Computer seems to have something of a problem
stephenb1956
07-29-2007, 04:58 PM
This computer is really running slow and when starting programs it is taking what seems like a really long time as compared to what it used to do. The machine is a little old and I allow for that but now it seems bad. I have run a HJT and combo and these are the logs.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:59:28 PM, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\quickenw\QAGENT.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Lavalys\EVEREST Home Edition\everest.bin
C:\Documents and Settings\Dad\My Documents\Downloads\HiJackThis_v2.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=searchfavweb&c=3c01&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\quickenw\QAGENT.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-21-359561344-1266486392-598665437-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Mom')
O4 - HKUS\S-1-5-21-359561344-1266486392-598665437-1007\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe (User 'Mom')
O4 - HKUS\S-1-5-21-359561344-1266486392-598665437-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Mom')
O4 - HKUS\S-1-5-21-359561344-1266486392-598665437-1007\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User 'Mom')
O4 - HKUS\S-1-5-21-359561344-1266486392-598665437-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Rebekah & James')
O4 - HKUS\S-1-5-21-359561344-1266486392-598665437-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Stephen & Kendra')
O4 - HKUS\S-1-5-21-359561344-1266486392-598665437-1010\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Amanda & Jody')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {38BF921C-9F67-4F94-8113-ABAE2AEB32CB} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n031p/EN/install/gtdownlr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175326973983
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175458617781
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://aolsvc.aol.com/onlinegames/dinerdash/DinerDash.1.0.0.93.cab
stephenb1956
07-29-2007, 04:58 PM
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--
End of file - 11399 bytes
stephenb1956
07-29-2007, 04:59 PM
"Dad" - 2007-07-29 14:36:45 - ComboFix 07-07-23.6 - Service Pack 2 NTFS
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\REBEKA~1\APPLIC~1\FunWebProducts
C:\DOCUME~1\REBEKA~1\APPLIC~1\FunWebProducts\Data\Rebekah & James\avatar.dat
C:\DOCUME~1\REBEKA~1\APPLIC~1\FunWebProducts\Data\Rebekah & James\register.dat
C:\DOCUME~1\REBEKA~1\APPLIC~1\FunWebProducts\Data\Rebekah & James\zbucks.dat
((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-29 )))))))))))))))))))))))))))))))
2007-07-29 14:36 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-28 11:57 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\PlayFirst
2007-07-28 11:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst
2007-07-23 17:56 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-07-23 17:55 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-29 18:59:01 -------- d-----w C:\Program Files\Norton SystemWorks
2007-07-29 18:01:15 -------- d-----w C:\Program Files\XoftSpySE
2007-07-29 18:00:30 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-29 17:56:57 -------- d-----w C:\Program Files\SpywareBlaster
2007-07-15 21:26:22 -------- d-----w C:\Program Files\9Dragons
2007-06-24 22:31:13 -------- d-----w C:\Program Files\MySpace
2007-06-16 20:04:15 -------- d-----w C:\Program Files\RegCure
2007-06-10 06:02:01 -------- d-----w C:\DOCUME~1\Dad\APPLIC~1\MySpace
2007-05-30 12:10:42 10,872 ----a-w C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-06 22:08:35 27,976 ----a-w C:\DOCUME~1\Dad\APPLIC~1\GDIPFONTCACHEV1.DAT
