# Solved: ComboFix/HijackThis Logs, PC Slowed Down



## vash1987 (May 12, 2008)

OK, first off I want to say that I have 2 different logs, one from HijackThis and one from ComboFix.
Details:

Operating System:
Windows XP Sp2

Description: I'll try to be as descriptive as I can. I play an online game called Counter-Strike: Source. At times when I try to open Internet Explorer, it gives me the "This page cannot be displayed" page, and it does that on every page. I have a Link Scanner from AVG, and I'll usually go to www.google.com and search for whatever I'm looking for, music, etc. When this happens, a little grey "?" pops up next to the link; when you hold your mouse over the "?" it says "AVG couldn't connect to this site", and when I click on it, it gives me the "Page cannot be displayed" page. But www.google.com (my home page) works every time. Once I search 1-5 pages, there will sometimes be one site that I can go to. It acts as though my internet is disconnected, but while this is happening I can go on the game, Counter-Strike, and connect to servers. After a while it disconnects me; I'll restart and the problem is fixed for the time being.
But around the time it started, my cousin sent me a program called "Apocolypse Generator". I accepted and opened it; nothing opened anyway. S&D caught it: it was trying to access my Modem.exe file, so I deleted it. Also in my startup was CTFLoader; I wasn't quite sure what this was, but I took it off startup (kind of figured it was for Adobe Photoshop).

What I've tried: resetting my modem, virus/spyware/malware scans, Disk Cleanup and Disk Defrag, but nothing seems to help.

Programs I run: LimeWire, Ares, Windows Live Messenger, Yahoo Messenger, Steam, Counter-Strike, MapleStory, Adobe Photoshop 7.0.

Antivirus/spyware programs I use:
Ace Utilities - system registry cleaner
TuneUp Utilities - registry cleaner, defrag, registry defrag
AVG 8.0 - rootkit scanner, link scanner, antivirus
Trend Micro - online virus cleaner
HijackThis - logs processes and other applications
ComboFix - another log, fixes some errors
Spybot Search & Destroy - spyware cleaner

Here is the log I got from ComboFix (the website I got ComboFix from says to post its log along with a log from HijackThis).
ComboFix Log

ComboFix 08-05-11.1 - Lee 2008-05-12 15:53:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.810 [GMT -7:00]
Running from: C:\Documents and Settings\Lee\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lee\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\companion wizard\CompWiz.xml
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\dbxDgrevCheck.dll
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\ijjlm.bak1
C:\WINDOWS\system32\ijjlm.bak2
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\ttstv.bak1

.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-12 15:02 . 2008-02-24 23:51	102,664	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-10 14:30 . 2008-05-12 15:38 d--------	C:\WINDOWS\system32\drivers\Avg
2008-05-10 14:30 . 2008-05-10 14:30	96,520	--a------	C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-10 14:30 . 2008-05-10 14:30	75,272	--a------	C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-10 14:30 . 2008-05-10 14:30	12,424	--a------	C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-05-10 14:30 . 2008-05-10 14:30	10,520	--a------	C:\WINDOWS\system32\avgrsstx.dll
2008-05-10 10:50 . 2008-05-10 10:50 d--------	C:\WINDOWS\SxsCaPendDel
2008-05-09 21:46 . 2008-05-09 21:47 d--------	C:\Program Files\Ace Utilities
2008-05-09 21:25 . 2008-05-09 21:38 d--------	C:\Program Files\Windows Live
2008-05-09 21:25 . 2008-05-09 21:26 d--hsc---	C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-09 21:24 . 2008-05-09 21:24 d--------	C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-03 21:36 . 2008-05-03 21:36	0	--ah-----	C:\Documents and Settings\LocalService\NTUSER.DAT_TU_53942.LOG
2008-05-03 21:36 . 2008-05-03 21:36	0	--ah-----	C:\Documents and Settings\Lee\ntuser.dat_TU_44112.LOG
2008-05-03 21:35 . 2008-05-03 21:35	0	--ah-----	C:\Documents and Settings\NetworkService\NTUSER.DAT_TU_47425.LOG
2008-05-03 19:16 . 2008-05-10 14:32 d--h-----	C:\$AVG8.VAULT$
2008-05-03 19:10 . 2008-05-03 19:10 d--------	C:\Program Files\AVG
2008-05-03 19:10 . 2008-05-10 14:30 d--------	C:\Documents and Settings\All Users\Application Data\avg8
2008-05-01 16:51 . 2008-05-01 16:51 d--------	C:\WINDOWS\Fashion Solitaire
2008-05-01 15:22 . 2008-05-01 15:22 d--------	C:\Documents and Settings\All Users\Application Data\Trymedia
2008-05-01 09:11 . 2008-05-01 09:11	7,840	--a------	C:\WINDOWS\system32\mcdmsg5.dll
2008-04-30 21:45 . 2008-04-30 23:30 d--------	C:\WINDOWS\system32\Adobe
2008-04-30 20:19 . 2008-05-01 16:22 d--------	C:\Documents and Settings\All Users\Application Data\Fashion Solitaire 1.2
2008-04-21 07:38 . 2004-08-03 23:08	26,496	--a--c---	C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-21 06:47 . 2008-04-21 06:47	0	--ah-----	C:\Documents and Settings\NetworkService\NTUSER.DAT_TU_86755.LOG
2008-04-21 06:47 . 2008-04-21 06:47	0	--ah-----	C:\Documents and Settings\LocalService\NTUSER.DAT_TU_77101.LOG
2008-04-21 06:47 . 2008-04-21 06:47	0	--ah-----	C:\Documents and Settings\Lee\ntuser.dat_TU_74941.LOG
2008-04-21 06:36 . 2008-04-21 06:36 d--------	C:\Documents and Settings\Lee\Application Data\TuneUp Software
2008-04-21 06:36 . 2008-04-21 06:36 d--------	C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-04-21 06:36 . 2008-04-21 06:36	307,968	--a------	C:\WINDOWS\system32\TuneUpDefragService.exe
2008-04-21 06:36 . 2008-02-27 13:15	28,416	--a------	C:\WINDOWS\system32\uxtuneup.dll
2008-04-21 06:35 . 2008-05-09 02:06 d--------	C:\Program Files\TuneUp Utilities 2008
2008-04-13 21:47 . 2008-04-13 21:47	2,560	--a------	C:\WINDOWS\_MSRSTRT.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 22:53	---------	d--h--r	C:\Documents and Settings\Lee\Application Data\yahoo!
2008-05-12 18:19	---------	d-----w	C:\Program Files\Steam
2008-05-11 00:40	---------	d-----w	C:\Documents and Settings\Lee\Application Data\LimeWire
2008-05-04 02:16	---------	d-----w	C:\Documents and Settings\All Users\Application Data\SysMon
2008-03-24 13:18	---------	d-----w	C:\Program Files\LimeWire
2008-03-20 01:33	---------	d-----w	C:\Documents and Settings\Lee\Application Data\Nexon
2008-03-19 13:11	---------	d-----w	C:\Program Files\Common Files\INCA Shared
2008-03-19 09:47	1,845,248	----a-w	C:\WINDOWS\system32\win32k.sys
2008-03-11 02:51	691,545	----a-w	C:\WINDOWS\unins000.exe
2008-03-05 23:03	479,752	----a-w	C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 23:03	238,088	----a-w	C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 23:00	25,608	----a-w	C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 22:56	3,786,760	----a-w	C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 22:56	1,420,824	----a-w	C:\WINDOWS\system32\D3DCompiler_37.dll
2008-03-03 09:10	32	----a-w	C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-01 13:06	826,368	----a-w	C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51	282,624	----a-w	C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32	45,568	----a-w	C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43 7630848]
"nwiz"="nwiz.exe" [2006-08-11 21:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-10 14:30 1177368]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-06-18 20:14:57 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.CJPG"= ctwbjpg.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Lee^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-29 19:37 1271032 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-01-19 13:49 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-05-10 14:30]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-10 14:30]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-10 14:30]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-10 14:30]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-10 14:30]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-03 16:56]
S3 Dua1;Dua1;C:\Documents and Settings\Lee\My Documents\Programs\DualEngine2\DualEngi.sys []
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-04-21 06:36]
S3 WBCGOHAL;WBCGOHAL;C:\WINDOWS\system32\DRIVERS\Wbcgohal.sys [2001-12-22 01:11]
S3 WBCGOVID;Video Blaster WebCam Go (WDM);C:\WINDOWS\system32\DRIVERS\wbcgovid.sys [2001-12-21 01:21]
S3 xp1;xp1;C:\Documents and Settings\Lee\My Documents\Programs\XPEngine\xp.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
*Newly Created Service* - TMCOMM
.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 22:00:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 15:55:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-12 15:57:26
ComboFix-quarantined-files.txt 2008-05-12 22:56:39

Pre-Run: 61,213,282,304 bytes free
Post-Run: 61,628,424,192 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

159	--- E O F ---	2008-04-09 10:02:16

[End]

Here is the log I got from HijackThis.

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:05:53 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - ?p=ZCxdm492LUUS
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - 
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - 
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - 
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatierControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-chocolatier/ChocolatierWeb.1.0.0.13.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://lilmomma01.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/ghbabeldeluxe/zylomplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.5.0_03) - 
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - 
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - http://imikimi.com/download/imikimi_plugin_0.5.1.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/sis/popcaploader_v10.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 6413 bytes

[End]

Comments:
Any help would be great. I bought this computer off my cousin about 6 months ago for $700. A few people have told me just to reformat the computer, but I have no idea how to, and I don't have a Windows XP CD/key. I'm a single father and don't have the money to even buy another key/CD, and my cousin doesn't have the XP disk/key for this PC, so that's kind of out of the question. I appreciate it a lot. Thank you guys for the site; hopefully I can get support soon.


----------



## cybertech (Apr 16, 2002)

Hi, Welcome to TSG!!

Click *here* to download *Dr.Web CureIt* and save it to your desktop.

Double-click the *drweb-cureit.exe* file and allow it to run the express scan.
This will scan the files currently running in memory, and when something is found, click the *Yes* button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click *'Yes to all'* if it asks if you want to cure/move the file.
When the scan has finished, see if you can click the icon next to the files found:

If so, click it and then click the next icon right below it and select Move incurable, as you'll see in the next image:

This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (this is in case we need samples).
After selecting, in the *Dr.Web CureIt* menu on top, click File and choose Save report list.
Save the report to your desktop. The report will be called *DrWeb.csv*.
*Close Dr.Web CureIt*.
Reboot your computer!! It could be that files in use will be moved/deleted during the reboot.
After the reboot, post the contents of the *Dr.Web* log you saved previously in your next reply, along with a new *HijackThis log*.


----------



## vash1987 (May 12, 2008)

Dr.Web CureIt log:

popcaploader.dll;c:\windows\downloaded program files;Program.PopcapLoader;Incurable.Moved.;
RegUBP2b-Lee.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
A0238567.reg;C:\System Volume Information\_restore{C075C52F-0113-47EC-B78B-4ED8FDC8F10F}\RP475;Trojan.StartPage.1505;Deleted.;
A0238727.reg;C:\System Volume Information\_restore{C075C52F-0113-47EC-B78B-4ED8FDC8F10F}\RP476;Trojan.StartPage.1505;Deleted.;
A0239016.reg;C:\System Volume Information\_restore{C075C52F-0113-47EC-B78B-4ED8FDC8F10F}\RP480;Trojan.StartPage.1505;Deleted.;
A0239132.reg;C:\System Volume Information\_restore{C075C52F-0113-47EC-B78B-4ED8FDC8F10F}\RP480;Trojan.StartPage.1505;Deleted.;
A0239224.reg;C:\System Volume Information\_restore{C075C52F-0113-47EC-B78B-4ED8FDC8F10F}\RP481;Trojan.StartPage.1505;Deleted.;
A0239312.reg;C:\System Volume Information\_restore{C075C52F-0113-47EC-B78B-4ED8FDC8F10F}\RP481;Trojan.StartPage.1505;Deleted.;
A0239476.bat;C:\System Volume Information\_restore{C075C52F-0113-47EC-B78B-4ED8FDC8F10F}\RP482;Probably SCRIPT.Virus;Incurable.Moved.;
A0239665.reg;C:\System Volume Information\_restore{C075C52F-0113-47EC-B78B-4ED8FDC8F10F}\RP482;Trojan.StartPage.1505;Deleted.;
A0239816.reg;C:\System Volume Information\_restore{C075C52F-0113-47EC-B78B-4ED8FDC8F10F}\RP483;Trojan.StartPage.1505;Deleted.;
A0239927.reg;C:\System Volume Information\_restore{C075C52F-0113-47EC-B78B-4ED8FDC8F10F}\RP483;Trojan.StartPage.1505;Deleted.;
A0240117.reg;C:\System Volume Information\_restore{C075C52F-0113-47EC-B78B-4ED8FDC8F10F}\RP484;Trojan.StartPage.1505;Deleted.;
[END]

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:10 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Lee\Desktop\launch.exe
C:\DOCUME~1\Lee\LOCALS~1\Temp\RarSFX0\_start.exe
C:\DOCUME~1\Lee\LOCALS~1\Temp\RarSFX0\setup.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - ?p=ZCxdm492LUUS
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - 
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - 
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - 
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatierControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-chocolatier/ChocolatierWeb.1.0.0.13.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://lilmomma01.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/ghbabeldeluxe/zylomplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.5.0_03) - 
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - 
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - http://imikimi.com/download/imikimi_plugin_0.5.1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 6519 bytes
[END]

Comments:
I know that you guys probably go through all of the threads, but I'm not quite sure if you just scan through them or carefully look at each and every one. I have found a few things in the HJT log that caught my eye. I have no experience with HJT, but here is one thing that caught my attention. Do you think you could explain what this is?
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
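To see what the Dr.Web report above is telling you, an added example (not part of the post, and not Dr.Web's own tooling) parses its semicolon-separated rows and groups them by threat name, by action taken, and by whether the file sat in a System Restore point. The sample rows are a constructed subset of the report posted above; the function and key names are the editor's own.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample: a subset of the Dr.Web CureIt report posted in this thread.
# Each row is "file;directory;threat;action;" (note the trailing separator).
DRWEB_SAMPLE = r"""
popcaploader.dll;c:\windows\downloaded program files;Program.PopcapLoader;Incurable.Moved.;
RegUBP2b-Lee.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
A0238567.reg;C:\System Volume Information\_restore{C075C52F-0113-47EC-B78B-4ED8FDC8F10F}\RP475;Trojan.StartPage.1505;Deleted.;
A0239476.bat;C:\System Volume Information\_restore{C075C52F-0113-47EC-B78B-4ED8FDC8F10F}\RP482;Probably SCRIPT.Virus;Incurable.Moved.;
A0240117.reg;C:\System Volume Information\_restore{C075C52F-0113-47EC-B78B-4ED8FDC8F10F}\RP484;Trojan.StartPage.1505;Deleted.;
"""

# Path fragment that identifies Windows XP System Restore snapshot storage.
RESTORE_MARKER = r"\system volume information\_restore"

# Actions that mean the file is no longer live on disk.
RESOLVED_ACTIONS = {"Deleted", "Incurable.Moved", "Cured"}


def parse_drweb(text):
    """Return one dict per report row: file, dir, threat, action.

    The trailing ';' on every row yields an empty fifth field, which is ignored.
    The trailing '.' on the action ('Deleted.') is stripped for easy comparison."""
    rows = []
    for fields in csv.reader(StringIO(text.strip()), delimiter=";"):
        if len(fields) < 4 or not fields[0]:
            continue  # blank or malformed line
        name, directory, threat, action = fields[:4]
        rows.append({"file": name, "dir": directory, "threat": threat,
                     "action": action.rstrip(".")})
    return rows


def in_restore_point(directory):
    """True when the hit lives inside a System Restore snapshot (_restore\\RPnnn)."""
    return RESTORE_MARKER in directory.lower()


def summarize(rows):
    """Group the report: counts per threat, counts per action, how many hits were
    only restore-point copies, and any file whose action did not resolve it."""
    return {
        "by_threat": Counter(r["threat"] for r in rows),
        "by_action": Counter(r["action"] for r in rows),
        "restore_point_hits": sum(in_restore_point(r["dir"]) for r in rows),
        "unresolved": [r["file"] for r in rows if r["action"] not in RESOLVED_ACTIONS],
    }


if __name__ == "__main__":
    summary = summarize(parse_drweb(DRWEB_SAMPLE))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The restore-point count is the practical takeaway: most of the Trojan.StartPage hits are copies that System Restore had already archived, which is why the helper later advises flushing System Restore once the machine is clean.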


----------



## cybertech (Apr 16, 2002)

*Run HJT again, Run as Administrator, and put a check in the following:*

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O8 - Extra context menu item: &Search - ?p=ZCxdm492LUUS
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - 
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - 
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.5.0_03) - 
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} -

*Close all applications and browser windows before you click "fix checked".*

BHO: WormRadar.com IESiteBlocker.NavFilter is a part of AVG Antivirus.

Are you having any problems now?
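The entries cybertech ticked above share one trait: each points at nothing, either a "(no file)" target or an O16 ActiveX (DPF) entry with no download URL. The following is an added example, not code from the thread or from HijackThis itself, that parses HijackThis entry lines and flags exactly that pattern, plus an O8 context-menu item whose target is not a URL. The sample input is a constructed subset of the log posted in this thread; the function names and the rule wording are the editor's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis entries posted in this thread.
# Real logs leave a trailing space after the final '-' of an empty O16 entry;
# the parser rstrip()s every line so both forms are handled.
HJT_SAMPLE = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O8 - Extra context menu item: &Search - ?p=ZCxdm492LUUS
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} -
O20 - AppInit_DLLs: avgrsstx.dll
"""

# "R3 - ..." / "O16 - ..." entry lines; process lists and headers do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O16 body: "DPF: {CLSID} (optional name) - <url or nothing>"
DPF_RE = re.compile(
    r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})(?: \((?P<name>[^)]*)\))? -\s*(?P<url>\S*)$")


@dataclass
class Finding:
    section: str
    entry: str
    reason: str


def parse_entries(text):
    """Return (section, body) for every HijackThis entry line in the log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.rstrip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Flag entries that reference nothing or carry a non-URL target."""
    findings = []
    for section, body in parse_entries(text):
        entry = f"{section} - {body}"
        if "(no file)" in body:
            findings.append(Finding(section, entry,
                                    "registry entry points to a file that no longer exists (orphan)"))
            continue
        if section == "O16":
            m = DPF_RE.match(body)
            if m and not m.group("url"):
                findings.append(Finding(section, entry,
                                        "ActiveX download entry has no source URL (orphan)"))
            continue
        if section == "O8":
            target = body.rsplit(" - ", 1)[-1]
            if not re.match(r"^(https?|res)://", target):
                findings.append(Finding(section, entry,
                                        "context-menu target is not a URL"))
    return findings


def fix_list(text):
    """The entry lines a helper would ask the user to tick in HijackThis."""
    return [f.entry for f in triage(text)]


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE):
        print(f"{f.entry}\n    -> {f.reason}")
```

The rules deliberately stay narrow: an orphaned entry is safe to remove because there is no file to run, whereas O2, O4 and O20 entries that do resolve to a file (here all AVG components) need knowledge of the vendor, not a regex, which is why the helper answered the WormRadar question in prose rather than ticking it.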


----------



## vash1987 (May 12, 2008)

Thank you very much, it helped. No problems now.


----------



## cybertech (Apr 16, 2002)

You're welcome!

*Follow these steps to uninstall Combofix and tools used in the removal of malware*

 Click *START* then *RUN*
 Now type *Combofix /u* in the run box and click *OK*. Note the *space* between the *X* and the *U*; it needs to be there.

It's a good idea to flush your System Restore after removing malware:
Turn off System Restore and then turn it back on: http://support.microsoft.com/kb/310405

Now you should Clean up your PC

Here are some additional links for you to check out to help you with your computer security.

How did I get infected in the first place.

Secunia software inspector & update checker

Good free tools and advice on how to tighten your security settings.

Security Help Tools


----------

