[Topic Locked]Please help me analyze my HiJack this Log !!! :(

  • 13 Replies
  • 2795 Views

Offline aBcDeFg

  • Bronze Member
  • 8
« on: November 17, 2008, 06:22:22 PM »
In Internet Options under Restricted Sites, there are all kinds of random sites listed. I can delete them all, apply and save changes, and when I open it back up, they're there again!! I don't know what to do! I ran the Trend Micro HijackThis program, and this is the log file.

Please help me!!  ???


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:53 PM, on 11/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 205.238.40.1 winmx.com
O1 - Hosts: 205.238.40.1 www.winmx.com
O1 - Hosts: 205.238.40.1 err.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1304.winmx.com
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: MP3 Rocket (Minimized).lnk = C:\Program Files\MP3 Rocket\MP3Rocket.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_16_0.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: karna.dat
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)
O24 - Desktop Component 0: (no name) - http://homepages.pathfinder.gr/BlaCKLadY/easter/bunnyroseegg.gif

--
End of file - 11393 bytes
« Last Edit: November 19, 2008, 12:16:35 PM by PCBruiser »
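Before the replies, an added example that is not part of the thread and not HijackThis code: a Python script that applies a few mechanical checks to an excerpt of the log above. The sections it looks at are the ones that carry the most weight in this log. O1 is the hosts file, which Windows consults before DNS, so the dozens of winmx.com names above are sent to two fixed addresses no matter what DNS says. O20 is AppInit_DLLs, a registry value naming a library that Windows loads into every process that loads user32.dll, so an unexpected entry there deserves attention because whatever it names runs inside every GUI process. O4 autoruns that launch from a drive other than the system drive and R3 hooks whose file is gone are flagged for review, not declared malicious. The trimmed sample log, the added `127.0.0.1 localhost` line, the assumption that C: is the system drive and the heuristics themselves are the example's own choices, not the thread's.

```python
"""Mechanical first pass over a HijackThis log (added example; not part of
the thread and not HijackThis code).

Heuristics, each an assumption about what deserves a second look:
  O1  hosts-file entries that point a host name at a non-loopback address
      (the hosts file wins over DNS, so these silently redirect the name)
  O20 any non-empty AppInit_DLLs value (Windows loads that library into
      every process that loads user32.dll, a classic persistence spot)
  O4  autoruns that launch from a drive other than the system drive
  R3  URLSearchHook entries whose backing file is missing ('(no file)')
"""
import ipaddress
import re
from collections import defaultdict

# Excerpt of the log posted above. The posted log has about a hundred O1
# lines; the '127.0.0.1 localhost' line is constructed for this example to
# show that loopback entries are left alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 205.238.40.1 winmx.com
O1 - Hosts: 205.238.40.1 www.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1301.winmx.com
O1 - Hosts: 127.0.0.1 localhost
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: karna.dat
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<payload>.*)$")


def parse_log(text):
    """Yield (section, payload, line) for every 'Rn - ...' / 'On - ...' line."""
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            yield m.group("section"), m.group("payload"), line


def hosts_target(payload):
    """'Hosts: 205.238.40.1 winmx.com' -> (ip address object, 'winmx.com'), else None."""
    parts = payload.partition(":")[2].split()
    if len(parts) < 2:
        return None
    try:
        return ipaddress.ip_address(parts[0]), parts[1]
    except ValueError:
        return None


def autorun_drive(payload):
    """Drive letter an O4 Run entry launches from, or None if it has no path."""
    m = re.search(r'\]\s*"?([A-Za-z]):\\', payload)
    return m.group(1).upper() if m else None


def triage(text, system_drive="C"):
    """Return (section, reason, detail) tuples; O1 hits are grouped per target address."""
    findings = []
    redirects = defaultdict(list)
    for section, payload, line in parse_log(text):
        if section == "O1":
            target = hosts_target(payload)
            if target and not target[0].is_loopback:
                redirects[str(target[0])].append(target[1])
        elif section == "O20" and payload.startswith("AppInit_DLLs:"):
            value = payload.split(":", 1)[1].strip()
            if value:
                findings.append(("O20", "AppInit_DLLs loads into every GUI process: " + value, line))
        elif section == "O4":
            drive = autorun_drive(payload)
            if drive and drive != system_drive.upper():
                findings.append(("O4", "autorun from non-system drive %s:" % drive, line))
        elif section == "R3" and "(no file)" in payload:
            findings.append(("R3", "URLSearchHook whose file is gone", line))
    # One finding per redirect target, so ~100 hosts lines become two items.
    for ip, names in sorted(redirects.items()):
        findings.append(("O1", "%d host name(s) redirected to %s" % (len(names), ip), ", ".join(names)))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (section, reason, detail))
```

Run against the full log, the O1 grouping is what makes the hosts hijack readable: two target addresses instead of a hundred lines. The script does not touch the machine; it only reads a saved log.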


Offline PCBruiser

  • Malware Removal Mentors
  • Ambassador
  • Diamond Member
  • 8146
Re: [In Progress]Please help me analyze my HiJack this Log !!! :(
« Reply #1 on: November 17, 2008, 08:29:35 PM »
Hi,

My name is PCBruiser (or PCB for short), and I will be helping you to remove any malware on your system.

Please copy and print out these instructions using Notepad so they will be readily available to you. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, please ask your question(s) before doing anything further.

1.  Run HijackThis again, but this time choose Do a system scan only, that is the second option from the top in the HijackThis What would you like to do choices.  After HijackThis completes the system scan, check the box immediately to the left of the following item(s):

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 205.238.40.1 winmx.com
O1 - Hosts: 205.238.40.1 www.winmx.com
O1 - Hosts: 205.238.40.1 err.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1304.winmx.com
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O20 - AppInit_DLLs: karna.dat


Please be very careful, do NOT check any other boxes.

Next, click on Fix checked on the bottom left side of the HijackThis screen.

Next, reboot.

2.  Your system does not have a software firewall installed.  This exposes you to many malware exploits you really don't want to have on your system.  Please download and install Online Armor Free from here:

http://www.tallemu.com/

The link to the free version is on the left hand side of that page.

If you would prefer to use a different firewall, two other good free ones are: Comodo and Sunbelt Personal Firewall (Free). If one of those does not meet your needs, you can try a different one, but check it with me first to make sure it is legitimate firewall software.

3.  Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan.

    If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
     If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
      • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
      • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
      • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
      • Click OK to close the message box and continue with the removal process.
      • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
      • Make sure that everything is checked, and click Remove Selected.
      • When removal is completed, a log report will open in Notepad.
      • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
      • Copy and paste the contents of that report in your next reply and exit MBAM.

    Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

4.  Download Combofix from any of the links below, and save it to your desktop.  For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

a. Close any open browsers.

b. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note:  Do not click ComboFix's window with your mouse while it's running. That may cause it to stall.

5.  Please post the following:

a. the MBAM log file
b. combofix.txt
c. a fresh HJT log
Don't Read?  Can't learn!
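Step 5(c) asks for a fresh log so the fix can be checked. As an added example, not part of the reply above and not HijackThis code, here is a Python script that compares two logs entry by entry. The "before" log is an excerpt of the log posted at the top of the thread; the "after" log is constructed for the example (it assumes one hosts entry has come back pointing at a new address and that a firewall autorun has appeared, with a hypothetical path), and FIXED_LINES is a subset of the list in step 1. Matching entries on a key (the host name for O1, the hive and value name for O4, the service short name for O23) rather than on the whole line is what makes a re-written value show up as "came back" instead of as an unrelated new line; that is the signal that something still resident is undoing the fix, which is the same behaviour the original poster saw with the Restricted Sites list.

```python
"""Confirm that a HijackThis 'Fix checked' run actually held, by comparing
the log taken before the fix with the fresh log asked for afterwards
(added example; not code from the thread or from HijackThis).

Entries are matched on a stable key rather than on the whole line, so an
item that comes back with a different value is reported as 'came back'
instead of vanishing into a removed/added pair.
"""
import re

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<payload>.*)$")

# Excerpt of the log posted at the top of the thread.
BEFORE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 205.238.40.1 winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1301.winmx.com
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: karna.dat
"""

# Constructed 'fresh' log for the example: the fix held for everything except
# winmx.com, which has been re-pointed at a new address, and a firewall
# autorun has appeared (the path is hypothetical).
AFTER_LOG = r"""
O1 - Hosts: 10.0.0.1 winmx.com
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [OnlineArmor] C:\Program Files\Tall Emu\Online Armor\oaui.exe
"""

# The lines ticked for 'Fix checked' (a subset of the list in step 1).
FIXED_LINES = [
    "R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)",
    "O1 - Hosts: 205.238.40.1 winmx.com",
    "O1 - Hosts: 82.195.155.5 c3315.z1301.winmx.com",
    r"O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe",
    "O20 - AppInit_DLLs: karna.dat",
]


def entry_key(section, payload):
    """The part of an entry that identifies it independently of its value."""
    if section == "O1":                      # Hosts: <ip> <name>
        parts = payload.split()
        return ("O1", parts[2]) if len(parts) > 2 else ("O1", payload)
    if section == "O4":                      # <hive>\..\Run: [name] <command>
        m = re.match(r"(.*?):\s*\[([^\]]*)\]", payload)
        return ("O4", m.group(1), m.group(2)) if m else ("O4", payload)
    if section in ("R0", "R1"):              # <registry path> = <value>
        return (section, payload.split("=", 1)[0].strip())
    if section == "O20":                     # AppInit_DLLs: <value>
        return ("O20", payload.split(":", 1)[0])
    if section == "O23":                     # Service: <display> (<short>) - ...
        m = re.search(r"\(([^)]*)\)", payload)
        return ("O23", m.group(1)) if m else ("O23", payload)
    return (section, payload)


def parse(text):
    """Map entry key -> full line for every HijackThis entry in the log."""
    entries = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries[entry_key(m.group("section"), m.group("payload"))] = raw.strip()
    return entries


def diff_logs(before, after):
    """Lines only in 'before', lines only in 'after', and same-key lines whose value changed."""
    b, a = parse(before), parse(after)
    return {
        "removed": sorted(b[k] for k in b.keys() - a.keys()),
        "added": sorted(a[k] for k in a.keys() - b.keys()),
        "changed": sorted((b[k], a[k]) for k in b.keys() & a.keys() if b[k] != a[k]),
    }


def check_fix(before, after, fixed_lines):
    """Sort the ticked lines into gone / still there / came back with a new value."""
    d = diff_logs(before, after)
    present_after = set(parse(after).values())
    return {
        "gone": [l for l in fixed_lines if l in d["removed"]],
        "still_there": [l for l in fixed_lines if l in present_after],
        "came_back": [new for old, new in d["changed"] if old in fixed_lines],
    }


if __name__ == "__main__":
    for label, lines in check_fix(BEFORE_LOG, AFTER_LOG, FIXED_LINES).items():
        print(label, *lines, sep="\n  ")
```

Paste the fresh log into AFTER_LOG after the reboot in step 1: anything under came_back or still_there means the HijackThis fix on its own did not hold and the later steps (MBAM, ComboFix) are the ones that will have to do the work.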


Offline aBcDeFg

  • Bronze Member
  • 8
Re: [In Progress]Please help me analyze my HiJack this Log !!! :(
« Reply #2 on: November 17, 2008, 10:13:15 PM »
Malwarebytes' Anti-Malware 1.30
Database version: 1406
Windows 5.1.2600 Service Pack 2

11/17/2008 10:14:52 PM
mbam-log-2008-11-17 (22-14-52).txt

Scan type: Quick Scan
Objects scanned: 62146
Time elapsed: 13 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 24
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\gnucdna.core (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{2850bdc7-2330-4e31-9fa0-88268846539a} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0be385a3-85a5-4722-b677-68dae891ff21} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{272c0d60-0561-4c83-b3db-eb0a71f9d2eb} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{284477e4-a7cb-4055-9e1b-0ea7cba28945} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{70ca4938-6a0f-4641-a9a9-c936e4c1e7de} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7468213e-010e-4ec6-a17d-642e909ba7ec} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{89dc33a2-f86f-42a1-8b5f-d4d1943efc9c} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a916af3c-976d-4358-8736-95bea0b5fd2c} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b86f4810-19a9-4050-9ac9-b5cf60b5799a} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bb5b7e14-f8b4-4365-a24d-f4965c33e1ee} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{be45f056-e005-437b-be88-23acf70b0b6a} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c13d4627-02f5-4b03-897a-bf6a90022dd2} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c636f1fc-6ae4-4e6a-90ab-6d61d821a0dd} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cb971ac0-6408-40da-a540-92f9f256f51f} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d5694dfe-43b6-4e05-aa29-8c556c968973} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e2032ec2-a9ac-4ed7-9bdb-ebecacf076f2} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ebab4a71-8c34-461a-b57d-dd041d439555} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f06fea43-0cc3-4bf6-a85b-5efb1c07aa4b} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fc94a0f7-9c7c-4ae2-9106-5c212332b209} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f02c0ae1-d796-42c9-81e1-084d88f79b8e} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\GnucDNA.dll (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\TDSS6a2.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\TDSS838.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\TDSS913.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\TDSSaa9.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\TDSSd49.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carrie\Local Settings\Temp\TDSSe6f1.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carrie\Local Settings\Temp\TDSSe5d8.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSfxwp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSStkdv.log (Trojan.TDSS) -> Quarantined and deleted successfully.

ComboFix 08-11-16.05 - Carrie 2008-11-17 22:38:50.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.223 [GMT -5:00]
Running from: c:\documents and settings\Carrie\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Carrie\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\Carrie\LOCALS~1\Temp\tmp2.tmp
c:\windows\IE4 Error Log.txt

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XPROTECTOR
-------\Service_XPROTECTOR


(((((((((((((((((((((((((   Files Created from 2008-10-18 to 2008-11-18  )))))))))))))))))))))))))))))))
.

2008-11-17 22:16 . 2008-11-17 22:46   <DIR>   d--------   c:\documents and settings\Carrie\Application Data\OnlineArmor
2008-11-17 22:16 . 2008-11-17 22:16   <DIR>   d--------   c:\documents and settings\All Users\Application Data\OnlineArmor
2008-11-17 22:15 . 2008-11-17 22:15   <DIR>   d--------   c:\program files\Tall Emu
2008-11-17 22:15 . 2008-10-07 00:09   178,376   --a------   c:\windows\system32\drivers\OADriver.sys
2008-11-17 22:15 . 2008-10-07 00:09   30,920   --a------   c:\windows\system32\drivers\OAmon.sys
2008-11-17 22:15 . 2008-10-07 00:09   28,872   --a------   c:\windows\system32\drivers\OAnet.sys
2008-11-17 21:59 . 2008-11-17 21:59   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2008-11-17 21:59 . 2008-11-17 21:59   <DIR>   d--------   c:\documents and settings\Carrie\Application Data\Malwarebytes
2008-11-17 21:59 . 2008-11-17 21:59   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-17 21:59 . 2008-10-22 16:27   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-17 21:59 . 2008-10-22 16:27   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2008-11-17 19:09 . 2008-11-17 19:09   <DIR>   d--------   c:\program files\Trend Micro
2008-11-17 02:04 . 2008-11-17 03:39   <DIR>   d--h-----   C:\$AVG8.VAULT$
2008-11-17 01:57 . 2008-11-17 11:38   <DIR>   d--------   c:\windows\system32\drivers\Avg
2008-11-17 01:57 . 2008-11-17 01:57   <DIR>   d--------   c:\program files\AVG
2008-11-17 01:57 . 2008-11-17 01:57   <DIR>   d--------   c:\documents and settings\Carrie\Application Data\AVGTOOLBAR
2008-11-17 01:57 . 2008-11-17 01:57   <DIR>   d--------   c:\documents and settings\All Users\Application Data\avg8
2008-11-17 01:57 . 2008-11-17 01:57   97,928   --a------   c:\windows\system32\drivers\avgldx86.sys
2008-11-17 01:57 . 2008-11-17 01:57   10,520   --a------   c:\windows\system32\avgrsstx.dll
2008-11-17 01:45 . 2008-11-17 01:47   <DIR>   d--------   c:\documents and settings\Carrie\.housecall6.6
2008-11-17 01:45 . 2008-11-17 01:45   102,664   --a------   c:\windows\system32\drivers\tmcomm.sys
2008-11-17 01:14 . 2008-11-17 01:15   <DIR>   d--------   C:\15c15d81896379e36e4af95ecc03
2008-11-17 00:55 . 2008-11-17 01:15   654   --a------   c:\documents and settings\Carrie\nah_log.dat
2008-11-17 00:46 . 2008-11-17 01:09   527   --a------   c:\windows\system32\TDSSosvd.dat
2008-11-14 19:13 . 2000-05-18 15:35   163,840   --a------   c:\windows\system32\12KUBUSD.DLL
2008-11-14 18:52 . 1998-10-01 02:55   906,512   --a------   c:\windows\system32\A255_R35.bpl
2008-11-14 18:52 . 1998-02-09 03:00   245,912   --a------   c:\windows\system32\vclx35.bpl
2008-11-14 18:52 . 1998-06-24 00:00   244,024   --a------   c:\windows\system32\Msflxgrd.OCX
2008-11-14 11:11 . 2008-11-14 11:11   <DIR>   d--------   c:\documents and settings\Carrie\LocalLow
2008-11-14 11:11 . 2008-11-14 11:11   <DIR>   d--------   c:\documents and settings\All Users\Application Data\TVU Networks
2008-11-12 00:20 . 2008-11-12 00:20   <DIR>   d--------   c:\windows\SHELLNEW
2008-11-12 00:17 . 2008-11-12 00:17   <DIR>   dr-h-----   C:\MSOCache
2008-11-11 23:55 . 2008-11-11 23:55   <DIR>   d--------   c:\documents and settings\Carrie\Application Data\Runaware
2008-11-11 23:55 . 2008-11-11 23:55   <DIR>   d--------   c:\documents and settings\Carrie\Application Data\ICAClient
2008-11-11 23:33 . 2008-11-11 23:33   <DIR>   d--------   c:\documents and settings\Carrie\Application Data\MySpace
2008-11-11 23:32 . 2008-11-11 23:32   <DIR>   d--------   c:\program files\MySpace
2008-11-10 18:01 . 2008-11-14 11:11   <DIR>   d--------   c:\documents and settings\Carrie\Application Data\MP3Rocket
2008-11-10 18:00 . 2008-11-10 18:01   <DIR>   d--------   c:\program files\MP3 Rocket
2008-11-10 17:36 . 2008-11-10 17:50   28   --a------   c:\windows\ODBC.INI
2008-11-10 17:33 . 2008-11-12 00:26   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-10 17:13 . 2008-11-12 00:31   <DIR>   d--------   c:\documents and settings\Carrie\Application Data\GetRightToGo
2008-11-10 15:23 . 2008-11-17 22:36   <DIR>   d--------   c:\windows\system32\CatRoot_bak
2008-11-10 15:21 . 2008-06-13 08:10   272,128   -----c---   c:\windows\system32\dllcache\bthport.sys
2008-11-10 15:20 . 2008-08-14 04:51   138,368   -----c---   c:\windows\system32\dllcache\afd.sys
2008-11-10 15:19 . 2008-05-01 09:30   331,776   -----c---   c:\windows\system32\dllcache\msadce.dll
2008-11-10 10:21 . 2008-11-10 10:21   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Motive
2008-11-10 10:20 . 2008-11-10 10:20   <DIR>   d--------   c:\program files\windstream_act
2008-11-10 10:20 . 2008-11-10 10:21   <DIR>   d--------   c:\program files\Common Files\Motive

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-12 05:23   ---------   d-----w   c:\program files\Microsoft Works
2008-11-10 22:48   ---------   d-----w   c:\program files\FamilyFeudHollywood_at
2008-10-24 11:10   453,632   ----a-w   c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 19:13   202,776   ----a-w   c:\windows\system32\wuweb.dll
2008-10-16 19:13   1,809,944   ----a-w   c:\windows\system32\wuaueng.dll
2008-10-16 19:12   561,688   ----a-w   c:\windows\system32\wuapi.dll
2008-10-16 19:12   323,608   ----a-w   c:\windows\system32\wucltui.dll
2008-10-16 19:09   92,696   ----a-w   c:\windows\system32\cdm.dll
2008-10-16 19:09   51,224   ----a-w   c:\windows\system32\wuauclt.exe
2008-10-16 19:09   43,544   ----a-w   c:\windows\system32\wups2.dll
2008-10-16 19:08   34,328   ----a-w   c:\windows\system32\wups.dll
      2008-09-15 11:57   1,846,016   ----a-w   c:\windows\system32\win32k.sys
      2008-09-04 16:42   1,106,944   ----a-w   c:\windows\system32\msxml3.dll
      2008-08-30 01:06   1,350,664   ----a-w   c:\windows\system32\msxml6.dll
      2008-08-26 07:24   826,368   ----a-w   c:\windows\system32\wininet.dll
      .

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2005-08-19 3084288]
      "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2003-03-07 26112]
      "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
      "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-17 1234712]
      "@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2008-10-07 6223048]
      "CHotkey"="mHotkey.exe" [2002-07-23 c:\windows\mHotkey.exe]

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
      "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 434528]
      "MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

      c:\documents and settings\Carrie\Start Menu\Programs\Startup\
      MP3 Rocket (Minimized).lnk - c:\program files\MP3 Rocket\MP3Rocket.exe [2008-02-21 116224]

      c:\documents and settings\All Users\Start Menu\Programs\Startup\
      BigFix.lnk - c:\program files\BigFix\BigFix.exe [2003-03-07 1742384]

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2008-10-07 886984]

      [HKEY_LOCAL_MACHINE\software\microsoft\security center]
      "AntiVirusDisableNotify"=dword:00000001
      "UpdatesDisableNotify"=dword:00000001

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
      "EnableFirewall"= 0 (0x0)

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
      "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
      "c:\\Program Files\\Messenger\\msmsgs.exe"=
      "c:\\Program Files\\LimeWire\\LimeWire.exe"=
      "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
      "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
      "c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
      "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

      R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-17 97928]
      R1 OADevice;OADriver;\??\c:\windows\system32\drivers\OADriver.sys [2008-11-17 178376]
      R1 OAmon;OAmon;\??\c:\windows\system32\drivers\OAmon.sys [2008-11-17 30920]
      R1 OAnet;OAnet;\??\c:\windows\system32\drivers\OAnet.sys [2008-11-17 28872]
      S3 MREMP50;MREMP50 NDIS Protocol Driver;\??\c:\progra~1\COMMON~1\Motive\MREMP50.SYS [2008-11-10 19712]
      S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;\??\c:\progra~1\COMMON~1\Motive\MREMP50a64.SYS []
      S3 MRESP50;MRESP50 NDIS Protocol Driver;\??\c:\progra~1\COMMON~1\Motive\MRESP50.SYS [2008-11-10 18304]
      S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;\??\c:\progra~1\COMMON~1\Motive\MRESP50a64.SYS []
      S3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;c:\windows\system32\drivers\usbscan.sys [2004-09-03 15104]
      .
      - - - - ORPHANS REMOVED - - - -

      HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
      HKCU-Run-DriverUpdaterPro - c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe


      .
      ------- Supplementary Scan -------
      .
      FireFox -: Profile - c:\documents and settings\Carrie\Application Data\Mozilla\Firefox\Profiles\rn5b2yek.default\
      .

      **************************************************************************

      catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2008-11-17 22:46:20
      Windows 5.1.2600 Service Pack 2 NTFS

      scanning hidden processes ...

      scanning hidden autostart entries ...

      scanning hidden files ...

      scan completed successfully
      hidden files: 0

      **************************************************************************
      .
      ------------------------ Other Running Processes ------------------------
      .
      c:\program files\Tall Emu\Online Armor\oasrv.exe
      c:\windows\system32\LEXBCES.EXE
      c:\windows\system32\LEXPPS.EXE
      c:\progra~1\AVG\AVG8\avgwdsvc.exe
      c:\program files\Common Files\Motive\McciCMService.exe
      c:\program files\Tall Emu\Online Armor\oacat.exe
      c:\windows\wanmpsvc.exe
      c:\progra~1\AVG\AVG8\avgrsx.exe
      c:\program files\Tall Emu\Online Armor\oahlp.exe
      c:\windows\SoftwareDistribution\Download\8434d48f46ed0f72046e730a838b6254\update\update.exe
      .
      **************************************************************************
      .
      Completion time: 2008-11-17 23:06:51 - machine was rebooted
      ComboFix-quarantined-files.txt  2008-11-18 04:05:58

      Pre-Run: 56,276,242,432 bytes free
      Post-Run: 56,077,856,768 bytes free

      WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
      [boot loader]
      timeout=2
      default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
      [operating systems]
      c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
      multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

      179   --- E O F ---   2008-11-18 03:38:55

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 11:12:42 PM, on 11/17/2008
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16735)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\csrss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Tall Emu\Online Armor\oasrv.exe
      C:\WINDOWS\system32\LEXBCES.EXE
      C:\WINDOWS\system32\LEXPPS.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
      C:\Program Files\Common Files\Motive\McciCMService.exe
      C:\Program Files\Tall Emu\Online Armor\oacat.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\wanmpsvc.exe
      C:\PROGRA~1\AVG\AVG8\avgrsx.exe
      C:\WINDOWS\System32\alg.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\WINDOWS\mHotkey.exe
      C:\Program Files\Real\RealPlayer\RealPlay.exe
      C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
      C:\Program Files\Tall Emu\Online Armor\oaui.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\BigFix\BigFix.exe
      C:\Program Files\Tall Emu\Online Armor\oahlp.exe
      C:\WINDOWS\SoftwareDistribution\Download\8434d48f46ed0f72046e730a838b6254\update\update.exe
      C:\WINDOWS\explorer.exe
      C:\WINDOWS\system32\notepad.exe
      C:\WINDOWS\system32\NOTEPAD.EXE
      C:\Program Files\Internet Explorer\IEXPLORE.EXE
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
      C:\WINDOWS\System32\wbem\wmiprvse.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
      O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
      O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
      O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
      O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
      O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
      O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
      O4 - Startup: MP3 Rocket (Minimized).lnk = C:\Program Files\MP3 Rocket\MP3Rocket.exe
      O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
      O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
      O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
      O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
      O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
      O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
      O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
      O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
      O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
      O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
      O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
      O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
      O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
      O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_16_0.cab
      O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
      O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
      O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
      O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
      O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
      O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
      O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
      O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)
      O24 - Desktop Component 0: (no name) - http://homepages.pathfinder.gr/BlaCKLadY/easter/bunnyroseegg.gif

      --
      End of file - 6687 bytes
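The two logs above (ComboFix's "Reg Loading Points" and the fresh HijackThis scan) are the raw material the helpers read by eye. As an added illustration, not part of this thread and not the helpers' or either tool's own code, here is a small Python triage script that parses those line formats and lists the entries a reviewer would look at first: an O4 autorun registered under the SYSTEM hive, an O16 ActiveX download from a non-Microsoft host, an O23 service whose binary is "(file missing)", an O24 Active Desktop component pulling remote content, and Security Center / firewall values set to suppress warnings or disable the firewall. The sample input is copied from the logs posted above; the heuristics and the "trusted host" suffix list are my assumptions, and a hit means "look at this", not "this is malware".

```python
"""Triage helpers for HijackThis and ComboFix log text (added example, not the
forum's tooling). The heuristics below are assumptions about what deserves a
second look; a hit is a review item, not a verdict."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample input: lines copied from the HijackThis log posted above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)
O24 - Desktop Component 0: (no name) - http://homepages.pathfinder.gr/BlaCKLadY/easter/bunnyroseegg.gif
"""

# Constructed sample input: the "Reg Loading Points" excerpt from the ComboFix log above.
SAMPLE_COMBOFIX_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"""

HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
URL = re.compile(r"https?://\S+")
# Assumption: ActiveX (O16) downloads from Microsoft's own hosts are expected on XP.
TRUSTED_DPF_SUFFIXES = (".microsoft.com",)


@dataclass
class Finding:
    tag: str      # HijackThis section code, or the registry value name
    reason: str
    line: str


def triage_hjt(text: str) -> list[Finding]:
    """Return the HijackThis entries that deserve a manual look, in log order."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O4" and "(User 'SYSTEM')" in body:
            out.append(Finding(code, "autorun registered under the SYSTEM hive (HKU\\S-1-5-18)", line))
        elif code == "O16":
            u = URL.search(body)
            host = urlparse(u.group()).hostname if u else None
            if host and not host.endswith(TRUSTED_DPF_SUFFIXES):
                out.append(Finding(code, f"ActiveX control downloaded from third-party host {host}", line))
        elif code == "O23" and "(file missing)" in body:
            out.append(Finding(code, "service registration points at a binary that is not on disk", line))
        elif code == "O24":
            out.append(Finding(code, "Active Desktop component pulls remote content", line))
    return out


def _reg_int(value: str):
    """Parse ComboFix value renderings such as 'dword:00000001' or '0 (0x0)'."""
    value = value.strip()
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    m = re.match(r"-?\d+", value)
    return int(m.group()) if m else None


def triage_combofix_reg(text: str) -> list[Finding]:
    """Flag Security Center and firewall settings that hide or weaken defences."""
    out, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = REG_VALUE.match(line)
        if not m:
            continue
        name, val = m.group("name"), _reg_int(m.group("value"))
        if "security center" in key and name.endswith("DisableNotify") and val == 1:
            out.append(Finding(name, "Security Center warning suppressed", line))
        elif "firewallpolicy" in key and name == "EnableFirewall" and val == 0:
            out.append(Finding(name, "Windows Firewall disabled for this profile", line))
    return out


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT) + triage_combofix_reg(SAMPLE_COMBOFIX_REG):
        print(f"[{f.tag}] {f.reason}\n    {f.line}")
```

Run against the samples it reports the SYSTEM-hive MySpaceIM autorun, the tvunetworks.com ActiveX download, the dangling Windows Defender service, the remote desktop component, both DisableNotify values and the disabled firewall, and stays quiet on the AVG tray entry and the Microsoft-hosted WGA control. Each finding is something to confirm by hand; the script only orders the reading.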

aBcDeFg (Bronze Member)
      Re: [In Progress]Please help me analyze my HiJack this Log !!! :(
      « Reply #3 on: November 17, 2008, 10:17:03 PM »
OK. I did everything you suggested; however, when I go to Internet Options and Restricted Sites, the sites are still there, and when I delete them they still come right back.

Does that mean there's still something wrong with my computer? ???

PCBruiser (Malware Removal Mentors, Ambassador, Diamond Member)
      Re: [In Progress]Please help me analyze my HiJack this Log !!! :(
      « Reply #4 on: November 18, 2008, 08:15:49 AM »
      Hi,

      Yes, don't expect that the first steps will fix everything.  We got rid of a significant amount of malware on the first steps, and there is still more to do.

      Please open your Add or Remove Programs Control Panel and uninstall Limewire if you can find it.  Post whether you were able to find and uninstall it or not.

      Please update the definitions for MBAM and run it one more time.  Often the second run finds things the first run does not.  And, the first run for both MBAM and CF found some very nasty stuff, including a rootkit.  Do not run CF again unless I ask you to do so.  Just rerun MBAM and post the log from it, and post a fresh HJT log.
      « Last Edit: November 18, 2008, 08:19:59 AM by PCBruiser »
      Don't Read?  Can't learn!

aBcDeFg (Bronze Member)
      Re: [In Progress]Please help me analyze my HiJack this Log !!! :(
      « Reply #5 on: November 18, 2008, 09:47:02 AM »
OK, I can do all of that except delete Limewire. This isn't my computer; they bought Limewire Pro, and if I deleted it, they would kill me.  :-\ Would that cause anything bad if I didn't delete it?

PCBruiser (Malware Removal Mentors, Ambassador, Diamond Member)
      Re: [In Progress]Please help me analyze my HiJack this Log !!! :(
      « Reply #6 on: November 18, 2008, 10:09:02 AM »
We will not fix systems that have P2P installed.  http://spywarehammer.com/simplemachinesforum/index.php?topic=110.0  And, even more importantly, I cannot help you fix this system without the express approval of the owner.  We can only fix systems for their owners.  You are not the owner, so you do not have the authority to authorize me to repair the system.

      Please have the owner of this system register here, and post to this topic their express approval for me continuing to fix this system.  Until then, I cannot provide any further help.

aBcDeFg (Bronze Member)
      Re: [In Progress]Please help me analyze my HiJack this Log !!! :(
      « Reply #7 on: November 18, 2008, 10:14:14 AM »
      Malwarebytes' Anti-Malware 1.30
      Database version: 1406
      Windows 5.1.2600 Service Pack 2

      11/18/2008 11:13:48 AM
      mbam-log-2008-11-18 (11-13-48).txt

      Scan type: Quick Scan
      Objects scanned: 53542
      Time elapsed: 7 minute(s), 54 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)

aBcDeFg (Bronze Member)
      Re: [In Progress]Please help me analyze my HiJack this Log !!! :(
      « Reply #8 on: November 18, 2008, 10:17:51 AM »
It's my mom's computer... She doesn't know how to do any of this, which is why I'm doing it for her.

PCBruiser (Malware Removal Mentors, Ambassador, Diamond Member)
      Re: [In Progress]Please help me analyze my HiJack this Log !!! :(
      « Reply #9 on: November 18, 2008, 10:26:50 AM »
      Sorry, I still must have Limewire uninstalled.  And, you used the word "they" twice in your last post.  That makes me think that there may be multiple owners other than yourself.  I am very uncomfortable providing any additional help until an owner approves our work.

aBcDeFg (Bronze Member)
      Re: [In Progress]Please help me analyze my HiJack this Log !!! :(
      « Reply #10 on: November 18, 2008, 06:58:53 PM »
"They" can be used as a pronoun when referring to someone else without directly stating their gender. I really need help with this before something bad happens to the computer. I can't for the life of me see why you can't help me simply because it's my mother's computer. I'm sorry, but a 50-year-old woman isn't likely to know how to fix a spyware problem.


      Can you please help me, or not?  ???

PCBruiser (Malware Removal Mentors, Ambassador, Diamond Member)
      Re: [In Progress]Please help me analyze my HiJack this Log !!! :(
      « Reply #11 on: November 19, 2008, 08:11:07 AM »
      Unless you can provide authorization from the owner, and uninstall Limewire, then I am afraid I cannot provide any further assistance.  That's our rules here and I will not violate them.  Sorry.

aBcDeFg (Bronze Member)
      Re: [In Progress]Please help me analyze my HiJack this Log !!! :(
      « Reply #12 on: November 19, 2008, 10:51:44 AM »
Well, that's about retarded when a mother asks her 20-year-old daughter to fix her computer for her and you want a permission slip.

      What does my mommy need to sign for you so that you'll help me?

PCBruiser (Malware Removal Mentors, Ambassador, Diamond Member)
      Re: [In Progress]Please help me analyze my HiJack this Log !!! :(
      « Reply #13 on: November 19, 2008, 12:15:46 PM »
      I am locking this topic since we are unable to provide you with any additional assistance under our rules here.