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WCOLOREAL"="C:\Program Files\COMPAQ\Coloreal\coloreal.exe" [2001-09-26 11:30]
"CPQEASYACC"="C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe" [2001-08-15 13:50]
"WorksFUD"="" []
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-07-13 15:00]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 15:00]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-03-31 01:25]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 16:34]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-22 22:05]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 20:22]
"QAGENT"="C:\Program Files\quickenw\QAGENT.EXE" [2001-08-01 15:30]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-07-13 15:00:00]
Norton GoBack.lnk - C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe [2006-07-19 11:45:12]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]
R0 GBDevice;GBDevice;C:\WINDOWS\system32\drivers\GBDevice.sys
R0 GoBack2K;GoBack2K;C:\WINDOWS\system32\drivers\GoBack2K.sys
R0 Vmodem;XP Vmodem;C:\WINDOWS\system32\DRIVERS\vmodem.sys
R0 Vpctcom;XP Vpctcom;C:\WINDOWS\system32\DRIVERS\vpctcom.sys
R0 Vvoice;XP Vvoice;C:\WINDOWS\system32\DRIVERS\vvoice.sys
R1 P3;Intel PentiumIII Processor Driver;C:\WINDOWS\system32\DRIVERS\p3.sys
R1 SRTSPX;SRTSPX;C:\WINDOWS\system32\Drivers\SRTSPX.SYS
R2 ASCTRM;ASCTRM;C:\WINDOWS\system32\drivers\ASCTRM.sys
R2 BCMNTIO;BCMNTIO;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys
R2 GBFSHook;GBFSHook;C:\WINDOWS\system32\drivers\GBFSHook.sys
R2 MAPMEM;MAPMEM;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys
R2 mrtRate;mrtRate;C:\WINDOWS\system32\drivers\mrtRate.sys
R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\System32\PackethSvc.exe
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
R3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\C:\Program Files\Lavalys\EVEREST Home Edition\kerneld.wnt
R3 NPDriver;Norton UnErase Protection Driver;\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys
R3 SRTSP;SRTSP;C:\WINDOWS\system32\Drivers\SRTSP.SYS
R3 wandrv;WAN Network Driver;C:\WINDOWS\system32\DRIVERS\wandrv.sys
S1 EACMOS;EACMOS;C:\WINDOWS\system32\drivers\EACMOS.SYS
S1 EAWDMFD;EAWDMFD;C:\WINDOWS\system32\drivers\EAWDMFD.sys
S3 i81x;i81x;C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
S3 iAimFP0;iAimFP0;C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
S3 iAimTV0;iAimTV0;C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
S3 iAimTV3;iAimTV3;C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
S3 SDdriver;SDdriver;\??\C:\WINDOWS\system32\Drivers\sddriver.sys
S3 SRTSPL;SRTSPL;C:\WINDOWS\system32\Drivers\SRTSPL.SYS
*Newly Created Service* - COMHOST
*Newly Created Service* - EVERESTDRIVER
Contents of the 'Scheduled Tasks' folder
2007-07-28 01:00:00 C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Dad.job
2007-07-02 17:00:00 C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
2007-07-29 14:48:54 C:\WINDOWS\tasks\RegCure Program Check.job
2007-07-26 08:00:00 C:\WINDOWS\tasks\RegCure.job
2007-07-29 05:00:00 C:\WINDOWS\tasks\Symantec Drmc.job
2007-07-29 19:40:00 C:\WINDOWS\tasks\User_Feed_Synchronization-{0D9ACB10-E734-426C-90E4-EE8A147F4A63}.job
2007-07-29 14:48:51 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-07-28 08:00:00 C:\WINDOWS\tasks\XoftSpySE.job
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-29 14:40:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-29 14:42:46
C:\ComboFix-quarantined-files.txt ... 2007-07-29 14:42
--- E O F ---
If someone could take a look and see if there is anything of concern I would appreciate it.
stephenb1956
08-03-2007, 11:14 PM
Bump
Was hoping that someone might be able to take a quick look at the logs and let me know if something might be a problem.
classicsoftware
08-04-2007, 12:29 AM
How is the system running since you ran Combofix?
