Hijack This [CLOSED]


This topic is locked

#1
Holley111
New Member, 1 posts
I am very new to this. I found this thread through the ComboFix site. I did the scan and I will post the results.

I use AVG, Spybot, Ad-Aware, Windows Defender, and Trojan Scanner.

My computer has been freezing and running slow. It said today that the virtual memory was low and was resizing it. I had no idea what it was doing. From time to time, an ad will just up and pop up. I use Mozilla Firefox and run the ad pop-up blocker. So, I am not sure as to why this keeps on happening. Also, my clock won't keep the right time. It seems to always go back two hours for some reason.

Thank you so much for your time and effort.

Here is the log from Notepad:

ComboFix 08-04-16.5 - Holley 2008-04-17 10:04:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.276 [GMT -7:00]
Running from: C:\Documents and Settings\Holley\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Holley\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Holley\Application Data\urlredir.cfg
C:\WINDOWS\system32\adssite-remove.exe
C:\WINDOWS\system32\iebrowserc.dll
C:\WINDOWS\system32\rightonadz-uninst.exe
C:\WINDOWS\system32\Ultra.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.

2008-04-17 08:48 . 2008-04-17 09:35 <DIR> d-------- C:\Program Files\Crawler
2008-04-15 08:47 . 2008-04-15 08:47 <DIR> d-------- C:\Documents and Settings\Holley\Application Data\TuneUp Software
2008-04-15 08:47 . 2008-04-15 08:48 307,968 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-04-15 08:47 . 2008-02-27 13:15 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-04-15 08:46 . 2008-04-15 08:48 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-04-15 08:46 . 2008-04-15 08:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-04-15 08:44 . 2008-04-15 08:44 <DIR> d-------- C:\WINDOWS\Bookworm Adventures
2008-04-15 08:44 . 2008-04-15 08:44 <DIR> d-------- C:\Program Files\Bookworm Adventures
2008-04-08 22:15 . 2008-04-08 22:15 <DIR> d-------- C:\Program Files\Eye Candy 4000
2008-04-08 22:15 . 1999-06-25 10:56 127,184 --a------ C:\Program Files\UNWISE.EXE
2008-04-06 04:02 . 2008-04-06 04:02 <DIR> d-------- C:\ec467052d94113dcd7f6d01277
2008-04-05 08:26 . 2008-04-05 08:26 <DIR> d-------- C:\Documents and Settings\Holley\Application Data\Simply Super Software
2008-04-05 08:26 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-04-05 08:26 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-04-05 08:26 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-04-05 08:26 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-04-05 08:26 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-04-05 08:01 . 2003-09-13 00:18 1,432,518 --------- C:\WINDOWS\dc2000.CAB
2008-04-05 08:01 . 2008-04-05 08:01 73,216 --a------ C:\WINDOWS\temp.003
2008-04-05 08:01 . 2008-04-05 08:01 73,216 --a------ C:\WINDOWS\temp.002
2008-04-05 08:01 . 2008-04-05 08:01 73,216 --a------ C:\WINDOWS\temp.001
2008-04-05 08:01 . 2008-04-05 08:01 73,216 --a------ C:\WINDOWS\temp.000
2008-04-05 08:01 . 2008-04-05 08:01 1,659 --a------ C:\WINDOWS\ST6UNST.000
2008-04-05 08:00 . 2008-04-05 08:00 249,856 --------- C:\WINDOWS\Setup1.exe
2008-04-05 08:00 . 2008-04-05 08:00 73,216 --------- C:\WINDOWS\ST6UNST.EXE
2008-04-05 07:49 . 2008-04-15 08:41 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-05 07:44 . 2008-04-05 08:32 <DIR> d-------- C:\Program Files\Trojan Remover
2008-03-31 16:50 . 2008-03-31 16:56 <DIR> d-------- C:\Program Files\PcBugDoctor
2008-03-31 07:40 . 2008-03-31 07:40 <DIR> d-------- C:\Program Files\7-Zip
2008-03-25 22:25 . 2008-03-25 22:25 179,543 --a------ C:\WINDOWS\Photo Pos Pro Uninstaller.exe
2008-03-24 21:09 . 2008-03-25 00:50 <DIR> d-------- C:\Program Files\Registry Help Pro
2008-03-24 21:09 . 2008-03-24 21:13 <DIR> d-------- C:\Documents and Settings\Holley\Application Data\Registry Help Pro
2008-03-24 20:51 . 2008-03-24 20:51 <DIR> d-------- C:\Program Files\RegCleaner
2008-03-24 20:03 . 2008-03-24 20:03 <DIR> d-------- C:\Program Files\Sierra On-Line
2008-03-24 20:02 . 2008-03-24 20:02 <DIR> d-------- C:\Sierra
2008-03-24 19:30 . 2008-03-24 19:30 <DIR> d-------- C:\Program Files\Pando Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 17:08 17,360,928 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-17 15:47 --------- d-----w C:\Documents and Settings\Holley\Application Data\Spyware Terminator
2008-04-17 15:41 204,584 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-17 13:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-16 09:23 --------- d-----w C:\Documents and Settings\Holley\Application Data\AVG7
2008-04-15 15:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-15 13:05 --------- d-----w C:\Program Files\Spyware Terminator
2008-04-14 06:31 2,097,664 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-04-14 05:45 --------- d-----w C:\Program Files\Java
