Author Topic: [Resolved] Yahoo Mail Contact List Spammed


Offline Liza

  • Bronze Member
  • Posts: 14
[Resolved] Yahoo Mail Contact List Spammed
« on: October 28, 2010, 03:35:09 pm »
Hi,

I'm not sure exactly what my problem could be.  I have a Yahoo mail account that I use for a specific thing.  When I opened my mail today I had returned mail notices from several of my contact list.  Most of the contacts at this email address are mailing-list-type addresses that do not accept mail.  I do not know how this spammer got into my account and contact list.

I ran my AV program Avast and Malwarebytes and both said no infections were found.

Here is a copy of my HJT log.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:26:48 PM, on 10/28/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Alwil Software\Avast5\AvastSvc.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\hkcmd.exe
H:\WINDOWS\system32\igfxpers.exe
H:\Program Files\Canon\BJPV\TVMon.exe
H:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
H:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
H:\Program Files\COMODO\COMODO Internet Security\cfp.exe
H:\Program Files\SpywareGuard\sgmain.exe
H:\Program Files\SpywareGuard\sgbhp.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\CSHelper.exe
H:\WINDOWS\eHome\ehRecvr.exe
H:\WINDOWS\eHome\ehSched.exe
H:\Program Files\Java\jre6\bin\jqs.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\dllhost.exe
H:\Documents and Settings\Liz\My Documents\Games\Grim\Game.exe
H:\WINDOWS\system32\wiaacmgr.exe
H:\Program Files\ISP.COM Internet Services\dialer.exe
H:\Program Files\Microsoft Reader\msreader.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\Program Files\Mozilla Firefox\plugin-container.exe
H:\Program Files\Free Download Manager\fdm.exe
H:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.isp.com/members/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.isp.com/members/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.isp.com/members/
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - H:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - H:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - H:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - H:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - H:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [igfxtray] H:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] H:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] H:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BJPD HID Control] H:\Program Files\Canon\BJPV\TVMon.exe
O4 - HKLM\..\Run: [WinPatrol] H:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [avast5] H:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "H:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - Startup: SpywareGuard.lnk = H:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Download All with FlashGet - H:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - H:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://H:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://H:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://H:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - H:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - H:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152125757078
O16 - DPF: {A7846ED2-9DE6-4E8A-B116-A8ACEBFA7DB1} (Invoke Solutions MILiveParticipantPadHelper Control) - http://rms2.invokesolutions.com/events/bin/6.2.0.1452/MILive.cab
O16 - DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} (Invoke Solutions Participant Control(MR)) -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6E0C58F-75F6-4A0B-A4F2-3D725EA69C47}: NameServer = 205.208.227.13 205.208.227.14
O20 - AppInit_DLLs:  
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - H:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - H:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - H:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - H:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - H:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - H:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - H:\WINDOWS\system32\CSHelper.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6873 bytes


Thanks for your help.

Liza




« Last Edit: October 28, 2010, 04:56:03 pm by 1972vet »



Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Yahoo Mail Contact List Spammed
« Reply #1 on: October 28, 2010, 05:26:52 pm »
Greetings Liza and Welcome to our Forums,

The log shows nothing that would account for your email issue. There are a few questionable items and your security setup is a bit of overkill.

Having Avast and Comodo installed works well as long as you leave Comodo's antivirus engine disabled as I see you evidently have (at least while the scan produced that log).

As the "Comodo Internet Security" is different than Comodo's stand-alone firewall, it comes along with the Comodo antivirus engine. You apparently are already aware of it...so I trust you have been educated in consumer security to some degree. That's good!

I would suspect you may have a small performance issue as well which could be the result of the many security products you have installed.

Winpatrol is Excellent! That, and Avast I would say is enough as for your real time protection. Comodo's firewall is good but is also fairly resource intensive. The SpywareGuard is absolutely unnecessary and should be uninstalled. Not that it's a bad product. By no means! It is also very good but not needed along with everything else you have installed. In other words, it is redundant.

There is just a myriad of ways for a spammer to harvest email addresses. Because you have been spammed is no reason to suspect a problem with your email. The problem, perhaps, lies with your email client.

I would like to take a deeper look at things. Disable the active protection component of your antivirus and antispyware programs by following the directions that apply Here. Next, please perform these steps in order as they appear:

Step 1
Please download the free utility DDS. Double click dds.scr to run the tool
  • When it completes, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.

Step 2
Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to your desktop
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please agree to do so
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that, by default, have already been checked. Please uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (In other words, uncheck anything that is NOT your System drive. Your system drive is where Windows is installed which is typically C:\)
    • Show All <--don't miss this one
  • Then click the Scan button & wait for it to finish
  • Once the scan completes, click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save it where you can easily find it, such as your desktop
  • If you have trouble scanning with gmer then try the scan again but this time with everything unchecked except for "sections"...and after trying that with no result then boot to safe mode and run the scan there. GMER is one of the rootkit scanners that will run fine in safe mode.

**Caution**
Rootkit scans often produce false positives.
Do NOT take any action on any of these "<--- ROOTKIT" entries without proper guidance from an expert user.

Please include the following logs in your next reply, Thanks!:
  • DDS.txt
  • Attach.txt
  • ark.txt

Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-12

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven
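The first-pass review 1972vet did on the HijackThis log above (start pages, autorun entries, services with no publisher recorded, an ActiveX entry with no download URL) can be automated for triage. The script below is an added example written for this page; it is not code from the thread, from HijackThis, or from the forum's helpers. Its sample input reuses a few lines copied from Liza's log plus one constructed `O4` line (the `[updater]` entry, which does not exist on her machine) so that the "autorun outside the usual program folders" check has something to fire on. The known-root list and the wording of the findings are this example's own assumptions, and a finding means "look at this", not "this is malware", exactly as the thread's caution about false positives says.

```python
import re

# Folders under which autorun binaries are usually expected (assumption for this example).
KNOWN_ROOTS = ("\\windows\\", "\\program files\\", "\\progra~1\\")

# Constructed sample: lines copied from the HijackThis log above, plus one made-up
# O4 line ([updater] ... \Temp\upd.exe) that is NOT from the log, to exercise the check.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.isp.com/members/
O4 - HKLM\..\Run: [avast5] H:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [WinPatrol] H:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [updater] H:\Documents and Settings\Liz\Local Settings\Temp\upd.exe
O16 - DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} (Invoke Solutions Participant Control(MR)) -
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - H:\WINDOWS\system32\CSHelper.exe
O23 - Service: avast! Antivirus - AVAST Software - H:\Program Files\Alwil Software\Avast5\AvastSvc.exe
"""

# "O23 - body": section code, separator, remainder of the line.
LINE_RE = re.compile(r"^(?P<code>[RFO]\d{1,2})\s+-\s+(?P<body>.*)$")
# O4 body: HKLM\..\Run: [name] command line
RUN_RE = re.compile(r"^(?P<hive>\w+)\\\.\.\\(?P<key>\w+):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# O23 body: Service: display name - publisher - path
SERVICE_RE = re.compile(r"^Service:\s*(?P<name>.*?)\s+-\s+(?P<owner>.*?)\s+-\s+(?P<path>.*)$")


def parse_hjt(text):
    """Return (code, body) pairs for every HijackThis-style line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def command_path(cmd):
    """Extract the executable path from an autorun command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.lower().find(".exe")
    if idx >= 0:
        return cmd[: idx + 4]
    return cmd.split()[0] if cmd else ""


def in_known_root(path):
    """True when the path lies under one of the folders listed in KNOWN_ROOTS."""
    low = path.lower()
    return any(root in low for root in KNOWN_ROOTS)


def triage(text):
    """Return (code, item, reason) tuples for entries a helper would look at first."""
    findings = []
    for code, body in parse_hjt(text):
        if code in ("R0", "R1") and "=" in body:
            url = body.split("=", 1)[1].strip()
            findings.append((code, url, "browser start/search page; confirm it is one you chose"))
        elif code == "O4":
            m = RUN_RE.match(body)
            if m:
                path = command_path(m.group("cmd"))
                if not in_known_root(path):
                    findings.append((code, path, "autorun outside Windows/Program Files; verify before keeping"))
        elif code == "O16" and body.rstrip().endswith("-"):
            clsid = body.split("(")[0].strip()
            findings.append((code, clsid, "ActiveX control with no download URL recorded; check the CLSID"))
        elif code == "O23":
            m = SERVICE_RE.match(body)
            if m and m.group("owner").lower() == "unknown owner":
                findings.append((code, m.group("path"), "service has no publisher recorded; verify the binary's origin"))
    return findings


if __name__ == "__main__":
    for code, item, reason in triage(SAMPLE_LOG):
        print(f"{code:4} {item}\n     -> {reason}")
```

Run as-is it prints four items from the sample: the start page, the constructed `[updater]` autorun, the `O16` entry with the missing URL, and the `CSHelper` service whose owner is recorded as "Unknown owner". The two Avast lines and the WinPatrol line pass silently, which is the point: the script narrows the log to what needs a human decision rather than deciding anything itself.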

Offline Liza

  • Bronze Member
  • Posts: 14
Re: [Resolved] Yahoo Mail Contact List Spammed
« Reply #2 on: October 29, 2010, 07:56:48 am »
Thanks for the fast response 1972vet.

So you think that maybe someone was able to gain access to my Yahoo mail account and address book from their end, and then sent out the spam from my email address and to all my contacts?

I was able to do the scan with the DDS application and have posted the one here.  I was not sure about the Attach one as it said to attach, but am posting here as you instructed.

When I ran GMER I got a blue screen and it said that Windows had shut down because it detected a problem with:

awtoqkow.sys
Page_Fault_In_Nonpaged_Area.

I was able to restart and decided I had better wait to hear from you before I run it again.

I used ZoneAlarm for a firewall for many years.  Recently they upgraded their program and I was unhappy with it.  I just installed Comodo to see if I would like it.  (I don't, by the way, and would appreciate any suggestions).


Here are the two logs:  (Do I need to save them to the desktop or just somewhere that I can remember?)

    DDS (Ver_10-10-21.02) - NTFSx86  
    Run by Liz at  9:30:38.82 on Fri 10/29/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.502.86 [GMT -4:00]

    AV: avast! Antivirus *On-access scanning enabled* (Updated)   {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: COMODO Firewall *enabled*   {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

    ============== Running Processes ===============

    H:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    H:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    H:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    H:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    H:\WINDOWS\Explorer.EXE
    H:\WINDOWS\system32\igfxpers.exe
    H:\Program Files\Canon\BJPV\TVMon.exe
    H:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    H:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    H:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    H:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    H:\WINDOWS\system32\CSHelper.exe
    H:\WINDOWS\eHome\ehRecvr.exe
    H:\WINDOWS\eHome\ehSched.exe
    H:\Program Files\Java\jre6\bin\jqs.exe
    svchost.exe
    H:\WINDOWS\system32\svchost.exe -k imgsvc
    H:\WINDOWS\system32\dllhost.exe
    H:\Program Files\ISP.COM Internet Services\dialer.exe
    H:\Program Files\Mozilla Firefox\firefox.exe
    H:\Program Files\Windows NT\Accessories\wordpad.exe
    H:\WINDOWS\system32\wuauclt.exe
    H:\WINDOWS\system32\msiexec.exe
    H:\Documents and Settings\Liz\My Documents\Downloads\AppDL\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.isp.com/members/
    uWindow Title =
    uDefault_Page_URL = hxxp://www.isp.com/members/
    mStart Page = hxxp://www.isp.com/members/
    mWindow Title =
    BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - h:\program files\flashget\jccatch.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - h:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - h:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - h:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - h:\program files\flashget\getflash.dll
    mRun: [igfxtray] h:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] h:\windows\system32\hkcmd.exe
    mRun: [igfxpers] h:\windows\system32\igfxpers.exe
    mRun: [BJPD HID Control] h:\program files\canon\bjpv\TVMon.exe
    mRun: [WinPatrol] h:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
    mRun: [avast5] h:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    mRun: [SunJavaUpdateSched] "h:\program files\java\jre6\bin\jusched.exe"
    mRun: [COMODO Internet Security] "h:\program files\comodo\comodo internet security\cfp.exe" -h
    IE: &Download All with FlashGet - h:\program files\flashget\jc_all.htm
    IE: &Download with FlashGet - h:\program files\flashget\jc_link.htm
    IE: Download all with Free Download Manager - file://h:\program files\free download manager\dlall.htm
    IE: Download selected with Free Download Manager - file://h:\program files\free download manager\dlselected.htm
    IE: Download with Free Download Manager - file://h:\program files\free download manager\dllink.htm
    IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - h:\program files\flashget\FlashGet.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - h:\progra~1\spybot~1\SDHelper.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152125757078
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {A7846ED2-9DE6-4E8A-B116-A8ACEBFA7DB1} - hxxp://rms2.invokesolutions.com/events/bin/6.2.0.1452/MILive.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47}
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: {C6E0C58F-75F6-4A0B-A4F2-3D725EA69C47} = 205.208.227.13 205.208.227.14
    Notify: igfxcui - igfxdev.dll
    Hosts: 127.0.0.1   www.spywareinfodotcom edited by 1972vet to remove the active link

    ================= FIREFOX ===================

    FF - ProfilePath - h:\docume~1\liz\applic~1\mozilla\firefox\profiles\profile.knconnector\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: h:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: h:\program files\mozilla firefox\plugins\npArtistScope42.dll
    FF - plugin: h:\program files\mozilla firefox\plugins\npArtistScopeDRM11.dll
    FF - plugin: h:\program files\mozilla firefox\plugins\NPcol400.dll
    FF - plugin: h:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - h:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - h:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    h:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    h:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    h:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    h:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    h:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    h:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    h:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    h:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    h:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true);  // Traditional
    h:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true);  // Simplified

    ============= SERVICES / DRIVERS ===============

    R0 MrFilter;EasyWrite Driver;h:\windows\system32\drivers\MRFilter.sys [2009-5-2 12384]
    R1 aswSP;aswSP;h:\windows\system32\drivers\aswSP.sys [2008-4-5 165584]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;h:\windows\system32\drivers\cmdGuard.sys [2010-6-4 239240]
    R1 cmdHlp;COMODO Internet Security Helper Driver;h:\windows\system32\drivers\cmdhlp.sys [2010-6-1 25240]
    R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [2008-4-5 17744]
    R2 avast! Antivirus;avast! Antivirus;h:\program files\alwil software\avast5\AvastSvc.exe [2010-4-10 40384]
    R2 cmdAgent;COMODO Internet Security Helper Service;h:\program files\comodo\comodo internet security\cmdagent.exe [2010-6-1 1901056]
    R2 CSHelper;CopySafe Helper Service;h:\windows\system32\CSHelper.exe [2010-9-5 266240]
    R2 McrdSvc;Media Center Extender Service;h:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R3 avast! Mail Scanner;avast! Mail Scanner;h:\program files\alwil software\avast5\AvastSvc.exe [2010-4-10 40384]
    R3 avast! Web Scanner;avast! Web Scanner;h:\program files\alwil software\avast5\AvastSvc.exe [2010-4-10 40384]
    S4 ASKService;ASKService;h:\program files\askbardis\bar\bin\askservice.exe --> h:\program files\askbardis\bar\bin\AskService.exe [?]
    S4 Boonty Games;Boonty Games;"h:\program files\common files\boonty shared\service\boonty.exe" --> h:\program files\common files\boonty shared\service\Boonty.exe [?]
    S4 gupdate;Google Update Service (gupdate);"h:\program files\google\update\googleupdate.exe" /svc --> h:\program files\google\update\GoogleUpdate.exe [?]

    =============== Created Last 30 ================

    2010-10-24 19:08:36   --------   d-----w-   h:\windows\system32\vmm32
    2010-10-24 18:58:22   --------   d-----w-   h:\program files\Dell
    2010-10-24 17:24:32   --------   d-----w-   h:\docume~1\alluse~1\applic~1\COMODO
    2010-10-24 17:18:00   --------   d-----w-   h:\program files\COMODO
    2010-10-24 17:09:47   --------   d-----w-   h:\windows\Internet Logs
    2010-10-13 18:11:47   617472   -c----w-   h:\windows\system32\dllcache\comctl32.dll
    2010-10-13 18:00:15   974848   -c----w-   h:\windows\system32\dllcache\mfc42.dll
    2010-10-13 18:00:15   953856   -c----w-   h:\windows\system32\dllcache\mfc40u.dll
    2010-10-08 23:37:25   --------   d-----w-   h:\docume~1\liz\applic~1\EternalEden
    2010-10-06 22:25:19   --------   d-----w-   h:\docume~1\liz\locals~1\applic~1\PCHealth
    2010-10-05 18:11:09   --------   d-----w-   h:\program files\Calibre2

    ==================== Find3M  ====================

    2010-10-24 18:33:55   285480   ----a-w-   h:\windows\system32\guard32.dll
    2010-09-18 16:23:26   974848   ----a-w-   h:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25   974848   ----a-w-   h:\windows\system32\mfc42.dll
    2010-09-18 06:53:25   954368   ----a-w-   h:\windows\system32\mfc40.dll
    2010-09-18 06:53:25   953856   ----a-w-   h:\windows\system32\mfc40u.dll
    2010-09-10 12:50:37   73728   ----a-w-   h:\windows\system32\javacpl.cpl
    2010-09-10 12:50:36   423656   ----a-w-   h:\windows\system32\deployJava1.dll
    2010-09-10 05:58:08   916480   ----a-w-   h:\windows\system32\wininet.dll
    2010-09-10 05:58:06   43520   ----a-w-   h:\windows\system32\licmgr10.dll
    2010-09-10 05:58:06   1469440   ------w-   h:\windows\system32\inetcpl.cpl
    2010-09-07 15:12:17   38848   ----a-w-   h:\windows\avastSS.scr
    2010-09-05 11:06:29   266240   ----a-w-   h:\windows\system32\CSHelper.exe
    2010-09-05 11:06:29   225280   ----a-w-   h:\windows\system32\CSInstru.DLL
    2010-09-01 11:51:14   285824   ----a-w-   h:\windows\system32\atmfd.dll
    2010-08-31 13:42:52   1852800   ----a-w-   h:\windows\system32\win32k.sys
    2010-08-27 08:02:29   119808   ----a-w-   h:\windows\system32\t2embed.dll
    2010-08-27 05:57:43   99840   ----a-w-   h:\windows\system32\srvsvc.dll
    2010-08-26 12:52:45   5120   ----a-w-   h:\windows\system32\xpsp4res.dll
    2010-08-23 16:12:04   617472   ----a-w-   h:\windows\system32\comctl32.dll
    2010-08-23 12:30:45   1682   --sha-w-   h:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
    2010-08-17 13:17:06   58880   ----a-w-   h:\windows\system32\spoolsv.exe
    2010-08-16 08:45:00   590848   ----a-w-   h:\windows\system32\rpcrt4.dll
    2010-08-10 00:44:56   253099   ----a-w-   h:\windows\Eternal Sunrise Uninstaller.exe
    2010-08-07 14:00:34   1682   --sha-w-   h:\windows\system32\KGyGaAvL.sys

    ============= FINISH:  9:31:52.60 ===============



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-10-21.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/5/2006 1:19:19 PM
    System Uptime: 10/29/2010 8:58:34 AM (1 hours ago)

    Motherboard: Dell Inc.           |  | 0JC474
    Processor:               Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

    ==== Disk Partitions =========================

    C: is Removable
    D: is CDROM ()
    E: is Removable
    F: is Removable
    G: is Removable
    H: is FIXED (NTFS) - 149 GiB total, 114.216 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1219: 7/31/2010 11:57:33 AM - System Checkpoint
    RP1220: 8/1/2010 3:17:00 PM - System Checkpoint
    RP1221: 8/2/2010 3:46:26 PM - System Checkpoint
    RP1222: 8/3/2010 4:26:38 PM - System Checkpoint
    RP1223: 8/3/2010 9:18:08 PM - Software Distribution Service 3.0
    RP1224: 8/5/2010 6:17:12 PM - System Checkpoint
    RP1225: 8/6/2010 9:16:13 PM - System Checkpoint
    RP1226: 8/8/2010 6:31:37 AM - System Checkpoint
    RP1227: 8/9/2010 10:02:42 AM - System Checkpoint
    RP1228: 8/10/2010 6:26:16 PM - System Checkpoint
    RP1229: 8/11/2010 7:53:28 PM - System Checkpoint
    RP1230: 8/11/2010 8:32:56 PM - Software Distribution Service 3.0
    RP1231: 8/12/2010 4:58:13 PM - Software Distribution Service 3.0
    RP1232: 8/13/2010 6:07:27 PM - System Checkpoint
    RP1233: 8/13/2010 8:23:45 PM - Software Distribution Service 3.0
    RP1234: 8/15/2010 10:22:51 AM - System Checkpoint
    RP1235: 8/15/2010 6:15:02 PM - Software Distribution Service 3.0
    RP1236: 8/17/2010 8:33:47 AM - System Checkpoint
    RP1237: 8/18/2010 6:04:51 PM - System Checkpoint
    RP1238: 8/20/2010 5:59:32 PM - System Checkpoint
    RP1239: 8/22/2010 5:44:27 PM - System Checkpoint
    RP1240: 8/23/2010 6:01:07 PM - System Checkpoint
    RP1241: 8/24/2010 8:49:09 PM - System Checkpoint
    RP1242: 8/26/2010 7:36:26 AM - System Checkpoint
    RP1243: 8/27/2010 11:18:15 AM - System Checkpoint
    RP1244: 8/28/2010 1:22:16 PM - System Checkpoint
    RP1245: 8/30/2010 3:21:53 PM - System Checkpoint
    RP1246: 9/1/2010 6:29:51 AM - System Checkpoint
    RP1247: 9/2/2010 12:43:28 PM - System Checkpoint
    RP1248: 9/3/2010 2:26:41 PM - System Checkpoint
    RP1249: 9/4/2010 6:13:33 PM - System Checkpoint
    RP1250: 9/6/2010 12:15:17 PM - System Checkpoint
    RP1251: 9/7/2010 12:20:41 PM - System Checkpoint
    RP1252: 9/8/2010 5:48:35 PM - System Checkpoint
    RP1253: 9/9/2010 6:06:55 PM - System Checkpoint
    RP1254: 9/10/2010 8:49:39 AM - Removed Java(TM) 6 Update 13
    RP1255: 9/10/2010 8:50:28 AM - Installed Java(TM) 6 Update 21
    RP1256: 9/10/2010 9:06:34 AM - Installed Java(TM) 6 Update 13
    RP1257: 9/11/2010 1:59:45 PM - System Checkpoint
    RP1258: 9/12/2010 2:47:37 PM - System Checkpoint
    RP1259: 9/13/2010 6:02:40 PM - System Checkpoint
    RP1260: 9/14/2010 6:03:50 PM - System Checkpoint
    RP1261: 9/15/2010 6:05:28 PM - System Checkpoint
    RP1262: 9/16/2010 6:06:04 PM - System Checkpoint
    RP1263: 9/17/2010 2:37:31 AM - Software Distribution Service 3.0
    RP1264: 9/18/2010 12:55:59 PM - System Checkpoint
    RP1265: 9/19/2010 1:35:20 PM - System Checkpoint
    RP1266: 9/20/2010 6:07:35 PM - System Checkpoint
    RP1267: 9/21/2010 10:16:01 PM - System Checkpoint
    RP1268: 9/23/2010 6:16:56 PM - System Checkpoint
    RP1269: 9/25/2010 10:02:25 AM - System Checkpoint
    RP1270: 9/26/2010 11:19:21 AM - System Checkpoint
    RP1271: 9/27/2010 6:03:52 PM - System Checkpoint
    RP1272: 9/29/2010 1:11:59 PM - System Checkpoint
    RP1273: 9/30/2010 2:27:53 PM - System Checkpoint
    RP1274: 9/30/2010 9:07:52 PM - Software Distribution Service 3.0
    RP1275: 10/2/2010 2:57:37 PM - System Checkpoint
    RP1276: 10/3/2010 5:21:42 PM - System Checkpoint
    RP1277: 10/5/2010 1:16:00 PM - System Checkpoint
    RP1278: 10/5/2010 2:10:53 PM - Installed calibre
    RP1279: 10/5/2010 2:18:46 PM - Removed calibre
    RP1280: 10/5/2010 8:18:09 PM - Software Distribution Service 3.0
    RP1281: 10/6/2010 2:44:15 PM - Software Distribution Service 3.0
    RP1282: 10/7/2010 4:52:03 AM - Software Distribution Service 3.0
    RP1283: 10/8/2010 3:40:24 PM - System Checkpoint
    RP1284: 10/12/2010 6:04:47 PM - System Checkpoint
    RP1285: 10/13/2010 6:12:16 PM - System Checkpoint
    RP1286: 10/13/2010 7:27:43 PM - Software Distribution Service 3.0
    RP1287: 10/14/2010 8:18:59 PM - Software Distribution Service 3.0
    RP1288: 10/15/2010 9:11:45 PM - System Checkpoint
    RP1289: 10/18/2010 4:59:08 AM - Software Distribution Service 3.0
    RP1290: 10/20/2010 11:52:20 AM - System Checkpoint
    RP1291: 10/21/2010 3:23:09 PM - System Checkpoint
    RP1292: 10/24/2010 1:06:54 PM - comodo
    RP1293: 10/24/2010 1:17:46 PM - Installed COMODO Internet Security
    RP1294: 10/25/2010 6:13:22 PM - System Checkpoint
    RP1295: 10/27/2010 9:08:16 AM - System Checkpoint
    RP1296: 10/28/2010 12:39:00 PM - System Checkpoint

    ==== Installed Programs ======================

    Adobe Digital Editions
    Adobe Download Manager
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0.8
    Applet_App
    Applet_Copy
    Applet_Creativity
    Applet_Email
    Applet_Epp
    Applet_File
    Applet_OCR
    Applet_Web
    ArcSoft PhotoImpression 3.0
    ArtistScope Plugin FX
    avast! Free Antivirus
    Big Fish Games: Game Manager
    calibre
    Canon i470D
    CCleaner
    Chicktionary
    COMODO Internet Security
    Conexant D850 56K V.9x DFVc Modem
    Copy Utility
    Crystal Cave Lost Treasures 1.00
    Dell Resource CD
    EPSON Photo Print
    EPSON Smart Panel
    EPSON TWAIN 5
    Eternal Eden
    Eternal Sunrise
    FlashGet 1.9.6.1073
    Free Download Manager 2.1
    Google Earth
    Google Update Helper
    Grimoire Chronicles
    High Definition Audio Driver Package - KB835221
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections Drivers
    Invoke Solutions Participant 6.2.0.1452
    ISP.COM Internet Services
    Java Auto Updater
    Java(TM) 6 Update 13
    Java(TM) 6 Update 21
    Keynote Connector
    Laxius Force III
    Legionwood (v3.12)
    Mahjongg Mania!
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.0 Hotfix (KB953295)
    Microsoft .NET Framework 1.0 Hotfix (KB979904)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Reader
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mortimer Beckett And The Secrets of Spooky Manor
    Mozilla Firefox (3.6.11)
    OpenAL
    OpenOffice.org 3.1
    PowerDVD 5.5
    RGSS-RTP Standard
    RM2k3 English RTP 1.0
    Roxio DLA
    Roxio EasyWrite Reader
    Roxio MyDVD LE
    Roxio RecordNow Audio
    Roxio RecordNow Copy
    Roxio RecordNow Data
    RPG Maker 2000 -  Dragon Fantasy REMAKE
    RPG Maker 2000 1.03
    RPG Maker 2000 1.05
    RPG Maker VX
    RPG Maker VX RTP
    RPGXP
    RTP 1.32 Add-On for RM2k
    RTP de RPG Maker 2003
    RTP for RM2K (Png, Wav, Midi, Fonts)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SigmaTel Audio
    Skymist - The Lost Spirit Stones
    Sonic Update Manager
    Spybot - Search & Destroy
    Spybot - Search & Destroy 1.5.2.20
    SpywareBlaster 4.3
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB982632)
    Update for Windows Media Player 10 (KB913800)
    Update for Windows Media Player 10 (KB926251)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    VC 9.0 Runtime
    WebFldrs XP
    Whisper of a Rose Gold 1.00
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format Runtime
    Windows XP Media Center Edition 2005 KB908250
    Windows XP Media Center Edition 2005 KB973768
    Windows XP Service Pack 3
    WinPatrol 2009
    WinRAR archiver
    Women's Murder Club 3  Twice in a Blue Moon 1.00

    ==== Event Viewer Messages From Past Week ========

    10/24/2010 1:06:21 PM, error: DCOM [10005]  - DCOM got error "%1058" attempting to start the service ntmssvc with arguments "-Service" in order to run the server: {D61A27C6-8F53-11D0-BFA0-00A024151983}

    ==== End Of File ===========================
    « Last Edit: October 29, 2010, 10:15:08 am by 1972vet »

    Offline 1972vet

    • Microsoft® MVP
    • Malware Removal Staff
    • Diamond Member
    • Posts: 8290
    • Patience is bitter indeed, but its fruit is sweet.
    Re: [Resolved] Yahoo Mail Contact List Spammed
    « Reply #3 on: October 29, 2010, 10:12:59 am »
    OK, no need to look any further as I can see now from your DDS log how things came to be as they are. We'll get to it in a moment.

    I'd also like to point out that you have a few other issues that we can remove by uninstalling and updating. There are at least three outdated applications on board (maybe more, as we might learn later), but for now...let's do this:

    Please uninstall the following:
    Adobe Reader 7.0.8 <--Both outdated and exploited. We will install the latest version when the system is cleaned
    Java(TM) 6 Update 13 <--Another out of date and exploited...You already have the latest version installed. Regardless, this one is unnecessary

    The program below:
    OpenOffice.org 3.1
    ...has been updated. Older versions of software are always subject to hackers' whims. In time, they all can be exploited, so it is absolutely essential to keep an eye on your programs and update them from time to time.

    The best antivirus product on the market cannot do a thing about an unpatched exploited piece of software you have on board. This goes for the operating system as well. Having unpatched software is the quickest way to compromise an operating system.

    Said that for emphasis...Now, as to OpenOffice, when you install it, Java will come along with it unless you change settings from a default install. If you know how to do that, fine. If not, just open any of the OpenOffice programs, click Help from the menu at the top, then scroll to and select Check for Updates. This should update the product without installing another older (by the way) Java version. At least, that's the way it was the last time I checked it. To be sure, after you update it, check your add/remove programs again. If you find an older Java component, other than Java 6 update 22, then please uninstall it (let me know too please as it's been a while since I checked on this) .

    For your firewall concern, Comodo is really quite good. I have said in the past, though, that it may just be left to the advanced user. If you do not consider yourself one of those, you should uninstall it. For now, as you should only be using that system to come here and respond to these instructions, you should be fine with just the Windows on-board firewall.

    Quote
    So you think that maybe someone was able to gain access to my yahoo mail account and address book from their end, and then sent out the spam from my email address and to all my contacts?
    OK, I was afraid this is what you meant but your original description wasn't quite clear. The short answer is No. That's not what I thought lol...if one receives a spam email it can be certain to have come from some robot that scans and harvests email addresses from the web. If one has spam sent from THEIR email account, then some malicious software had to have entered the system and your email password is what was harvested. Trojan software does this, as well as countless other malicious codes.

    By the way, your hosts file entry here:
    Hosts: 127.0.0.1   hxxp://www.spywareinfo.com
    ...is allowing a malicious web site access, so this may be one way you got yourself into these troubles. If you were attempting to guarantee access to the old SpywareInfo forum, then you have an outdated link for it. That one is infected now, and the new web site for SpywareInfo is SpywareInfoForum.com

    Now, let's get to it:
    Please download ComboFix from This Webpage...and read through the instructions there for running the tool.

    ***Important Note***
    Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

    If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


    The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware.  It's a simple procedure that will only take a few moments.

    Once installed, a blue screen prompt should appear that reads as follows:

    The Recovery Console was successfully installed.

    When you see that screen, please continue as follows:

    • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.
    When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

    Note:
    Do not mouse-click ComboFix's window while it's running....that may cause the scan to stall
    Disabled Veteran
    U.S.C.G. 1972 - 1978
    Membership: U.N.I.T.E., A.S.A.P.

    2009-12

    Performance and Maintenance for Windows XP, Windows Vista and Windows Seven
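    The hosts-file entry discussed in the post above is the kind of thing a helper checks by eye in a DDS log. The Python script below, an added example that is not part of this thread and not code from DDS, ComboFix or any other tool named here, does the same check mechanically: it parses a hosts file, flags entries whose first field is not an address or whose name token is a URL rather than a hostname (a hosts entry maps bare hostnames, so such a token never matches a lookup), reports watched update/security domains sinkholed to 127.0.0.1 or 0.0.0.0 (which blocks the site), and reports any name redirected to some other address. The watched-domain list and the sample hosts text are constructed for the example; only the spywareinfo.com name comes from the thread.

```python
"""Audit a Windows-style hosts file for entries a malware-removal helper
would want to know about.

Added example: this is not code from the thread, from DDS, ComboFix or
any other tool named in it.  SAMPLE_HOSTS and WATCHED_SUFFIXES are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Addresses that sinkhole a name: lookups go nowhere useful, so the entry
# blocks the site rather than redirecting it.
SINKHOLES = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}

# Domains a home machine should normally resolve via DNS, never via hosts:
# OS/AV update and security-help sites (constructed list, an assumption).
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com",
                    "avast.com", "spywareinfo.com")

# Constructed sample.  Line 3 carries the hostname from the entry quoted
# in the thread; line 6 repeats the token exactly as the log printed it.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.spywareinfo.com          # hostname from the thread
0.0.0.0         ads.example-tracker.invalid  # ordinary ad-blocking entry
203.0.113.7     update.avast.com             # vendor site sent elsewhere
127.0.0.1       hxxp://www.spywareinfo.com   # URL where a hostname belongs
notanaddress    www.example.invalid          # first field is not an IP
"""


@dataclass
class HostsEntry:
    line_no: int
    address: str
    names: list


def parse_hosts(text):
    """Split hosts text into entries; '#' starts a comment, blanks are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        entries.append(HostsEntry(line_no, tokens[0], tokens[1:]))
    return entries


def is_watched(name):
    """True when name is, or is under, one of the watched domains."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_entry(entry):
    """Return a list of human-readable findings for one entry (empty = fine)."""
    try:
        addr = ipaddress.ip_address(entry.address)
    except ValueError:
        return ["malformed: first field %r is not an IP address" % entry.address]
    if not entry.names:
        return ["malformed: no hostname follows the address"]

    findings = []
    for name in entry.names:
        if "://" in name or "/" in name:
            # A hosts entry maps bare hostnames; a URL never matches a lookup.
            findings.append("malformed: %r is a URL, not a hostname; it never matches" % name)
        elif addr in SINKHOLES:
            # Loopback/unspecified entries block a site: normal for ad lists,
            # suspicious when the site is an update or security site.
            if is_watched(name):
                findings.append("blocks %r via sinkhole %s (update/security site unreachable)" % (name, addr))
        else:
            # Anything else rewrites where the name goes; always worth review,
            # doubly so for a watched domain.
            tag = " (watched domain)" if is_watched(name) else ""
            findings.append("redirects %r to %s%s" % (name, addr, tag))
    return findings


def audit_hosts(text):
    """Return [(line_no, finding), ...] for every entry that needs attention."""
    results = []
    for entry in parse_hosts(text):
        for finding in audit_entry(entry):
            results.append((entry.line_no, finding))
    return results


if __name__ == "__main__":
    for line_no, finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s" % (line_no, finding))
```

    Run as a script it prints one line per finding for the sample; on a real machine, read the contents of %SystemRoot%\System32\drivers\etc\hosts and pass them to audit_hosts(). Plain loopback entries for names that are not on the watched list (ad-blocking lists, localhost) produce no finding, which keeps the report short enough to read.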

    Offline Liza

    • Bronze Member
    • Posts: 14
    Re: [Resolved] Yahoo Mail Contact List Spammed
    « Reply #4 on: October 30, 2010, 09:49:40 am »


    Thanks again for your help.

    I had already removed Java 6 13; it was just still in Add/Remove Programs.  I also uninstalled Adobe Reader.  Did not update OpenOffice yet.
    I downloaded ComboFix but am unable to run it.  I closed all windows, turned off all Avast shields, Comodo and WinPatrol, and am still connected to the internet.

    ComboFix starts to run, then I get bombarded with these windows; I have attached pictures.


    Offline 1972vet

    • Microsoft® MVP
    • Malware Removal Staff
    • Diamond Member
    • Posts: 8290
    • Patience is bitter indeed, but its fruit is sweet.
    Re: [Resolved] Yahoo Mail Contact List Spammed
    « Reply #5 on: October 30, 2010, 10:11:53 am »
    Boot to safe mode and run it there. My thought is, your protective applications are wrestling with it. Even though you have disabled Avast/Comodo, if you check I would bet you'd see their related drivers still in the process list. There are some applications that I have asked users to uninstall so that ComboFix will run unhindered. Comodo is one of those. If you still have problems running in safe mode, try uninstalling Comodo/Avast. Lemme know how it goes. Thanks!

    Offline Liza

    • Bronze Member
    • Posts: 14
    Re: [Resolved] Yahoo Mail Contact List Spammed
    « Reply #6 on: October 30, 2010, 11:02:06 am »
    Just a quick question.  I started to run combofix and it said that there is a newer version and do I want to download it?  Should I?

    Also, it was Comodo that was the problem.  I uninstalled it and will go back to ZoneAlarm when this is all over.


    Offline 1972vet

    • Microsoft® MVP
    • Malware Removal Staff
    • Diamond Member
    • Posts: 8290
    • Patience is bitter indeed, but its fruit is sweet.
    Re: [Resolved] Yahoo Mail Contact List Spammed
    « Reply #7 on: October 30, 2010, 11:18:12 am »
    Yes, let the new version download.

    Offline Liza

    • Bronze Member
    • Posts: 14
    Re: [Resolved] Yahoo Mail Contact List Spammed
    « Reply #8 on: October 30, 2010, 12:22:26 pm »
    I'm just cursed.  ComboFix had run and was rebooting when Windows Update decided it wanted to connect to the internet, and my ISP connect window popped up and messed up the whole thing.  What should I do now?

    Offline 1972vet

    • Microsoft® MVP
    • Malware Removal Staff
    • Diamond Member
    • Posts: 8290
    • Patience is bitter indeed, but its fruit is sweet.
    Re: [Resolved] Yahoo Mail Contact List Spammed
    « Reply #9 on: October 31, 2010, 03:18:39 am »
    If Combofix rebooted the machine, it produced a log. Look for it here:
    C:\Combofix.txt

    Offline Liza

    • Bronze Member
    • Posts: 14
    Re: [Resolved] Yahoo Mail Contact List Spammed
    « Reply #10 on: October 31, 2010, 05:44:33 am »
    No combofix.txt.  It froze during the reboot.  Should I go ahead and reboot and start again?

    Offline 1972vet

    • Microsoft® MVP
    • Malware Removal Staff
    • Diamond Member
    • Posts: 8290
    • Patience is bitter indeed, but its fruit is sweet.
    Re: [Resolved] Yahoo Mail Contact List Spammed
    « Reply #11 on: October 31, 2010, 09:16:04 am »
    If it already rebooted, combofix did something. See if you have a folder named qoobox located here:
    c:\qoobox
    ...tell me what's inside. If no qoobox there, then just go ahead and run combofix again and post the results. Thanks!

    Offline Liza

    • Bronze Member
    • Posts: 14
    Re: [Resolved] Yahoo Mail Contact List Spammed
    « Reply #12 on: October 31, 2010, 09:29:50 am »
    Happy Halloween.


    ComboFix froze at the place where I attached the picture in my previous post.  It said it was rebooting.

    I do have that qoobox folder. There are 5 folders in the folder.  I have attached a picture here.

    Offline Liza

    • Bronze Member
    • Posts: 14
    Re: [Resolved] Yahoo Mail Contact List Spammed
    « Reply #13 on: October 31, 2010, 10:31:50 am »
    I went ahead and rebooted.  When it came back up, ComboFix created a logfile.

    Here it is:

    ComboFix 10-10-29.04 - Liz 10/30/2010  13:56:14.1.2 - x86
    Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.502.295 [GMT -4:00]
    Running from: h:\documents and settings\Liz\Desktop\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_BOONTY_GAMES
    -------\Service_Boonty Games


    (((((((((((((((((((((((((   Files Created from 2010-09-28 to 2010-10-31  )))))))))))))))))))))))))))))))
    .

    2010-10-24 19:08 . 2010-10-24 19:08   --------   d-----w-   h:\windows\system32\vmm32
    2010-10-24 18:58 . 2010-10-24 18:58   --------   d-----w-   h:\program files\Dell
    2010-10-24 17:25 . 2010-10-24 17:25   --------   d-sh--w-   h:\documents and settings\NetworkService\IETldCache
    2010-10-24 17:24 . 2010-10-30 16:41   --------   d-----w-   h:\documents and settings\All Users\Application Data\COMODO
    2010-10-24 17:09 . 2010-10-24 17:09   --------   d-----w-   h:\windows\Internet Logs
    2010-10-13 18:11 . 2010-08-23 16:12   617472   -c----w-   h:\windows\system32\dllcache\comctl32.dll
    2010-10-13 18:00 . 2010-09-18 06:53   974848   -c----w-   h:\windows\system32\dllcache\mfc42.dll
    2010-10-13 18:00 . 2010-09-18 06:53   953856   -c----w-   h:\windows\system32\dllcache\mfc40u.dll
    2010-10-08 23:37 . 2010-10-11 23:33   --------   d-----w-   h:\documents and settings\Liz\Application Data\EternalEden
    2010-10-06 22:25 . 2010-10-06 22:25   --------   d-----w-   h:\documents and settings\Liz\Local Settings\Application Data\PCHealth
    2010-10-05 18:11 . 2010-10-05 18:12   --------   d-----w-   h:\program files\Calibre2

    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 16:23 . 2004-08-10 11:00   974848   ----a-w-   h:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2004-08-10 11:00   974848   ----a-w-   h:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2004-08-10 11:00   954368   ----a-w-   h:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2004-08-10 11:00   953856   ----a-w-   h:\windows\system32\mfc40u.dll
    2010-09-10 12:50 . 2010-09-10 12:50   73728   ----a-w-   h:\windows\system32\javacpl.cpl
    2010-09-10 12:50 . 2010-09-10 12:50   423656   ----a-w-   h:\windows\system32\deployJava1.dll
    2010-09-10 05:58 . 2004-08-10 11:00   916480   ----a-w-   h:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2004-08-10 11:00   43520   ----a-w-   h:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2004-08-10 11:00   1469440   ------w-   h:\windows\system32\inetcpl.cpl
    2010-09-07 15:12 . 2010-06-30 17:32   38848   ----a-w-   h:\windows\avastSS.scr
    2010-09-07 15:11 . 2006-07-06 13:18   167592   ----a-w-   h:\windows\system32\aswBoot.exe
    2010-09-07 14:52 . 2010-04-10 14:11   46672   ----a-w-   h:\windows\system32\drivers\aswTdi.sys
    2010-09-07 14:52 . 2008-04-06 00:28   165584   ----a-w-   h:\windows\system32\drivers\aswSP.sys
    2010-09-07 14:47 . 2006-07-06 13:18   23376   ----a-w-   h:\windows\system32\drivers\aswRdr.sys
    2010-09-07 14:47 . 2006-07-05 18:10   100176   ----a-w-   h:\windows\system32\drivers\aswmon2.sys
    2010-09-07 14:47 . 2006-07-05 18:10   94544   ----a-w-   h:\windows\system32\drivers\aswmon.sys
    2010-09-07 14:47 . 2008-04-06 00:28   17744   ----a-w-   h:\windows\system32\drivers\aswFsBlk.sys
    2010-09-07 14:46 . 2006-07-05 18:10   28880   ----a-w-   h:\windows\system32\drivers\aavmker4.sys
    2010-09-05 11:06 . 2010-09-05 11:06   266240   ----a-w-   h:\windows\system32\CSHelper.exe
    2010-09-05 11:06 . 2010-09-05 11:06   225280   ----a-w-   h:\windows\system32\CSInstru.DLL
    2010-09-01 11:51 . 2004-08-10 11:00   285824   ----a-w-   h:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2004-08-10 11:00   1852800   ----a-w-   h:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2004-08-10 11:00   119808   ----a-w-   h:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2004-08-10 11:00   99840   ----a-w-   h:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2004-08-10 11:00   357248   ----a-w-   h:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-05-13 12:20   5120   ----a-w-   h:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2004-08-10 11:00   617472   ----a-w-   h:\windows\system32\comctl32.dll
    2010-08-23 12:30 . 2010-03-19 16:04   1682   --sha-w-   h:\documents and settings\All Users\Application Data\KGyGaAvL.sys
    2010-08-17 13:17 . 2004-08-10 11:00   58880   ----a-w-   h:\windows\system32\spoolsv.exe
    2010-08-16 08:45 . 2004-08-10 11:00   590848   ----a-w-   h:\windows\system32\rpcrt4.dll
    2010-08-10 00:44 . 2010-08-10 00:44   253099   ----a-w-   h:\windows\Eternal Sunrise Uninstaller.exe
    .

    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="h:\windows\system32\igfxtray.exe" [2005-10-14 94208]
    "igfxhkcmd"="h:\windows\system32\hkcmd.exe" [2005-10-14 77824]
    "igfxpers"="h:\windows\system32\igfxpers.exe" [2005-10-14 114688]
    "BJPD HID Control"="h:\program files\Canon\BJPV\TVMon.exe" [2003-01-21 45056]
    "WinPatrol"="h:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-04-20 337216]
    "avast5"="h:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SunJavaUpdateSched"="h:\program files\Java\jre6\bin\jusched.exe"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "h:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "h:\\Program Files\\FlashGet\\flashget.exe"=

    R0 MrFilter;EasyWrite Driver;h:\windows\system32\drivers\MRFilter.sys [5/2/2009 8:30 AM 12384]
    R1 aswSP;aswSP;h:\windows\system32\drivers\aswSP.sys [4/5/2008 8:28 PM 165584]
    R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [4/5/2008 8:28 PM 17744]
    R2 CSHelper;CopySafe Helper Service;h:\windows\system32\CSHelper.exe [9/5/2010 7:06 AM 266240]
    S4 ASKService;ASKService;h:\program files\AskBarDis\bar\bin\AskService.exe --> h:\program files\AskBarDis\bar\bin\AskService.exe [?]
    S4 gupdate;Google Update Service (gupdate);"h:\program files\Google\Update\GoogleUpdate.exe" /svc --> h:\program files\Google\Update\GoogleUpdate.exe [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper   REG_MULTI_SZ      getPlusHelper
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.isp.com/members/
    mStart Page = hxxp://www.isp.com/members/
    mWindow Title =
    IE: &Download All with FlashGet - h:\program files\FlashGet\jc_all.htm
    IE: &Download with FlashGet - h:\program files\FlashGet\jc_link.htm
    IE: Download all with Free Download Manager - file://h:\program files\Free Download Manager\dlall.htm
    IE: Download selected with Free Download Manager - file://h:\program files\Free Download Manager\dlselected.htm
    IE: Download with Free Download Manager - file://h:\program files\Free Download Manager\dllink.htm
    TCP: {C6E0C58F-75F6-4A0B-A4F2-3D725EA69C47} = 205.208.227.13 205.208.227.14
    DPF: {A7846ED2-9DE6-4E8A-B116-A8ACEBFA7DB1} - hxxp://rms2.invokesolutions.com/events/bin/6.2.0.1452/MILive.cab
    DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47}
    FF - ProfilePath - h:\documents and settings\Liz\Application Data\Mozilla\Firefox\Profiles\profile.knconnector\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: h:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: h:\program files\Mozilla Firefox\plugins\npArtistScope42.dll
    FF - plugin: h:\program files\Mozilla Firefox\plugins\npArtistScopeDRM11.dll
    FF - plugin: h:\program files\Mozilla Firefox\plugins\NPcol400.dll
    FF - plugin: h:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - h:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true);  // Traditional
    h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true);  // Simplified
    h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-SunJavaUpdateSched - h:\program files\Java\jre6\bin\jusched.exe
    AddRemove-Eternal Eden - h:\program files\Eternal Eden\Uninstall.exe
    AddRemove-RTP - h:\program files\Yume Team\RM03\RTP\uninstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-10-31 12:10
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ... 

    scanning hidden autostart entries ...

    scanning hidden files ... 

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(4008)
    h:\windows\system32\WININET.dll
    h:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
    h:\windows\system32\ieframe.dll
    h:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    h:\program files\Alwil Software\Avast5\AvastSvc.exe
    h:\windows\eHome\ehRecvr.exe
    h:\windows\eHome\ehSched.exe
    h:\program files\Java\jre6\bin\jqs.exe
    h:\windows\ehome\mcrdsvc.exe
    h:\windows\system32\dllhost.exe
    h:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-31  12:16:02 - machine was rebooted
    ComboFix-quarantined-files.txt  2010-10-31 16:15

    Pre-Run: 122,691,084,288 bytes free
    Post-Run: 122,728,542,208 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

    - - End Of File - - F02DE412B699BD9070D14F929462A4EE

    Offline 1972vet

    • Microsoft® MVP
    • Malware Removal Staff
    • Diamond Member
    • Posts: 8290
    • Patience is bitter indeed, but its fruit is sweet.
    Re: [Resolved] Yahoo Mail Contact List Spammed
    « Reply #14 on: October 31, 2010, 06:15:21 pm »
    According to the log, Avast is still running...as is WinPatrol. This would account for your difficulty in running combofix. As explained in the combofix instructions, to disable these:

    Quote
    AVAST
    Right-click on the avast! icon in system tray...Select avast! shields control and there will be options to disable avast for 10 minutes, 1 hour, until the computer is restarted or permanently.

    WINPATROL
    Right-click the running icon of Winpatrol in the system tray and choose exit.


    Please open a blank Notepad by clicking start-->run
    Then, in the run box type Notepad.exe and click "OK".
    Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

    Combofix will run again automatically. Please post back the new log that will be generated. Thanks!
    Note:
    Do not mouse-click combofix's window while it's running. That may cause it to stall.



    KILLALL::

    DDS::
    DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} -

    Folder::
    h:\program files\AskBarDis

    Driver::
    ASKService

    Reglock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

    Registry::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @=-
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @=-
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @=-
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @=-
    Disabled Veteran
    U.S.C.G. 1972 - 1978
    Membership: U.N.I.T.E., A.S.A.P.

    2009-12

    Performance and Maintenance for Windows XP, Windows Vista and Windows Seven
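The Reglock:: list in the reply above was assembled by hand from the LOCKED REGISTRY KEYS section of the posted ComboFix log. The following is an added Python example, not part of this thread, of ComboFix, or of the helper's own tooling, that does the same extraction and also flags which keys carry an @Denied ACL line (the reason ComboFix reports them as locked). The log excerpt is constructed from the keys posted in this thread; the section-boundary rule (stop at a lone "." or at the next dashed header) is an assumption about ComboFix's log layout.

```python
"""Extract ComboFix 'LOCKED REGISTRY KEYS' entries and build a Reglock:: block.

Added example; not ComboFix's or the forum helper's code.  The Reglock::
directive name is taken from the reply above.  The log excerpt below is
constructed from the keys posted in this thread (labelled as constructed).
"""
import re

# Constructed sample: the LOCKED REGISTRY KEYS section from the posted log.
SAMPLE_LOG = r"""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

HEADER = re.compile(r"^-+\s*LOCKED REGISTRY KEYS\s*-+$")
KEY = re.compile(r"^\[(HKEY_[^\]]+)\]$")
DENIED = re.compile(r"^@Denied:")


def locked_keys(log_text):
    """Return [(key_path, has_denied_acl), ...] in log order.

    Assumption: the section runs from the dashed LOCKED REGISTRY KEYS header
    to the next lone '.' line or dashed header.
    """
    entries = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = bool(HEADER.match(line))
            continue
        if line == "." or line.startswith("----"):
            break
        m = KEY.match(line)
        if m:
            entries.append([m.group(1), False])
        elif DENIED.match(line) and entries:
            # ComboFix prints the ACL that makes the key unreadable right
            # under the key header; remember it for the analyst's review.
            entries[-1][1] = True
    return [tuple(e) for e in entries]


def denied_keys(entries):
    """Keys whose header was followed by an @Denied ACL line."""
    return [key for key, denied in entries if denied]


def reglock_block(entries):
    """Render the CFScript Reglock:: section, one bracketed key per line."""
    lines = ["Reglock::"] + ["[%s]" % key for key, _ in entries]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = locked_keys(SAMPLE_LOG)
    print(reglock_block(found))
    print("keys with Deny ACLs:", denied_keys(found))
```

Run on the constructed excerpt it reproduces the seven-key Reglock:: list from the reply. The two keys flagged as @Denied are the ones the log's own values identify as Adobe Flash's FlashBroker and IFlashBroker4 entries; the script only collects and reports them, and whether a locked key is a legitimate vendor ACL or something to unlock remains the analyst's decision.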