I see you have AVG Anti-Spyware. Do you have a log from that program?
stephenb1956
08-04-2007, 12:05 PM
Hey Classicsoftware,
In reality it is not running any better. This morning I started out doing my normal routine, which is running all the spyware programs that I do since I seem to be the maintainer. When I ran XoftSpy it showed up with four, I believe, rootkits named "WinAntivirus Pro 2006 & 2007". Anyways, here is the log:
<XoftSpy>
<Meta info="XoftSpySE-SP1 Tech-Support Log" time="04-08-2007-08-19-33" />
<ScanSettings scanActive="true" scanRegistry="true" scanSysFolders="true" scanDrives="true" scanHosts="true" scanAdvScan="true" />
<Debug>
<DebugMsg event="REGKEY_FOUND" data="*\shellex\contextmenuhandlers\shellextension" system-message="Only part of a ReadProcessMemory or WriteProcessMemory request was completed." malwareName="WinAntiVirus Pro 2006" />
<DebugMsg event="REGKEY_FOUND" data="directory\shellex\contextmenuhandlers\shellextension" system-message="Only part of a ReadProcessMemory or WriteProcessMemory request was completed." malwareName="WinAntiVirus Pro 2006" />
<DebugMsg event="REGKEY_FOUND" data="drive\shellex\contextmenuhandlers\shellextension" system-message="Only part of a ReadProcessMemory or WriteProcessMemory request was completed." malwareName="WinAntiVirus Pro 2006" />
<DebugMsg event="REGKEY_FOUND" data="software\classes\*\shellex\contextmenuhandlers\shellextension" system-message="Only part of a ReadProcessMemory or WriteProcessMemory request was completed." malwareName="WinAntiVirus Pro 2007" />
<DebugMsg event="REGKEY_FOUND" data="software\classes\directory\shellex\contextmenuhandlers\shellextension" system-message="Only part of a ReadProcessMemory or WriteProcessMemory request was completed." malwareName="WinAntiVirus Pro 2007" />
<DebugMsg event="REGKEY_FOUND" data="software\classes\drive\shellex\contextmenuhandlers\shellextension" system-message="Only part of a ReadProcessMemory or WriteProcessMemory request was completed." malwareName="WinAntiVirus Pro 2007" />
<DebugMsg event="REGKEY_QUARANTINE_SUCCESS" data="*\shellex\contextmenuhandlers\shellextension" system-message="An attempt was made to move the file pointer before the beginning of the file." malwareName="" />
<DebugMsg event="REGKEY_QUARANTINE_SUCCESS" data="directory\shellex\contextmenuhandlers\shellextension" system-message="An attempt was made to move the file pointer before the beginning of the file." malwareName="" />
<DebugMsg event="REGKEY_QUARANTINE_SUCCESS" data="drive\shellex\contextmenuhandlers\shellextension" system-message="An attempt was made to move the file pointer before the beginning of the file." malwareName="" />
<DebugMsg event="REGKEY_QUARANTINE_SUCCESS" data="software\classes\*\shellex\contextmenuhandlers\shellextension" system-message="An attempt was made to move the file pointer before the beginning of the file." malwareName="" />
<DebugMsg event="REGKEY_QUARANTINE_SUCCESS" data="software\classes\directory\shellex\contextmenuhandlers\shellextension" system-message="An attempt was made to move the file pointer before the beginning of the file." malwareName="" />
<DebugMsg event="REGKEY_QUARANTINE_SUCCESS" data="software\classes\drive\shellex\contextmenuhandlers\shellextension" system-message="An attempt was made to move the file pointer before the beginning of the file." malwareName="" />
<DebugMsg event="REGKEY_DELETE_SUCCESS" data="HKEY_CLASSES_ROOT\software\classes\drive\shellex\contextmenuhandlers\shellextension" system-message="The operation completed successfully." malwareName="" />
<DebugMsg event="REGKEY_DELETE_SUCCESS" data="HKEY_CURRENT_USER\software\classes\drive\shellex\contextmenuhandlers\shellextension" system-message="The operation completed successfully." malwareName="" />
<DebugMsg event="REGKEY_DELETE_SUCCESS" data="HKEY_LOCAL_MACHINE\software\classes\drive\shellex\contextmenuhandlers\shellextension" system-message="The operation completed successfully." malwareName="" />