2008-04-13 21:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-10 10:48 806,912 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-04-10 10:48 2,088,960 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-04-10 09:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-09 12:00 3,787,615 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-04-09 05:15 891 ----a-w C:\Program Files\INSTALL.LOG
2008-04-09 05:00 --------- d-----w C:\Documents and Settings\Holley\Application Data\Alien Skin
2008-04-08 15:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-28 17:53 --------- d-----w C:\Program Files\Microsoft Digital Image 2006
2008-03-27 06:33 --------- d-----w C:\Documents and Settings\Holley\Application Data\LimeWire
2008-03-26 05:25 --------- d-----w C:\Program Files\Photo Pos Pro
2008-03-23 21:16 --------- d-----w C:\Program Files\AIMTunes
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 06:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-03-14 06:11 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-03-02 02:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-01 14:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-27 17:50 138,752 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-02-26 02:06 --------- d-----w C:\Program Files\BladePro
2008-02-26 01:43 13,154 ----a-w C:\Program Files\setuplog.txt
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-08 12:54 32,768 ----a-w C:\WINDOWS\system32\PosHistoryHelper.exe
2008-02-07 21:58 1,863,168 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-02-07 21:58 1,388,544 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-01-30 07:26 680 ----a-w C:\WINDOWS\Fonts\FrownyFont.pfm
2008-01-27 07:28 44,544 ------w C:\WINDOWS\AWuninstall.exe
2008-01-25 12:21 46,300 ----a-w C:\WINDOWS\system32\AdssiteSocial-uninstall.exe
2008-01-25 06:09 12,252,877 ------w C:\avg7qt.dat
2008-01-18 15:00 1,760,768 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-01-17 10:41 614,530 ----a-w C:\WINDOWS\system32\PosIpLiB.dll
2001-04-10 21:30 1,949 ----a-w C:\Program Files\Alien Skinformation.html
2001-04-02 23:31 550,602 ----a-w C:\Program Files\EyeCand3.8bf
2001-04-02 23:22 409,600 ----a-w C:\Program Files\EC3-ENG.8BF
2000-08-02 00:37 7,944 ----a-w C:\Program Files\Girlpill.gif
1997-03-17 19:33 812,297 ----a-w C:\Program Files\EyeCandy.pdf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 02:04 1415824]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 21:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 21:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 21:17 118784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-16 02:22 579584]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 20:20 866584]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-02-27 10:50 2957824]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-03-02 20:52 868432]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-01 20:42 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"Pando"="C:\Program Files\Pando Networks\Pando\pando.exe" /Minimized
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
"ehTray"=C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\game.dat"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7142:TCP"= 7142:TCP:BitComet 7142 TCP
"7142:UDP"= 7142:UDP:BitComet 7142 UDP
"56217:TCP"= 56217:TCP:Pando P2P TCP Listening Port
"56217:UDP"= 56217:UDP:Pando P2P UDP Listening Port

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-02-27 10:50]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-10 05:00]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-04-15 08:48]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-17 17:00:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
"2008-01-14 17:56:55 C:\WINDOWS\Tasks\AVG Test Center.job"
- C:\PROGRA~1\Grisoft\AVG7\avgw.exe
"2008-01-14 17:56:36 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-04-17 15:44:51 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-17 14:06:05 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-01-18 14:49:57 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 10:08:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-17 10:09:44
ComboFix-quarantined-files.txt 2008-04-17 17:09:37

Pre-Run: 83,577,278,464 bytes free
Post-Run: 86,827,720,704 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
.
2008-04-16 03:08:29 --- E O F ---


#2
sarahw
Malware Staff, 2,781 posts
Hi,
Welcome to the site. Sorry about the delay.

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

I want you to show hidden files. There are instructions HERE to help you do this.
You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode, so you will be unable to access this thread at that time.
Please don't use any of the tools without specific instructions (including ComboFix). ComboFix is not a standard antivirus program; this and other tools are dangerous (and could leave your computer in worse condition than it is when infected) if used incorrectly.
These instructions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat. :)

As it has been a few days, can you please post a fresh HijackThis log. This is because your computer's condition may have changed.

#3
sarahw
Malware Staff, 2,781 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.