# iexplore.exe



## abloke (Jun 21, 2008)

hi everybody, hope 2009 has kicked off well for you all.

Could anybody please enlighten me on what iexplore.exe is:
is it harmful, virus related? Should it be removed & how would I do this?

Thankx


----------



## karbo (Sep 3, 2003)

It's your Internet Explorer executable file. You need it!


----------



## Cookiegal (Aug 27, 2003)

But of course it depends on where the file is located. Can you give us the entire path?

Even the correct iexplore.exe can be infected.

Are you having any specific problems? 

What is causing you to ask about this?


----------



## RetroGuy (Dec 5, 2008)

It is usually the Internet Explorer executable, but some viruses try to hide themselves by taking on the name of Windows executables like svchost.exe, iexplore.exe etc.
Please give more information on any problems you are facing. If this process is running even when you are not using Internet Explorer then it's a cause for concern.


----------



## abloke (Jun 21, 2008)

Thankx for all your replies. When I shut down I will make a note of
the error message. I googled ixplore.exe and some suggestions there
were to remove it.
Then remembered I could ask the learned crew on TSG.
PC has been behaving oddly for a while, i.e. it indicates it is sending mail,
but I have none in the outbox that I wish to send out.
I'll get the whole error message, which may help.
Thankx again


----------



## Cookiegal (Aug 27, 2003)

This time you spelled the name of the file as : ixplore.exe 

This is a whole new kettle of fish. 

Please confirm the spelling and the location when you can.


----------



## karbo (Sep 3, 2003)

Is it iexplore.exe or ixplore.exe? 

ixplore.exe could be the Backdoor Trojan Troj/Sdbot-CY.


----------



## Cookiegal (Aug 27, 2003)

karbo said:


> Is it iexplore.exe or ixplore.exe?
> 
> ixplore.exe could be the Backdoor Trojan Troj/Sdbot-CY.


Did you not see my post?


----------



## karbo (Sep 3, 2003)

Yes, I did, but you did not mention what ixplore.exe could be. It was only to let him know that there was possibly a real threat involved here. I only completed the info.

I don't even understand why you're asking me this. 

I've put past issues between us behind in case you haven't noticed...


----------



## Cookiegal (Aug 27, 2003)

Adding information is one thing but it just seems unnecessarily repetitious, as does post no. 4, as the questions have already been asked. 

And for the record, the past issues are not "between us" but rather regarding your conduct at TSG.


----------



## atnskyline (Aug 7, 2008)

Also there is explorer.exe, which is basically the Windows desktop as a whole. I don't recommend this but you CAN terminate explorer.exe. Remember which one I am saying: not iexplore. This will "refresh" the desktop. Kind of. 

But remember, terminating a process without knowing the effects can kill your system. So don't go around saying "ohhhhh, this is Microsoft ActiveSync for pm wm phone, I don't need it running, I will exit it". What will happen.... the Blue Screen o' Death. I had it happen last night. Now it isn't running because I disabled it from startup and restarted. But seriously, don't mess with it unless you know what you're doing. You may cause run-time errors and other issues.


----------



## Kenny94 (Dec 16, 2004)

atnskyline said:


> But remember, terminating a process without knowing the effects can kill your system. So don't go around saying "ohhhhh, this is Microsoft ActiveSync for pm wm phone, I don't need it running, I will exit it". *What will happen.... the Blue Screen o' Death. I had it happen last night*.


No, what caused the "Blue Screen of Death" on your computer was all the antivirus programs you have installed... or the registry cleaners...

Sorry I went off your topic with your thread abloke...


----------



## karbo (Sep 3, 2003)

Cookiegal said:


> Adding information is one thing but It just seems unnecessarily repetitious, as does post no. 4, as the questions have already been asked.
> 
> And for the record, the past issues are not "between us" but rather regarding your conduct at TSG.


You're never going to let it go, are you!

And look all around this forum, people are giving plenty of information on top of each other. It's the whole purpose of a forum! Why only hit on me?!?


----------



## Cookiegal (Aug 27, 2003)

Sorry abloke. I've moved this thread to the Malware Removal and HijackThis Logs forum where we can focus on the issue at hand.


----------



## abloke (Jun 21, 2008)

Thank you, Cookiegal, I did receive your post.

It is indeed the iexplore.exe application error. Apologies for the delay,
have been working out of town.

The error message was that the memory could not be read,
but I don't want to waste any more of your time.

Thankx to you and all the other contributors.


----------



## Cookiegal (Aug 27, 2003)

Do you wish to pursue the issue?


----------



## abloke (Jun 21, 2008)

Hello Cookiegal
Thank you for your advice & patience. I am a beginner & learning
slowly, don't spend enough time on the PC. The iexplore.exe popping
up confused me a bit, OK a lot, but if it's regarding Internet Explorer,
I'll accept your word on the matter.
I feel bad about asking advice from you as it's 56k posts vs 30.
You mentioned something about a path in your previous posts & I really had not the faintest idea of what you were referring to.
Thank you once again.


----------



## Cookiegal (Aug 27, 2003)

The path means where the file is located. For instance, the valid iexplore.exe should be located at:

C:\Program Files\Internet Explorer\iexplore.exe

Please do the following:

Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders".
Click "Apply" then "OK".

Go to Start > Search > All Files and Folders, and under "More advanced search options"
make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Then do a search for the following and let me know the location of every instance found.

*iexplore.exe*


----------
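
The point Cookiegal makes above, that the file name alone says nothing and the directory it sits in (plus the exact spelling, given the ixplore.exe confusion earlier in the thread) is what to check, as a small script. This is an added example by the editor, not code from the thread, from HijackThis or from anyone in it. It assumes the default locations of a 32-bit Windows XP install; the sample paths are constructed for the demo (KB000000 is a placeholder, not a real update) and are not the poster's search results.

```python
"""Classify where a system-binary name was found: expected dir, servicing
cache, prefetch record, wrong location, or a lookalike name.

Added example, not part of the thread. Directory expectations are for a
default 32-bit Windows XP install (an assumption); SAMPLE_HITS is constructed
for the demo and is not the poster's search output.
"""
from __future__ import annotations

import ntpath
import re

# Directory the genuine copy runs from (XP, 32-bit, default %ProgramFiles%).
# Starting list only; every legitimate system name you care about goes here,
# otherwise it may be reported as a lookalike of one that is.
EXPECTED_DIR = {
    "iexplore.exe": r"c:\program files\internet explorer",
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
}

# Folders where Windows servicing (service packs, hotfixes, IE updates) parks
# spare copies of system binaries. A hit there is a cached copy, not the one
# that runs, so it is normal but still not "the" iexplore.exe.
SERVICING_DIR_RE = re.compile(
    r"^c:\\windows\\("
    r"\$hf_mig\$|\$ntservicepackuninstall\$|\$ntuninstallkb\d+\$|"
    r"servicepackfiles|ie7updates|softwaredistribution"
    r")\\"
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are short file names, so the full table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path: str) -> str:
    """Return 'expected', 'servicing-copy', 'prefetch', 'wrong-location',
    'lookalike:<real name>' or 'unknown' for one full path."""
    norm = path.strip().lower().replace("/", "\\")
    directory, name = ntpath.split(norm)
    directory = directory.rstrip("\\")
    if name.endswith(".pf"):
        # Prefetch records (IEXPLORE.EXE-XXXXXXXX.pf) are launch-cache data,
        # not executables; they only show the name was run at some point.
        return "prefetch"
    if name in EXPECTED_DIR:
        if directory == EXPECTED_DIR[name]:
            return "expected"
        if SERVICING_DIR_RE.match(directory + "\\"):
            return "servicing-copy"
        return "wrong-location"
    # Unknown name: is it within two edits of a protected one (ixplore.exe,
    # scvhost.exe and friends)? Real system names were matched exactly above.
    for known in EXPECTED_DIR:
        if levenshtein(name, known) <= 2:
            return f"lookalike:{known}"
    return "unknown"


def triage(paths: list[str]) -> dict[str, list[str]]:
    """Group paths by classification so the interesting buckets stand out."""
    buckets: dict[str, list[str]] = {}
    for p in paths:
        buckets.setdefault(classify(p), []).append(p)
    return buckets


# Constructed sample of what a search for iexplore* might return, plus two
# invented decoys at the end; KB000000 is a placeholder, not a real update.
SAMPLE_HITS = [
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\WINDOWS\ie7updates\KB000000-IE7\iexplore.exe",
    r"C:\WINDOWS\$hf_mig$\KB000000-IE7\SP3QFE\iexplore.exe",
    r"C:\WINDOWS\Prefetch\IEXPLORE.EXE-271223.pf",
    r"C:\WINDOWS\Temp\iexplore.exe",
    r"C:\Documents and Settings\User\Local Settings\Temp\ixplore.exe",
]

if __name__ == "__main__":
    for verdict, hits in triage(SAMPLE_HITS).items():
        print(verdict)
        for h in hits:
            print("   ", h)
```

Feed it the full paths from the search, or the "Running processes" lines of a HijackThis log. A 'wrong-location' or 'lookalike' result is a lead, not a verdict: compare that file's hash or Authenticode signature against the copy in the expected directory before deleting anything. Cached servicing copies under $hf_mig$, ie7updates and similar folders are normal on a patched XP machine and are why a search for iexplore.exe on such a box returns dozens of hits.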



## abloke (Jun 21, 2008)

Hi Cookiegal, did the search as per your mail & found 31 files relating to iexplore.
They are:
iexplore.exe page 2 forums tsg
iexplore.exe c:\windows\$NT service
iexplore.exe c:\windows\internet explorer
iexploreexe 271223 c:\windows\prefetch
iexplore.exe.mni c:\programfiles\internet
iexplore.exe c:\windows\ie7updates (12 files)
iexplore.exe c:\windows\servicepac
iexplore.exe c:\windows\system32
iexplore.exe c\windows\$hf_mig$\...... (11 files)

Thank-you for your time & advice


----------



## abloke (Jun 21, 2008)

Hey cookiegal

Been anticipating your mail... but seems my PC problem is
minor???????????????????


----------



## Cookiegal (Aug 27, 2003)

Sorry, I couldn't get to you until now. The site was down most of yesterday for a major upgrade.

It looks like you indeed have an infection so please do the following:

*Click here* to download *HJTsetup.exe*.

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This. 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## abloke (Jun 21, 2008)

Hi, and thank you for your, as always, informative post.
I followed your prompts up to " Do system scan & save a log file",
it has scanned, but hasn't asked me to confirm saving a log.
It may well have saved the log, just I have no idea where to find it?
Apologies again, this must be a bit of a pain for you.
Thankx all the same; your assistance is greatly appreciated!!


----------



## abloke (Jun 21, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:09 PM, on 1/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\USBToolbox\Res.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [USB Storage Toolbox] "C:\Program Files\USBToolbox\Res.EXE"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://192.168.4.252/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C58BEB5-922E-440D-BD69-3894C5BD6EAD}: NameServer = 196.43.34.190,196.43.46.190
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C58BEB5-922E-440D-BD69-3894C5BD6EAD}: NameServer = 196.43.34.190,196.43.46.190
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C58BEB5-922E-440D-BD69-3894C5BD6EAD}: NameServer = 196.43.34.190,196.43.46.190
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

--
End of file - 7646 bytes


----------



## Cookiegal (Aug 27, 2003)

Please download Malwarebytes Anti-Malware from *Here* or *Here*

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note).
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply along with a new HijackThis log please.

Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately. 
Also, if you receive an (Error Loading) error on reboot please reboot a second time. It is normal for this error to occur once and does not need to be reported unless it returns on future reboots.*


----------



## abloke (Jun 21, 2008)

Malwarebytes' Anti-Malware 1.33
Database version: 1670
Windows 5.1.2600 Service Pack 3

1/20/2009 6:11:35 PM
mbam-log-2009-01-20 (18-11-35).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 120322
Time elapsed: 1 hour(s), 16 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 8
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{f0d4b230-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0d4b23a-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0d4b23c-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b15fd82e-85bc-430d-90cb-65db1b030510} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Log (Rogue.SpywareBot) -> Files: 419 -> Quarantined and deleted successfully.
C:\Documents and Settings\Rogue\Application Data\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rogue\Application Data\SpywareBot\Log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rogue\Application Data\SpywareBot\Quarantine (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rogue\Application Data\SpywareBot\Registry Backups (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rogue\Application Data\SpywareBot\Settings (Rogue.SpywareBot) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rogue\Application Data\SpywareBot\DataBaseNew.ref (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rogue\Application Data\SpywareBot\fp.dat (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rogue\Application Data\SpywareBot\rs.dat (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rogue\Application Data\SpywareBot\Log\2008 Mar 06 - 05_29_24 PM_359.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rogue\Application Data\SpywareBot\Settings\CustomScan.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rogue\Application Data\SpywareBot\Settings\IgnoreList.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rogue\Application Data\SpywareBot\Settings\ScanInfo.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rogue\Application Data\SpywareBot\Settings\SelectedFolders.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rogue\Application Data\SpywareBot\Settings\Settings.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.


----------



## abloke (Jun 21, 2008)

Hi Cookiegal
Thank-you & TSG very much for your advice & patience.


----------



## Cookiegal (Aug 27, 2003)

You're quite welcome. 

Please visit *ComboFix Guide & Instructions* for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read *HERE* for an article written by dvk01 on why we disable autoruns.


----------



## abloke (Jun 21, 2008)

hi Cookiegal
Thankx for your above mail, will visit ComboFix in due course &
report back to you. Meant to apologize for my impatience the other
evening!!


----------



## Cookiegal (Aug 27, 2003)

abloke said:


> hi Cookiegal
> Thankx for your above mail, will visit ComboFix in due course &
> report back to you. Meant to apologize for my impatience the other
> evening!!


Apology accepted and thanks for that. Please post the ComboFix log when you can but I probably won't be able to get to it until sometime this evening so I just wanted to let you know that.


----------



## abloke (Jun 21, 2008)

Thank you!! Will attempt to get the log to you later, my son is not here to 
assist. Think it's only my PC that gets me to hyperventilate more than blondes. Have a great day


----------



## abloke (Jun 21, 2008)

Hi again Cookiegal,
am afraid that I won't get the ComboFix log to you tonight.
Hope I'm not wasting your time with just iexplore,
cos from my limited knowledge I think my PC is cooked?
Are we only permitted to chat in this forum?
Or can we personalize e-mail?
Hope to have assistance tomorrow to copy n paste the log for you.


----------



## Cookiegal (Aug 27, 2003)

That's fine. 

Why do you think the computer is cooked?

This is not chat but yes, this is the only acceptable method of providing assistance.

Please post the log when you can.


----------



## abloke (Jun 21, 2008)

Hi Cookiegal

Sorry, was getting ahead of myself again, realize this is not a chat room,
albeit that I've been receiving some very informative advice from you!

There have been several issues in this last year: have changed ISP,
from broadband to dial-up, certain e-mails do not reach my desktop,
and Outlook is continually trying to send mail, even though there is no mail
in the outbox.

I've probably extended your goodwill quota in solving a single problem,
and now I'm bordering on adding more fuel to the fire.

Have a great day, sorry, PM, you're on the other side!


----------



## Cookiegal (Aug 27, 2003)

While waiting for the ComboFix log, I wanted to ask you how many other user accounts there are on this computer?


----------



## abloke (Jun 21, 2008)

Hi Cookiegal
will get the log to you over the weekend. As far as I know there are
only 2 user accounts on this PC, mine & my son's, and he normally
goes in via my account, be it to Facebook, Gmail or sport.


----------



## abloke (Jun 21, 2008)

Hi Cookiegal
The RegCure log as promised:

| Registry items | Errors | Cleared | Ignored |
|---|---|---|---|
| COM/ActiveX | 32 | 0 | 0 |
| Uninstall | 0 | 0 | 0 |
| Font entry | 0 | 0 | 0 |
| Shared DLL entry | 3 | 0 | 0 |
| Application path error | 3 | 0 | 0 |
| Help file info | 2 | 0 | 0 |
| Windows startup items | 19 | 0 | 0 |
| Pathfile file ref | 514 | 0 | 0 |
| Empty registry item | 364 | 0 | 0 |
| Program shortcut | 70 | 0 | 0 |
| File association | 1 | 0 | 0 |

Errors found: 1008

Soz, couldn't get the copy & paste to work; excuse the rudimentary
log presented. Not sure what all the above means, but for sure,
as opposed to my old Windows 98, somebody(s) else seems to control
this PC.
Thankx again


----------



## abloke (Jun 21, 2008)

Hey again Cookiegal,
this is not amusing: just sent you the RegCure log,
but TSG shows I'm not online (red dot),
and as I'm looking at the screen it changes???


----------



## abloke (Jun 21, 2008)

OK, only the RegCure log post remains in red,
my last post shows I'm online,
somebody else is driving this PC


----------



## Cookiegal (Aug 27, 2003)

I didn't ask for a RegCure log. In fact you should uninstall that program. I don't recommend running registry cleaners as they can cause more harm than good.

Please follow my instructions for running ComboFix and post that log.


----------



## abloke (Jun 21, 2008)

Morning Cookiegal,
I went back to your post of 21st Jan & downloaded "the ComboFix",
and it was that same RegCure I posted yesterday, the one you didn't
show any affinity for.
Any suggestions?
Thankx


----------



## Cookiegal (Aug 27, 2003)

You're not looking in the right place. That is an advertisement on the left side of the page. You need to follow the instructions from the index down.


----------



## abloke (Jun 21, 2008)

> You're quite welcome.
> 
> Please visit *ComboFix Guide & Instructions* for instructions for installing the recovery console and downloading and running ComboFix.
> 
> ...


I can only see ComboFix guide & instructions... even with specs I see no
other place to download from?
If I send mail to the TSG box number, will it reach you?
There are quite a few other issues apart from iexplore,
and I suspect I'm wasting your time?


----------



## Cookiegal (Aug 27, 2003)

I'm sorry but I don't assist by e-mail and all replies must be done on the boards as it's less confusing and we can see what is being done.

Do you not see this under "Using ComboFix"?

*Next you should download ComboFix from one of the following URLs:

BleepingComputer.com 
ForoSpyware.com 
GeeksTogo.com *

You just need to click on one of those at the other site as they are clickable links to the download.


----------



## abloke (Jun 21, 2008)

ComboFix 09-01-21.04 - Rogue 2009-01-25 12:19:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.178 [GMT 2:00]
Running from: c:\documents and settings\Rogue\Desktop\Combo-Fix.exe
AV: AVG Internet Security *On-access scanning enabled* (Updated)
FW: AVG Firewall *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
F:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-12-25 to 2009-01-25 )))))))))))))))))))))))))))))))
.
2009-01-24 13:16 . 2009-01-24 13:16 d----c--- c:\documents and settings\All Users\Application Data\Symantec
2009-01-20 16:48 . 2009-01-20 16:48 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-20 16:48 . 2009-01-20 16:48 d-------- c:\documents and settings\Rogue\Application Data\Malwarebytes
2009-01-20 16:48 . 2009-01-20 16:48 d----c--- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-20 16:48 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-20 16:48 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-19 06:31 . 2009-01-19 06:31 d-------- c:\program files\Trend Micro
2008-12-31 14:28 . 2008-12-31 14:28 dr-h-c--- C:\MSOCache
2008-12-31 14:28 . 2009-01-04 03:04 d----c--- c:\documents and settings\All Users\Application Data\Microsoft Help
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-16 06:05 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-13 05:31 --------- dc----w c:\documents and settings\All Users\Application Data\Avg8
2009-01-09 18:50 --------- d-----w c:\documents and settings\Rogue\Application Data\Skype
2009-01-09 15:54 --------- d-----w c:\documents and settings\Rogue\Application Data\skypePM
2009-01-09 10:28 12,552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-01-09 10:28 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-01 10:15 --------- d-----w c:\program files\Mozilla Firefox 3 Beta 5
2008-12-31 12:31 --------- d-----w c:\program files\Microsoft Works
2008-12-29 18:20 --------- d-----w c:\documents and settings\Rogue\Application Data\AVGTOOLBAR
2008-12-23 09:40 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-23 08:45 --------- d-----w c:\program files\D-Link
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2007-09-01 14:15 1 -c--a-w c:\documents and settings\Rogue\SI.bin
2008-10-13 17:19 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008101320081014\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-06-21 66912]
[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-06-21 21:06 66912 --a------ c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"USB Storage Toolbox"="c:\program files\USBToolbox\Res.EXE" [2002-01-15 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-09 1601304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SoundMan"="SOUNDMAN.EXE" [2005-03-24 c:\windows\SOUNDMAN.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-09 12:28 10520 c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-07-24 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-07-24 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-07-24 107272]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2008-07-24 29208]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-09 298264]
R4 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-01-09 1339600]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 autorun;autorun;\??\c:\huadio.tmp --> c:\huadio.tmp [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2008-07-24 29208]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41ed8122-3ff2-11db-bcdb-00138f8db7d7}]
\Shell\AutoRun\command - g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
\Shell\open\command - g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d0af2c6-e31f-11dd-b782-00138f8db7d7}]
\Shell\AutoRun\command - SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system.exe
\Shell\open\command - SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb3d81c-1863-11dd-bf69-001349ab199f}]
\Shell\AutoRun\command - G:\xn1i9x.com
\Shell\explore\Command - G:\xn1i9x.com
\Shell\open\Command - G:\xn1i9x.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb3d81e-1863-11dd-bf69-001349ab199f}]
\Shell\AutoRun\command - xn1i9x.com
\Shell\explore\Command - xn1i9x.com
\Shell\open\Command - xn1i9x.com
.
Contents of the 'Scheduled Tasks' folder
2009-01-25 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
2009-01-21 c:\windows\Tasks\SpywareBot Scheduled Scan.job
- c:\program files\SpywareBot\SpywareBot.exe []
2009-01-21 c:\windows\Tasks\SpywareBot Scheduled Scan.job
- c:\program files\SpywareBot []
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Cmaudio - cmicnfg.cpl

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.za/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {0C58BEB5-922E-440D-BD69-3894C5BD6EAD} = 196.43.34.190,196.43.46.190
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://192.168.4.252/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Rogue\Application Data\Mozilla\Firefox\Profiles\u3eksgh2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-25 12:24:50
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\autorun]
"ImagePath"="\??\c:\huadio.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-25 12:27:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-25 10:26:58
Pre-Run: 52,375,412,736 bytes free
Post-Run: 53,216,448,512 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
175 --- E O F --- 2009-01-22 19:01:09

Finally!!


----------



## abloke (Jun 21, 2008)

Hey Cookiegal

Thank-you & TSG so much! You need a medal for your perseverance
with this thread & my inaptitude & impatience @ times.
The initial problem was iexplore.exe, which popped up after exiting
internet explorer - which is not the case now, albeit that i have other
pc issues, will give you a 6 months sabbatical to recover, before bugging you again.
Thankx again!
R


----------



## Cookiegal (Aug 27, 2003)

You're welcome but we're not done yet.

I assume what normally shows up as your G drive is an external or flash drive? It is also infected so be sure to insert it before going through all of the following instructions so we disinfect it.

Download *Flash_Disinfector.exe by sUBs* from *here* and save it to your desktop.

- Double-click *Flash_Disinfector.exe* to run it and follow any prompts that may appear.
- The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
- Wait until it has finished scanning and then exit the program.
- Reboot your computer when done.

*Note*: _Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection._

Open Notepad and copy and paste the text in the code box below into it:


```
File::
g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
G:\xn1i9x.com
c:\windows\Tasks\SpywareBot Scheduled Scan.job

Folder::
c:\program files\SpywareBot

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41ed8122-3ff2-11db-bcdb-00138f8db7d7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d0af2c6-e31f-11dd-b782-00138f8db7d7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb3d81c-1863-11dd-bf69-001349ab199f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb3d81e-1863-11dd-bf69-001349ab199f}]
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*
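The MountPoints2 keys the script above removes are the registry trace left by an autorun.inf on the G: drive: each one records which shell verb (AutoRun, open, explore) Windows wired to an executable on that drive. As an added example (not ComboFix's code and not the helper's script), the following Python parses a ComboFix-style log excerpt constructed from the entries posted in this thread, flags autorun handlers that launch executables, use relative paths or hide under SID-named folders, and reports the Security Center override values that hide disabled protection; the heuristics, function names and severity labels are this example's own.

```python
"""Flag removable-drive autorun hijacks in a ComboFix-style log.
Added example for this thread, not ComboFix's code or the helper's script.
SAMPLE_LOG is a constructed excerpt modelled on the log quoted above.
"""
import re

# MountPoints2 keeps, per volume GUID, the shell verbs Windows attached when
# a drive was inserted; AutoRun/open/explore commands come from that drive's
# autorun.inf, so they remain as a trace of USB-worm activity.
MOUNTPOINT_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.IGNORECASE)
HANDLER = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.IGNORECASE)
EXECUTABLE = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs")
# RECYCLER-style SID folder names that USB worms use to look like system data.
SID_DIR = re.compile(r"\\s-1-5-21(-\d+){4}\\", re.IGNORECASE)
# Security Center values that hide disabled protection from the user; malware
# flips them, but so do some AV installers, so report them as context only.
TAMPER = {
    '"AntiVirusOverride"=dword:00000001': "antivirus status warnings suppressed",
    '"DisableMonitoring"=dword:00000001': "Security Center monitoring disabled",
    '"EnableFirewall"= 0 (0x0)': "Windows Firewall standard profile off",
}


def parse_mountpoints(log_text):
    """Map each MountPoints2 volume GUID to its {verb: command} handlers."""
    points, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = MOUNTPOINT_KEY.match(line)
        if key:
            current = points.setdefault(key.group(1).lower(), {})
            continue
        handler = HANDLER.match(line)
        if handler and current is not None:
            current[handler.group(1).lower()] = handler.group(2).strip()
        else:
            current = None  # any other line closes the key's block
    return points


def assess(guid, handlers):
    """Return (severity, message) findings for one MountPoints2 entry."""
    findings = []
    for verb, cmd in handlers.items():
        low = cmd.lower()
        reasons, strong = [], False
        if low.endswith(EXECUTABLE):
            reasons.append("launches an executable")
        if not re.match(r"^[a-z]:\\", low):
            reasons.append("relative path, resolved on the inserted drive")
            strong = True
        if SID_DIR.search(low):
            reasons.append("SID-named folder typical of worm droppers")
            strong = True
        if reasons:
            # A bare executable also matches a CD's setup.exe, so it only asks
            # for a look; relative paths and SID folders are the red flags.
            severity = "HIGH" if strong else "review"
            findings.append((severity, f"{guid} {verb}: {cmd} ({'; '.join(reasons)})"))
    return findings


def tampering(log_text):
    """List Security Center / firewall values that mask disabled protection."""
    return [TAMPER[ln.strip()] for ln in log_text.splitlines() if ln.strip() in TAMPER]


def scan(log_text):
    """Autorun findings across all mount points plus tampering indicators."""
    findings = []
    for guid, handlers in parse_mountpoints(log_text).items():
        findings.extend(assess(guid, handlers))
    return findings, tampering(log_text)


# Constructed excerpt modelled on the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41ed8122-3ff2-11db-bcdb-00138f8db7d7}]
\Shell\AutoRun\command - g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
\Shell\open\command - g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d0af2c6-e31f-11dd-b782-00138f8db7d7}]
\Shell\AutoRun\command - SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system.exe
\Shell\open\command - SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb3d81e-1863-11dd-bf69-001349ab199f}]
\Shell\AutoRun\command - xn1i9x.com
\Shell\explore\Command - xn1i9x.com
\Shell\open\Command - xn1i9x.com
"""

if __name__ == "__main__":
    found, tamper = scan(SAMPLE_LOG)
    for severity, message in found + [("tamper", note) for note in tamper]:
        print(f"[{severity}] {message}")
```

Run it on a full ComboFix log to get the same mountpoint and Security Center lines picked out; the three keys in the sample all come out HIGH, while a CD's `d:\setup.exe` autorun is only marked for review.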


----------



## abloke (Jun 21, 2008)

> Double-click *Flash_Disinfector.exe* to run it and follow any prompts that may appear.
> The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
> Wait until it has finished scanning and then exit the program.
> Reboot your computer when done.

Thank-you for picking that up, i have not used a flash drive on
this pc for a long time, could be one of family members?
But will follow your prompts this evening.
The mobile phone too? It isn't connected to pc?


----------



## Cookiegal (Aug 27, 2003)

It could be the mobile phone if it has a memory card and has been connected to the computer.


----------



## abloke (Jun 21, 2008)

As usual thankx for your posts & input. Managed to do flash_disinfector.exe yesterday, just have to get that log to you.
We did connect my phone a long time ago to get a semi decent ringtone.


----------



## abloke (Jun 21, 2008)

Hi Cookiegal
I just can't open autorun, to copy & paste you the log.
Have a great day


----------



## abloke (Jun 21, 2008)

ComboFix 09-01-21.04 - Rogue 2009-01-28 0:43:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.168 [GMT 2:00]
Running from: c:\documents and settings\Rogue\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Rogue\Desktop\CFScript.exe.lnk
AV: AVG Internet Security *On-access scanning enabled* (Updated)
FW: AVG Firewall *enabled*
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-12-27 to 2009-01-27 )))))))))))))))))))))))))))))))
.
2009-01-26 20:57 . 2009-01-26 20:57 d--hs---- c:\documents and settings\Rogue\UserData
2009-01-24 13:16 . 2009-01-24 13:16 d----c--- c:\documents and settings\All Users\Application Data\Symantec
2009-01-20 16:48 . 2009-01-20 16:48 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-20 16:48 . 2009-01-20 16:48 d-------- c:\documents and settings\Rogue\Application Data\Malwarebytes
2009-01-20 16:48 . 2009-01-20 16:48 d----c--- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-20 16:48 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-20 16:48 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-19 06:31 . 2009-01-19 06:31 d-------- c:\program files\Trend Micro
2008-12-31 14:28 . 2008-12-31 14:28 dr-h-c--- C:\MSOCache
2008-12-31 14:28 . 2009-01-04 03:04 d----c--- c:\documents and settings\All Users\Application Data\Microsoft Help
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-16 06:05 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-13 05:31 --------- dc----w c:\documents and settings\All Users\Application Data\Avg8
2009-01-09 18:50 --------- d-----w c:\documents and settings\Rogue\Application Data\Skype
2009-01-09 15:54 --------- d-----w c:\documents and settings\Rogue\Application Data\skypePM
2009-01-09 10:28 12,552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-01-09 10:28 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-09 10:28 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-01 10:15 --------- d-----w c:\program files\Mozilla Firefox 3 Beta 5
2008-12-31 12:31 --------- d-----w c:\program files\Microsoft Works
2008-12-29 18:20 --------- d-----w c:\documents and settings\Rogue\Application Data\AVGTOOLBAR
2008-12-23 09:40 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-23 08:45 --------- d-----w c:\program files\D-Link
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-06 16:22 50,968 ----a-w c:\windows\system32\avgfwdx.dll
2007-09-01 14:15 1 -c--a-w c:\documents and settings\Rogue\SI.bin
2008-10-13 17:19 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008101320081014\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-06-21 66912]
[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-06-21 21:06 66912 --a------ c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"USB Storage Toolbox"="c:\program files\USBToolbox\Res.EXE" [2002-01-15 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-09 1601304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SoundMan"="SOUNDMAN.EXE" [2005-03-24 c:\windows\SOUNDMAN.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-09 12:28 10520 c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-07-24 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-07-24 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-07-24 107272]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2008-07-24 29208]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-09 298264]
R4 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-01-09 1339600]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 autorun;autorun;\??\c:\huadio.tmp --> c:\huadio.tmp [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2008-07-24 29208]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41ed8122-3ff2-11db-bcdb-00138f8db7d7}]
\Shell\AutoRun\command - g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
\Shell\open\command - g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d0af2c6-e31f-11dd-b782-00138f8db7d7}]
\Shell\AutoRun\command - SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system.exe
\Shell\open\command - SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb3d81c-1863-11dd-bf69-001349ab199f}]
\Shell\AutoRun\command - G:\xn1i9x.com
\Shell\explore\Command - G:\xn1i9x.com
\Shell\open\Command - G:\xn1i9x.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb3d81e-1863-11dd-bf69-001349ab199f}]
\Shell\AutoRun\command - xn1i9x.com
\Shell\explore\Command - xn1i9x.com
\Shell\open\Command - xn1i9x.com
.
Contents of the 'Scheduled Tasks' folder
2009-01-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
2009-01-27 c:\windows\Tasks\SpywareBot Scheduled Scan.job
- c:\program files\SpywareBot\SpywareBot.exe []
2009-01-27 c:\windows\Tasks\SpywareBot Scheduled Scan.job
- c:\program files\SpywareBot []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.za/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {0C58BEB5-922E-440D-BD69-3894C5BD6EAD} = 196.43.34.190,196.43.46.190
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://192.168.4.252/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Rogue\Application Data\Mozilla\Firefox\Profiles\u3eksgh2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-28 00:47:17
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\autorun]
"ImagePath"="\??\c:\huadio.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
.
**************************************************************************
.
Completion time: 2009-01-28 0:49:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-27 22:49:28
ComboFix2.txt 2009-01-25 10:27:05
Pre-Run: 53,173,227,520 bytes free
Post-Run: 53,194,059,776 bytes free
165 --- E O F --- 2009-01-26 22:08:12


----------



## abloke (Jun 21, 2008)

well eventually got it to you.
Hope this helps, and if you feel up to it we can go into other
pc issues?


----------



## Cookiegal (Aug 27, 2003)

It looks like you named the CFScript with an .exe extension instead of .txt. Please run the script again and follow the instructions carefully. You need to save it as CFScript.txt.


----------



## abloke (Jun 21, 2008)

Why is this pc soo unwilling to accept copy & paste of the CFScript.txt
log?


----------



## Cookiegal (Aug 27, 2003)

If you can't copy and paste it then upload it as an attachment please.


----------



## abloke (Jun 21, 2008)

For you guess it won't be an issue.
Reasoning behind contacting you via fax or hand written mode,
was due to pc being controlled from elsewhere?
I will attempt it once more, failure of which i'm out of here,
there are other issues apart from iexplore.exe, and thank-you
for all your help advice, and all your input!


----------



## Cookiegal (Aug 27, 2003)

I don't understand what you posted. Can you clarify a little?


----------



## abloke (Jun 21, 2008)

Was referring to it being easy for you to upload as attachment,
And frustrated @ not being able to copy & paste this last log,
when I have copy & pasted numerous logs prior to this last one.
Will make "another" attempt later in day.
Thankx


----------



## Cookiegal (Aug 27, 2003)

Are you not able to upload it as an attachment? Do you need instructions on how to do that?


----------



## abloke (Jun 21, 2008)

yes please Cookiegal, that would be greatly appreciated.


----------



## Cookiegal (Aug 27, 2003)

OK. Open a reply dialogue box and then scroll down under Additional Options where it says Attach Files and click on the button that says Manage Attachments. Then click on "Browse" in the box that opens up and locate the file on your computer. Once you've located it, click "Open" and then click on "Upload". Once you've done that then click on Submit Reply.


----------



## abloke (Jun 21, 2008)

Thank-you, will " attempt" to execute your advice this evening!


----------



## abloke (Jun 21, 2008)

I think you will be muttering some obscenities soon...
Are you looking for the autorun log, that i had to rename CFScript.txt?
The log from flash_disinfector?
I can't seem to open any of the autoruns?
Which all seem to require a program to open them?
Really sorry about this.
If you do reply..how do i save a new autorun to desktop,
they all seem to end up in my pc disk c/d or f?


----------



## abloke (Jun 21, 2008)

Hi again Cookiegal
Forgot to include in my last post, a good few posts back,
you mentioned that my pc seemed infected.
How bad is it? If the patient be permitted to ask the Doctor?


----------



## Cookiegal (Aug 27, 2003)

I'm looking for you to run the fix described in post no. 46. It has nothing to do with the autoruns log. This is completely separate.


----------



## abloke (Jun 21, 2008)

Hi Cookiegal
It's not for lack of trying...went back to post 46,
followed all your prompts up to dragging CFScript.txt into combofix.exe
Combofix did not start again, even after a manual reboot from me.
If there is a log, I can't see it, hence can't copy & paste it to you?
Any Suggestions? Sure a lot come to mind,


----------



## Cookiegal (Aug 27, 2003)

Try deleting these files manually. You will have to insert your flash or external drive that normally shows up as your G drive:

g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\*ise32.exe*
G:\*xn1i9x.com*
c:\windows\Tasks\*SpywareBot Scheduled Scan.job*

Then drag and drop ComboFix into the recycle bin, grab the latest version, run a new scan and post that log please.

Please visit *Combofix Guide & Instructions * for instructions for downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.


----------



## abloke (Jun 21, 2008)

> g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\*ise32.exe*
> G:\*xn1i9x.com*
> c:\windows\Tasks\*SpywareBot Scheduled Scan.job*

hi cookiegal
Are these the files you want me to delete?
You deserve the Nobel peace prize for your patience & goodwill
in this thread!


----------



## abloke (Jun 21, 2008)

Just noticed again, post 68 shows I'm on line, whereas, post 66 shows I'm off line?


----------



## Cookiegal (Aug 27, 2003)

abloke said:

> g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\*ise32.exe*
> G:\*xn1i9x.com*
> c:\windows\Tasks\*SpywareBot Scheduled Scan.job*
> ...


Yes. Those are the files.


----------



## abloke (Jun 21, 2008)

Hi Sorry for delay.
Couldn't find any of the files you mentioned.
Was an error message of these files are on the hard drive or network
or something very similar to that.
Think it may be better going back to sending smoke signals, only the wind factor?


----------



## Cookiegal (Aug 27, 2003)

Please remove ComboFix by dragging it to the recycle bin and get the latest version, scan again and post the log please.


----------



## abloke (Jun 21, 2008)

ComboFix 09-02-06.04 - Rogue 2009-02-08 8:42:10.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.178 [GMT 2:00]
Running from: c:\documents and settings\Rogue\Desktop\Combo-Fix.exe
AV: AVG Internet Security *On-access scanning enabled* (Updated)
FW: AVG Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-08 to 2009-02-08 )))))))))))))))))))))))))))))))
.

2009-01-24 13:16 . 2009-01-24 13:16 d----c--- c:\documents and settings\All Users\Application Data\Symantec
2009-01-20 16:48 . 2009-01-20 16:48 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-20 16:48 . 2009-01-20 16:48 d-------- c:\documents and settings\Rogue\Application Data\Malwarebytes
2009-01-20 16:48 . 2009-01-20 16:48 d----c--- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-20 16:48 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-20 16:48 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-19 06:31 . 2009-01-19 06:31 d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-16 06:05 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-13 05:31 --------- dc----w c:\documents and settings\All Users\Application Data\Avg8
2009-01-09 18:50 --------- d-----w c:\documents and settings\Rogue\Application Data\Skype
2009-01-09 15:54 --------- d-----w c:\documents and settings\Rogue\Application Data\skypePM
2009-01-09 10:28 12,552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-01-09 10:28 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-04 01:04 --------- dc----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-01 10:15 --------- d-----w c:\program files\Mozilla Firefox 3 Beta 5
2008-12-31 12:31 --------- d-----w c:\program files\Microsoft Works
2008-12-29 18:20 --------- d-----w c:\documents and settings\Rogue\Application Data\AVGTOOLBAR
2008-12-23 09:40 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-23 08:45 --------- d-----w c:\program files\D-Link
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2007-09-01 14:15 1 -c--a-w c:\documents and settings\Rogue\SI.bin
2008-10-13 17:19 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008101320081014\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-06-21 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-06-21 21:06 66912 --a------ c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"USB Storage Toolbox"="c:\program files\USBToolbox\Res.EXE" [2002-01-15 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-09 1601304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SoundMan"="SOUNDMAN.EXE" [2005-03-24 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-09 12:28 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-07-24 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-07-24 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-07-24 107272]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-09 298264]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-01-09 1339600]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2008-07-24 29208]
S3 autorun;autorun;\??\c:\huadio.tmp --> c:\huadio.tmp [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2008-07-24 29208]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41ed8122-3ff2-11db-bcdb-00138f8db7d7}]
\Shell\AutoRun\command - g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
\Shell\open\command - g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d0af2c6-e31f-11dd-b782-00138f8db7d7}]
\Shell\AutoRun\command - SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system.exe
\Shell\open\command - SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb3d81c-1863-11dd-bf69-001349ab199f}]
\Shell\AutoRun\command - G:\xn1i9x.com
\Shell\explore\Command - G:\xn1i9x.com
\Shell\open\Command - G:\xn1i9x.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb3d81e-1863-11dd-bf69-001349ab199f}]
\Shell\AutoRun\command - xn1i9x.com
\Shell\explore\Command - xn1i9x.com
\Shell\open\Command - xn1i9x.com
.
Contents of the 'Scheduled Tasks' folder

2009-02-08 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2009-02-08 c:\windows\Tasks\SpywareBot Scheduled Scan.job
- c:\program files\SpywareBot\SpywareBot.exe []

2009-02-08 c:\windows\Tasks\SpywareBot Scheduled Scan.job
- c:\program files\SpywareBot []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.za/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {0C58BEB5-922E-440D-BD69-3894C5BD6EAD} = 196.43.34.190,196.43.46.190
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://192.168.4.252/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Rogue\Application Data\Mozilla\Firefox\Profiles\u3eksgh2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 08:46:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\autorun]
"ImagePath"="\??\c:\huadio.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
.
**************************************************************************
.
Completion time: 2009-02-08 8:48:34 - machine was rebooted [Rogue]
ComboFix-quarantined-files.txt 2009-02-08 06:48:30
ComboFix2.txt 2009-01-31 16:29:31
ComboFix3.txt 2009-01-28 12:14:34
ComboFix4.txt 2009-01-27 22:49:34
ComboFix5.txt 2009-02-03 18:20:53

Pre-Run: 53,344,092,160 bytes free
Post-Run: 53,359,071,232 bytes free

163 --- E O F --- 2009-02-06 04:34:20


----------



## abloke (Jun 21, 2008)

Hi Cookiegal
Thank you for your time, effort and patience,
post above, hopefully the right one.


----------



## Cookiegal (Aug 27, 2003)

OK, let's try this again.

Please insert whatever normally shows up as your G drive.

Open Notepad and copy and paste the text in the code box below into it:


```
File::
c:\windows\Tasks\SpywareBot Scheduled Scan.job
g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
G:\xn1i9x.com

Folder::
c:\program files\SpywareBot

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41ed8122-3ff2-11db-bcdb-00138f8db7d7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d0af2c6-e31f-11dd-b782-00138f8db7d7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb3d81c-1863-11dd-bf69-001349ab199f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb3d81e-1863-11dd-bf69-001349ab199f}]
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*
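The entries the script above removes (the mountpoints2 autorun handlers and their targets on the G: drive) sit beside two other things worth noticing in the ComboFix log: the `autorun` service whose image is c:\huadio.tmp, and the Security Center and firewall policy values that have been switched off. As an added example that is not part of this thread or of ComboFix, the Python below picks those patterns out of ComboFix "Reg Loading Points" text and drafts a CFScript in the same File::/Registry:: layout; the sample input is an excerpt constructed from the posted log, and every function and regular expression is my own.

```python
"""Triage a ComboFix 'Reg Loading Points' dump for the indicators acted on in this thread.
Added example, not ComboFix's or the forum's own code: flags mountpoints2 autorun handlers,
a service whose image is a .tmp in the drive root, Security Center overrides and a disabled
firewall profile, then drafts a CFScript in the File::/Registry:: layout of the post above."""
import re

# Constructed input: an excerpt copied from the ComboFix log posted earlier in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 autorun;autorun;\??\c:\huadio.tmp --> c:\huadio.tmp [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41ed8122-3ff2-11db-bcdb-00138f8db7d7}]
\Shell\AutoRun\command - g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
\Shell\open\command - g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb3d81c-1863-11dd-bf69-001349ab199f}]
\Shell\AutoRun\command - G:\xn1i9x.com
\Shell\explore\Command - G:\xn1i9x.com
\Shell\open\Command - G:\xn1i9x.com
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
SHELL_CMD_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command\s+-\s+(?P<target>.+?)$", re.I)
OVERRIDE_RE = re.compile(r'^"(AntiVirusOverride|FirewallOverride|DisableMonitoring)"=dword:0*1$', re.I)
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b', re.I)
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<image>.+?)\s+\[", re.I)

def parse_sections(text):
    """Map each [key] header to the value lines beneath it; a blank line ends a section."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
        else:
            current = None
    return sections

def find_mountpoint_autoruns(sections):
    """(key, verb, target) for every Shell\\<verb>\\command handler under mountpoints2."""
    return [(key, m.group("verb"), m.group("target"))
            for key, lines in sections.items() if "mountpoints2" in key.lower()
            for m in map(SHELL_CMD_RE.match, lines) if m]

def find_tmp_services(text):
    """(service, image) for R*/S* service lines whose resolved image is a .tmp file."""
    hits = []
    for m in filter(None, map(SERVICE_RE.match, (l.strip() for l in text.splitlines()))):
        image = m.group("image")
        if "-->" in image:  # ComboFix prints "\??\path --> resolved path"
            image = image.split("-->", 1)[1].strip()
        if image.lower().endswith(".tmp"):
            hits.append((m.group("name"), image))
    return hits

def find_security_overrides(sections):
    """Security Center *Override/DisableMonitoring = 1 and EnableFirewall = 0 entries."""
    hits = []
    for key, lines in sections.items():
        for line in lines:
            if ("security center" in key.lower() and OVERRIDE_RE.match(line)) or \
               ("firewallpolicy" in key.lower() and FIREWALL_OFF_RE.match(line)):
                hits.append((key, line))
    return hits

def triage(text):
    sections = parse_sections(text)
    return {"autoruns": find_mountpoint_autoruns(sections),
            "tmp_services": find_tmp_services(text),
            "overrides": find_security_overrides(sections)}

def build_cfscript(findings):
    """Draft a CFScript like the one in the post above: File:: for each autorun target that
    has a drive letter, Registry:: with [-key] to delete each offending mountpoints2 key."""
    files, keys = [], []
    for key, _verb, target in findings["autoruns"]:
        if re.match(r"^[a-z]:\\", target, re.I) and target not in files:
            files.append(target)
        if key not in keys:
            keys.append(key)
    return "\n".join(["File::", *files, "", "Registry::", *(f"[-{k}]" for k in keys)]) + "\n"

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for kind, items in result.items():
        print(kind, *items, sep="\n  ")
    print(build_cfscript(result))
```

The drafted script is only a starting point for the helper's review; the overrides and the .tmp service are reported but deliberately not written into it, since those need a decision rather than a blind delete.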


----------



## abloke (Jun 21, 2008)

ComboFix 09-02-08.02 - Rogue 2009-02-09 18:33:14.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.260 [GMT 2:00]
Running from: c:\documents and settings\Rogue\Desktop\Combo-Fix.exe
AV: AVG Internet Security *On-access scanning enabled* (Updated)
FW: AVG Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-09 to 2009-02-09 )))))))))))))))))))))))))))))))
.

2009-02-08 18:31 . 2009-02-08 18:31 d----c--- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-02-08 17:07 . 2009-02-08 17:07 d--hs---- c:\documents and settings\Rogue\UserData
2009-01-24 13:16 . 2009-01-24 13:16 d----c--- c:\documents and settings\All Users\Application Data\Symantec
2009-01-20 16:48 . 2009-01-20 16:48 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-20 16:48 . 2009-01-20 16:48 d-------- c:\documents and settings\Rogue\Application Data\Malwarebytes
2009-01-20 16:48 . 2009-01-20 16:48 d----c--- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-20 16:48 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-20 16:48 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-19 06:31 . 2009-01-19 06:31 d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-16 06:05 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-13 05:31 --------- dc----w c:\documents and settings\All Users\Application Data\Avg8
2009-01-09 18:50 --------- d-----w c:\documents and settings\Rogue\Application Data\Skype
2009-01-09 15:54 --------- d-----w c:\documents and settings\Rogue\Application Data\skypePM
2009-01-09 10:28 12,552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-01-09 10:28 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-04 01:04 --------- dc----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-01 10:15 --------- d-----w c:\program files\Mozilla Firefox 3 Beta 5
2008-12-31 12:31 --------- d-----w c:\program files\Microsoft Works
2008-12-29 18:20 --------- d-----w c:\documents and settings\Rogue\Application Data\AVGTOOLBAR
2008-12-23 09:40 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-23 08:45 --------- d-----w c:\program files\D-Link
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2007-09-01 14:15 1 -c--a-w c:\documents and settings\Rogue\SI.bin
2008-10-13 17:19 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008101320081014\index.dat
.

((((((((((((((((((((((((((((( [email protected]_12.26.01.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-31 15:04:36 502,120 ----a-w c:\windows\system32\OGAAddin.dll
+ 2008-12-31 15:04:42 691,560 ----a-w c:\windows\system32\OGACheckControl.dll
+ 2008-12-31 15:04:42 528,744 ----a-w c:\windows\system32\OGAVerify.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-06-21 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-06-21 21:06 66912 --a------ c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"USB Storage Toolbox"="c:\program files\USBToolbox\Res.EXE" [2002-01-15 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-09 1601304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SoundMan"="SOUNDMAN.EXE" [2005-03-24 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-09 12:28 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-07-24 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-07-24 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-07-24 107272]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-09 298264]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-01-09 1339600]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2008-07-24 29208]
S3 autorun;autorun;\??\c:\huadio.tmp --> c:\huadio.tmp [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2008-07-24 29208]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41ed8122-3ff2-11db-bcdb-00138f8db7d7}]
\Shell\AutoRun\command - g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
\Shell\open\command - g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d0af2c6-e31f-11dd-b782-00138f8db7d7}]
\Shell\AutoRun\command - SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system.exe
\Shell\open\command - SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb3d81c-1863-11dd-bf69-001349ab199f}]
\Shell\AutoRun\command - G:\xn1i9x.com
\Shell\explore\Command - G:\xn1i9x.com
\Shell\open\Command - G:\xn1i9x.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb3d81e-1863-11dd-bf69-001349ab199f}]
\Shell\AutoRun\command - xn1i9x.com
\Shell\explore\Command - xn1i9x.com
\Shell\open\Command - xn1i9x.com
.
Contents of the 'Scheduled Tasks' folder

2009-02-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2009-02-08 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]

2009-02-09 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]

2009-02-09 c:\windows\Tasks\SpywareBot Scheduled Scan.job
- c:\program files\SpywareBot\SpywareBot.exe []

2009-02-09 c:\windows\Tasks\SpywareBot Scheduled Scan.job
- c:\program files\SpywareBot []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.za/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {0C58BEB5-922E-440D-BD69-3894C5BD6EAD} = 196.43.34.190,196.43.46.190
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://192.168.4.252/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Rogue\Application Data\Mozilla\Firefox\Profiles\u3eksgh2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 18:37:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\autorun]
"ImagePath"="\??\c:\huadio.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\adsldpc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
.
**************************************************************************
.
Completion time: 2009-02-09 18:40:22 - machine was rebooted [Rogue]
ComboFix-quarantined-files.txt 2009-02-09 16:40:18
ComboFix2.txt 2009-02-08 06:48:36
ComboFix3.txt 2009-01-31 16:29:31
ComboFix4.txt 2009-01-28 12:14:34
ComboFix5.txt 2009-02-09 16:21:40

Pre-Run: 53,277,171,712 bytes free
Post-Run: 53,271,134,208 bytes free

176 --- E O F ---  2009-02-09 16:16:03


----------



## abloke (Jun 21, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:45:24 PM, on 2/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\USBToolbox\Res.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [USB Storage Toolbox] "C:\Program Files\USBToolbox\Res.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://192.168.4.252/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C58BEB5-922E-440D-BD69-3894C5BD6EAD}: NameServer = 196.43.34.190,196.43.46.190
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C58BEB5-922E-440D-BD69-3894C5BD6EAD}: NameServer = 196.43.34.190,196.43.46.190
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C58BEB5-922E-440D-BD69-3894C5BD6EAD}: NameServer = 196.43.34.190,196.43.46.190
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

--
End of file - 6422 bytes


----------



## abloke (Jun 21, 2008)

Hi Cookiegal
As always, thank you for your time and advice. Have posted the 2
logs as you requested in your last post.
Hopefully I executed the procedure correctly this time?


----------



## Cookiegal (Aug 27, 2003)

No, because if you did it would show this at the top:

Command switches used :: c:\documents and settings\Rogue\Desktop\CFScript.txt


----------



## abloke (Jun 21, 2008)

My apologies for that. I have assistance on Saturday
and will go through your post #75 again.


----------



## Cookiegal (Aug 27, 2003)

OK, sounds good.


----------



## abloke (Jun 21, 2008)

Hey
If we're gonna sort this it won't be here on TSG!
Really need your phone no.?


----------



## Cookiegal (Aug 27, 2003)

Sorry, no can do. We only provide assistance in the forums. Have you followed my instructions in post no. 75?


----------



## abloke (Jun 21, 2008)

ComboFix 09-02-19.01 - Rogue 2009-02-21 12:30:53.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.98 [GMT 2:00]
Running from: c:\documents and settings\Rogue\Desktop\Combo-Fix.exe
AV: AVG Internet Security *On-access scanning enabled* (Updated)
FW: AVG Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-21 to 2009-02-21 )))))))))))))))))))))))))))))))
.

2009-02-16 21:42 . 2009-02-16 21:42 d-------- c:\program files\TweakNow WinSecret
2009-02-16 21:42 . 2009-02-16 21:42 d-------- c:\documents and settings\Rogue\Application Data\TweakNow WinSecret
2009-02-08 18:31 . 2009-02-08 18:31 d----c--- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-02-08 17:07 . 2009-02-08 17:07 d--hs---- c:\documents and settings\Rogue\UserData
2009-01-24 13:16 . 2009-01-24 13:16 d----c--- c:\documents and settings\All Users\Application Data\Symantec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-11 12:37 --------- dc----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-20 14:48 --------- dc----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-20 14:48 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-20 14:48 --------- d-----w c:\documents and settings\Rogue\Application Data\Malwarebytes
2009-01-19 04:31 --------- d-----w c:\program files\Trend Micro
2009-01-16 06:05 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-14 14:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 14:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-13 05:31 --------- dc----w c:\documents and settings\All Users\Application Data\Avg8
2009-01-09 18:50 --------- d-----w c:\documents and settings\Rogue\Application Data\Skype
2009-01-09 15:54 --------- d-----w c:\documents and settings\Rogue\Application Data\skypePM
2009-01-09 10:28 12,552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-01-09 10:28 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-01 10:15 --------- d-----w c:\program files\Mozilla Firefox 3 Beta 5
2008-12-31 12:31 --------- d-----w c:\program files\Microsoft Works
2008-12-29 18:20 --------- d-----w c:\documents and settings\Rogue\Application Data\AVGTOOLBAR
2008-12-23 09:40 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-23 08:45 --------- d-----w c:\program files\D-Link
2007-09-01 14:15 1 -c--a-w c:\documents and settings\Rogue\SI.bin
2008-10-13 17:19 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008101320081014\index.dat
.

((((((((((((((((((((((((((((( [email protected]_12.26.01.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-16 20:38:34 124,928 -c----w c:\windows\ie7updates\KB961260-IE7\advpack.dll
+ 2008-10-16 20:38:34 347,136 -c----w c:\windows\ie7updates\KB961260-IE7\dxtmsft.dll
+ 2008-10-16 20:38:34 214,528 -c----w c:\windows\ie7updates\KB961260-IE7\dxtrans.dll
+ 2008-10-16 20:38:35 133,120 -c----w c:\windows\ie7updates\KB961260-IE7\extmgr.dll
+ 2008-10-16 20:38:35 63,488 -c----w c:\windows\ie7updates\KB961260-IE7\icardie.dll
+ 2008-10-16 13:11:09 70,656 -c----w c:\windows\ie7updates\KB961260-IE7\ie4uinit.exe
+ 2008-10-16 20:38:35 153,088 -c----w c:\windows\ie7updates\KB961260-IE7\ieakeng.dll
+ 2008-10-16 20:38:35 230,400 -c----w c:\windows\ie7updates\KB961260-IE7\ieaksie.dll
+ 2008-10-15 07:04:53 161,792 -c----w c:\windows\ie7updates\KB961260-IE7\ieakui.dll
+ 2008-10-16 20:38:35 383,488 -c----w c:\windows\ie7updates\KB961260-IE7\ieapfltr.dll
+ 2008-10-16 20:38:35 384,512 -c----w c:\windows\ie7updates\KB961260-IE7\iedkcs32.dll
+ 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\ie7updates\KB961260-IE7\ieframe.dll
+ 2008-10-16 20:38:37 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\iernonce.dll
+ 2008-10-16 20:38:37 267,776 -c----w c:\windows\ie7updates\KB961260-IE7\iertutil.dll
+ 2008-10-16 13:11:09 13,824 -c----w c:\windows\ie7updates\KB961260-IE7\ieudinit.exe
+ 2008-10-15 07:06:26 633,632 -c----w c:\windows\ie7updates\KB961260-IE7\iexplore.exe
+ 2008-10-16 20:38:37 27,648 -c----w c:\windows\ie7updates\KB961260-IE7\jsproxy.dll
+ 2008-10-16 20:38:37 459,264 -c----w c:\windows\ie7updates\KB961260-IE7\msfeeds.dll
+ 2008-10-16 20:38:37 52,224 -c----w c:\windows\ie7updates\KB961260-IE7\msfeedsbs.dll
+ 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\ie7updates\KB961260-IE7\mshtml.dll
+ 2008-10-16 20:38:38 477,696 -c----w c:\windows\ie7updates\KB961260-IE7\mshtmled.dll
+ 2008-10-16 20:38:38 193,024 -c----w c:\windows\ie7updates\KB961260-IE7\msrating.dll
+ 2008-10-16 20:38:39 671,232 -c----w c:\windows\ie7updates\KB961260-IE7\mstime.dll
+ 2008-10-16 20:38:39 102,912 -c----w c:\windows\ie7updates\KB961260-IE7\occache.dll
+ 2008-10-16 20:38:39 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\pngfilt.dll
+ 2007-03-06 01:22:41 213,216 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\updspapi.dll
+ 2008-10-16 20:38:39 105,984 -c----w c:\windows\ie7updates\KB961260-IE7\url.dll
+ 2008-10-16 20:38:39 1,160,192 -c----w c:\windows\ie7updates\KB961260-IE7\urlmon.dll
+ 2008-10-16 20:38:39 233,472 -c----w c:\windows\ie7updates\KB961260-IE7\webcheck.dll
+ 2008-10-16 20:38:40 826,368 -c----w c:\windows\ie7updates\KB961260-IE7\wininet.dll
+ 2007-08-24 05:01:22 147,304 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\DWGCNV.DLL
- 2009-01-14 04:45:41 593,920 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2009-02-11 12:37:34 593,920 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2009-01-14 04:45:41 12,288 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-02-11 12:37:34 12,288 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2009-01-14 04:45:41 86,016 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2009-02-11 12:37:34 86,016 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2009-01-14 04:45:41 135,168 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-02-11 12:37:34 135,168 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2009-01-14 04:45:41 11,264 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2009-02-11 12:37:34 11,264 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2009-01-14 04:45:41 27,136 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2009-02-11 12:37:34 27,136 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2009-01-14 04:45:41 4,096 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-02-11 12:37:34 4,096 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2009-01-14 04:45:41 794,624 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2009-02-11 12:37:34 794,624 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2009-01-14 04:45:41 249,856 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2009-02-11 12:37:34 249,856 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2009-01-14 04:45:41 61,440 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2009-02-11 12:37:34 61,440 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2009-01-14 04:45:41 23,040 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2009-02-11 12:37:35 23,040 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2009-01-14 04:45:41 286,720 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2009-02-11 12:37:34 286,720 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2009-01-14 04:45:40 409,600 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2009-02-11 12:37:34 409,600 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2009-01-04 01:02:28 20,240 ----a-r c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-02-11 12:37:02 20,240 ----a-r c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-01-04 01:02:29 217,864 ----a-r c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\misc.exe
+ 2009-02-11 12:37:02 217,864 ----a-r c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\misc.exe
- 2009-01-04 01:02:28 18,704 ----a-r c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-02-11 12:37:02 18,704 ----a-r c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-01-04 01:02:29 35,088 ----a-r c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-02-11 12:37:02 35,088 ----a-r c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-01-04 01:02:29 327,952 ----a-r c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\visicon.exe
+ 2009-02-11 12:37:02 327,952 ----a-r c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\visicon.exe
- 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2008-12-20 23:15:11 124,928 ----a-w c:\windows\system32\advpack.dll
- 2008-10-16 20:38:34 124,928 -c----w c:\windows\system32\dllcache\advpack.dll
+ 2008-12-20 23:15:11 124,928 -c----w c:\windows\system32\dllcache\advpack.dll
- 2008-10-16 20:38:34 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
- 2008-10-16 20:38:35 133,120 -c--a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-12-20 23:15:13 133,120 -c--a-w c:\windows\system32\dllcache\extmgr.dll
- 2008-10-16 20:38:35 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
+ 2008-12-20 23:15:13 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
- 2008-10-16 13:11:09 70,656 -c----w c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 -c----w c:\windows\system32\dllcache\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 -c----w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 -c----w c:\windows\system32\dllcache\ieakeng.dll
- 2008-10-16 20:38:35 230,400 -c----w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 -c----w c:\windows\system32\dllcache\ieaksie.dll
- 2008-10-15 07:04:53 161,792 -c--a-w c:\windows\system32\dllcache\ieakui.dll
+ 2008-12-19 05:23:56 161,792 -c--a-w c:\windows\system32\dllcache\ieakui.dll
- 2008-10-16 20:38:35 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 -c----w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 -c----w c:\windows\system32\dllcache\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\system32\dllcache\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 -c----w c:\windows\system32\dllcache\ieframe.dll
- 2008-10-16 20:38:37 44,544 -c----w c:\windows\system32\dllcache\iernonce.dll
+ 2008-12-20 23:15:21 44,544 -c----w c:\windows\system32\dllcache\iernonce.dll
- 2008-10-16 20:38:37 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
+ 2008-12-20 23:15:22 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
- 2008-10-16 13:11:09 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe
- 2008-10-15 07:06:26 633,632 -c----w c:\windows\system32\dllcache\iexplore.exe
+ 2008-12-19 05:25:25 634,024 -c----w c:\windows\system32\dllcache\iexplore.exe
- 2008-10-16 20:38:37 27,648 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
- 2008-10-16 20:38:37 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
- 2008-10-16 20:38:37 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-12-13 06:40:02 3,593,216 -c--a-w c:\windows\system32\dllcache\mshtml.dll
+ 2009-01-16 19:35:14 3,594,752 -c--a-w c:\windows\system32\dllcache\mshtml.dll
- 2008-10-16 20:38:38 477,696 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
- 2008-10-16 20:38:38 193,024 -c--a-w c:\windows\system32\dllcache\msrating.dll
+ 2008-12-20 23:15:31 193,024 -c--a-w c:\windows\system32\dllcache\msrating.dll
- 2008-10-16 20:38:39 671,232 -c--a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-12-20 23:15:32 671,232 -c--a-w c:\windows\system32\dllcache\mstime.dll
- 2008-10-16 20:38:39 102,912 -c----w c:\windows\system32\dllcache\occache.dll
+ 2008-12-20 23:15:38 102,912 -c----w c:\windows\system32\dllcache\occache.dll
- 2008-10-16 20:38:39 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
- 2008-10-16 20:38:39 105,984 -c----w c:\windows\system32\dllcache\url.dll
+ 2008-12-20 23:15:39 105,984 -c----w c:\windows\system32\dllcache\url.dll
- 2008-10-16 20:38:39 1,160,192 -c--a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 -c--a-w c:\windows\system32\dllcache\urlmon.dll
- 2008-10-16 20:38:39 233,472 -c----w c:\windows\system32\dllcache\webcheck.dll
+ 2008-12-20 23:15:40 233,472 -c----w c:\windows\system32\dllcache\webcheck.dll
- 2008-10-16 20:38:40 826,368 -c--a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-12-20 23:15:41 826,368 -c--a-w c:\windows\system32\dllcache\wininet.dll
- 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 ----a-w c:\windows\system32\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 ----a-w c:\windows\system32\dxtrans.dll
- 2008-10-16 20:38:35 133,120 ----a-w c:\windows\system32\extmgr.dll
+ 2008-12-20 23:15:13 133,120 ----a-w c:\windows\system32\extmgr.dll
- 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\icardie.dll
+ 2008-12-20 23:15:13 63,488 ----a-w c:\windows\system32\icardie.dll
- 2008-10-16 13:11:09 70,656 ----a-w c:\windows\system32\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 ----a-w c:\windows\system32\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 ----a-w c:\windows\system32\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 ----a-w c:\windows\system32\ieakeng.dll
- 2008-10-16 20:38:35 230,400 ----a-w c:\windows\system32\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 ----a-w c:\windows\system32\ieaksie.dll
- 2008-10-15 07:04:53 161,792 ----a-w c:\windows\system32\ieakui.dll
+ 2008-12-19 05:23:56 161,792 ----a-w c:\windows\system32\ieakui.dll
- 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 ----a-w c:\windows\system32\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 ----a-w c:\windows\system32\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 ----a-w c:\windows\system32\ieframe.dll
- 2008-10-16 20:38:37 44,544 ----a-w c:\windows\system32\iernonce.dll
+ 2008-12-20 23:15:21 44,544 ----a-w c:\windows\system32\iernonce.dll
- 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\iertutil.dll
+ 2008-12-20 23:15:22 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 ----a-w c:\windows\system32\ieudinit.exe
- 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 ----a-w c:\windows\system32\jsproxy.dll
- 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
+ 2009-02-03 23:21:12 21,244,864 ----a-w c:\windows\system32\MRT.exe
- 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 ----a-w c:\windows\system32\msfeeds.dll
- 2008-10-16 20:38:37 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
- 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2009-01-16 19:35:14 3,594,752 ----a-w c:\windows\system32\mshtml.dll
- 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 ----a-w c:\windows\system32\mshtmled.dll
- 2008-10-16 20:38:38 193,024 ----a-w c:\windows\system32\msrating.dll
+ 2008-12-20 23:15:31 193,024 ----a-w c:\windows\system32\msrating.dll
- 2008-10-16 20:38:39 671,232 ----a-w c:\windows\system32\mstime.dll
+ 2008-12-20 23:15:32 671,232 ----a-w c:\windows\system32\mstime.dll
- 2008-10-16 20:38:39 102,912 ----a-w c:\windows\system32\occache.dll
+ 2008-12-20 23:15:38 102,912 ----a-w c:\windows\system32\occache.dll
+ 2008-12-31 15:04:36 502,120 ----a-w c:\windows\system32\OGAAddin.dll
+ 2008-12-31 15:04:42 691,560 ----a-w c:\windows\system32\OGACheckControl.dll
+ 2008-12-31 15:04:42 528,744 ----a-w c:\windows\system32\OGAVerify.exe
- 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 ----a-w c:\windows\system32\pngfilt.dll
- 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
+ 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
- 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\url.dll
+ 2008-12-20 23:15:39 105,984 ----a-w c:\windows\system32\url.dll
- 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 ----a-w c:\windows\system32\urlmon.dll
- 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\webcheck.dll
+ 2008-12-20 23:15:40 233,472 ----a-w c:\windows\system32\webcheck.dll
- 2008-10-16 20:38:40 826,368 ----a-w c:\windows\system32\wininet.dll
+ 2008-12-20 23:15:41 826,368 ----a-w c:\windows\system32\wininet.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown


----------



## abloke (Jun 21, 2008)

Hi Cookiegal
Hope the above post is what you required?


----------



## abloke (Jun 21, 2008)

Hi again Cookiegal
Forgot to mention and also don't know if it has relevance to current
thread issue, but after the combo-Fix.exe, the pc shut down, it is supposed to I know, but then would not reboot, till I removed the
memory stick?


----------



## Cookiegal (Aug 27, 2003)

That is not the entire ComboFix log. Please post the rest of the log.


----------



## abloke (Jun 21, 2008)

Hi Cookiegal
You have diligently navigated me to areas of this pc where I had not
been before. I am positive that I copied & pasted the entire page
of the combo log; where the missing portions of the log are...well,
I think I'm the wrong person to ask.
I am logged in, yet page shows I'm offline. There, to my limited
pc knowledge appears to be other parties or person who has access
to this pc.
In one of your previous posts you asked how many users on this pc,
and again as far as I know it's only my son & myself (some family & friends have gone in to check their mail, but this happens so infrequently it's hardly worth mentioning).
Is it not an option that this pc has been hi-jacked? But then I'm
getting into an area that I know even less about.


----------



## abloke (Jun 21, 2008)

Hey I'm on line now,
Let's do this together?


----------



## abloke (Jun 21, 2008)

It's Kewl
You Pc guys stick together!
If one day i can repay you pc guys for your actual informative
advice I will, hope this site stimulates u accordingly?
I'm out of TSG!!!


----------



## abloke (Jun 21, 2008)

Bye


----------



## Cookiegal (Aug 27, 2003)

I'm sorry but this is not live tech support. I'm sorry you feel this way and wish you luck.


----------



## abloke (Jun 21, 2008)

My apologies again Cookiegal, for throwing my toys out of the cot!
You have been very patient & helpful & you don't deserve to be on 
the receiving end of my frustrations with my pc.
Every time I have posted a log, I have followed your prompts,
yet I never seem to get it right.
Anyway, I understand if you want to can this thread!!
Label it solved..perhaps..Dementia!!
As this may be my last post, Thank-you & TSG very much!!


----------



## abloke (Jun 21, 2008)

Hi Cookiegal
Want to send you some chocolates, as a peace-token.
Suppose I was already on my 2nd chance, do miss chatting to
you, and having you send me to places on this pc I didn't
know existed.
If you can this thread I understand...If I start a new thread,
will you assist me again. Have stocked up on Prozac so should
be more mild & mellow?


----------



## Cookiegal (Aug 27, 2003)

Well you had to mention chocolate, eh? 

OK, let's remove ComboFix by dragging it to the recycle bin and download a new version and post a new complete log please.

Please visit *Combofix Guide & Instructions * for instructions for downloading and running ComboFix.


----------



## abloke (Jun 21, 2008)

Thank you very much, Cookiegal

Possibly the only time I will be ahead of you, I did download a new
version of Combo, before posting my last log.
Why? you ask....well the combo icon disappeared from my desktop.

I don't have the time right now, but can follow your above prompts over the week-end. Think, you also requested a new hijack log?

Thank you and TSG again!


----------



## Cookiegal (Aug 27, 2003)

That's fine. Yes please post a new HijackThis log taken after running ComboFix.


----------



## abloke (Jun 21, 2008)

Hello Cookiegal
Just want to get my ducks in a row for when I do get around to the logs.
What was not complete with my last submission of the combo log?
Also, I know we are on the iexplore.exe lurgy, but this pc is odd at the best of times; I have the bought version of AVG 8, and for about 3 weeks now it has not found any new updates?
So just warning you, I do follow your prompts religiously,
But if there are omissions, it's the pc, think you've realized that I have
limited qualifications to be a reasonable hacker!


----------



## Cookiegal (Aug 27, 2003)

The end of the ComboFix log you posted was this:

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 


There should be several registry entries, a list of drivers, and other items after that until it reaches the end, where you would see E O F at the bottom.


----------
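The snapshot lines in the ComboFix log posted earlier in this thread and the reply above describing how a complete log should end both lend themselves to a small checker. The following Python is an added example, not ComboFix's code or anything posted by the participants: it parses the `-`/`+` snapshot lines (old and new snapshot, timestamp, size, attributes, path), reports which files were added, removed, resized or only re-timestamped, flags a well-known Windows binary name that turns up outside the directories Windows installs it to, and checks that the log ends with an end-of-file marker. The sample log (modelled on the posted one, with an invented temp-directory copy of iexplore.exe), the expected directories for iexplore.exe and svchost.exe, and the exact wording of the end marker are assumptions made for the example.

```python
"""Checker for the snapshot section of a ComboFix log.

Added example for this thread, not ComboFix's own code. Line format as seen
in the log posted above:
    <sign> <date> <time> <size> <attrs> <path>
where <sign> is '-' for the earlier snapshot and '+' for the current one.
"""
import re
from collections import defaultdict

SNAPSHOT_RE = re.compile(
    r"^(?P<sign>[+-]) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d[\d,]*) (?P<attrs>\S+) (?P<path>.+)$"
)

# Assumed install directories (Windows XP) for two binaries whose names the
# replies above say malware likes to borrow. Service-pack caches can hold
# further legitimate copies, so a hit is a lead to verify, not a verdict.
EXPECTED_DIRS = {
    "iexplore.exe": {"c:\\program files\\internet explorer",
                     "c:\\windows\\system32\\dllcache"},
    "svchost.exe": {"c:\\windows\\system32",
                    "c:\\windows\\system32\\dllcache"},
}

# Constructed sample modelled on the posted log; the temp-directory copy of
# iexplore.exe is invented to show a flagged entry.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((( SnapShot_2009-02-21_14.16.37.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-15 07:06:26 633,632 -c----w c:\windows\system32\dllcache\iexplore.exe
+ 2008-12-19 05:25:25 634,024 -c----w c:\windows\system32\dllcache\iexplore.exe
- 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2008-12-20 23:15:11 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2008-12-31 15:04:36 502,120 ----a-w c:\windows\system32\OGAAddin.dll
+ 2009-02-20 18:00:00 40,960 ----a-w c:\windows\temp\iexplore.exe
- 2003-02-20 16:43:50 131,072 ----a-w c:\windows\Microsoft.NET\Framework\v1.0.3705\mscormmc.dll
.
-- Snapshot reset to current date --
.
- - End Of File - - (constructed marker)
"""


def parse_snapshot_lines(text):
    """Map each lower-cased path to its '-' and/or '+' entry as (timestamp, size)."""
    entries = defaultdict(dict)
    for line in text.splitlines():
        m = SNAPSHOT_RE.match(line.strip())
        if not m:
            continue  # headers, '.', reset notices and the end marker are skipped
        size = int(m.group("size").replace(",", ""))
        entries[m.group("path").lower()][m.group("sign")] = (m.group("ts"), size)
    return entries


def classify_changes(entries):
    """Sort paths into added, removed, resized and touched (same size, new timestamp)."""
    result = {"added": [], "removed": [], "resized": [], "touched": []}
    for path, versions in sorted(entries.items()):
        old, new = versions.get("-"), versions.get("+")
        if old and new:
            if old[1] != new[1]:
                result["resized"].append((path, old[1], new[1]))
            else:
                result["touched"].append(path)
        elif new:
            result["added"].append(path)
        else:
            result["removed"].append(path)
    return result


def misplaced_system_names(entries):
    """Paths whose file name is a well-known Windows binary but whose directory is not an expected one."""
    hits = []
    for path in entries:
        directory, _, name = path.rpartition("\\")
        if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
            hits.append(path)
    return sorted(hits)


def log_is_complete(text):
    """True when the last non-empty line carries an end-of-file marker (assumed wording)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return bool(lines) and re.search(r"end of file|\bE\s?O\s?F\b", lines[-1], re.I) is not None


def report(text):
    """Run every check over one log and return the findings in one dict."""
    entries = parse_snapshot_lines(text)
    findings = classify_changes(entries)
    findings["misplaced"] = misplaced_system_names(entries)
    findings["complete"] = log_is_complete(text)
    return findings


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running it prints the findings per category. The resized dllcache copy of iexplore.exe matches the sizes in the log above and is what an Internet Explorer update looks like; a copy of the same name in a temp directory is the situation the earlier replies warn about and is the entry to look at more closely. A log that stops at the "Reg Loading Points" note, as the incomplete one did, fails the completeness check because no end marker follows.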



## abloke (Jun 21, 2008)

Thank-you for the info.
Should no entries be shown, how do i make them visible?


----------



## Cookiegal (Aug 27, 2003)

If they aren't there then the program didn't run properly. That could be due to not disabling all of your security programs. In that case, remove the copy you have, as it's likely damaged, and redownload another one. Then be sure to disconnect from the Internet and disable all security programs before running ComboFix.


----------



## abloke (Jun 21, 2008)

Hello Cookiegal
Just tried to post combo log full version, even you would have been
 , but get an error message that the text is too long 36943
& I must shorten it to 30000.
So back to square one, what must I take out?


----------



## Cookiegal (Aug 27, 2003)

Please upload it as an attachment.

If you can't upload it as one attachment then break it into two attachments.


----------



## abloke (Jun 21, 2008)

ComboFix 09-02-28.01 - Rogue 2009-03-01 10:00:38.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.219 [GMT 2:00]
Running from: c:\documents and settings\Rogue\Desktop\Combo-Fix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-02-01 to 2009-03-01 )))))))))))))))))))))))))))))))
.
2009-02-16 21:42 . 2009-02-16 21:42 d-------- c:\program files\TweakNow WinSecret
2009-02-16 21:42 . 2009-02-16 21:42 d-------- c:\documents and settings\Rogue\Application Data\TweakNow WinSecret
2009-02-08 18:31 . 2009-02-08 18:31 d----c--- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-02-08 17:07 . 2009-02-08 17:07 d--hs---- c:\documents and settings\Rogue\UserData
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 16:39 --------- dc----w c:\documents and settings\All Users\Application Data\Avg8
2009-02-21 13:34 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 12:37 --------- dc----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-11 08:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 08:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-24 11:16 --------- dc----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-20 14:48 --------- dc----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-20 14:48 --------- d-----w c:\documents and settings\Rogue\Application Data\Malwarebytes
2009-01-19 04:31 --------- d-----w c:\program files\Trend Micro
2009-01-09 18:50 --------- d-----w c:\documents and settings\Rogue\Application Data\Skype
2009-01-09 15:54 --------- d-----w c:\documents and settings\Rogue\Application Data\skypePM
2009-01-01 10:15 --------- d-----w c:\program files\Mozilla Firefox 3 Beta 5
2007-09-01 14:15 1 -c--a-w c:\documents and settings\Rogue\SI.bin
2008-10-13 17:19 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008101320081014\index.dat
.
((((((((((((((((((((((((((((( SnapShot_2009-02-21_14.16.37.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-26 16:19:52 68,608 ----a-w c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2009-02-26 16:20:04 72,192 ----a-w c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2009-02-26 16:20:05 4,308,992 ----a-w c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2009-02-26 16:20:06 482,304 ----a-w c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2009-02-26 16:20:01 2,878,976 ----a-w c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2009-02-26 16:19:46 258,048 ----a-w c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2009-02-26 16:19:46 114,176 ----a-w c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2009-02-26 16:20:11 260,096 ----a-w c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2009-02-26 16:19:56 5,025,792 ----a-w c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-02-26 16:19:51 10,752 ----a-w c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2009-02-26 16:19:46 503,808 ----a-w c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2009-02-26 16:19:48 13,312 ----a-w c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2009-02-26 16:20:02 8,192 ----a-w c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2009-02-26 16:20:03 36,864 ----a-w c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2009-02-26 16:20:03 5,632 ----a-w c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2009-02-26 16:19:49 413,696 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2009-02-26 16:19:49 36,864 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2009-02-26 16:19:50 647,168 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2009-02-26 16:19:50 73,728 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2009-02-26 16:19:48 745,472 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2009-02-26 16:20:13 110,592 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2009-02-26 16:20:13 372,736 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2009-02-26 16:19:44 28,672 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2009-02-26 16:20:12 667,648 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2009-02-26 16:20:13 5,632 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2009-02-26 16:19:45 12,800 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2009-02-26 16:19:44 32,768 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2009-02-26 16:19:45 7,168 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2009-02-26 16:20:08 110,592 ----a-w c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2009-02-26 16:19:52 81,920 ----a-w c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2009-02-26 16:20:09 389,120 ----a-w c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2009-02-26 16:20:06 716,800 ----a-w c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2009-02-26 16:19:47 884,736 ----a-w c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2009-02-26 16:20:01 5,050,368 ----a-w c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2009-02-26 16:19:54 188,416 ----a-w c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2009-02-26 16:19:53 397,312 ----a-w c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2009-02-26 16:19:54 81,920 ----a-w c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2009-02-26 16:20:10 700,416 ----a-w c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2009-02-26 16:20:07 368,640 ----a-w c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2009-02-26 16:20:11 258,048 ----a-w c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2009-02-26 16:20:07 299,008 ----a-w c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2009-02-26 16:20:08 131,072 ----a-w c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2009-02-26 16:19:51 258,048 ----a-w c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2009-02-26 16:19:54 114,688 ----a-w c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2009-02-26 16:20:12 835,584 ----a-w c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2009-02-26 16:19:57 86,016 ----a-w c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2009-02-26 16:19:57 823,296 ----a-w c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2009-02-26 16:19:58 5,316,608 ----a-w c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2009-02-26 16:19:59 2,035,712 ----a-w c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2009-02-26 16:20:10 3,018,752 ----a-w c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2009-02-26 17:06:12 26,624 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\38ef9867d0dbf34a9c7156e602f55592\Accessibility.ni.dll
+ 2009-02-26 17:06:14 860,160 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\88ed7cf0148a184e99f9ce6dd3b717df\AspNetMMCExt.ni.dll
+ 2009-02-26 17:06:15 237,568 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\5dbdfa762feb204dae62137f1f5955be\CustomMarshalers.ni.dll
+ 2009-02-26 17:06:14 15,360 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\8b2d3561654ddb44bcb8ddb0ab492f09\dfsvc.ni.exe
+ 2009-02-26 17:06:16 880,640 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\696fde021c85854eae35360a10b7a9b7\Microsoft.Build.Engine.ni.dll
+ 2009-02-26 17:06:17 81,920 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\e8d78c28302e03409e2aeb01cb65eedc\Microsoft.Build.Framework.ni.dll
+ 2009-02-26 17:06:20 1,691,648 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\d2fb2a5551757f48b61488e0e97d590d\Microsoft.Build.Tasks.ni.dll
+ 2009-02-26 17:06:20 163,840 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\04b07274b677e5449b326a63452561d9\Microsoft.Build.Utilities.ni.dll
+ 2009-02-26 16:20:55 11,415,552 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\d9799756b88d134caa0b1a790e4ff1b4\mscorlib.ni.dll
+ 2009-02-26 17:06:22 1,712,128 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\37ee13404b2632448395c2ca5d5bc45e\System.Deployment.ni.dll
+ 2009-02-26 17:06:24 1,220,608 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\a6ae8893940f0d408779a2a52fa30d9b\System.DirectoryServices.ni.dll
+ 2009-02-26 17:06:25 512,000 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\d0c6de75634bd14190655b01400b5341\System.DirectoryServices.Protocols.ni.dll
+ 2009-02-26 17:06:26 229,376 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\645acb53d142b6458134d6bfe8a2e8f3\System.Drawing.Design.ni.dll
+ 2009-02-26 17:06:27 659,456 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\213656796b994d48b71096bc449e4356\System.EnterpriseServices.ni.dll
+ 2009-02-26 17:06:27 294,912 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\213656796b994d48b71096bc449e4356\System.EnterpriseServices.Wrapper.dll
+ 2009-02-26 17:06:29 729,088 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\e1d33f5d07e3f1498c5d4280ff0dbc36\System.Security.ni.dll
+ 2009-02-26 16:21:13 8,093,696 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System\16eb2a9fdc7ae54abc83250756be0555\System.ni.dll
+ 2005-09-23 05:28:52 72,704 ----a-w c:\windows\Microsoft.NET\Framework\NETFXSBS10.exe
+ 2005-09-23 05:29:04 5,120 ----a-w c:\windows\Microsoft.NET\Framework\sbs_diasymreader.dll
+ 2005-09-23 05:29:04 5,120 ----a-w c:\windows\Microsoft.NET\Framework\sbs_iehost.dll
+ 2005-09-23 05:29:04 5,120 ----a-w c:\windows\Microsoft.NET\Framework\sbs_microsoft.jscript.dll
+ 2005-09-23 05:29:04 5,632 ----a-w c:\windows\Microsoft.NET\Framework\sbs_microsoft.vsa.vb.codedomprocessor.dll
+ 2005-09-23 05:29:04 5,120 ----a-w c:\windows\Microsoft.NET\Framework\sbs_mscordbi.dll
+ 2005-09-23 05:29:04 5,120 ----a-w c:\windows\Microsoft.NET\Framework\sbs_mscorrc.dll
+ 2005-09-23 05:29:04 5,120 ----a-w c:\windows\Microsoft.NET\Framework\sbs_mscorsec.dll
+ 2005-09-23 05:29:04 5,120 ----a-w c:\windows\Microsoft.NET\Framework\sbs_system.configuration.install.dll
+ 2005-09-23 05:29:04 5,120 ----a-w c:\windows\Microsoft.NET\Framework\sbs_system.data.dll
+ 2005-09-23 05:29:04 5,120 ----a-w c:\windows\Microsoft.NET\Framework\sbs_system.enterpriseservices.dll
+ 2005-09-23 05:29:04 5,120 ----a-w c:\windows\Microsoft.NET\Framework\sbs_VsaVb7rt.dll
+ 2005-09-23 05:29:04 5,120 ----a-w c:\windows\Microsoft.NET\Framework\sbs_wminet_utils.dll
+ 2005-09-23 05:28:52 7,680 ----a-w c:\windows\Microsoft.NET\Framework\sbscmp10.dll
+ 2005-09-23 05:28:56 7,680 ----a-w c:\windows\Microsoft.NET\Framework\sbscmp20_mscorwks.dll
+ 2005-09-23 05:28:58 7,680 ----a-w c:\windows\Microsoft.NET\Framework\sbscmp20_perfcounter.dll
+ 2005-09-23 05:28:56 7,680 ----a-w c:\windows\Microsoft.NET\Framework\SharedReg12.dll
- 2003-02-20 16:43:50 131,072 ----a-w c:\windows\Microsoft.NET\Framework\v1.0.3705\mscormmc.dll
+ 2005-09-23 05:28:52 86,528 ----a-w c:\windows\Microsoft.NET\Framework\v1.0.3705\mscormmc.dll
+ 2005-09-23 05:28:36 18,944 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\1033\alinkui.dll
+ 2005-09-23 05:28:42 136,192 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\1033\cscompui.dll
+ 2005-09-23 05:28:44 4,608 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\1033\CvtResUI.dll
+ 2005-09-23 05:29:04 183,808 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\1033\vbc7ui.dll
+ 2005-09-23 05:28:28 208,896 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\1033\Vsavb7rtUI.dll
+ 2005-09-23 05:28:56 10,752 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Accessibility.dll
+ 2005-09-23 05:28:58 138,240 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\AdoNetDiag.dll
+ 2005-09-23 05:28:36 87,552 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\alink.dll
+ 2005-09-23 05:28:58 55,488 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
+ 2005-09-23 05:28:32 36,864 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
+ 2005-09-23 05:28:32 10,752 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_filter.dll
+ 2005-09-23 05:28:32 8,192 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll
+ 2005-09-23 05:28:32 23,552 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Aspnet_perf.dll
+ 2005-09-23 05:28:32 70,656 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_rc.dll
+ 2005-09-23 05:28:32 13,824 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe
+ 2005-09-23 05:28:32 26,824 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe
+ 2005-09-23 05:28:32 106,496 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
+ 2005-09-23 05:28:32 29,896 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
+ 2005-09-23 05:28:32 29,888 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
+ 2005-09-23 05:28:32 503,808 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\AspNetMMCExt.dll
+ 2005-09-23 05:28:56 106,496 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
+ 2005-09-23 05:28:56 88,576 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\CORPerfMonExt.dll
+ 2005-09-23 05:28:42 76,984 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
+ 2005-09-23 05:28:42 1,144,832 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\cscomp.dll
+ 2005-09-23 05:28:42 13,312 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\cscompmgd.dll
+ 2005-09-23 05:28:58 17,920 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
+ 2005-09-23 05:28:56 68,608 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\CustomMarshalers.dll
+ 2005-09-23 05:28:44 31,936 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
+ 2005-09-23 05:28:38 52,736 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\dfdll.dll
+ 2005-09-23 05:28:38 4,608 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
+ 2005-09-23 05:29:12 547,840 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
+ 2005-09-23 05:28:56 788,992 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll
+ 2005-09-23 05:28:50 9,216 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\fusion.dll
+ 2005-09-23 05:28:56 9,728 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe
+ 2005-09-23 05:28:56 8,192 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\IEExecRemote.dll
+ 2005-09-23 05:28:56 36,864 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\IEHost.dll
+ 2005-09-23 05:28:56 5,632 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\IIEHost.dll
+ 2005-09-23 05:28:56 224,952 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
+ 2005-09-23 05:28:56 28,672 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
+ 2005-09-23 05:28:56 55,296 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\InstallUtilLib.dll
+ 2005-09-23 05:28:56 72,192 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\ISymWrapper.dll
+ 2005-09-23 05:28:48 40,960 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe
+ 2005-09-23 05:01:16 609,472 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
+ 2005-09-23 04:29:48 80,896 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1025.dll
+ 2005-09-23 04:32:24 80,896 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1028.dll
+ 2005-09-23 04:34:10 82,944 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1029.dll
+ 2005-09-23 04:34:12 81,920 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1030.dll
+ 2005-09-23 04:34:44 85,504 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1031.dll
+ 2005-09-23 04:36:24 87,552 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1032.dll
+ 2005-09-23 01:46:14 80,896 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1033.dll
+ 2005-09-23 04:38:26 81,408 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1035.dll
+ 2005-09-23 04:38:52 86,016 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1036.dll
+ 2005-09-23 04:40:30 80,896 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1037.dll
+ 2005-09-23 04:40:32 83,968 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1038.dll
+ 2005-09-23 04:40:56 84,480 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1040.dll
+ 2005-09-23 04:42:58 80,896 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1041.dll
+ 2005-09-23 04:44:58 80,896 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1042.dll
+ 2005-09-23 04:46:38 83,456 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1043.dll
+ 2005-09-23 04:46:38 81,920 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1044.dll
+ 2005-09-23 04:46:40 83,456 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1045.dll
+ 2005-09-23 04:47:04 82,432 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1046.dll
+ 2005-09-23 04:47:30 82,432 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1049.dll
+ 2005-09-23 04:47:32 81,920 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1053.dll
+ 2005-09-23 04:47:32 80,896 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1055.dll
+ 2005-09-23 04:30:18 80,896 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.2052.dll
+ 2005-09-23 04:47:06 84,480 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.2070.dll
+ 2005-09-23 04:29:50 80,896 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.3076.dll
+ 2005-09-23 04:36:48 85,504 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.3082.dll
+ 2005-09-23 05:57:06 245,408 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\unicows.dll
+ 2005-09-23 05:28:48 413,696 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Engine.dll
+ 2005-09-23 05:28:48 36,864 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Framework.dll
+ 2005-09-23 05:28:48 647,168 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Tasks.dll
+ 2005-09-23 05:28:48 73,728 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Utilities.dll
+ 2005-09-23 05:28:48 745,472 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.JScript.dll
+ 2005-09-23 05:29:10 110,592 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2005-09-23 05:29:10 372,736 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Compatibility.dll
+ 2005-09-23 05:29:08 667,648 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.dll
+ 2005-09-23 05:28:30 28,672 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Vsa.dll
+ 2005-09-23 05:29:10 5,632 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualC.Dll
+ 2005-09-23 05:28:30 32,768 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.dll
+ 2005-09-23 05:28:30 12,800 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2005-09-23 05:28:30 7,168 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft_VsaVb.dll
+ 2005-09-23 05:28:32 87,552 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\MmcAspExt.dll
+ 2005-09-23 05:28:48 69,632 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
+ 2005-09-23 05:28:56 800,768 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2005-09-23 05:28:56 73,216 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordbc.dll
+ 2005-09-23 05:28:56 288,768 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll
+ 2005-09-23 05:28:56 36,864 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorie.dll
+ 2005-09-23 05:28:56 326,144 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
+ 2005-09-23 05:28:56 81,408 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorld.dll
+ 2005-09-23 05:28:56 4,308,992 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
+ 2005-09-23 05:28:56 102,400 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorpe.dll
+ 2005-09-23 05:29:00 330,752 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
+ 2005-09-23 05:28:56 67,072 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll
+ 2005-09-23 05:28:50 9,216 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsn.dll
+ 2005-09-23 05:28:56 226,816 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvc.dll
+ 2005-09-23 05:28:56 66,240 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
+ 2005-09-23 05:28:56 10,240 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\mscortim.dll
+ 2005-09-23 05:28:50 5,615,616 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
+ 2005-09-23 05:29:00 22,528 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\MUI\0409\mscorsecr.dll
+ 2005-09-23 05:28:56 96,440 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
+ 2005-09-23 05:28:56 14,848 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\normalization.dll
+ 2005-09-23 05:28:56 78,336 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\PerfCounter.dll
+ 2005-09-23 05:28:50 136,192 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\peverify.dll
+ 2005-09-23 05:28:56 53,248 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
+ 2005-09-23 05:28:56 32,768 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
+ 2005-09-23 05:29:02 59,072 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\regtlibv12.exe
+ 2005-09-23 05:28:58 7,680 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\sbscmp20_mscorlib.dll
+ 2005-09-23 05:28:56 107,520 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\shfusion.dll
+ 2005-09-23 05:29:00 85,504 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\ShFusRes.dll
+ 2005-09-23 05:28:56 377,344 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\SOS.dll
+ 2005-09-23 05:28:56 110,592 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\sysglobl.dll
+ 2005-09-23 05:28:58 389,120 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.configuration.dll
+ 2005-09-23 05:28:56 81,920 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Configuration.Install.dll
+ 2005-09-23 05:28:56 2,878,976 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Data.dll
+ 2005-09-23 05:28:56 482,304 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Data.OracleClient.dll
+ 2005-09-23 05:28:56 716,800 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Data.SqlXml.dll
+ 2005-09-23 05:28:38 884,736 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Deployment.dll
+ 2005-09-23 05:28:56 5,050,368 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Design.dll
+ 2005-09-23 05:28:56 397,312 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.DirectoryServices.dll
+ 2005-09-23 05:28:56 188,416 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.DirectoryServices.Protocols.dll
+ 2005-09-23 05:28:56 3,018,752 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.dll
+ 2005-09-23 05:28:56 81,920 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Drawing.Design.dll
+ 2005-09-23 05:28:56 700,416 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Drawing.dll


----------



## abloke (Jun 21, 2008)

+ 2005-09-23 05:28:56 258,048 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.dll
+ 2005-09-23 05:28:56 47,616 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.Thunk.dll
+ 2005-09-23 05:28:56 114,176 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.Wrapper.dll
+ 2005-09-23 05:28:56 368,640 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Management.dll
+ 2005-09-23 05:28:56 258,048 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Messaging.dll
+ 2005-09-23 05:28:56 299,008 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Runtime.Remoting.dll
+ 2005-09-23 05:28:56 131,072 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Runtime.Serialization.Formatters.Soap.dll
+ 2005-09-23 05:28:56 258,048 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Security.dll
+ 2005-09-23 05:28:56 114,688 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.ServiceProcess.dll
+ 2005-09-23 05:28:56 260,096 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Transactions.dll
+ 2005-09-23 05:28:56 5,025,792 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
+ 2005-09-23 05:28:56 835,584 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.Mobile.dll
+ 2005-09-23 05:28:56 86,016 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.RegularExpressions.dll
+ 2005-09-23 05:28:56 823,296 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.Services.dll
+ 2005-09-23 05:28:56 5,316,608 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Windows.Forms.dll
+ 2005-09-23 05:28:56 2,035,712 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\System.XML.dll
+ 2005-09-23 05:28:56 71,680 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\TLBREF.DLL
+ 2005-09-23 05:29:06 1,140,920 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
+ 2005-09-23 05:28:30 1,306,624 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\VsaVb7rt.dll
+ 2005-09-23 05:28:32 298,496 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll
+ 2005-09-23 05:28:56 28,160 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\WMINet_Utils.dll
+ 2005-09-23 05:28:38 83,456 ----a-w c:\windows\system32\dfshim.dll
+ 2008-06-17 19:02:19 8,461,312 -c----w c:\windows\system32\dllcache\shell32.dll
+ 2005-09-23 05:28:52 270,848 ----a-w c:\windows\system32\mscoree.dll
+ 2005-09-23 05:28:52 150,016 ----a-w c:\windows\system32\mscorier.dll
- 2003-02-20 17:09:14 106,496 ----a-w c:\windows\system32\mscories.dll
+ 2005-09-23 05:28:52 74,240 ----a-w c:\windows\system32\mscories.dll
+ 2005-09-23 05:29:00 6,144 ----a-w c:\windows\system32\mui\0409\mscorees.dll
+ 2005-09-23 05:28:56 32,768 ----a-w c:\windows\system32\netfxperf.dll
- 2008-12-13 13:05:05 40,952 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-26 16:20:22 52,220 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-13 13:05:05 314,816 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-26 16:20:22 340,128 ----a-w c:\windows\system32\perfh009.dat
- 2008-04-14 00:12:05 8,461,312 ----a-w c:\windows\system32\shell32.dll
+ 2008-06-17 19:02:19 8,461,312 ----a-w c:\windows\system32\shell32.dll
+ 2009-02-26 16:19:46 258,048 ----a-w c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2009-02-26 16:19:46 114,176 ----a-w c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-06-21 66912]
[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-06-21 21:06 66912 --a------ c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"USB Storage Toolbox"="c:\program files\USBToolbox\Res.EXE" [2002-01-15 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SoundMan"="SOUNDMAN.EXE" [2005-03-24 c:\windows\SOUNDMAN.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 autorun;autorun;\??\c:\huadio.tmp --> c:\huadio.tmp [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41ed8122-3ff2-11db-bcdb-00138f8db7d7}]
\Shell\AutoRun\command - g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
\Shell\open\command - g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d0af2c6-e31f-11dd-b782-00138f8db7d7}]
\Shell\AutoRun\command - SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system.exe
\Shell\open\command - SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb3d81c-1863-11dd-bf69-001349ab199f}]
\Shell\AutoRun\command - G:\xn1i9x.com
\Shell\explore\Command - G:\xn1i9x.com
\Shell\open\Command - G:\xn1i9x.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb3d81e-1863-11dd-bf69-001349ab199f}]
\Shell\AutoRun\command - xn1i9x.com
\Shell\explore\Command - xn1i9x.com
\Shell\open\Command - xn1i9x.com
.
Contents of the 'Scheduled Tasks' folder
2009-03-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
2009-02-28 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]
2009-03-01 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]
2009-02-27 c:\windows\Tasks\SpywareBot Scheduled Scan.job
- c:\program files\SpywareBot\SpywareBot.exe []
2009-02-27 c:\windows\Tasks\SpywareBot Scheduled Scan.job
- c:\program files\SpywareBot []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.za/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {0C58BEB5-922E-440D-BD69-3894C5BD6EAD} = 196.43.34.190,196.43.46.190
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://192.168.4.252/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Rogue\Application Data\Mozilla\Firefox\Profiles\u3eksgh2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-01 10:03:57
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\autorun]
"ImagePath"="\??\c:\huadio.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2009-03-01 10:05:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-01 08:05:52
ComboFix2.txt 2009-02-21 12:18:13
ComboFix3.txt 2009-02-09 16:40:24
ComboFix4.txt 2009-02-08 06:48:36
ComboFix5.txt 2009-03-01 08:00:01
Pre-Run: 52,896,260,096 bytes free
Post-Run: 52,927,025,152 bytes free
394 --- E O F --- 2009-02-27 10:22:25
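The "Reg Loading Points" section of the ComboFix log above carries the three artifacts that matter on this machine: Security Center values that silence the antivirus and monitoring warnings, a service named autorun whose image is c:\huadio.tmp, and MountPoints2 shell handlers that launch ise32.exe and xn1i9x.com from a removable drive. The Python below is an added example, not part of the thread and not ComboFix's or any tool's code: it runs those three checks over lines copied from the log. The SECURITY_CENTER_FLAGS set, the path heuristics and the reading of ComboFix's trailing [?] as "no file date/size recorded" are assumptions of this example.

```python
import re

# Lines copied from the "Reg Loading Points" section of the ComboFix log above
# (not constructed). The benign WinDefend service line is kept as a negative case.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 autorun;autorun;\??\c:\huadio.tmp --> c:\huadio.tmp [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41ed8122-3ff2-11db-bcdb-00138f8db7d7}]
\Shell\AutoRun\command - g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
\Shell\open\command - g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb3d81e-1863-11dd-bf69-001349ab199f}]
\Shell\AutoRun\command - xn1i9x.com
\Shell\explore\Command - xn1i9x.com
\Shell\open\Command - xn1i9x.com
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
MOUNTPOINT_RE = re.compile(r"\\mountpoints2\\(\{[0-9a-f-]+\})$", re.I)
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-f]{8})$', re.I)
SHELL_CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)$")
ABS_PATH_RE = re.compile(r"^[a-z]:\\", re.I)
DRIVE_ROOT_FILE_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.I)

# XP Security Center values that, when set to 1, silence its AV/firewall/update
# warnings. Assumed list for this example; vendor subkeys under Monitoring\ are
# normally written by the AV product itself and are not in the sample.
SECURITY_CENTER_FLAGS = {
    "AntiVirusOverride", "AntiVirusDisableNotify", "FirewallOverride",
    "FirewallDisableNotify", "UpdatesDisableNotify", "DisableMonitoring",
}
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")


def audit_reg_loading_points(text):
    """Walk the section line by line and return a list of finding dicts."""
    findings = []
    current_key = None
    mountpoint_guid = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            mp = MOUNTPOINT_RE.search(current_key)
            mountpoint_guid = mp.group(1).lower() if mp else None
            continue

        m = DWORD_RE.match(line)
        if m and current_key and "security center" in current_key.lower():
            name, value = m.group(1), int(m.group(2), 16)
            if name in SECURITY_CENTER_FLAGS and value == 1:
                findings.append({"kind": "security-center", "key": current_key, "name": name})
            continue

        m = SHELL_CMD_RE.match(line)
        if m and mountpoint_guid:
            verb, target = m.group(1).lower(), m.group(2).strip()
            findings.append({
                "kind": "mountpoints2", "guid": mountpoint_guid, "verb": verb, "target": target,
                # No drive letter: Explorer resolves the command against the root of
                # the volume that GUID stands for, the way autorun.inf worms write it.
                "relative": not ABS_PATH_RE.match(target),
                "executable": target.lower().endswith(EXEC_EXT),
            })
            continue

        m = SERVICE_RE.match(line)
        if m:
            state, name, _display, rest = m.groups()
            image = rest.split(" -->")[0].split(" [")[0].strip()
            if image.startswith("\\??\\"):  # NT object-manager prefix, not part of the path
                image = image[4:]
            reasons = []
            if rest.rstrip().endswith("[?]"):
                reasons.append("no file date/size recorded for the image")
            if image.lower().endswith(".tmp"):
                reasons.append("service image has a .tmp extension")
            if DRIVE_ROOT_FILE_RE.match(image):
                reasons.append("service image sits directly in the drive root")
            if reasons:
                findings.append({"kind": "service", "state": state, "name": name,
                                 "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_reg_loading_points(SAMPLE_LOG):
        print(finding)
```

Any Shell\...\command under MountPoints2 deserves a look, but the giveaway is a relative target with an executable extension, as in the {bbb3d81e-...} entry: Explorer resolves it against the root of whatever volume carries that GUID, which is exactly how an autorun.inf worm arranges to be launched on every insert. The service check is deliberately narrow; a legitimate service image in a drive root with no date or size recorded is rare enough that all three reasons firing together, as they do for autorun, is worth quarantining.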


----------



## abloke (Jun 21, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:03 AM, on 3/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\USBToolbox\Res.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [USB Storage Toolbox] "C:\Program Files\USBToolbox\Res.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://192.168.4.252/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C58BEB5-922E-440D-BD69-3894C5BD6EAD}: NameServer = 196.43.34.190,196.43.46.190
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C58BEB5-922E-440D-BD69-3894C5BD6EAD}: NameServer = 196.43.34.190,196.43.46.190
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C58BEB5-922E-440D-BD69-3894C5BD6EAD}: NameServer = 196.43.34.190,196.43.46.190
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
--
End of file - 5546 bytes
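A name like svchost.exe or iexplore.exe says nothing on its own; the directory it runs from does, and a near-miss spelling such as ixplore.exe is a different file altogether. The Python below is an added example, not from the thread and not part of HijackThis: it takes the Running processes list of the log above, plus four entries constructed for the example and marked in the code, and flags a well-known name running from the wrong directory or a lookalike of one. The EXPECTED_DIR table assumes a 32-bit Windows XP installed at C:\WINDOWS, as the log's paths show, and the edit-distance threshold of 2 is a choice of this example.

```python
import ntpath

# Running-process list copied from the HijackThis log above, followed by four
# entries constructed for this example (not present in the posted log).
PROCESSES = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\system32\services.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Program Files\Windows Defender\MsMpEng.exe",
    r"C:\WINDOWS\system32\spoolsv.exe",
    r"C:\WINDOWS\system32\userinit.exe",
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe",
    # --- constructed cases below ---
    r"C:\WINDOWS\ixplore.exe",                                           # near-miss of iexplore.exe
    r"C:\Documents and Settings\Rogue\Local Settings\Temp\svchost.exe",  # right name, wrong place
    r"C:\WINDOWS\scvhost.exe",                                           # transposed svchost.exe
    r"C:\Program Files\Internet Explorer\iexplore.exe",                  # the genuine IE path
]

# Where each commonly borrowed name belongs on a 32-bit Windows XP install at
# C:\WINDOWS (assumed from the paths in the log; adjust for other layouts).
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
}
LOOKALIKE_MAX_DISTANCE = 2  # one dropped letter, or one transposition (two substitutions)


def levenshtein(a, b):
    """Plain edit distance; small enough to inline rather than pull a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_process(path):
    """Return a finding dict for a suspicious image path, or None if it looks normal."""
    directory, name = ntpath.split(path)  # ntpath splits on backslashes on any host OS
    name_l, dir_l = name.lower(), directory.lower()
    if name_l in EXPECTED_DIR:
        if dir_l != EXPECTED_DIR[name_l]:
            return {"kind": "wrong-location", "name": name, "path": path,
                    "expected_dir": EXPECTED_DIR[name_l]}
        return None
    closest = min(EXPECTED_DIR, key=lambda known: levenshtein(name_l, known))
    if levenshtein(name_l, closest) <= LOOKALIKE_MAX_DISTANCE:
        return {"kind": "lookalike", "name": name, "path": path, "closest": closest}
    return None


def audit_processes(paths):
    """Apply classify_process to every path and keep only the findings."""
    return [f for f in map(classify_process, paths) if f]


if __name__ == "__main__":
    for finding in audit_processes(PROCESSES):
        print(finding)
```

A clean path is necessary, not sufficient: the genuine binary can still be patched on disk or have code injected into it at run time, so the next step is a hash or Authenticode check of the file (Sysinternals sigcheck does both) and a look at which process started it. The lookalike check is only as good as its table; keep EXPECTED_DIR to names that malware actually borrows, or benign vendor executables will start tripping the distance threshold.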


----------



## abloke (Jun 21, 2008)

Hope I dished up correctly today?


----------



## abloke (Jun 21, 2008)

Hi Cookiegal
Seems I got the menu wrong again!...?


----------



## abloke (Jun 21, 2008)

Hi Cookiegal
Thankx for all your assistance & effort with this thread & my
non-compliant PC status. Haven't heard from you this week, so I'm
assuming that I incorrectly submitted logs or that you've reached the
end of your goodwill quota with this thread.
Thank-you & TSG again.


----------



## Cookiegal (Aug 27, 2003)

I'm sorry, I didn't abandon you. I've just been swamped lately. 

Go to the Control Panel - Add or Remove programs and remove:

*Ask Toolbar*

Insert your external drive that normally shows as your G drive before doing all of the following:

Download *Flash_Disinfector.exe by sUBs* from *here* and save it to your desktop.

- Double-click *Flash_Disinfector.exe* to run it and follow any prompts that may appear.
- The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
- Wait until it has finished scanning and then exit the program.
- Reboot your computer when done.

*Note*: _Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection._

Open Notepad and copy and paste the text in the code box below into it:


```
File::
G:\xn1i9x.com
g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
C:\windows\Tasks\SpywareBot Scheduled Scan.job

Folder::
c:\program files\AskSBar
c:\program files\SpywareBot

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"=-
[-HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41ed8122-3ff2-11db-bcdb-00138f8db7d7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d0af2c6-e31f-11dd-b782-00138f8db7d7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb3d81c-1863-11dd-bf69-001349ab199f}]
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.


This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*
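The note above says Flash_Disinfector leaves a hidden autorun.inf folder on each drive. The Python below is an added example of that mechanism, not Flash_Disinfector's code and not from the thread: it creates a directory named autorun.inf in a volume root, sets the hidden/system/read-only attributes when running on Windows, and then shows that the file creation a USB worm attempts fails because the name is already taken. The autorun.inf content written by the simulated worm is constructed for the example; only the filename xn1i9x.com comes from the log.

```python
import os
import sys
import tempfile

# Win32 file attribute bits (documented constants, used only on Windows below).
FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04


def protect_volume(root):
    """Create a directory named autorun.inf in the root of `root`.

    NTFS/FAT names are unique per directory regardless of type, so a worm that
    tries to drop a *file* called autorun.inf afterwards fails. Returns the path.
    """
    target = os.path.join(root, "autorun.inf")
    if os.path.isfile(target):
        # A real autorun.inf is already there: inspect it, don't silently replace it.
        raise FileExistsError(f"{target} exists as a file; examine it first")
    os.makedirs(target, exist_ok=True)
    if sys.platform == "win32":
        import ctypes  # attributes are a Win32 concept; skipped on other hosts
        attrs = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
        if not ctypes.windll.kernel32.SetFileAttributesW(target, attrs):
            raise ctypes.WinError()
    return target


def can_drop_autorun_inf(root):
    """Do what a USB worm does: try to create or overwrite root\\autorun.inf."""
    try:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            # Constructed payload for the example; 'open=' is the autorun.inf
            # directive that names the program to launch on insert.
            fh.write("[autorun]\nopen=xn1i9x.com\n")
        return True
    except OSError:  # IsADirectoryError on POSIX, PermissionError on Windows
        return False


def demo():
    """Return (writable before protection, writable after protection)."""
    with tempfile.TemporaryDirectory() as root:
        before = can_drop_autorun_inf(root)       # True: nothing stops it yet
        os.remove(os.path.join(root, "autorun.inf"))
        protect_volume(root)
        after = can_drop_autorun_inf(root)        # False: the name is a directory now
        return before, after


if __name__ == "__main__":
    print(demo())
```

This is a speed bump, not a fix: anything running with the user's rights can remove the directory and write its own file, and the attributes only deter casual deletion. The durable setting on XP is to stop Explorer from honouring autorun.inf on removable drives at all, through the NoDriveTypeAutoRun policy, so that the MountPoints2 handlers seen in the ComboFix log are never created in the first place.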


----------



## abloke (Jun 21, 2008)

Glad you are ok, and it was just being swamped that kept you away;
in fact I can hear the Lynyrd Skynyrd swamp music playing in the background.
Sorry, your last post: is that the same instructions as posts 46, 75 & 110?
So my log submission was not correct then?


----------



## abloke (Jun 21, 2008)

OK, I see it's not the same as the previous posts.

Whilst attempting to remove ask toolbar

received the following error message.

Rundll
Error loading C:\PROGRA~1\ASKSBAR\bar\1Bin\AskSBar.dll

The specified module could not be found.

Thank-you


----------



## Cookiegal (Aug 27, 2003)

That's OK. Were you able to run the ComboFix CFScript? If so, I need to see the log after running it please.


----------



## abloke (Jun 21, 2008)

ComboFix 09-03-04.01 - Rogue 2009-03-07 12:36:22.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.251 [GMT 2:00]
Running from: c:\documents and settings\Rogue\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Rogue\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\Tasks\SpywareBot Scheduled Scan.job
g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
G:\xn1i9x.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AskSBar
c:\program files\AskSBar\bar\1.bin\A2FFXTBR.JAR
c:\program files\AskSBar\bar\1.bin\A2FFXTBR.MANIFEST
c:\program files\AskSBar\bar\1.bin\A2HIGHIN.EXE
c:\program files\AskSBar\bar\1.bin\A2NTSTBR.JAR
c:\program files\AskSBar\bar\1.bin\A2NTSTBR.MANIFEST
c:\program files\AskSBar\bar\1.bin\A2PLUGIN.DLL
c:\program files\AskSBar\bar\1.bin\NPASKSBR.DLL
c:\program files\AskSBar\bar\Cache\00035380.bin
c:\program files\AskSBar\bar\Cache\000360AF.bin
c:\program files\AskSBar\bar\Cache\00036F93.bin
c:\program files\AskSBar\bar\Cache\00037679.bin
c:\program files\AskSBar\bar\Cache\00037C65.bin
c:\program files\AskSBar\bar\Cache\000382CD.bin
c:\program files\AskSBar\bar\Cache\00038E47.bin
c:\program files\AskSBar\bar\Cache\000396F2.bin
c:\program files\AskSBar\bar\Cache\00A7810A
c:\program files\AskSBar\bar\Cache\014BDD94
c:\program files\AskSBar\bar\Cache\files.ini
c:\program files\AskSBar\bar\History\search2
c:\program files\AskSBar\bar\Settings\prevcfg2.htm
c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
c:\windows\Tasks\SpywareBot Scheduled Scan.job

.
((((((((((((((((((((((((( Files Created from 2009-02-07 to 2009-03-07 )))))))))))))))))))))))))))))))
.

2009-02-16 21:42 . 2009-02-16 21:42 d-------- c:\program files\TweakNow WinSecret
2009-02-16 21:42 . 2009-02-16 21:42 d-------- c:\documents and settings\Rogue\Application Data\TweakNow WinSecret
2009-02-08 18:31 . 2009-02-08 18:31 d----c--- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 16:39 --------- dc----w c:\documents and settings\All Users\Application Data\Avg8
2009-02-21 13:34 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 12:37 --------- dc----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-11 08:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 08:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-24 11:16 --------- dc----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-20 14:48 --------- dc----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-20 14:48 --------- d-----w c:\documents and settings\Rogue\Application Data\Malwarebytes
2009-01-19 04:31 --------- d-----w c:\program files\Trend Micro
2009-01-09 18:50 --------- d-----w c:\documents and settings\Rogue\Application Data\Skype
2009-01-09 15:54 --------- d-----w c:\documents and settings\Rogue\Application Data\skypePM
2007-09-01 14:15 1 -c--a-w c:\documents and settings\Rogue\SI.bin
2008-10-13 17:19 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008101320081014\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"USB Storage Toolbox"="c:\program files\USBToolbox\Res.EXE" [2002-01-15 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SoundMan"="SOUNDMAN.EXE" [2005-03-24 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 autorun;autorun;\??\c:\huadio.tmp --> c:\huadio.tmp [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb3d81e-1863-11dd-bf69-001349ab199f}]
\Shell\AutoRun\command - xn1i9x.com
\Shell\explore\Command - xn1i9x.com
\Shell\open\Command - xn1i9x.com
.
Contents of the 'Scheduled Tasks' folder

2009-03-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2009-02-28 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]

2009-03-07 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.za/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {0C58BEB5-922E-440D-BD69-3894C5BD6EAD} = 196.43.34.190,196.43.46.190
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://192.168.4.252/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Rogue\Application Data\Mozilla\Firefox\Profiles\u3eksgh2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-07 12:39:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\TEMP\TMP000000067C4E75DCD7B8A748 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\autorun]
"ImagePath"="\??\c:\huadio.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2009-03-07 12:41:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-07 10:41:34
ComboFix2.txt 2009-03-01 08:05:56
ComboFix3.txt 2009-02-21 12:18:13
ComboFix4.txt 2009-02-09 16:40:24
ComboFix5.txt 2009-03-07 10:35:39

Pre-Run: 52,868,452,352 bytes free
Post-Run: 52,925,984,768 bytes free

153 --- E O F --- 2009-03-06 09:15:08


----------



## abloke (Jun 21, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:26 PM, on 3/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\USBToolbox\Res.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [USB Storage Toolbox] "C:\Program Files\USBToolbox\Res.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://192.168.4.252/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C58BEB5-922E-440D-BD69-3894C5BD6EAD}: NameServer = 196.43.34.190,196.43.46.190
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C58BEB5-922E-440D-BD69-3894C5BD6EAD}: NameServer = 196.43.34.190,196.43.46.190
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C58BEB5-922E-440D-BD69-3894C5BD6EAD}: NameServer = 196.43.34.190,196.43.46.190
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

--
End of file - 5243 bytes


----------



## abloke (Jun 21, 2008)

Correct menu today? Thank-you!!


----------



## Cookiegal (Aug 27, 2003)

Yes, that's correct.

What is it that normally shows up as your G drive?


----------



## abloke (Jun 21, 2008)

Looking under my computer 
Local disk (C)
Local disk (D)
New Volume (F)
Which are all part of the 160gig hard drive
Devices with removable storage
3 1/2 inch Floppy A
DVD/CD RW drive (E)
Am sure your spectacles are not as tinted as mine,
and that you are picking up a G drive
Could you please advise me where to look to find
that G spot, sorry G drive.


----------



## abloke (Jun 21, 2008)

Have had a look at some other threads and can now see how busy
you are on TSG. Which makes me appreciate all your advice even more!!


----------



## Cookiegal (Aug 27, 2003)

It's because this file may or may not exist at this point, but its drive letter is G:

*G:\xn1i9x.com*

It could be any USB device you connect.

Open Notepad and copy and paste the text in the code box below into it:


```
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb3d81e-1863-11dd-bf69-001349ab199f}]
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*
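
A small log-triage script, added here as an example and not part of this thread or of ComboFix itself: it reads the "Reg Loading Points" style lines that ComboFix prints (as in the logs above) and flags the three things acted on in this thread, a MountPoints2 subkey whose AutoRun/open/explore commands point at a file on a removable drive, a service whose image is a .tmp file or is reported missing with `[?]`, and Security Center override/monitoring values set to 1. The rule names, the `Finding` class and the sample log are constructed for this example.

```python
"""Triage helper for the ComboFix log format shown in this thread.

Added example (not part of the thread, not ComboFix's own code). It scans
'Reg Loading Points' style lines and flags the indicators acted on here:
  * MountPoints2 entries that redirect a removable drive's AutoRun/open/
    explore commands to an arbitrary file (the xn1i9x.com entry);
  * a service whose image is a .tmp file or is marked '[?]' (missing),
    like the 'autorun' service pointing at c:\\huadio.tmp;
  * Security Center override/monitoring values set to 1, which silence
    the "no anti-virus / firewall" warnings.
Rule names and the sample log are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str     # constructed rule name
    key: str      # registry key (or service name) the line belongs to
    detail: str   # the value that triggered the rule


# \Shell\AutoRun\command - xn1i9x.com   (lines under a MountPoints2 subkey)
SHELL_CMD_RE = re.compile(r"^\\Shell\\(AutoRun|open|explore)\\command\s+-\s+(.+)$", re.I)
# R2 WinDefend;Windows Defender;c:\...\MsMpEng.exe [2006-11-03 13592]
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)$")
# "AntiVirusOverride"=dword:00000001 under a 'security center' key
SECCENTER_RE = re.compile(
    r'^"(AntiVirusOverride|FirewallOverride|DisableMonitoring)"=dword:0*1$', re.I)
# "ImagePath"="\??\c:\huadio.tmp" under a Services\<name> key
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(.+)"$', re.I)


def _suspicious_image(image: str) -> list[str]:
    """Reasons a service image looks wrong: a .tmp binary, or a missing file."""
    path = image.split(" [")[0]          # drop the trailing "[date size]" / "[?]"
    if " --> " in path:                  # "\??\c:\x.tmp --> c:\x.tmp": keep resolved path
        path = path.split(" --> ")[-1]
    reasons = []
    if path.lower().endswith(".tmp"):
        reasons.append("image is a .tmp file")
    if "[?]" in image:
        reasons.append("image file missing ([?])")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Walk the log once, tracking the current REGEDIT4-style key header."""
    findings: list[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = SHELL_CMD_RE.match(line)
        if m and "mountpoints2" in current_key.lower():
            findings.append(Finding("mountpoints2-autorun", current_key,
                                    f"{m.group(1)} -> {m.group(2)}"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            reasons = _suspicious_image(m.group(4))
            if reasons:
                findings.append(Finding("service-suspicious-image", m.group(2),
                                        f"{m.group(4)}: {'; '.join(reasons)}"))
            continue
        m = IMAGEPATH_RE.match(line)
        if m and "\\services\\" in current_key.lower():
            reasons = _suspicious_image(m.group(1))
            if reasons:
                findings.append(Finding("service-suspicious-image", current_key,
                                        f"{m.group(1)}: {'; '.join(reasons)}"))
            continue
        m = SECCENTER_RE.match(line)
        if m and "security center" in current_key.lower():
            findings.append(Finding("security-center-muted", current_key, m.group(1)))
    return findings


# Constructed sample, assembled from the kinds of lines in the logs above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 autorun;autorun;\??\c:\huadio.tmp --> c:\huadio.tmp [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb3d81e-1863-11dd-bf69-001349ab199f}]
\Shell\AutoRun\command - xn1i9x.com
\Shell\explore\Command - xn1i9x.com
\Shell\open\Command - xn1i9x.com

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\autorun]
"ImagePath"="\??\c:\huadio.tmp"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:26} {f.key}\n{'':26} {f.detail}")
```

The legitimate `ctfmon.exe` Run entry and the Windows Defender service produce no finding; only the seven lines that match the thread's indicators do.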


----------



## abloke (Jun 21, 2008)

Hi again, in previous posts you've asked me to plug in my memory stick,
don't know if it's relevant, but when the kids were home 3 other memory
sticks were also plugged into the home pc, and I obviously don't
have those here now to plug in?


----------



## abloke (Jun 21, 2008)

ComboFix 09-03-06.02 - Rogue 2009-03-09 13:07:50.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.229 [GMT 2:00]
Running from: c:\documents and settings\Rogue\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Rogue\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-09 to 2009-03-09 )))))))))))))))))))))))))))))))
.

2009-02-16 21:42 . 2009-03-07 17:11 d-------- c:\program files\TweakNow WinSecret
2009-02-16 21:42 . 2009-02-16 21:42 d-------- c:\documents and settings\Rogue\Application Data\TweakNow WinSecret

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 16:39 --------- dc----w c:\documents and settings\All Users\Application Data\Avg8
2009-02-21 13:34 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 12:37 --------- dc----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-11 08:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 08:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-08 16:31 --------- dc----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-01-24 11:16 --------- dc----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-20 14:48 --------- dc----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-20 14:48 --------- d-----w c:\documents and settings\Rogue\Application Data\Malwarebytes
2009-01-19 04:31 --------- d-----w c:\program files\Trend Micro
2009-01-09 18:50 --------- d-----w c:\documents and settings\Rogue\Application Data\Skype
2009-01-09 15:54 --------- d-----w c:\documents and settings\Rogue\Application Data\skypePM
2007-09-01 14:15 1 -c--a-w c:\documents and settings\Rogue\SI.bin
2008-10-13 17:19 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008101320081014\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"USB Storage Toolbox"="c:\program files\USBToolbox\Res.EXE" [2002-01-15 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SoundMan"="SOUNDMAN.EXE" [2005-03-24 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 autorun;autorun;\??\c:\huadio.tmp --> c:\huadio.tmp [?]
.
Contents of the 'Scheduled Tasks' folder

2009-03-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2009-03-08 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]

2009-03-09 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.za/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {0C58BEB5-922E-440D-BD69-3894C5BD6EAD} = 196.43.34.190,196.43.46.190
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://192.168.4.252/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Rogue\Application Data\Mozilla\Firefox\Profiles\u3eksgh2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-09 13:11:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\autorun]
"ImagePath"="\??\c:\huadio.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2009-03-09 13:13:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-09 11:13:07
ComboFix2.txt 2009-03-07 10:41:39
ComboFix3.txt 2009-03-01 08:05:56
ComboFix4.txt 2009-02-21 12:18:13
ComboFix5.txt 2009-03-09 11:07:06

Pre-Run: 52,955,922,432 bytes free
Post-Run: 52,954,783,744 bytes free

118 --- E O F --- 2009-03-06 09:15:08


----------



## abloke (Jun 21, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:49 PM, on 3/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\USBToolbox\Res.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [USB Storage Toolbox] "C:\Program Files\USBToolbox\Res.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://192.168.4.252/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C58BEB5-922E-440D-BD69-3894C5BD6EAD}: NameServer = 196.43.34.190,196.43.46.190
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C58BEB5-922E-440D-BD69-3894C5BD6EAD}: NameServer = 196.43.34.190,196.43.46.190
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C58BEB5-922E-440D-BD69-3894C5BD6EAD}: NameServer = 196.43.34.190,196.43.46.190
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

--
End of file - 5308 bytes


----------



## abloke (Jun 21, 2008)

Hi Cookiegal
have posted the 2 logs as requested.
As always, thank-you for your time and advice.


----------



## abloke (Jun 21, 2008)

Forgot to mention earlier, but after your post of March 6th,
"Ask Toolbar", where you requested inserting memory stick,
before downloading Flash_Disinfector.
I followed your prompts, but the pc refused to reboot until I removed the
memory stick.
Not sure if this has any relevance, but it is G drive related?
Thank-you


----------



## Cookiegal (Aug 27, 2003)

I can't know what would have shown up as the letter G drive. That depends on what devices you have plugged in at the time. One of those devices may still be infected.

Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of *Java* components and upgrade the application.

*Upgrading Java*:


1. Download the latest version of *Java Runtime Environment (JRE) 6 Update 12*.
2. Click the "*Download*" button to the right.
3. Select your Platform and check the box that says: "*I agree to the Java SE Runtime Environment 12 License Agreement.*".
4. Click on *Continue*.
5. Click on the link to download Windows Offline Installation (jre-6u12-windows-i586-p.exe) and save it to your desktop. *Do NOT use the Sun Download Manager.*
6. Close any programs you may have running - especially your web browser.
7. Go to *Start* > *Control Panel*, double-click on *Add/Remove* programs and remove all older versions of Java.
8. Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
9. Click the Remove or Change/Remove button.
10. Repeat as many times as necessary to remove each Java version.
11. Reboot your computer once all Java components are removed.
12. Then from your desktop double-click on the download to install the newest version.

How are things now?


----------



## abloke (Jun 21, 2008)

Hi Cookiegal
Followed your prompts as per usual, and will see improvement in time,
I'm sure.
I have a few other items to add to the agenda,
Should I start a new thread, or can we continue on the iexplore.exe?
Thank-you and TSG again for your patience & input!!


----------



## abloke (Jun 21, 2008)

Hi again Cookiegal
Again don't know how relevant this is?,
Mass usb storage box?
I so seldom use a memory stick via usb ports
& with your reference to G drive?,
don't know if it's related?


----------



## Cookiegal (Aug 27, 2003)

If it's something that has memory and you plug into a USB port then it could be it.

Please list your other issues here and then I can tell you if you should ask for assistance elsewhere.


----------



## abloke (Jun 21, 2008)

Hi Cookiegal
Managed to Flash disinfect scan my mobile, didn't pick up anything.
There are quite a few other issues, but also don't want to swamp you
any further, as you are coming to so many other user's rescue.
Maybe we can try them as per one a week?
First one is outlook related.
Even with no messages in my outbox, the send/receive box keeps popping up (every 30 seconds) indicating that the pc is sending 1 of 1
or 2 of 3 messages, but there is nothing I'm actually trying to send or forward.
I'm sure you will have some words of wisdom on this and I thank-you
in advance!


----------



## Cookiegal (Aug 27, 2003)

After it has done that, if you look in sent items is there anything showing as just being sent?


----------



## abloke (Jun 21, 2008)

Hi C-Gal
No, did check if there was anything sent, about 9 months ago,
and nobody, even the ISP, can tell me why I keep getting those send/receive messages.
In my limited capacity I'm looking at Desktop Hijacking?


----------



## abloke (Jun 21, 2008)

also, with your experience, over 2K viewing for this mundane
post of iexplore? Somebody is checking on our progress?
No. I'm not paranoid, either.


----------



## abloke (Jun 21, 2008)

Was listening to some Guns & Roses, when screen would not allow me access To music player?
Did notice a long time ago that whatever music I loaded was converted to mp3 mode, and I don't know how to do that!


----------



## Cookiegal (Aug 27, 2003)

You could post about the outlook problem in the Web and E-mail forum but I honestly think that with the number and type of problems you're having, it would be best to back up anything important and then wipe the drive and reformat. It's the only way you'll be sure to be clean and then you can reload your programs that may be corrupt.


----------



## abloke (Jun 21, 2008)

Hi Cookiegal
Thank-you for your post and advice!!
I will get some outside assistance to back-up correctly,
and with wiping & reformatting.
Presumably we don't want to reload corrupted programs?
will report back to you once we've done the above.
Thank-you again!!


----------



## Cookiegal (Aug 27, 2003)

Well what I meant was the programs have become corrupt on the computer but if you reinstall them from their media then they will not be corrupt.

Please do post an update on how you're doing.


----------



## abloke (Jun 21, 2008)

Thank-you, with your method of laying the steps out, even I will
get it right..eventually.
This continual pop up of send/receive box has really started to irritate me
in this last year, 
and hopefully i can report back with numerous beaming


----------



## Cookiegal (Aug 27, 2003)

You're welcome.


----------



## abloke (Jun 21, 2008)

Just sent you some "other mail",
hope it gets through to you,
and thankx for all your assistance!
Going to be a long week!!


----------



## Cookiegal (Aug 27, 2003)

Yes I received it. You should be fine. At least you will be better off starting fresh after that.

Just be sure you get all your MS service packs and critical updates right away.


----------



## abloke (Jun 21, 2008)

Hi Cookiegal
Have missed your daily informative mail.
Regrettably I've been too busy to follow your advice,
but have scouted for techies that can assist.
Hope to wrap it all up before end of month.
Have a good week!


----------



## Cookiegal (Aug 27, 2003)

Good luck with it. I'm sure everything will be fine.


----------



## abloke (Jun 21, 2008)

Hi Cookiegal
Thank-you for your reply.
You were not in favour of my choice, but didn't
add your preferred AV?
You never committed yourself to how many users
you picked up?


----------



## Cookiegal (Aug 27, 2003)

abloke said:


> Hi Cookiegal
> Thank-you for your reply.
> You were not in favour of my choice, but didn't
> add your preferred AV?
> ...


Are you going to make me read the entire thread again? 

What do you mean by "how many users I've picked up?" 

My preferred anti-virus would be Nod32 or Kaspersky.


----------



## abloke (Jun 21, 2008)

No in one of your many previous posts you asked
how many users on this pc, don't expect you to read through
the entire thread again.
Also thank-you, took a 30 day trial with Nod32,
will see how that goes, only picked up one infection on first scan.
Not reluctant either, just don't want to lose the little bit of stuff
I have on the pc.


----------



## Cookiegal (Aug 27, 2003)

abloke said:


> No in one of your many previous posts you asked
> how many users on this pc, don't expect you to read through
> the entire thread again.
> Also thank-you, took a 30 day trial with Nod32,
> ...


What infection did Nod32 pick up and what was the file name?


----------



## abloke (Jun 21, 2008)

Hi Cookiegal
No that i didn't pick up, maybe you can advise me where to look?
Nod32 also advised that it was blocking a potentially unsafe.....
Maybe these "synthetic demons" that i imagined are there?


----------



## abloke (Jun 21, 2008)

Suppose I better start working on how to get a Nod32 log to you.
Sorry the kids were here, and happy Easter weekend to you too


----------



## abloke (Jun 21, 2008)

Can't even do a log report for you.
I'm wasting your time, and only a new pc will help
i suspect, just when we seem to go forward..............


----------



## Cookiegal (Aug 27, 2003)

Why can't you get a log from Nod32?


----------



## abloke (Jun 21, 2008)

Would you be able to advise where to see the log?


----------



## abloke (Jun 21, 2008)

Does Nod32 have a virus vault? Can't seem to find it, and would
be the place to find the info you require?


----------



## Cookiegal (Aug 27, 2003)

I don't have it but I think it should have a place called Tools and then under there Logs.


----------



## abloke (Jun 21, 2008)

As usual your info is spot on.
There are 2 items in the vault, hope I got all the info down correctly.
C:\System Volume Information\_restore{23548ED5-E4DD-49F7-A95B-CC6EDBF1A0C3} \RP1055\A0488334.DLL
Win32/Toolbar.AskSBAR potentially unwanted application

C:\Qoobox\Quarantine\C\program files\AskSBAR\SrchASK\1Bin\AZSRCHAS.DLL.vir
Win32/Toolbar.AskSBAR potentially unwanted application

After all your help & patience hope i got info down correct?

Thank-you once again, my tab must be huge?


----------



## Cookiegal (Aug 27, 2003)

One of those is in system restore and you can flush out the restore points to take care of that.

The other is already quarantined by ComboFix.

*Follow these steps to uninstall Combofix and all of its files and components.*

 Click *START* then *RUN*
 Now type *Combo-Fix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* - *All Programs* - *Accessories* - *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.


----------



## abloke (Jun 21, 2008)

Thank-you for your speedy response. 
I can't give you the surety that my reply will
be on your desktop by tomorrow..but you certainly
cook on pc issues!!


----------



## abloke (Jun 21, 2008)

Can't pick up Combo-Fix on run, think I will recharge & try this early tomorrow am


----------



## abloke (Jun 21, 2008)

Have managed to execute your instructions.
See there is no log to be posted?


----------



## Cookiegal (Aug 27, 2003)

That's correct. No log was necessary.


----------



## abloke (Jun 21, 2008)

Thank-you for all your input, have downloaded numerous updates
and pc appears to be running just fine.
Where would i be able to get more info on dual desktop or shared
computer usage?
Thank-you


----------



## abloke (Jun 21, 2008)

hi cookiegal
was almost certain that I followed the removal of combo-fix /u
as per your post, but see combo-fix is still on the pc?
So maybe I didn't execute a restore point correctly?


----------



## abloke (Jun 21, 2008)

See you are not online at the moment,
Why would Nod32 only cover outlook & not gmail or facebook?


----------



## Cookiegal (Aug 27, 2003)

abloke said:


> hi cookiegal
> was almost certain that I followed the removal of combo-fix /u
> as per your post, but see combo-fix is still on the pc?
> So maybe I didn't execute a restore point correctly?


You were not supposed to execute a system restore. So everything is working fine now?


----------



## Cookiegal (Aug 27, 2003)

abloke said:


> Thank-you for all your input, have downloaded numerous updates
> and pc appears to be running just fine.
> Where would i be able to get more info on dual desktop or shared
> computer usage?
> Thank-you


If you mean dual desktop display then that would be hardware.

For computer sharing, that would be Networking.

As for Nod32, there must be some configuration necessary. You can ask about that in the General Security forum.


----------



## abloke (Jun 21, 2008)

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* - *All Programs* - *Accessories* - *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

" was i not supposed to have executed the above?"

Also thank-you re the nod32 config...will bug them in general security,
and give you a breather.


----------



## Cookiegal (Aug 27, 2003)

That is not executing a restore point, that is merely flushing them out and setting a new one. Executing, to me, would be performing a system restore, which was not in my instructions.


----------



## abloke (Jun 21, 2008)

So I'm not in the dawg box?


----------



## Cookiegal (Aug 27, 2003)

abloke said:


> So I'm not in the dawg box?


Apparently not.


----------



## abloke (Jun 21, 2008)

Hi Cookiegal
So, apart from our customary mail is the end of iexplore.exe?
Thank-you again for all your patience, advice & perseverance.


----------



## Cookiegal (Aug 27, 2003)

Weren't you supposed to reformat?


----------



## abloke (Jun 21, 2008)

You are correct again. Do need some time away tho, son's 21st next week, will be out of town, have also requested some info from alternate to TSG, my current AV, so hope to have more info to bring to the next party....hope to see you there


----------



## abloke (Jun 21, 2008)

Funny, the last post i replied to was posted by you, yet after my above post, still shows last post posted by cookiegal, there is some deception or interventions amongst the ranks? Moi Thinks


----------



## abloke (Jun 21, 2008)

Just read some other threads, you are indeed Mother's little helper on this forum....how do you put up with us mullets, seems I'm not the only one here


----------



## abloke (Jun 21, 2008)

just went back to some old posts and picked up on something retroguy posted a while ago, svchost.exe, have seen that on this pc, can't tell you where, but yes did recognise that!


----------



## Cookiegal (Aug 27, 2003)

svchost.exe is a valid critical system file.


----------



## abloke (Jun 21, 2008)

Thank-you!


----------



## Cookiegal (Aug 27, 2003)

You're welcome.

Note that malware can use files with that name but they are normally in a different location and the size would also be different. It's normal to have several instances of svchost.exe running in the processes.
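One way to turn that check (same name, wrong location or size) into something repeatable, as an added example that is not part of the thread and not Cookiegal's own instructions: it lists every running svchost.exe and flags any whose image is not the copy under %SystemRoot%\System32 (or SysWOW64 on 64-bit Windows), whose size differs from that copy, or whose Authenticode signature is not valid. It assumes Windows PowerShell 3.0 or later for Get-CimInstance, and an elevated prompt so that the paths of SYSTEM-owned processes are readable.

```powershell
# Added example, not from the thread: audit running svchost.exe instances.
# Assumes Windows PowerShell 3.0+ and an elevated session.

$allowed = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')   # present on 64-bit Windows only
) | Where-Object { Test-Path $_ }

# The known-good file sizes, one per legitimate copy, for comparison.
$allowedSizes = @{}
foreach ($p in $allowed) { $allowedSizes[$p.ToLower()] = (Get-Item $p).Length }

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $path   = $_.ExecutablePath
    $size   = $null
    $sig    = $null
    $parent = (Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)").Name

    if ([string]::IsNullOrEmpty($path)) {
        # Path unreadable: usually a non-elevated session, not proof of malware.
        $verdict = 'UNKNOWN (path not readable, rerun elevated)'
    } else {
        $size = (Get-Item $path).Length
        $sig  = (Get-AuthenticodeSignature $path).Status
        $key  = $path.ToLower()
        $inAllowedDir = $allowedSizes.ContainsKey($key)
        $sizeMatches  = $inAllowedDir -and ($allowedSizes[$key] -eq $size)
        $verdict = if ($inAllowedDir -and $sizeMatches -and $sig -eq 'Valid') {
            'ok'
        } else {
            'SUSPICIOUS: ' + @(
                if (-not $inAllowedDir) { 'unexpected location' }
                if ($inAllowedDir -and -not $sizeMatches) { 'size mismatch' }
                if ($sig -ne 'Valid') { "signature $sig" }
            ) -join ', '
        }
    }

    [pscustomobject]@{
        PID       = $_.ProcessId
        Parent    = $parent     # on Vista and later the legitimate parent is services.exe
        Path      = $path
        Size      = $size
        Signature = $sig
        Verdict   = $verdict
    }
} | Format-Table -AutoSize
```

A legitimate svchost.exe launched from an unusual parent (anything other than services.exe on Vista and later) is worth a second look even when the path and signature check out.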


----------



## abloke (Jun 21, 2008)

Hi Cookiegal
Trust you are well, has been a while.
Was thinking of backing up just outlook,
removing it and re-loading. a techie advised that i
would find outlook under
C:/Documents & Settings/
My name/Local Settings/
Application Data/Microsoft/
Outlook/Outlook.pst:

Have followed his prompts, but still don't see outlook anywhere,
have checked on other drives as well.

Do you have any words of wisdom?

Thank-you


----------



## Cookiegal (Aug 27, 2003)

You don't see the outlook.pst file in there?


----------



## abloke (Jun 21, 2008)

No, have gone thru the techie's advice a few times, no outlook
picked up on my pc?


----------



## abloke (Jun 21, 2008)

Know you are busy, so will wait till I hear from you, maybe my dual
desktop theory wasn't too far off?
Thank-you for all your time and effort?
In your absence managed to upgrade to Nod32 purchased,
you and TSG have made me look at this pc with refreshed respect/
Thank-you for that too!!


----------



## abloke (Jun 21, 2008)

okay, can't connect via outlook now...running scared?
Will come on here at TSG to check for your reply...?


----------



## Cookiegal (Aug 27, 2003)

Why not continue with the techy? I have no idea what you're trying to do.


----------



## abloke (Jun 21, 2008)

no cloak n dagger.
Just wanted to back-up"my" outlook.
Remove and reload....you have been my 
advisory agent throughout this thread,
so no don't particularly want to change that?


----------



## Cookiegal (Aug 27, 2003)

This is not really my area of expertise but this article should help you accomplish what you're doing.

http://support.microsoft.com/kb/196492


----------



## abloke (Jun 21, 2008)

Thank-you Cookiegal!
Will get onto it after footie/dinner


----------



## Cookiegal (Aug 27, 2003)

Ah....ok.


----------



## abloke (Jun 21, 2008)

Hi Cookiegal
Sorry if i confused you...normally only confuse myself.
had a look at your suggestion, seems to be for windows 2000 & '98.
This really is a bit Too technical for me, and want to get outside help in, will update you accordingly!
Thank-you


----------



## Cookiegal (Aug 27, 2003)

Sorry. I didn't realize it was quite an old article.


----------



## abloke (Jun 21, 2008)

HI Cookiegal
Don't think I've once posted a positive/good news post on this thread.
My local techy sorted my outlook problem.
That Dreaded sending mail when there was no mail in the outbox,
was due to smtp field still having my old ISP detail.
He (techy) that is, is going to help me backing up everything, and reloading, but as I'm typing the initial iexplore.exe has not raised its head again, and my Outlook is not sending ghost mail from my outbox.
Will also have to check if my Eset Nod32 is set up correctly,
the techy was not all that impressed with how the drives have been
partitioned, but we didn't have time to get into that.
So Again, Thank-you and TSG for all your time, advice & patience.


----------



## Cookiegal (Aug 27, 2003)

You're quite welcome and I'm glad you're on the road to getting your machine sorted and in tip top shape. :up:


----------



## abloke (Jun 21, 2008)

Needless to say I'm going to miss your informative posts,
will have to start up another thread?
What about Nod32 set up?
It's better to sit here @ home and work on this pc,
vs carting the tower all over town?


----------



## Cookiegal (Aug 27, 2003)

Yes, please start a new thread for those other questions.


----------



## abloke (Jun 21, 2008)

Thank-you again, bet you are glad to see the end of this thread!


----------



## Cookiegal (Aug 27, 2003)

It has been a bit of a marathon.


----------



## abloke (Jun 21, 2008)

At least we got the dreaded Lurgy in the end!
And apart from a few grey hairs for you, I got Nod32, Win patrol, Malwarebytes, and a few contacts on TSG!!!


----------



## Cookiegal (Aug 27, 2003)

Yeah, you really should pay for my next bottle of hair colour.  

Just kidding as I'm naturally mousy.


----------



## abloke (Jun 21, 2008)

Nah you need a medal, maybe a few bottles of good South African red wine for your perseverance with my ineptitude!
Sure I came across as paranoid at times, but you won't know how irritating a pop up is.......

So you are going to let me have your postal address?
My sister is in the USA, will ask her to track you down


----------



## abloke (Jun 21, 2008)

Ok I can even better that, if you come to our beautiful country, you're welcome to stay here, in perhaps one of the most scenic towns
on the Garden Route!??
Can take you & partner on some scenic drives, and introduce you to
some amazing Joe Satriani albums, in case you don't have any of his music


----------



## abloke (Jun 21, 2008)

Rolling over and playing dead is what my dawg does...so not buying
your silence!!
Africa is great, sure sign of domesticated wildlife is crocs with their tail
chopped off.....?
Sooo if you're not coming for 2010 world cup, how about a postal address
then?


----------



## abloke (Jun 21, 2008)

Hey Cookiegal
Just when you were thinking I'm free of "that dreaded lurgy"
Managed to get pc to local techie, reformatted drive, loaded
new memory & graphics cards & CD/DVD writer.
There are still issues he will come & sort out at home, have mail in inbox
going back to 2004, and have also lost valuable stuffage, so not out of the woods just yet...thought it would be a good gesture, that I actually
did take your advice..


----------



## abloke (Jun 21, 2008)

Hello Cookiegal
Did mail you a progress report, think we would both be pleased
to see the end of this thread!


----------



## abloke (Jun 21, 2008)

Hi Cookiegal
Well, since our last communication, managed to upgrade to IE8 & for
good measure reloaded Mozilla, in all honesty, can't say the reloaded
pc is misbehaving!

Trust you are keeping well, glad to see this thread retiring!

Thank-you ( you have been here from page one) & TSG so so much
for all your assistance! Needless to say have been promoting TSG to
such lengths, that your board has hopefully, picked up a huge sign-up from this part of the world.?

If I'm permitted one last question... can't remember if you were the source? 

Is Nod32 not kosher with mozilla?

Why I'm asking, @ times mozilla opens various sites quickly, and @ times it doesn't, whereas IE doesn't seem to have any time delay?


----------



## Cookiegal (Aug 27, 2003)

No, there is no problem with Nod32 and Firefox.


----------



## abloke (Jun 21, 2008)

Now that pc is running so well, won't have a valid reason for bugging you! Do you only give advice on pc related matters or do you have knowledge on cooking/recipes/?


----------



## Cookiegal (Aug 27, 2003)

abloke said:


> Now that pc is running so well, won't have a valid reason for bugging you! Do you only give advice on pc related matters or do you have knowledge on cooking/recipes/?


I've been known to burn a few things but we do have a thread in Random with cooking recipes.


----------



## abloke (Jun 21, 2008)

Just remembered, think I asked you for the URL of malwarebytes?
Would be most appreciative!
Thank-you


----------



## Cookiegal (Aug 27, 2003)

Here you go:

http://www.malwarebytes.org/mbam-download.php


----------



## abloke (Jun 21, 2008)

Thank-you, got that done, my collection is almost complete,
unless you have additional suggestions?
Ok will leave you in peace for a while....


----------



## Cookiegal (Aug 27, 2003)

I think that should be it.


----------



## abloke (Jun 21, 2008)

Yes indeed Cookiegal, you have assisted in sorting the initial iexplore.exe
and quite a "few" other issues whilst you were at it!!
Thank-you & TSG once again!!


----------



## Cookiegal (Aug 27, 2003)

You're welcome.


----------



## abloke (Jun 21, 2008)

Ok you/tsg have sorted this pc, but miss your informative posts!
Are you keeping well?


----------