<DebugMsg event="REGKEY_DELETE_SUCCESS" data="HKEY_USERS\software\classes\drive\shellex\contextmenuhandlers\shellextension" system-message="The operation completed successfully." malwareName="" />
<DebugMsg event="REGKEY_DELETE_SUCCESS" data="HKEY_CLASSES_ROOT\software\classes\directory\shellex\contextmenuhandlers\shellextension" system-message="The operation completed successfully." malwareName="" />
<DebugMsg event="REGKEY_DELETE_SUCCESS" data="HKEY_CURRENT_USER\software\classes\directory\shellex\contextmenuhandlers\shellextension" system-message="The operation completed successfully." malwareName="" />
<DebugMsg event="REGKEY_DELETE_SUCCESS" data="HKEY_LOCAL_MACHINE\software\classes\directory\shellex\contextmenuhandlers\shellextension" system-message="The operation completed successfully." malwareName="" />
<DebugMsg event="REGKEY_DELETE_SUCCESS" data="HKEY_USERS\software\classes\directory\shellex\contextmenuhandlers\shellextension" system-message="The operation completed successfully." malwareName="" />
<DebugMsg event="REGKEY_DELETE_SUCCESS" data="HKEY_CLASSES_ROOT\software\classes\*\shellex\contextmenuhandlers\shellextension" system-message="The operation completed successfully." malwareName="" />
<DebugMsg event="REGKEY_DELETE_SUCCESS" data="HKEY_CURRENT_USER\software\classes\*\shellex\contextmenuhandlers\shellextension" system-message="The operation completed successfully." malwareName="" />
<DebugMsg event="REGKEY_DELETE_SUCCESS" data="HKEY_LOCAL_MACHINE\software\classes\*\shellex\contextmenuhandlers\shellextension" system-message="The operation completed successfully." malwareName="" />
<DebugMsg event="REGKEY_DELETE_SUCCESS" data="HKEY_USERS\software\classes\*\shellex\contextmenuhandlers\shellextension" system-message="The operation completed successfully." malwareName="" />
<DebugMsg event="REGKEY_DELETE_SUCCESS" data="HKEY_CLASSES_ROOT\drive\shellex\contextmenuhandlers\shellextension" system-message="The operation completed successfully." malwareName="" />
<DebugMsg event="REGKEY_DELETE_SUCCESS" data="HKEY_CURRENT_USER\drive\shellex\contextmenuhandlers\shellextension" system-message="The operation completed successfully." malwareName="" />
<DebugMsg event="REGKEY_DELETE_SUCCESS" data="HKEY_LOCAL_MACHINE\drive\shellex\contextmenuhandlers\shellextension" system-message="The operation completed successfully." malwareName="" />
<DebugMsg event="REGKEY_DELETE_SUCCESS" data="HKEY_USERS\drive\shellex\contextmenuhandlers\shellextension" system-message="The operation completed successfully." malwareName="" />
<DebugMsg event="REGKEY_DELETE_SUCCESS" data="HKEY_CLASSES_ROOT\directory\shellex\contextmenuhandlers\shellextension" system-message="The operation completed successfully." malwareName="" />
<DebugMsg event="REGKEY_DELETE_SUCCESS" data="HKEY_CURRENT_USER\directory\shellex\contextmenuhandlers\shellextension" system-message="The operation completed successfully." malwareName="" />
<DebugMsg event="REGKEY_DELETE_SUCCESS" data="HKEY_LOCAL_MACHINE\directory\shellex\contextmenuhandlers\shellextension" system-message="The operation completed successfully." malwareName="" />
<DebugMsg event="REGKEY_DELETE_SUCCESS" data="HKEY_USERS\directory\shellex\contextmenuhandlers\shellextension" system-message="The operation completed successfully." malwareName="" />
<DebugMsg event="REGKEY_DELETE_SUCCESS" data="HKEY_CLASSES_ROOT\*\shellex\contextmenuhandlers\shellextension" system-message="The operation completed successfully." malwareName="" />
<DebugMsg event="REGKEY_DELETE_SUCCESS" data="HKEY_CURRENT_USER\*\shellex\contextmenuhandlers\shellextension" system-message="The operation completed successfully." malwareName="" />
<DebugMsg event="REGKEY_DELETE_SUCCESS" data="HKEY_LOCAL_MACHINE\*\shellex\contextmenuhandlers\shellextension" system-message="The operation completed successfully." malwareName="" />
<DebugMsg event="REGKEY_DELETE_SUCCESS" data="HKEY_USERS\*\shellex\contextmenuhandlers\shellextension" system-message="The operation completed successfully." malwareName="" />
</Debug>
</XoftSpy>
Reran "XoftSpy" and it came back clean.
