New computer...infected? HJT Log inside.

  1. #1
    Join Date: Nov 2008
    Posts: 7

    New computer...infected? HJT Log inside.

    I just got a new computer (new to me, previously used) as a hand-me-down from my aunt and uncle. I booted it up for the first time and it's running like crap and has tons of pop-ups. I even ran defender, spybot, ad-aware, etc. but there are still pop-ups and all scanners told me some files couldn't be removed! I tried to do windows update and I couldn't! I think the infections are preventing me access. Can someone please check this log for me? Thank you for your time and help!!!!



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:19:20 PM, on 11/12/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\regsvr32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/redirect.html?redirectID=99103
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\EmoDio\SMSTray.exe
    O4 - HKLM\..\Run: [sotlbpxfjgzcyjjz] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\lfmhevhhcrinp.dll"
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Search - ?p=ZKxdm021NTUS
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O20 - AppInit_DLLs: ajaiya.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe

    --
    End of file - 5363 bytes

  2. #2
    Join Date: Apr 2000
    Location: Sheboygan, WI
    Posts: 53,391

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to screw_you.exe

    1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

    * Open SUPERAntiSpyware.
    * Under Configuration and Preferences, click the Preferences button.
    * Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Scan for tracking cookies.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * Back on the main screen, under Scan for Harmful Software click Scan your computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under Complete Scan, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.
    NOTE: Tracking cookies can be omitted from the log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes.)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    3. Download, install, and run HijackThis:
    http://www.snapfiles.com/get/hijackthis.html
    Post HijackThis log.
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

  3. #3
    Join Date: Nov 2008
    Posts: 7

    SUPERAntiSpyware

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 11/13/2008 at 02:50 AM

    Application Version : 4.21.1004

    Core Rules Database Version : 3635
    Trace Rules Database Version: 1618

    Scan type : Complete Scan
    Total Scan Time : 01:35:11

    Memory items scanned : 165
    Memory threats detected : 3
    Registry items scanned : 4403
    Registry threats detected : 95
    File items scanned : 42348
    File threats detected : 109

    Adware.Vundo/Variant-Zone
    C:\WINDOWS\SYSTEM32\AJAIYA.DLL
    C:\WINDOWS\SYSTEM32\AJAIYA.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1eec9d7a-8ad6-4bd7-b9ad-2d14b050432f}
    HKCR\CLSID\{1EEC9D7A-8AD6-4BD7-B9AD-2D14B050432F}
    HKCR\CLSID\{1EEC9D7A-8AD6-4BD7-B9AD-2D14B050432F}\InprocServer32
    HKCR\CLSID\{1EEC9D7A-8AD6-4BD7-B9AD-2D14B050432F}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\BCRGCHHO.DLL
    C:\WINDOWS\SYSTEM32\EKTHZO.DLL
    C:\WINDOWS\SYSTEM32\WRVQKLIE.DLL

    Trojan.Vundo-Variant/Small-GEN
    C:\WINDOWS\SYSTEM32\GEBSRSLE.DLL
    C:\WINDOWS\SYSTEM32\GEBSRSLE.DLL
    C:\WINDOWS\SYSTEM32\EFCBRHFU.DLL
    C:\WINDOWS\SYSTEM32\JKKECDTK.DLL
    C:\WINDOWS\SYSTEM32\SSQQGAYP.DLL

    Adware.Vundo Variant/Resident
    C:\WINDOWS\SYSTEM32\OPNOLLCB.DLL
    C:\WINDOWS\SYSTEM32\OPNOLLCB.DLL

    Adware.Vundo/Variant
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3FFEDFD6-B1F4-3BE0-8F0D-6DA858763E49}
    HKCR\CLSID\{3FFEDFD6-B1F4-3BE0-8F0D-6DA858763E49}
    HKCR\CLSID\{3FFEDFD6-B1F4-3BE0-8F0D-6DA858763E49}
    HKCR\CLSID\{3FFEDFD6-B1F4-3BE0-8F0D-6DA858763E49}\InProcServer32
    HKCR\CLSID\{3FFEDFD6-B1F4-3BE0-8F0D-6DA858763E49}\InProcServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\LFMHEVHHCRINP.DLL

    Trojan.Vundo-Variant/NextGen
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF2BF363-4243-41C9-ADB6-FC2A94EE4404}
    HKCR\CLSID\{EF2BF363-4243-41C9-ADB6-FC2A94EE4404}
    HKCR\CLSID\{EF2BF363-4243-41C9-ADB6-FC2A94EE4404}\InprocServer32
    HKCR\CLSID\{EF2BF363-4243-41C9-ADB6-FC2A94EE4404}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFCA8C38-5954-4730-AEAF-0A658C4F8A91}
    HKCR\CLSID\{FFCA8C38-5954-4730-AEAF-0A658C4F8A91}
    HKCR\CLSID\{FFCA8C38-5954-4730-AEAF-0A658C4F8A91}\InprocServer32
    HKCR\CLSID\{FFCA8C38-5954-4730-AEAF-0A658C4F8A91}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{FFCA8C38-5954-4730-AEAF-0A658C4F8A91}
    Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\geBsrSLE

    Adware.Tracking Cookie

    Trojan.NetMon/DNSChange
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc

    Trojan.cmdService
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

    Adware.MyWebSearch/FunWebProducts
    HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}
    HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs
    HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}
    HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0
    HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0
    HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0\win32
    HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\FLAGS
    HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\HELPDIR
    HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}
    HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid
    HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid32
    HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib
    HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib#Version

    RootKit.TnCore/Trace
    C:\WINDOWS\system32\drivers\core.cache.dsk

    Adware.Vundo Variant/Rel
    HKLM\SOFTWARE\Microsoft\FCOVM
    HKLM\SOFTWARE\Microsoft\RemoveRP
    HKLM\SOFTWARE\Microsoft\MS Juan
    HKLM\SOFTWARE\Microsoft\MS Juan#RID
    HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
    HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM
    HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY
    HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT
    HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
    HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM
    HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY
    HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT
    HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL
    HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN
    HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
    HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM
    HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY
    HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT
    HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
    HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM
    HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY
    HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT
    HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CPS
    HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
    HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM
    HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY
    HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT
    HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
    HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM
    HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY
    HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT
    HKLM\SOFTWARE\Microsoft\contim
    HKLM\SOFTWARE\Microsoft\contim#SysShell
    HKLM\SOFTWARE\Microsoft\MS Track System
    HKLM\SOFTWARE\Microsoft\MS Track System#Uid
    HKLM\SOFTWARE\Microsoft\rdfa
    HKLM\SOFTWARE\Microsoft\rdfa#F
    HKLM\SOFTWARE\Microsoft\rdfa#N
    C:\WINDOWS\SYSTEM32\MCRH.TMP

    Rogue.Component/Trace
    HKLM\Software\Microsoft\4CCA4C0F
    HKLM\Software\Microsoft\4CCA4C0F#4cca4c0f
    HKLM\Software\Microsoft\4CCA4C0F#Version
    HKLM\Software\Microsoft\4CCA4C0F#red_srv
    HKLM\Software\Microsoft\4CCA4C0F#red_srv_bckp
    HKLM\Software\Microsoft\4CCA4C0F#4ccae18f
    HKLM\Software\Microsoft\4CCA4C0F#4cca886a

    Trojan.Dropper/Gen
    C:\DOCUMENTS AND SETTINGS\JOHN\~.EXE
    C:\WINDOWS\Prefetch\~.EXE-226308DB.pf

    Trojan.MSANSSPC
    C:\WINDOWS\SYSTEM32\MSANSSPC.DLL

  4. #4
    Join Date: Nov 2008
    Posts: 7

    Malwarebytes' Anti-Malware

    Malwarebytes' Anti-Malware 1.30
    Database version: 1392
    Windows 5.1.2600 Service Pack 2

    11/13/2008 3:23:20 AM
    mbam-log-2008-11-13 (03-23-20).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 92135
    Time elapsed: 21 minute(s), 57 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 17
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 3
    Files Infected: 30

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sotlbpxfjgzcyjjz (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\WINDOWS\system32\kBin02 (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\sem (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\vn3 (Trojan.Agent) -> Quarantined and deleted successfully.

    Files Infected:
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP390\A0027144.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP391\A0027156.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP391\A0027158.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP393\A0027207.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP393\A0027215.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP394\A0027235.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP394\A0027236.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP397\A0029293.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP398\A0030488.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP398\A0030489.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP398\A0030619.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP398\A0030620.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP398\A0030622.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP398\A0030623.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP398\A0030624.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP398\A0030631.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP398\A0030632.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP398\A0030651.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP398\A0030652.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP398\A0030665.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP399\A0030837.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP401\A0030857.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP401\A0030864.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP401\A0030865.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP401\A0030872.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\regsvr32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\BM4ff96d1d.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\BM4ff96d1d.txt (Trojan.Vundo) -> Quarantined and deleted successfully.



    Trend Micro HijackThis

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:26:50 AM, on 11/13/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Samsung\EmoDio\SMSTray.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/redirect.html?redirectID=99103
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {96A261A1-66CD-417D-B860-BFA90222B14A} - C:\WINDOWS\system32\opnolLcb.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\EmoDio\SMSTray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Search - ?p=ZKxdm021NTUS
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O20 - AppInit_DLLs: ajaiya.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe

    --
    End of file - 6666 bytes

  5. #5
    Join Date
    Feb 2004
    Location
    Mandurah, Western Australia
    Posts
    10,157
    Can you please do the following.

    ===============

    Scan with HijackThis and then place a check next to all the following, if present:


    O2 - BHO: (no name) - {96A261A1-66CD-417D-B860-BFA90222B14A} - C:\WINDOWS\system32\opnolLcb.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O20 - AppInit_DLLs: ajaiya.dll


    Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

    ===============

    Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

    Search for...

    ajaiya.dll

    ...using "Start | Search...".

    -

    Note that some of these file(s)/folder(s) may or may not be present. If present, and they cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear.
    • Select the first option to run Windows in Safe Mode and hit Enter.

    ===============

    Download SDFix and save it to your desktop.

    Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
    • Open the extracted folder and double click RunThis.bat to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • Your system will take longer than normal to restart as the fixtool will be running and removing files.
    • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
    • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt

      Please post the SDFix log within CODE Tags.


    ================

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
    • Re-enable all the programs that were disabled during the running of ComboFix.


    Note:
    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
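    The triage the helper does by eye in the post above (flag the two O2 BHOs whose DLL is no longer on disk and the O20 AppInit_DLLs entry, then check in the fresh log that they are gone) can be written down as a small script. This is an added example, not code from the thread and not HijackThis's own logic; the sample log lines are shortened copies of the log in post #4 and the fresh log in post #7, and the two flagging rules are the ones the helper applied, nothing more.

```python
"""HijackThis log triage: flag dangling BHOs and AppInit_DLLs, diff two logs.

Added example for this thread; it is not HijackThis code and not part of
the original posts. It reads the one-entry-per-line format of the logs
above and applies the checks the helper applied by hand in post #5:

  * O2 (BHO) / O3 (toolbar) entries ending in "(file missing)" or
    "(no file)" are COM registrations whose DLL is gone, typically
    debris left after a removal, so they are safe to fix.
  * A non-empty O20 AppInit_DLLs value: on Windows XP every DLL named
    there is loaded into every process that loads user32.dll, so a bare
    unknown name such as ajaiya.dll is worth removing.

diff_logs() then shows which entries disappeared between the log before
the fix and the fresh log afterwards.
"""
import re
from dataclasses import dataclass

# One HijackThis entry: section code (R0, O2, O20, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+)\s+-\s+(?P<body>.+)$")

MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass(frozen=True)
class Entry:
    code: str
    body: str


def parse_log(text):
    """Return the HijackThis entries in a log; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body").rstrip()))
    return entries


def flag_entries(entries):
    """Return (entry, reason) pairs for the entries a reviewer should look at first."""
    flagged = []
    for e in entries:
        if e.code in ("O2", "O3") and e.body.endswith(MISSING_MARKERS):
            flagged.append((e, "dangling BHO/toolbar registration, DLL no longer on disk"))
        elif e.code == "O20" and e.body.startswith("AppInit_DLLs:"):
            value = e.body.split(":", 1)[1].strip()
            if value:
                flagged.append((e, f"AppInit_DLLs injects {value!r} into every user32 process"))
    return flagged


def diff_logs(before, after):
    """Entries present in `before` but gone in `after`, in the original order."""
    remaining = set(after)
    return [e for e in before if e not in remaining]


# Sample input: shortened copies of the log in post #4 and the fresh log in
# post #7 (only the lines needed to show the checks; constructed for this example).
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {96A261A1-66CD-417D-B860-BFA90222B14A} - C:\WINDOWS\system32\opnolLcb.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 - AppInit_DLLs: ajaiya.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""


if __name__ == "__main__":
    before, after = parse_log(BEFORE_LOG), parse_log(AFTER_LOG)
    print("Entries to fix in the first log:")
    for entry, reason in flag_entries(before):
        print(f"  {entry.code} - {entry.body}\n      {reason}")
    print("Entries removed by the fix:")
    for entry in diff_logs(before, after):
        print(f"  {entry.code} - {entry.body}")
```

    Run it and it lists the two dangling BHOs and the AppInit_DLLs line as the ones to fix, then confirms that exactly those three entries are absent from the second log. The checks are deliberately narrow: a BHO whose DLL is present, such as the Adobe or Spybot helper, is not flagged, because whether it belongs is a judgment about the vendor and the path, which the log line alone does not settle. The O20 Winlogon Notify entry is likewise left alone, since only the AppInit_DLLs value was in question here.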

  6. #6
    Join Date
    Nov 2008
    Posts
    7

    Code:
    SDFix: Version 1.240 
    Run by john on Thu 11/13/2008 at 03:14 PM
    
    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\Documents and Settings\john\Desktop\SDFix\SDFix
    
    Checking Services :
    
    
    Restoring Default Security Values
    Restoring Default Hosts File
    Resetting SecurityProviders Value 
    
    Rebooting
    
    
    Checking Files : 
    
    Trojan Files Found:
    
    C:\WINDOWS\system32\wobdgvatcmb.exe - Deleted
    C:\DOCUME~1\john\LOCALS~1\Temp\removalfile.bat - Deleted
    
    
    
    Folder C:\Temp\tn3 - Removed
    
    
    Removing Temp Files
    
    ADS Check :
     
    
    
                                     Final Check :
    
    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-13 15:20:31
    Windows 5.1.2600 Service Pack 2 NTFS
    
    scanning hidden processes ...
    
    scanning hidden services & system hive ...
    
    scanning hidden registry entries ...
    
    scanning hidden files ...
    
    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0
    
    
    Remaining Services :
    
    
    
    
    Authorized Application Key Export:
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
    "C:\\WINDOWS\\system32\\muzapp.exe"="C:\\WINDOWS\\system32\\muzapp.exe:*:Enabled:MUZ AOD APP player"
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    
    Remaining Files :
    
    
    File Backups: - C:\DOCUME~1\john\Desktop\SDFix\SDFix\backups\backups.zip
    
    Files with Hidden Attributes :
    
    Tue  5 Mar 2002       106,564 A..H. --- "C:\Program Files\CompuServe 7.0\csphx.exe"
    Tue  5 Mar 2002        32,840 A..H. --- "C:\Program Files\CompuServe 7.0\cstray.exe"
    Mon  4 Mar 2002        40,960 A..H. --- "C:\Program Files\CompuServe 7.0\RBM.exe"
    Tue  5 Mar 2002       180,288 A..H. --- "C:\Program Files\CompuServe 7.0\wcs2000.exe"
    Wed 22 Oct 2008       949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
    Mon 15 Sep 2008     1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
    Mon  7 Jul 2008     1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
    Mon  7 Jul 2008     4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    Tue 16 Sep 2008     1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
    Wed 22 Oct 2008       962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
    Sun  5 Mar 2006         4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Tue  5 Mar 2002        77,894 A..H. --- "C:\Program Files\CompuServe 7.0\COMIT\cswitch.exe"
    Fri 11 Jul 2008             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Thu 13 Nov 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\66b1d8e81a20b4b541ab3e558f2fd638\BIT4.tmp"
    Wed 12 Dec 2001       102,400 A..H. --- "C:\Program Files\Common Files\csshare\shell\us\shellext.dll"
    
    Finished!
    Code:
    ComboFix 08-11-12.01 - john 2008-11-13 15:31:00.1 - NTFSx86
    Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.294 [GMT -5:00]
    Running from: c:\documents and settings\john\Desktop\ComboFix.exe
     * Created a new restore point
    .
    
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    
    c:\documents and settings\john\Application Data\FunWebProducts
    c:\windows\system32\bcLlonpo.ini
    c:\windows\system32\bcLlonpo.ini2
    c:\windows\system32\MSINET.oca
    c:\windows\wiaserviv.log
    
    .
    (((((((((((((((((((((((((   Files Created from 2008-10-13 to 2008-11-13  )))))))))))))))))))))))))))))))
    .
    
    2008-11-13 15:10 . 2008-11-13 15:10	<DIR>	d--------	c:\windows\ERUNT
    2008-11-13 02:59 . 2008-11-13 02:59	<DIR>	d--------	c:\program files\Malwarebytes' Anti-Malware
    2008-11-13 02:59 . 2008-11-13 02:59	<DIR>	d--------	c:\documents and settings\john\Application Data\Malwarebytes
    2008-11-13 02:59 . 2008-11-13 02:59	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-11-13 02:59 . 2008-10-22 16:10	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
    2008-11-13 02:59 . 2008-10-22 16:10	15,504	--a------	c:\windows\system32\drivers\mbam.sys
    2008-11-13 01:02 . 2008-11-13 01:02	<DIR>	d--------	c:\program files\SUPERAntiSpyware
    2008-11-13 01:02 . 2008-11-13 01:02	<DIR>	d--------	c:\documents and settings\john\Application Data\SUPERAntiSpyware.com
    2008-11-13 01:02 . 2008-11-13 01:02	<DIR>	d--------	c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-11-12 19:35 . 2008-11-12 19:35	159	--a------	c:\windows\wininit.ini
    2008-11-12 17:16 . 2008-11-12 17:16	<DIR>	d--------	c:\program files\Trend Micro
    2008-11-12 17:16 . 2008-11-12 19:45	<DIR>	d--------	c:\program files\Spybot - Search & Destroy
    2008-11-12 17:16 . 2008-11-12 19:46	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-12 17:14 . 2008-11-12 17:14	<DIR>	d--------	c:\program files\Lavasoft
    2008-11-12 17:14 . 2008-11-12 17:39	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Lavasoft
    2008-11-12 17:13 . 2008-11-13 01:01	<DIR>	d--------	c:\program files\Common Files\Wise Installation Wizard
    2008-11-12 17:12 . 2008-11-12 17:12	<DIR>	d--------	c:\program files\CCleaner
    2008-11-12 16:42 . 2008-11-12 16:42	<DIR>	d--------	c:\documents and settings\music\Application Data\AVGTOOLBAR
    2008-11-12 16:42 . 2008-11-12 16:42	<DIR>	d--------	c:\documents and settings\john\Application Data\AVGTOOLBAR
    2008-11-12 16:39 . 2004-02-16 07:50	<DIR>	d--------	c:\documents and settings\Administrator\Application Data\CyberLink
    2008-11-12 16:39 . 2008-11-12 16:42	<DIR>	d---s----	c:\documents and settings\Administrator
    
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-13 19:54	---------	d-----w	c:\program files\Google
    2008-11-12 22:38	---------	d-----w	c:\program files\LimeWire
    2004-05-04 17:32	169,575	----a-w	c:\program files\POTSVILL.sc3
    2004-05-04 02:23	170,536	----a-w	c:\program files\New City.sc3
    2004-04-14 18:56	284,500	----a-w	c:\program files\OLD  ONE.sc3
    .
    
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown 
    REGEDIT4
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-07-13 28739]
    "Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2003-11-19 139264]
    "Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 57344]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-07 98304]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
    "SMSTray"="c:\program files\Samsung\EmoDio\SMSTray.exe" [2008-06-23 479232]
    "SoundMan"="SOUNDMAN.EXE" [2005-04-15 c:\windows\SOUNDMAN.EXE]
    
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{88485281-8b4b-4f8d-9ede-82e29a064277}"= "c:\progra~1\MarkAny\CONTEN~1\MACSMA~1.DLL" [2004-11-23 192512]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\StubInstaller.exe"=
    "c:\\WINDOWS\\system32\\muzapp.exe"=
    
    S1 redbookk;redbookk;c:\windows\system32\drivers\redbookk.sys [ ]
    S3 kwkxusb;Kyocera Wireless USB CDMA Modem Driver;c:\windows\system32\DRIVERS\kwusb2k.sys [ ]
    S3 PciTest;WinMTA PCI Service;c:\windows\SYSTEM32\DRIVERS\pcitest.sys [2003-11-26 6912]
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - c:\documents and settings\john\Application Data\Mozilla\Firefox\Profiles\nh9xkylr.default\
    FF -: plugin - c:\program files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
    FF -: plugin - c:\program files\QuickTime\Plugins\npqtplugin8.dll
    FF -: plugin - c:\program files\QuickTime\Plugins\npqtplugin9.dll
    FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    .
    
    **************************************************************************
    
    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-13 15:35:07
    Windows 5.1.2600 Service Pack 2 NTFS
    
    scanning hidden processes ... 
    
    scanning hidden autostart entries ...
    
    scanning hidden files ... 
    
    scan completed successfully
    hidden files: 0
    
    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\windows\system32\LEXBCES.EXE
    c:\windows\system32\LEXPPS.EXE
    c:\windows\system32\CTSVCCDA.EXE
    c:\program files\Lexmark X74-X75\lxbbbmon.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2008-11-13 15:39:28 - machine was rebooted
    ComboFix-quarantined-files.txt  2008-11-13 20:39:23
    
    Pre-Run: 70,843,920,384 bytes free
    Post-Run: 70,832,627,712 bytes free
    
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
    
    118	--- E O F ---	2008-07-24 02:00:14

  7. #7
    Join Date
    Nov 2008
    Posts
    7
    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:44:20 PM, on 11/13/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Samsung\EmoDio\SMSTray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/redirect.html?redirectID=99103
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\EmoDio\SMSTray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
    
    --
    End of file - 4567 bytes

  8. #8
    Join Date
    Feb 2004
    Location
    Mandurah, Western Australia
    Posts
    10,157
    I am at work at the moment and will look at your logs later. In the meantime please download and install an anti-virus program such as Avast or Avira, update it and do a full scan.

  9. #9
    Join Date
    Nov 2008
    Posts
    7

    OK, I downloaded the anti-virus program and scanned... it found and deleted many trojans, so what's next?

  10. #10
    Join Date
    Feb 2004
    Location
    Mandurah, Western Australia
    Posts
    10,157
    Your log looks ok. How is the pc?

    I would also advise installing a 3rd party firewall too.

  11. #11
    Join Date
    Nov 2008
    Posts
    7

    I installed COMODO since it's in your sig. Must be good! Everything is running fine now! Smooth sailing and NO pop-ups. Thank you, thank you, thank YOU guys! This PC has been saved!

    But... do I have to buy Avast after the 59-day trial? I'm also wondering if there's an easy way to prevent all of those icons showing up on the taskbar. After your help, half of those have disappeared, but there are still a lot of icons there, such as QuickTime and several others. I have no use for ANY of these icons. From what I understand, they are only slowing the PC down? I'll only be accessing applications and programs through the Start menu and Program Files. Avast and COMODO are on the taskbar now too, but I think it's ok for those, lol.

    Again, THANK YOU!

  12. #12
    Join Date
    Feb 2004
    Location
    Mandurah, Western Australia
    Posts
    10,157
    No worries.

    Avast is free. All you have to do is register at their site; they will send you an email with a registration number, you enter it into Avast and it's then valid for 12 months.

    Go to Start | Run, type in msconfig and hit OK. Go to the Startup tab and disable all the programs you do not want running at startup. Hit Apply, then OK, and reboot.

    When it's rebooted you will get a pop-up saying your startup programs have changed. Tick the box at the lower left, then OK out.
