. Maybe I should try a different firewall??

Anyway, here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:58:23, on 24/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\sony\vaio power management\SPMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\BT Home Hub\Help\SmartBridge\BTHelpNotifier.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MailWasher\MailWasher.exe
C:\Program Files\Qlock\qlock.exe
C:\Documents and Settings\Kevin\Desktop\mobmeter.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bloomberg.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bloomberg.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: (no name) - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\sony\vaio power management\SPMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BT Home Hub\Help\SmartBridge\BTHelpNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,[email protected]
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher\MailWasher.exe
O4 - Startup: qlock.lnk = C:\Program Files\Qlock\qlock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} -
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {62FA83F7-20EC-4D62-AC86-BAB705EE1CCD} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6B78B13A-6E99-4588-8EAB-C2399B202022} (iVocalize Web Conference 4 Setup) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} (Java Plug-in 1.4.2_01) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...ent1.7.20.5.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/...on.cab55579.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - C:\Program Files\Ares\chatServer.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\sony\vaio media music server\SSSvr.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPcservice.exe

--
End of file - 8529 bytes



regards
  • 0

#27
harrythook
    Trusted Helper
  • Retired Staff
  • 2,618 posts
Little more to cleanup:
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: (no name) - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - (no file)
O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - C:\Program Files\Ares\chatServer.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Program Files\Ares
    C:\Program Files\SpyCatcher
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  • 0

#28
mrblue
    Member
  • Topic Starter
  • 125 posts
OK, done all that. That was weird because the folders now aren't there!!

File/Folder C:\Program Files\Ares not found.
File/Folder C:\Program Files\SpyCatcher not found.

OTMoveIt2 v1.0.20 log created on 02242008_190514



Anyway, I'm going to reboot the machine now, as I haven't done that yet. Let's see if anything changes....


Regards
  • 0

#29
mrblue
    Member
  • Topic Starter
  • 125 posts
Ok, problem still comes and goes. I ran CCleaner also; that cleans a little more than ATF seems to.

Just found something strange....


I was just deleting old programs that I had previously allowed in my Firewall application.


It also allows me to look at the "hosts" file (whatever that is). This is normally empty. However, it now has hundreds of entries with names of shall we say an "adult" nature!!! They are all "allowed" in the firewall too!!!!!

It will take me ages to delete them 1 by 1. Is there a way I can clear this file in one go???

The entries in here can't be legitimate, surely.


Regards
  • 0

#30
harrythook
    Trusted Helper
  • Retired Staff
  • 2,618 posts
:) :) :)
I must have missed something; a corrupted hosts file is usually very evident.

Download the HostsXpert 3.7 - Hosts File Manager.
  • Unzip HostsXpert 3.7 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 3.7 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Different scan again, just to see. I really hate making you do all this work, but I have to make sure we are going in the right direction.

Download WinPFind35U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of WinpFind35U.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with WinpFind35U or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file
Use the Reply button and attach the notepad file here (Do not copy and paste in a reply, rather attach it to it).

I am off to New York for work tomorrow, so it might take a bit to reply. Hang in there.

Harry
  • 0
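The hosts-file question in #29 and the restore procedure in #30, as an added Python example (not code from the thread, HostsXpert or ComboFix): it parses a Windows hosts file, separates the stock localhost line from entries that sink names to loopback and entries that redirect names to a routable address, and rebuilds Microsoft's default, which is what the "Restore Microsoft's Hosts file" step does. The sample hosts text and every domain name in it are constructed placeholders.

```python
# Added example, not code from the thread, HostsXpert or ComboFix.
# SAMPLE_HOSTS below is constructed; every name in it is a placeholder.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Windows XP ships a hosts file whose only active mapping is this line.
DEFAULT_HOSTS = "127.0.0.1       localhost\n"
# Addresses used to "sink" a name: it resolves, but never reaches a server.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

@dataclass(frozen=True)
class HostsEntry:
    line_no: int
    address: str
    names: Tuple[str, ...]

def parse_hosts(text: str) -> Tuple[List[HostsEntry], List[str]]:
    """Parse hosts text into (entries, problems). Comments/blank lines are
    skipped; malformed lines are reported, not dropped."""
    entries: List[HostsEntry] = []
    problems: List[str] = []
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()      # drop trailing comment
        if not body:
            continue
        parts = body.split()
        if len(parts) < 2:
            problems.append(f"line {n}: address without hostname: {body!r}")
            continue
        try:
            address = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            problems.append(f"line {n}: not an IP address: {parts[0]!r}")
            continue
        entries.append(HostsEntry(n, address, tuple(h.lower() for h in parts[1:])))
    return entries, problems

def classify(entries: List[HostsEntry]) -> Dict[str, List[HostsEntry]]:
    """Sinkholed: a name pinned to loopback/0.0.0.0; hundreds of these is what
    an ad/adult-site blocklist and a malicious "can't reach the AV vendor" edit
    both look like, so the names decide, not the count. Redirected: a name sent
    to a routable address, the shape of a phishing-style hijack."""
    groups: Dict[str, List[HostsEntry]] = {"default": [], "sinkholed": [], "redirected": []}
    for e in entries:
        if e.names == ("localhost",) and e.address in ("127.0.0.1", "::1"):
            groups["default"].append(e)
        elif e.address in SINK_ADDRESSES:
            groups["sinkholed"].append(e)
        else:
            groups["redirected"].append(e)
    return groups

def summarize(text: str) -> Dict[str, object]:
    """One-shot audit: counts per class, every redirected name, parse problems."""
    entries, problems = parse_hosts(text)
    groups = classify(entries)
    return {
        "total": len(entries),
        "default": len(groups["default"]),
        "sinkholed": len(groups["sinkholed"]),
        "redirected": [(n, e.address) for e in groups["redirected"] for n in e.names],
        "problems": problems,
    }

def restored_hosts(text: str, keep_sinkholed: bool = False) -> str:
    """Rebuild the file as Microsoft's single default line (the effect of
    HostsXpert's "Restore Microsoft's Hosts file"); keep_sinkholed retains
    block entries the user added on purpose (the custom-hosts caveat above)."""
    out = DEFAULT_HOSTS
    if keep_sinkholed:
        entries, _ = parse_hosts(text)
        out += "".join(f"{e.address} {' '.join(e.names)}\n"
                       for e in classify(entries)["sinkholed"])
    return out

# Constructed sample: default line, two sinkholed names, one redirect, one bad line.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       ads.example.invalid        # blocklist-style entry
0.0.0.0         tracker.example.invalid
198.51.100.7    update.antivirus.example.invalid   # sent elsewhere
not-an-address  junk.example.invalid
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_HOSTS).items():
        print(f"{key}: {value}")
    print(restored_hosts(SAMPLE_HOSTS), end="")
```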