Reran ComboFix again; if you like I can give you another log.
classicsoftware
08-04-2007, 08:07 PM
First off XoftSpy is not real popular around here. Don't keep running scans over and over....
Where is the AVG antispyware log?
Give me the new ComboFix log.
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click *VundoFix.exe* to run it.
Click the *Scan for Vundo* button.
Once it's done scanning, click the *Remove Vundo* button.
You will receive a prompt asking if you want to remove the files, click *YES*
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click *OK*.
Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the *Scan for Vundo* button." when VundoFix appears at reboot.
Please open a HJT scan and put checks by:
Close all open windows except HJT and press Fix checked... (you only need to be concerned about open windows, don't worry about programs running in background like your antivirus and firewall)...
Reboot and post a fresh HJT log along with the VundoFix log... Report back on how things are going...
stephenb1956
08-05-2007, 12:48 PM
ClassicSoftware,
As I am told by the masses the computer is working better now. I understand about not running scans over and over but I only repeat a scan if I come across something nasty just to ensure that it has been cleared.
What's wrong with XoftSpy??
OK the AVG antispyware log was only cookies but it was 5000+ for very minimal internet time.
ComboFix Log
"Dad" - 2007-08-05 10:22:39 - ComboFix 07-07-23.6 - Service Pack 2 NTFS
((((((((((((((((((((((((( Files Created from 2007-07-05 to 2007-08-05 )))))))))))))))))))))))))))))))
2007-08-05 01:00 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\MSN6
2007-08-05 01:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MSN6
2007-08-04 22:14 <DIR> d-------- C:\VundoFix Backups
2007-07-30 10:43 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-07-29 14:36 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-28 11:57 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\PlayFirst
2007-07-28 11:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst
2007-07-23 17:56 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-07-23 17:55 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-05 15:21:45 -------- d-----w C:\Program Files\SpywareBlaster
2007-08-05 13:54:27 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-08-04 13:23:32 -------- d-----w C:\Program Files\XoftSpySE
2007-08-02 00:22:15 -------- d-----w C:\Program Files\MySpace
2007-08-01 22:23:04 11,148 ----a-w C:\WINDOWS\mozver.dat
2007-07-30 15:42:00 -------- d-----w C:\Program Files\9Dragons
2007-07-29 18:59:01 -------- d-----w C:\Program Files\Norton SystemWorks
2007-06-16 20:04:15 -------- d-----w C:\Program Files\RegCure
2007-06-10 06:02:01 -------- d-----w C:\DOCUME~1\Dad\APPLIC~1\MySpace
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-06 22:08:35 27,976 ----a-w C:\DOCUME~1\Dad\APPLIC~1\GDIPFONTCACHEV1.DAT
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WCOLOREAL"="C:\Program Files\COMPAQ\Coloreal\coloreal.exe" [2001-09-26 11:30]
"CPQEASYACC"="C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe" [2001-08-15 13:50]
"WorksFUD"="" []
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-07-13 15:00]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 15:00]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-03-31 01:25]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 16:34]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-22 22:05]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 20:22]
"QAGENT"="C:\Program Files\quickenw\QAGENT.EXE" [2001-08-01 15:30]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-07-13 15:00:00]
Norton GoBack.lnk - C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe [2006-07-19 11:45:12]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]
R0 GBDevice;GBDevice;C:\WINDOWS\system32\drivers\GBDevice.sys
R0 GoBack2K;GoBack2K;C:\WINDOWS\system32\drivers\GoBack2K.sys
