Solved

How do I find what is causing my pop-ups?

Posted on 2008-06-13
14
1,198 Views
Last Modified: 2013-12-06
I am fixing a friend of mine's mother's computer. I have already cleaned it pretty well and have got rid of a bunch of viruses, but she still has a lot of pop-ups that I can't get rid of, even using pop-up blockers. Also, Norton tells me that the machine is still infected with viruses... but does not give me any other information other than telling me that it's infected (no virus names or descriptions). I've already run SmitFraud and HijackThis. Here is the current HijackThis log file:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:54, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\iWin Games\iWinGamesInstaller.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMNET~1\SNDWarn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: GamesBar - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files\GamesBar\oberontb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: eGames Toolbar - {4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E} - C:\PROGRA~1\EGAMES~1\EGAMES~1.DLL
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKCU\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe
O9 - Extra button: (no name) - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll
O9 - Extra 'Tools' menuitem: GamesBar - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Vegas%20Heist/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iWinGamesInstaller - iWin Inc. - C:\Program Files\iWin Games\iWinGamesInstaller.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 4870 bytes


Any help is greatly appreciated. Thanks!!!
Question by:mjgreenley
14 Comments
 
LVL 1

Author Comment

by:mjgreenley
ID: 21780746
PS: the machine is a Dell Dimension running Windows XP Home, Service Pack 2; Pentium 4, 2.79 GHz; 2 GB RAM. Thanks!
 
LVL 23

Assisted Solution

by:Admin3k
Admin3k earned 125 total points
ID: 21783305
Close all instances of Windows Explorer & Internet Explorer.

Run another HijackThis scan and clean up those entries:

O3 - Toolbar: GamesBar - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files\GamesBar\oberontb.dll

C:\Program Files\iWin Games\iWinGamesInstaller.exe

O9 - Extra button: (no name) - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll

O9 - Extra 'Tools' menuitem: GamesBar - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Vegas%20Heist/Images/stg_drm.ocx

O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab

O23 - Service: iWinGamesInstaller - iWin Inc. - C:\Program Files\iWin Games\iWinGamesInstaller.exe

You may need to delete this service manually:

Start > Run > CMD

Type the below:

sc stop iWinGamesInstaller
sc delete iWinGamesInstaller

Press Y when prompted.

Reboot, update your antivirus definitions, and run a full scan.

 
LVL 47

Accepted Solution

by:
rpggamergirl earned 250 total points
ID: 21783839
C:\Program Files\GamesBar <-- you also need to remove this folder, as HijackThis only removes the registry entry but not the directory.

Besides GamesBar, there could be other nasties there like Vundo. Your log shows a sign of Vundo infection.

If the problem persists, you can use other tools to remove it; ComboFix also removes GamesBar and other nasties.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop.
Now STOP all your monitoring programs (antivirus/antispyware, guards and shields) as they could easily interfere with ComboFix.
Double-click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply along with a fresh HJT log.
Re-enable all the programs that were disabled during the running of ComboFix.


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
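As an added example (not code from this thread, from HijackThis or from ComboFix): a small Python parser for HijackThis log lines that turns each O-entry into a record, groups entries by the on-disk module they load (so the three GamesBar lines above are seen as one DLL), and, given the names an analyst has decided are unwanted, lists the folders that HijackThis's "Fix checked" leaves behind (rpggamergirl's point) and the service names that still need `sc delete` (Admin3k's point). The sample log is constructed from a handful of entries quoted in this thread; the regexes and the seed names are my assumptions about the log layout, not an official format description.

```python
import re
from collections import defaultdict

# Constructed sample: a few entries in the shape of the HijackThis logs posted
# in this thread (quoted from them), not a complete log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O3 - Toolbar: GamesBar - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files\GamesBar\oberontb.dll
O3 - Toolbar: eGames Toolbar - {4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E} - C:\PROGRA~1\EGAMES~1\EGAMES~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll
O9 - Extra 'Tools' menuitem: GamesBar - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O23 - Service: iWinGamesInstaller - iWin Inc. - C:\Program Files\iWin Games\iWinGamesInstaller.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# Assumed layout of an entry line: "<kind> - <detail>", kind being R1, O3, O23, ...
ENTRY_RE = re.compile(r'^([RFNO]\d+)\s+-\s+(.*)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f-]{36}\}')
# A drive path ending in a loadable module, or a URL (O16 DPF entries).
PATH_RE = re.compile(
    r'([A-Za-z]:\\[^"\s][^"]*?\.(?:dll|exe|ocx|sys|cab)|https?://\S+|file:///\S+)',
    re.IGNORECASE)
# "Service: <display name> (<short name>) - <vendor> - <path>"; short name optional.
SERVICE_RE = re.compile(r'^Service:\s+(?P<display>.+?)(?:\s+\((?P<short>[^)]+)\))?\s+-\s+')


def parse_hjt(text):
    """Return one record per HijackThis entry line; headers and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, detail = m.groups()
        clsid = CLSID_RE.search(detail)
        path = PATH_RE.search(detail)
        entries.append({
            "kind": kind,
            "detail": detail,
            "clsid": clsid.group(0).upper() if clsid else None,
            "path": path.group(1) if path else None,
        })
    return entries


def group_by_module(entries):
    """Key entries by the (case-folded) module they load: one DLL often backs several lines."""
    groups = defaultdict(list)
    for e in entries:
        if e["path"]:
            groups[e["path"].lower()].append(e)
    return groups


def removal_plan(entries, seeds):
    """For substrings the analyst has judged unwanted (e.g. a toolbar folder name),
    collect the matching entries, the on-disk folders HijackThis will not delete,
    and the O23 service names that must be removed with `sc delete`."""
    seeds_l = [s.lower() for s in seeds]
    hits = [e for e in entries
            if e["path"] and any(s in e["path"].lower() for s in seeds_l)]
    folders = sorted({e["path"].rsplit("\\", 1)[0]
                      for e in hits if e["path"][1:3] == ":\\"})
    services = set()
    for e in hits:
        if e["kind"] == "O23":
            m = SERVICE_RE.match(e["detail"])
            if m:
                services.add(m.group("short") or m.group("display"))
    return {"entries": hits, "folders": folders, "services": sorted(services)}


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    plan = removal_plan(parsed, ["GamesBar", "EGAMES~1", "iWin Games"])
    for e in plan["entries"]:
        print(e["kind"], "-", e["detail"])
    print("folders to delete by hand:", plan["folders"])
    print("services to remove with sc delete:", plan["services"])
```

The seed list is deliberately the analyst's decision, not the script's: the parser only makes the correlation visible (which lines share a module or a CLSID, which paths survive a registry-only fix). Short 8.3 names such as EGAMES~1 are left as written, since expanding them needs the live filesystem.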
 
LVL 17

Assisted Solution

by:Wakeup
Wakeup earned 125 total points
ID: 21784128
O3 - Toolbar: eGames Toolbar - {4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E} - C:\PROGRA~1\EGAMES~1\EGAMES~1.DLL
Get rid of that one too.

Also realize that just one program does not always get rid of or keep everything off. Norton and McAfee are the two hardest hit and are among the most CPU/memory-intensive scanners. You may try switching to some different software tools. Realize that both of these are the biggest on the market. You can go to Best Buy, Fry's, CompUSA or whatever computer store... buy a Sony, Dell, Gateway, HP, whatever brand, and 90% of those machines will come with one if not both of those... I work in a retail store, and 90% of my motherboards come with an installer for Norton. Sign up for some of the biggest Internet providers on the market (Comcast, AOL, PeoplePC), and you get McAfee or Norton respectively.
The people designing the viruses and spyware are writing them with the mindset that most people will have one if not both of these on their machines...
You may see Norton, for example, scan and FIND and even REMOVE said infections; disconnect your internet before you do, scan 5 minutes later or restart, and those infections it says it removed are still there. There are many infections out there that also render Norton and McAfee useless and cause them to get corrupt or damaged, in which case you can't repair your Norton or McAfee, you can't remove them, you can't reinstall them, without manually going in and removing them from the registry and deleting the folders, or downloading their respective uninstaller tools... (funny how McAfee and Norton created a tool to remove their own programs! :)

Anyway, some programs to try:
AVG, Avast, SUPERAntiSpyware, Spybot Search & Destroy, Lavasoft Ad-Aware, ComboFix as suggested, etc.

One more thing to remember is that most antivirus software packages don't fix a lot of spyware problems, and vice versa: antispyware doesn't hit the viruses well.
 
LVL 17

Assisted Solution

by:Wakeup
Wakeup earned 125 total points
ID: 21784144
 
LVL 1

Author Comment

by:mjgreenley
ID: 21786199
Thanks for the help so far, everyone!
Here is the ComboFix log; I will post the new HijackThis log below as well. Thanks:


ComboFix 08-06-12.2 - Barbara Watson 2008-06-14  1:50:06.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1569 [GMT -3:00]
Running from: C:\Documents and Settings\Barbara Watson\Desktop\ComboFix.exe
 * Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\GamesBar\oberontb.dll
C:\Program Files\WinAntivirusPro3.8
C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\__c00D3B6C.exe
C:\WINDOWS\system32\__c00DB09A.exe
C:\WINDOWS\system32\akhuhjrf.dll
C:\WINDOWS\system32\awoerkuo.dll
C:\WINDOWS\system32\bjmuvvok.ini
C:\WINDOWS\system32\cboyvfni.dll
C:\WINDOWS\system32\csyepimh.ini
C:\WINDOWS\system32\dbkeugau.dll
C:\WINDOWS\system32\fijeubis.ini
C:\WINDOWS\system32\frjhuhka.ini
C:\WINDOWS\system32\gqwgpers.ini
C:\WINDOWS\system32\klbbsqyi.dll
C:\WINDOWS\system32\lnponnnn.ini
C:\WINDOWS\system32\lnponnnn.ini2
C:\WINDOWS\system32\mxggibem.dll
C:\WINDOWS\system32\nnnnopnl.dll
C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\system32\pllaujoi.dll
C:\WINDOWS\system32\qahwkljs.dll
C:\WINDOWS\system32\qiebdvej.ini
C:\WINDOWS\system32\qqpdvvgo.ini
C:\WINDOWS\system32\ssmoskdl.ini
C:\WINDOWS\system32\tbhyrdct.dll
C:\WINDOWS\system32\uaguekbd.ini
C:\WINDOWS\system32\uyqhpgsf.ini
C:\WINDOWS\system32\wcnpepeo.dll

.
(((((((((((((((((((((((((   Files Created from 2008-05-14 to 2008-06-14  )))))))))))))))))))))))))))))))
.

2008-06-13 00:16 . 2005-06-08 14:17      <DIR>      d--------      C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-13 00:16 . 2005-06-08 14:07      <DIR>      d--------      C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-06-13 00:16 . 2005-06-08 14:06      <DIR>      d--h-----      C:\Documents and Settings\Administrator\Application Data\Gtek
2008-06-13 00:16 . 2008-06-13 00:16      <DIR>      d--------      C:\Documents and Settings\Administrator
2008-06-13 00:04 . 2008-06-13 00:19      922      --a------      C:\WINDOWS\system32\tmp.reg
2008-06-12 23:01 . 2008-06-12 23:01      <DIR>      d--------      C:\Program Files\Trend Micro
2008-06-10 19:48 . 2008-06-10 19:48      <DIR>      d--------      C:\Documents and Settings\Barbara Watson\Application Data\Uniblue
2008-06-10 19:47 . 2008-06-10 19:47      <DIR>      d--------      C:\Program Files\Uniblue
2008-06-04 23:04 . 2008-06-04 23:04      <DIR>      d--------      C:\Program Files\SymNetDrv
2008-06-04 22:53 . 2008-06-04 22:56      <DIR>      d--------      C:\Program Files\Norton Internet Security
2008-06-04 22:52 . 2003-08-15 18:22      83,208      --a------      C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-04 22:52 . 2003-08-15 18:22      82,136      --a------      C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-04 22:51 . 2008-06-04 22:55      <DIR>      d--------      C:\Program Files\Symantec
2008-06-04 22:30 . 2000-03-23 12:50      446,464      -ra------      C:\WINDOWS\system32\hhactivex.dll
2008-06-04 22:30 . 1999-05-07 13:24      414,944      --a------      C:\WINDOWS\system32\COMCT332.OCX
2008-06-04 22:30 . 1998-11-10 10:46      328,480      --a------      C:\WINDOWS\system32\ssa3d30.ocx
2008-06-04 22:30 . 2002-01-08 17:00      176,128      --a------      C:\WINDOWS\system32\RcdScan.dll
2008-06-04 22:30 . 1998-09-24 12:03      171,967      --a------      C:\WINDOWS\system32\Odbcjet.hlp
2008-06-04 22:30 . 1998-06-17 23:00      89,360      --a------      C:\WINDOWS\system32\VB5DB.DLL
2008-06-04 22:30 . 2001-08-22 08:42      13,632      --a------      C:\WINDOWS\system32\drivers\omci.sys
2008-06-04 22:30 . 1998-09-24 12:03      7,348      --a------      C:\WINDOWS\system32\Odbcjet.cnt
2008-06-04 02:26 . 2004-08-03 22:58      14,848      --a------      C:\WINDOWS\system32\drivers\kbdhid.sys
2008-06-04 02:26 . 2004-08-03 22:58      14,848      --a------      C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-06-04 02:25 . 2004-08-03 23:08      31,616      --a------      C:\WINDOWS\system32\drivers\usbccgp.sys
2008-06-04 02:25 . 2004-08-03 23:08      31,616      --a------      C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-06-04 02:25 . 2004-08-04 00:56      21,504      --a------      C:\WINDOWS\system32\hidserv.dll
2008-06-04 02:25 . 2004-08-04 00:56      21,504      --a------      C:\WINDOWS\system32\dllcache\hidserv.dll
2008-05-31 22:00 . 2008-05-31 22:04      <DIR>      d--------      C:\Documents and Settings\Barbara Watson\Application Data\EGAMESTOOLBAR
2008-05-31 21:30 . 2008-06-04 22:29      <DIR>      d--------      C:\Program Files\LiveAntispy
2008-05-29 16:21 . 2008-05-29 16:21      0      --a--c---      C:\4A.tmp
2008-05-29 16:20 . 2008-05-29 16:20      0      --a--c---      C:\49.tmp
2008-05-29 16:20 . 2008-05-29 16:20      0      --a--c---      C:\48.tmp
2008-05-29 16:20 . 2008-05-29 16:20      0      --a--c---      C:\47.tmp
2008-05-29 08:34 . 2008-05-29 20:28      34,037      --ahs----      C:\WINDOWS\system32\sxgoixed.ini
2008-05-28 08:29 . 2008-05-29 08:29      33,805      --ahs----      C:\WINDOWS\system32\cnyhmhbc.ini
2008-05-24 19:18 . 2008-05-24 19:18      <DIR>      d--------      C:\Documents and Settings\Barbara Watson\Application Data\Sudden Games
2008-05-18 11:20 . 2008-05-18 11:20      <DIR>      d--------      C:\Documents and Settings\Barbara Watson\Application Data\EleFun Games
2008-05-17 19:27 . 2008-05-17 19:27      1,409      --a------      C:\WINDOWS\system32\tmpE6BFA.FOT
2008-05-17 19:27 . 2008-05-17 19:27      1,409      --a------      C:\WINDOWS\system32\tmp9A9FA.FOT
2008-05-17 19:27 . 2008-05-17 19:27      1,409      --a------      C:\WINDOWS\system32\tmp48AFA.FOT
2008-05-17 19:27 . 2008-05-17 19:27      1,409      --a------      C:\WINDOWS\system32\tmp1EAFA.FOT
2008-05-16 22:48 . 2008-05-16 22:48      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Astar Games
2008-05-16 22:45 . 2008-05-16 22:45      <DIR>      d--------      C:\Program Files\Laura Jones and the Gates of Good and Evil
2008-05-15 11:38 . 2008-05-31 22:03      <DIR>      d--------      C:\Program Files\egamestoolbar

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 04:50      ---------      d-----w      C:\Program Files\GamesBar
2008-06-14 04:47      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\GamesBar
2008-06-13 01:44      ---------      d-----w      C:\Program Files\Common Files\Symantec Shared
2008-06-05 01:56      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-05 01:30      ---------      d--h--w      C:\Program Files\InstallShield Installation Information
2008-06-01 21:03      ---------      d---a-w      C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-01 11:22      ---------      d-----w      C:\Program Files\iWin.com
2008-05-31 21:19      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-05-31 21:18      ---------      d-----w      C:\Program Files\Google
2008-05-23 14:41      ---------      d-----w      C:\Program Files\Chill
2008-05-18 01:47      ---------      d-----w      C:\Program Files\Games
2008-05-18 01:44      ---------      d-----w      C:\Documents and Settings\Barbara Watson\Application Data\SpinTop
2008-05-18 01:44      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\SpinTop
2008-05-18 01:42      ---------      d-----w      C:\Program Files\GameHouse
2008-05-18 01:42      ---------      d-----w      C:\Program Files\AOL Games
2008-05-17 11:42      ---------      d-----w      C:\Documents and Settings\Barbara Watson\Application Data\PlayFirst
2008-05-17 11:42      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-05-14 21:29      ---------      d-----w      C:\Program Files\goodsol
2008-05-11 22:16      ---------      d-----w      C:\Documents and Settings\Barbara Watson\Application Data\GameHouse
2008-05-10 17:47      ---------      d-----w      C:\Program Files\Mystery Solitaire
2008-05-10 11:46      ---------      d-----w      C:\Documents and Settings\Barbara Watson\Application Data\Gaijin Ent
2008-05-06 13:02      ---------      d-----w      C:\Documents and Settings\Barbara Watson\Application Data\Oberon Media
2008-05-06 13:02      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Oberon Media
2008-05-03 23:42      ---------      d-----w      C:\Documents and Settings\Barbara Watson\Application Data\StoneLoopsIW
2008-05-03 13:21      ---------      d-----w      C:\Documents and Settings\Barbara Watson\Application Data\Big Fish Games
2008-05-03 12:55      ---------      d-----w      C:\Documents and Settings\Barbara Watson\Application Data\Legends of pirates
2008-05-03 12:20      ---------      d-----w      C:\Program Files\Pirateville
2008-05-03 00:57      ---------      d-----w      C:\Documents and Settings\Barbara Watson\Application Data\Valusoft
2008-05-03 00:57      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Valusoft
2008-05-02 14:09      ---------      d-----w      C:\Documents and Settings\Barbara Watson\Application Data\GamesCafe
2008-04-28 01:12      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\EscapeTheMuseum
2008-04-27 00:33      ---------      d-----w      C:\Program Files\Little Shop of Treasures 2
2008-04-26 01:40      ---------      d-----w      C:\Program Files\Natalie Brooks Secrets Of Treasure House
2008-04-25 23:56      ---------      d-----w      C:\Program Files\The Hidden Object Show
2008-04-25 23:47      ---------      d-----w      C:\Documents and Settings\Barbara Watson\Application Data\Talkback
2008-04-22 19:52      ---------      d-----w      C:\Program Files\Jigsaw Adorable Animals 2
2008-04-22 19:47      ---------      d-----w      C:\Program Files\Jigsaw Beach Holiday
2008-04-22 11:13      ---------      d-----w      C:\Documents and Settings\Barbara Watson\Application Data\Friday's games
2008-04-20 02:16      ---------      d-----w      C:\Documents and Settings\Barbara Watson\Application Data\Yatec Games
2008-04-19 00:37      ---------      d-----w      C:\Program Files\Mystery P.I. - The Vegas Heist
2008-04-19 00:17      ---------      d-----w      C:\Program Files\Big City Adventure
2008-04-18 14:31      ---------      d-----w      C:\Program Files\Travelogue 360 - Paris
2008-04-14 19:20      ---------      d-----w      C:\Documents and Settings\Barbara Watson\Application Data\Magic Academy
2008-04-14 18:29      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\NeptunesAdve
2008-04-14 16:12      ---------      d-----w      C:\Program Files\Mahjong Escape - Ancient China
2008-04-14 16:12      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\JollyBear
2008-03-27 08:12      151,583      ----a-w      C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\win32k.sys
2007-08-16 11:00      26,578,096      ----a-w      C:\Program Files\avg75free_484a1100.exe
2007-05-25 00:02      532,480      ----a-w      C:\Program Files\cwshredder.exe
2007-05-25 00:01      1,308,216      ----a-w      C:\Program Files\HiJackThis_v2.exe
2005-12-23 20:20      774,144      ----a-w      C:\Program Files\RngInterstitial.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E}]
2008-05-31 22:03      1947136      --a------      C:\PROGRA~1\EGAMES~1\EGAMES~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}]
2008-03-05 09:48      78848      --a------      C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E}"= "C:\PROGRA~1\EGAMES~1\EGAMES~1.DLL" [2008-05-31 22:03 1947136]

[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-85b2-bc27fe9aae2e}]
[HKEY_CLASSES_ROOT\egamestoolbar.EGAMESTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E}"= C:\PROGRA~1\EGAMES~1\EGAMES~1.DLL [2008-05-31 22:03 1947136]

[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-85b2-bc27fe9aae2e}]
[HKEY_CLASSES_ROOT\egamestoolbar.EGAMESTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-10-29 08:52 218232]
"Uniblue SpeedUpMyPC"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12 221184]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 11:47 71328]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2003-10-22 09:42 70840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqRHabC]
urqRHabC.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00DB5A]
C:\WINDOWS\system32\__c00DB5A.dat

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Barbara Watson^Start Menu^Programs^Startup^iWin Desktop Alerts.lnk]
path=C:\Documents and Settings\Barbara Watson\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
backup=C:\WINDOWS\pss\iWin Desktop Alerts.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Barbara Watson^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\Barbara Watson\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Barbara Watson^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Barbara Watson\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9c9a94d5]
C:\WINDOWS\system32\akhuhjrf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A00F190298F1.exe]
C:\DOCUME~1\BARBAR~1\LOCALS~1\Temp\_A00F190298F1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2004-07-19 09:51 306688 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
--a------ 2003-05-22 01:37 229437 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-01-27 03:02 86016 C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcNotifier]
--a------ 2008-01-25 14:03 176128 C:\Documents and Settings\Barbara Watson\Local Settings\Application Data\VTShared\GCNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-10-23 19:51 233472 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-06-25 11:24 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-09-01 08:42 176128 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 10:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 10:36 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 10:35 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ImInstaller_IncrediMail]
C:\DOCUME~1\BARBAR~1\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install
[1].exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 18:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Magentic]
C:\PROGRA~1\Magentic\bin\Magentic.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2005-03-15 09:58 53248 C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2005-03-15 09:58 135168 C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
--a------ 2004-11-11 12:26 26112 C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-06-08 14:12 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SlipStream]
C:\Program Files\SlipStream Web Accelerator\slipcore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 21:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TimeSink Ad Client]
C:\Program Files\TimeSink\AdGateway\TsAdBot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherDPA]
C:\Program Files\Zango\bin\10.1.181.0\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntivirusPro]
C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2008-01-10 13:41 223984 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoOE]
C:\Program Files\Zango\bin\10.1.181.0\OEAddOn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoSA]
C:\Program Files\Zango\bin\10.1.181.0\ZangoSA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2004-02-11 17:27]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-05 02:03:45 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task:
"2008-06-12 12:00:00 C:\WINDOWS\Tasks\rpc.job"
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
"2008-06-14 05:02:11 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-06-10 22:48:08 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-06-10 22:48:06 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 01:57:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVSCAN.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-14  2:10:18 - machine was rebooted
ComboFix-quarantined-files.txt  2008-06-14 05:10:14

Pre-Run: 18,567,376,896 bytes free
Post-Run: 19,574,243,328 bytes free

313      --- E O F ---      2008-06-14 05:10:11



HIJACK THIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:14:41, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMNET~1\SNDWarn.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\7215cdd2a5992ff3eb59bc846f07eb4e\update\update.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: eGames Toolbar - {4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E} - C:\PROGRA~1\EGAMES~1\EGAMES~1.DLL
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: (no name) - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: eGames Toolbar - {4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E} - C:\PROGRA~1\EGAMES~1\EGAMES~1.DLL
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKCU\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O20 - Winlogon Notify: urqRHabC - urqRHabC.dll (file missing)
O20 - Winlogon Notify: __c00DB5A - C:\WINDOWS\system32\__c00DB5A.dat (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 5069 bytes
0
 
LVL 17

Expert Comment

by:Wakeup
ID: 21786593
Oh ya...you have some infections for sure.

Egames, iwin, winantivirus, etc etc....you may try scanning with other programs as well.
As stated in my comments....one program does not take care of everything.  

Try some of the programs I suggested...if you need help finding them let me know...
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 250 total points
ID: 21787221
I assume you installed Egames and Iwin Games, right? They're still optional.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
C:\4A.tmp
C:\49.tmp
C:\48.tmp
C:\47.tmp
C:\WINDOWS\system32\sxgoixed.ini
C:\WINDOWS\system32\cnyhmhbc.ini
C:\WINDOWS\system32\akhuhjrf.dll
C:\DOCUME~1\BARBAR~1\LOCALS~1\Temp\_A00F190298F1.exe
C:\Windows\xpupdate.exe

Folder::
C:\Program Files\Zango
C:\Documents and Settings\All Users\Application Data\GamesBar
C:\PROGRA~1\IWINGA~1

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqRHabC]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00DB5A]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9c9a94d5]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A00F190298F1.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntivirusPro]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoOE]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoSA]

------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


Also check the properties of these files below; it looks like they might be temp font files from one of your games. If they're unknown then remove them.
C:\WINDOWS\system32\tmpE6BFA.FOT
C:\WINDOWS\system32\tmp9A9FA.FOT
C:\WINDOWS\system32\tmp48AFA.FOT
C:\WINDOWS\system32\tmp1EAFA.FOT
0
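As an added example (not code from anyone in the thread), the triage below applies the same reasoning the experts used to the posted logs in Python: it flags the HijackThis entry types singled out above (Winlogon Notify entries whose DLL is missing, orphaned toolbar CLSIDs, components of Zango, iWin, eGames and WinAntivirusPro, autoruns with no absolute path) and reads the ComboFix registry dump for the Security Center and Windows Firewall values that were switched off. The KNOWN_UNWANTED list and TAMPER_RULES are assumptions built only from this thread's logs, not a vendor signature set; the sample input is copied from the logs posted earlier in the thread.

```python
"""Triage helpers for HijackThis and ComboFix output (added example)."""
import re

# HijackThis line layout: "<section> - <description>"
HJT_LINE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+) - (.*)$")

# Assumption: a technician's own short deny list built from this thread's
# logs. Not a vendor database.
KNOWN_UNWANTED = ("zango", "winantivirus", "iwinga", "egames", "xpupdate")


def triage_hijackthis(log_text):
    """Return (section, reason, line) for each HijackThis line worth a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.groups()
        lower = body.lower()
        if section == "O20" and "(file missing)" in lower:
            findings.append((section, "Winlogon Notify entry with missing DLL", line))
        elif section in ("O2", "O3") and "(no file)" in lower:
            findings.append((section, "orphaned BHO/toolbar CLSID", line))
        elif section in ("O2", "O3", "O4", "O16", "O20") and any(k in lower for k in KNOWN_UNWANTED):
            findings.append((section, "known adware / rogue-AV component", line))
        elif section == "O4" and not re.search(r"[a-z]:\\", lower):
            # A bare file name is resolved through PATH, so its origin is unclear.
            findings.append((section, "autorun without an absolute path", line))
    return findings


REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:)?([0-9a-fx]+)', re.IGNORECASE)

# (key substring, value name, value that indicates the protection was turned off)
TAMPER_RULES = [
    ("security center", "antivirusdisablenotify", 1),
    ("security center", "firewalldisablenotify", 1),
    ("security center\\monitoring", "disablemonitoring", 1),
    ("firewallpolicy\\standardprofile", "enablefirewall", 0),
]


def check_security_center(reg_text):
    """Return (key, value_name, value) for each Security Center/firewall value set to the 'off' state."""
    findings = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        k = REG_KEY.match(line)
        if k:
            key = k.group(1).lower()
            continue
        v = REG_VALUE.match(line)
        if not v or key is None:
            continue
        name, val = v.group(1).lower(), int(v.group(2), 16)
        for key_part, value_name, bad in TAMPER_RULES:
            if key_part in key and name == value_name and val == bad:
                findings.append((key, name, val))
    return findings


# Sample input copied from the logs posted in this thread.
SAMPLE_HJT = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL
O3 - Toolbar: (no name) - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - (no file)
O3 - Toolbar: eGames Toolbar - {4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E} - C:\PROGRA~1\EGAMES~1\EGAMES~1.DLL
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: urqRHabC - urqRHabC.dll (file missing)
O20 - Winlogon Notify: __c00DB5A - C:\WINDOWS\system32\__c00DB5A.dat (file missing)
"""

SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"""

if __name__ == "__main__":
    for section, reason, line in triage_hijackthis(SAMPLE_HJT):
        print(f"{section:4} {reason}: {line}")
    for key, name, val in check_security_center(SAMPLE_REG):
        print(f"tampered: {name}={val} under {key}")
```

On the posted logs this reports the two missing Winlogon Notify DLLs, the orphaned toolbar, the iWin and eGames components, the Logitech autorun with a bare file name (worth confirming rather than removing), and all four Security Center/firewall values that had been switched to the "off" state, which is why Norton kept reporting an infection without the system tray ever warning about it.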
 
LVL 1

Author Comment

by:mjgreenley
ID: 21787399
Yeah this is actually my friend's mother's computer. She's not too savvy when it comes to knowing what's legit vs. what's not. I will definitely try running some of those other programs Wakeup; as well as the combofix txt file from you rpggamergirl and let you know what happens. Thanks again for all of this help, I really appreciate it! I'll get back to ya's
0
 
LVL 1

Author Comment

by:mjgreenley
ID: 21825122
Thanks for all of your help everyone! I've been sick, so sorry for the delay in communication. Your collaborative inputs cleared up all of my issues. I really appreciate it! And the owner is very happy!
0
 
LVL 1

Author Closing Comment

by:mjgreenley
ID: 31466993
Thanks again for all of your help! I tried to be as fair as possible with the points. Since rpggamergirl's solutions cleared up the majority of the problems, I gave her more points. Thanks!
0
 
LVL 17

Expert Comment

by:Wakeup
ID: 21826190
Hey not a problem here!  RPGGamergirl is amazing at this stuff no doubt!
I know she has different methods as I do, but it's all good!
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21827624
mjgreenley,
Hope you're feeling 100% recovered now.
Glad to know that her pc issues have been resolved.
You can then uninstall combofix please.
Go to Start > Run and copy and paste next command in the field:

ComboFix /u

Thanks!

------------
WakeUp,
Thanks for the kind words.
It's good to have different approaches available for the Askers; in the end it's the teamwork/collaborative input that really counts.
0
 
LVL 17

Expert Comment

by:Wakeup
ID: 21828984
Amen!  I hold nothing against anyone!  No reason to...this is the internet!  I know your methods differ from my methods and I know your methods work!  So ain't no complaints here! :)
0