R0 Vmodem;XP Vmodem;C:\WINDOWS\system32\DRIVERS\vmodem.sys
R0 Vpctcom;XP Vpctcom;C:\WINDOWS\system32\DRIVERS\vpctcom.sys
R0 Vvoice;XP Vvoice;C:\WINDOWS\system32\DRIVERS\vvoice.sys
R1 P3;Intel PentiumIII Processor Driver;C:\WINDOWS\system32\DRIVERS\p3.sys
R1 SRTSPX;SRTSPX;C:\WINDOWS\system32\Drivers\SRTSPX.SYS
R2 ASCTRM;ASCTRM;C:\WINDOWS\system32\drivers\ASCTRM.sys
R2 BCMNTIO;BCMNTIO;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys
R2 GBFSHook;GBFSHook;C:\WINDOWS\system32\drivers\GBFSHook.sys
R2 MAPMEM;MAPMEM;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys
R2 mrtRate;mrtRate;C:\WINDOWS\system32\drivers\mrtRate.sys
R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\System32\PackethSvc.exe
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
R3 NPDriver;Norton UnErase Protection Driver;\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys
R3 SRTSP;SRTSP;C:\WINDOWS\system32\Drivers\SRTSP.SYS
S1 EACMOS;EACMOS;C:\WINDOWS\system32\drivers\EACMOS.SYS
S1 EAWDMFD;EAWDMFD;C:\WINDOWS\system32\drivers\EAWDMFD.sys
S3 i81x;i81x;C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
S3 iAimFP0;iAimFP0;C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
S3 iAimTV0;iAimTV0;C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
S3 iAimTV3;iAimTV3;C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
S3 SDdriver;SDdriver;\??\C:\WINDOWS\system32\Drivers\sddriver.sys
S3 SRTSPL;SRTSPL;C:\WINDOWS\system32\Drivers\SRTSPL.SYS
S3 wandrv;WAN Network Driver;C:\WINDOWS\system32\DRIVERS\wandrv.sys
*Newly Created Service* - COMHOST
Contents of the 'Scheduled Tasks' folder
2007-08-04 01:00:00 C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Dad.job
2007-07-30 17:00:00 C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
2007-08-05 14:11:48 C:\WINDOWS\tasks\RegCure Program Check.job
2007-08-02 08:00:00 C:\WINDOWS\tasks\RegCure.job
2007-08-05 05:00:00 C:\WINDOWS\tasks\Symantec Drmc.job
2007-08-05 15:25:00 C:\WINDOWS\tasks\User_Feed_Synchronization-{0D9ACB10-E734-426C-90E4-EE8A147F4A63}.job
2007-08-05 14:11:48 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-08-04 08:00:00 C:\WINDOWS\tasks\XoftSpySE.job
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-05 10:25:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-05 10:27:41
C:\ComboFix-quarantined-files.txt ... 2007-08-05 10:27
C:\ComboFix2.txt ... 2007-08-04 09:46
C:\ComboFix3.txt ... 2007-07-29 14:42
--- E O F ---
stephenb1956
08-05-2007, 12:56 PM
Ran VundoFix and it generated no log, nothing was found.
Reran HJT and this is the log
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:34:55 AM, on 8/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\quickenw\QAGENT.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Dad\My Documents\Downloads\HiJackThis_v2.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\quickenw\QAGENT.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {38BF921C-9F67-4F94-8113-ABAE2AEB32CB} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n031p/EN/install/gtdownlr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175326973983
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175458617781
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://aolsvc.aol.com/onlinegames/dinerdash/DinerDash.1.0.0.93.cab
stephenb1956
08-05-2007, 12:57 PM
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--
End of file - 10158 bytes
The computer does seem to be running better but I am curious as to why I am seeing so many cookies being downloaded. If you would like I will post the log from AVG antispyware but it will be long...:eek:
classicsoftware
08-05-2007, 12:58 PM
RE: Xoftspy, read this (http://anti-spyware-review.toptenreviews.com/xoftspy-review.html).
classicsoftware
08-05-2007, 01:06 PM
Using Internet Explorer, Click here (http://support.f-secure.com/enu/home/ols3.shtml) to use the F-Secure Online Scanner
It's explained there with images how to allow the ActiveX to start the scan, so read that first.
Then click the F-Secure Online Scanner Next Generation Beta link.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan has finished, click the Automatic cleaning (recommended) button.
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and copy and paste what's present under results in your next reply.
stephenb1956
08-05-2007, 03:22 PM
F-Secure Online Scan Log
Scanning Report
Sunday, August 05, 2007 11:38:37 - 13:15:27
Computer name: MOM
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ G:\ H:\
Result: 1 malware found
Tracking Cookie (spyware)
* System (Disinfected)
Statistics
Scanned:
* Files: 37295
* System: 4661
* Not scanned: 4
Actions:
* Disinfected: 1
* Renamed: 0
* Deleted: 0
* None: 0
* Submitted: 0
Files not scanned:
* C:\GOBACKIO.BIN
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL
Options
Scanning engines:
* F-Secure AVP: 7.0.171, 2007-08-03
* F-Secure Blacklight: 1.0.64
* F-Secure Draco: 1.0.35, 0260-23-12
* F-Secure Libra: 2.4.2, 2007-07-30
* F-Secure Orion: 1.2.37, 2007-08-03
* F-Secure Pegasus: 1.19.0, 2007-07-01
Scanning options:
* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
* Use Advanced heuristics
classicsoftware
08-05-2007, 10:34 PM
Is the system still running properly?
stephenb1956
08-05-2007, 11:07 PM
ClassicSoftware,
Yes, it is running better, but the AVG scans are still coming up with 2000+ cookies after a short use of the internet. I have run AVG 3 times today and the first two times it was 5000+ and then after I ran F-Secure scan it dropped to the present 2000+ number.
Here is a short piece of the log.
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 8:45:34 PM 8/5/2007
+ Scan result:
:mozilla.36:C:\RECYCLER\NPROTECT\00351930.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.37:C:\RECYCLER\NPROTECT\00351922.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.39:C:\RECYCLER\NPROTECT\00351919.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.48:C:\RECYCLER\NPROTECT\00351936.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.53:C:\RECYCLER\NPROTECT\00351938.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.58:C:\RECYCLER\NPROTECT\00351941.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.58:C:\RECYCLER\NPROTECT\00351943.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.58:C:\RECYCLER\NPROTECT\00351954.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.60:C:\RECYCLER\NPROTECT\00351957.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.60:C:\RECYCLER\NPROTECT\00351959.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.68:C:\Documents and Settings\Rebekah & James\Application Data\Mozilla\Firefox\Profiles\mx46za14.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.68:C:\RECYCLER\NPROTECT\00351963.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.11:C:\RECYCLER\NPROTECT\00351879.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.11:C:\RECYCLER\NPROTECT\00351954.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.12:C:\RECYCLER\NPROTECT\00351879.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.12:C:\RECYCLER\NPROTECT\00351954.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.13:C:\RECYCLER\NPROTECT\00351954.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.18:C:\RECYCLER\NPROTECT\00351879.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.19:C:\RECYCLER\NPROTECT\00351954.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.23:C:\RECYCLER\NPROTECT\00351865.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.24:C:\RECYCLER\NPROTECT\00351843.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.24:C:\RECYCLER\NPROTECT\00351865.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.24:C:\RECYCLER\NPROTECT\00351895.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.24:C:\RECYCLER\NPROTECT\00351941.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.25:C:\RECYCLER\NPROTECT\00351843.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.25:C:\RECYCLER\NPROTECT\00351865.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.25:C:\RECYCLER\NPROTECT\00351941.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.26:C:\RECYCLER\NPROTECT\00351865.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.26:C:\RECYCLER\NPROTECT\00351941.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.27:C:\RECYCLER\NPROTECT\00351865.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.28:C:\RECYCLER\NPROTECT\00351895.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.28:C:\RECYCLER\NPROTECT\00351941.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.29:C:\RECYCLER\NPROTECT\00351895.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.29:C:\RECYCLER\NPROTECT\00351941.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.30:C:\RECYCLER\NPROTECT\00351843.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.30:C:\RECYCLER\NPROTECT\00351895.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.31:C:\Documents and Settings\Rebekah & James\Application Data\Mozilla\Firefox\Profiles\mx46za14.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.31:C:\RECYCLER\NPROTECT\00351843.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.31:C:\RECYCLER\NPROTECT\00351873.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.32:C:\RECYCLER\NPROTECT\00351843.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.32:C:\RECYCLER\NPROTECT\00351873.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.32:C:\RECYCLER\NPROTECT\00351957.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.33:C:\Documents and Settings\Rebekah & James\Application Data\Mozilla\Firefox\Profiles\mx46za14.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.33:C:\RECYCLER\NPROTECT\00351873.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.33:C:\RECYCLER\NPROTECT\00351957.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.34:C:\Documents and Settings\Rebekah & James\Application Data\Mozilla\Firefox\Profiles\mx46za14.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.34:C:\RECYCLER\NPROTECT\00351895.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.34:C:\RECYCLER\NPROTECT\00351957.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.35:C:\RECYCLER\NPROTECT\00351957.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.36:C:\RECYCLER\NPROTECT\00351876.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.36:C:\RECYCLER\NPROTECT\00351919.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.36:C:\RECYCLER\NPROTECT\00351922.MOZ -> TrackingCookie.Adrevolver : No action taken.
:mozilla.36:C:\RECYCLER\NPROTECT\00351957.MOZ -> TrackingCookie.Adrevolver : No action taken.
Is this typical of mozilla??
Haven't said it yet but I want to thank you for your help!!
classicsoftware
08-06-2007, 10:03 AM
Empty the recycle bin. Tracking Cookies are normal. You can set Firefox to erase them at the end of each session. That means you would have to log-in manually to certain web sites.
classicsoftware
08-06-2007, 10:07 AM
How to Protect Yourself While On-Line
Make sure you have an up to date Antivirus. Scan Regularly. There are many free versions:
AVAST (http://www.avast.com/eng/download-avast-home.html)
AVG (http://free.grisoft.com/freeweb.php/doc/2/)
Antivir (http://www.free-av.com/antivirus/allinonen.html)
Make sure you have a software firewall and if you are on broadband, get behind a NAT router. There are also free versions:
Kerio (http://www.sunbelt-software.com/Home-Home-Office/Sunbelt-Personal-Firewall/)
Sygate (http://www.filehippo.com/download_sygate_personal_firewall/)
Zone Alarm (http://www.zonealarm.com/store/content/catalog/products/sku_list_za.jsp%3bjsessionid=BzJnZDxzyCUCcyZMB2t0Qco5IgutuYlrOMI5snmy1ZptQ2vOr1l1!776180791!-1062696904!7551!7552!-2099742426!-1062696903!7551!7552)
Keep Windows up to date.
Keep all of your software up to date. You can check on your software with the Secunia Software Inspector (http://secunia.com/software_inspector/). Sign up for e-mail notification and they will tell you when to check your system again.
Use Firefox (http://www.mozilla.org/products/) with the NoScript (http://noscript.net/) extension as your web browser.
Download, install and keep an updated version of SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html).
Do NOT click on links in any I.M. program.
Use Thunderbird (http://www.mozilla.com/en-US/thunderbird/) in place of Outlook or Outlook Express.
DO NOT open attachments from ANYONE. Download them, and scan them with your AV before opening and only if you expect to receive them.
If you use IE download a copy of IE-Spyad (http://www.spywarewarrior.com/uiuc/resource.htm).