
Trojan or malware help/maybe vundo?



I have run my CA anti-virus and spyware. It finds objects but doesn't seem to get rid of them. Mainly Win32/Vundo.AAP or Win/SecDrop.QX. This is preventing me from getting on certain web sites and has seriously slowed me down. I couldn't even get on here until now.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:51:49 PM, on 5/29/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

C:\Program Files\Digital Media Reader\readericon45G.exe

C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\CyberScrub Privacy Suite\CSRiskMon.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

C:\Program Files\Child Timer\ComputerTime.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\Program Files\Azureus\Azureus.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: (no name) - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [d88635e8] rundll32.exe "C:\WINDOWS\system32\fhybquvm.dll",b

O4 - HKLM\..\Run: [bMdbb50674] Rundll32.exe "C:\WINDOWS\system32\fdvommvi.dll",s

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [Privacy Suite RiskMonitor] C:\Program Files\CyberScrub Privacy Suite\CSRiskMon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [Magnify] Magnify.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe

O4 - Global Startup: Child Timer Automatic Startup.lnk = C:\Program Files\Child Timer\ComputerTime.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...wlscbase969.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v64/swapit/swapit.cab

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{AEDBFCB3-4271-4700-8A6B-C85A1E8C2A2D}: NameServer = 68.94.156.1,68.94.157.1

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

O24 - Desktop Component 1: (no name) - http://www.noggin.com/

 

--

End of file - 10005 bytes


Hi and welcome

 

 

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O3 - Toolbar: (no name) - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - (no file)

O4 - HKLM\..\Run: [d88635e8] rundll32.exe "C:\WINDOWS\system32\fhybquvm.dll",b

O4 - HKLM\..\Run: [bMdbb50674] Rundll32.exe "C:\WINDOWS\system32\fdvommvi.dll",s

O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab

 

Did you personally place this on your desktop? If you didn't, let HJT fix this.

O24 - Desktop Component 1: (no name) - http://www.noggin.com/

 

 

 

 

 

Go to Start > Control Panel > Internet Options

In the General tab, Temporary Internet Files, click: Delete Files

When prompted, check: Delete all offline content

You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)

Click OK

 

Then, go to Start > Run and enter: cleanmgr

Select the drive to clean: C:\

Check the following boxes and then press OK to remove:

Temporary Files

Temporary Internet Files

Recycle Bin

Agree to the prompt to perform the action...

 

 

Please download ATF Cleaner by Atribune From Here and save it to your Desktop.

Follow the instructions for the browser you use.

Read the instructions about the cookies. Delete what you do not need.

 

Double click ATF-Cleaner.exe to run the program.

Check the boxes to the left of:

Windows Temp

Current User Temp

All Users Temp

Temporary Internet Files

Java Cache

The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

When you have finished, click on the Exit button in the Main menu.

 

 

 

 

Please download Malwarebytes' Anti-Malware to your desktop

 

Additional Link

 

* Double-click mbam-setup.exe and follow the prompts to install the program.

* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

* If an update is found, it will download and install the latest version.

* Once the program has loaded, select Perform quick scan, then click Scan.

* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.

* You can also access the log by doing the following:

 

o Click on the Malwarebytes' Anti-Malware icon to launch the program.

o Click on the Logs tab.

o Click on the log at the bottom of those listed to highlight it.

o Click Open.

 

In your next reply, please post:

(C:rapport.txt)

Malwarebytes' Anti-Malware log

* new HijackThis log taken after the above scan has run

 

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

 

 

 

There is a possibility that an infection is hiding part of the HijackThis log because it's called hijackthis.exe.

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Right-click on HijackThis.exe & select Rename, rename it to bambam641.exe, and post back a new HijackThis log.

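Added example, not part of this thread or of HijackThis itself: a small Python triage script that applies the same reasoning the helper used above to HijackThis log lines. It flags O2/O3 entries with "(no file)", BHOs registered under a bare CLSID, rundll32 Run entries that load an 8-letter DLL from system32 with a single-letter export (the Vundo pattern seen in this log), and O16 DPF entries that pull a bare .exe. The sample input is constructed from entries posted in this thread; the heuristics are assumptions for illustration, not a signature database.

```python
import re

# Constructed sample input: entries copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [d88635e8] rundll32.exe "C:\WINDOWS\system32\fhybquvm.dll",b
O4 - HKLM\..\Run: [bMdbb50674] Rundll32.exe "C:\WINDOWS\system32\fdvommvi.dll",s
O2 - BHO: (no name) - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - (no file)
O2 - BHO: {2baa53b3-5fc7-7e68-9054-1b32871e8a0b} - {b0a8e178-23b1-4509-86e7-7cf53b35aab2} - C:\WINDOWS\system32\qgfgmlij.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
"""

# "O4 - <body>": every HijackThis entry starts with a section code.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# O2/O3 bodies: "BHO: <name> - {CLSID} - <path>" / "Toolbar: <name> - {CLSID} - <path>"
BHO_RE = re.compile(
    r"^(?:BHO|Toolbar): (?P<name>.+) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
# rundll32 loading a DLL from system32 and calling a one-letter export, e.g. "fhybquvm.dll",b
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?[^"]*\\system32\\(?P<base>[A-Za-z]{8})\.dll"?,(?P<export>[A-Za-z])\s*$',
    re.IGNORECASE)
# O16 bodies: "DPF: {CLSID} (<name>) - <download source>"
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]{36}\} \((?P<name>[^)]*)\) - (?P<src>\S+)$")
# Assumed heuristic: Vundo components in this log all use 8-letter names in system32.
RANDOM_DLL_RE = re.compile(r"\\system32\\[A-Za-z]{8}\.dll$", re.IGNORECASE)


def analyse_entry(line):
    """Return the reasons an HJT line deserves a second look (empty list if none)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    reasons = []
    if section in ("O2", "O3"):
        b = BHO_RE.match(body)
        if b:
            if b.group("path") == "(no file)":
                reasons.append("orphaned entry: CLSID registered but its DLL is gone")
            if GUID_RE.match(b.group("name")):
                reasons.append("BHO registered under a bare CLSID instead of a readable name")
            if RANDOM_DLL_RE.search(b.group("path")):
                reasons.append("8-letter DLL name in system32 (Vundo-style random name)")
    elif section == "O4":
        r = RUNDLL_RE.search(body)
        if r:
            reasons.append(
                f"rundll32 loads {r.group('base')}.dll from system32 with single-letter "
                f"export '{r.group('export')}' (Vundo-style loader)")
    elif section == "O16":
        d = DPF_RE.match(body)
        if d and d.group("src").lower().endswith(".exe"):
            reasons.append("ActiveX download source is a bare .exe rather than a .cab package")
    return reasons


def triage(log_text):
    """Map each suspicious log line to its reasons; clean lines are omitted."""
    findings = {}
    for line in log_text.splitlines():
        reasons = analyse_entry(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for why in reasons:
            print("    ->", why)
```

The legitimate NVIDIA rundll32 entries pass because their export names are longer than one letter; the two Vundo entries and the CLSID-named BHO are exactly the lines the helper asked to fix.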

Malwarebytes' Anti-Malware 1.14

Database version: 804

 

5:11:27 PM 5/30/2008

mbam-log-5-30-2008 (17-11-27).txt

 

Scan type: Quick Scan

Objects scanned: 37647

Time elapsed: 4 minute(s), 9 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 3

Registry Keys Infected: 11

Registry Values Infected: 2

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 7

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

C:\WINDOWS\system32\pmnljGaB.dll (Trojan.Vundo) -> Unloaded module successfully.

C:\WINDOWS\system32\fhybquvm.dll (Trojan.Vundo) -> Unloaded module successfully.

C:\WINDOWS\system32\mlJDsRiI.dll (Trojan.Vundo) -> Unloaded module successfully.

 

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{2749293a-ce8b-4dd7-a907-5d56f1786d6f} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2749293a-ce8b-4dd7-a907-5d56f1786d6f} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{37b85a2b-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{e23136a1-1ac4-4d1b-926f-5d537cfff359} (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e23136a1-1ac4-4d1b-926f-5d537cfff359} (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljdsrii (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{37b85a29-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e23136a1-1ac4-4d1b-926f-5d537cfff359} (Trojan.Vundo) -> Delete on reboot.

 

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmnljgab -> Delete on reboot.

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\WINDOWS\system32\pmnljGaB.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\fhybquvm.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tuvvtqPJ.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\cbXRLdcd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\iifCVOHa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mlJDsRiI.dll (Trojan.Vundo) -> Delete on reboot.

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:25:11 PM, on 5/30/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Digital Media Reader\readericon45G.exe

C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\CyberScrub Privacy Suite\CSRiskMon.exe

C:\Program Files\Child Timer\ComputerTime.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\bambam641.exe.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {AB93E639-300F-49D0-82FF-E06CAE009565} - (no file)

O2 - BHO: {2baa53b3-5fc7-7e68-9054-1b32871e8a0b} - {b0a8e178-23b1-4509-86e7-7cf53b35aab2} - C:\WINDOWS\system32\qgfgmlij.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [Privacy Suite RiskMonitor] C:\Program Files\CyberScrub Privacy Suite\CSRiskMon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [Magnify] Magnify.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Global Startup: Child Timer Automatic Startup.lnk = C:\Program Files\Child Timer\ComputerTime.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...wlscbase969.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v64/swapit/swapit.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{AEDBFCB3-4271-4700-8A6B-C85A1E8C2A2D}: NameServer = 68.94.156.1,68.94.157.1

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

 

--

End of file - 9784 bytes


Welcome back

 

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

 

O2 - BHO: (no name) - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - (no file)

O2 - BHO: {2baa53b3-5fc7-7e68-9054-1b32871e8a0b} - {b0a8e178-23b1-4509-86e7-7cf53b35aab2} - C:\WINDOWS\system32\qgfgmlij.dll

 

 

 

Next we need to use ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

 

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

 

Please ensure you read this guide carefully and install the Recovery Console first.

 

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

 

Once installed, you should see a blue screen prompt that says:

 

The Recovery Console was successfully installed.

 


 

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

 

Please include the following reports for further review, and so we may continue cleansing the system:

 

C:\ComboFix.txt

New HijackThis log.

 

You DO NOT need to have the Windows CD to install Recovery Console!

Windows 2000 users will need to install the Recovery Console from their installation CD

 

The Windows Recovery Console will allow you to boot up into a special recovery mode. This allows us to help you in the case that your computer has a problem after an attempted removal of malware.

 

 

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.

Don't select to run the Recovery Console as we don't need it.

By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

 

 

You may need several replies to post the requested logs, otherwise they might get cut off.


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:08:42 PM, on 5/30/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Digital Media Reader\readericon45G.exe

C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

C:\Program Files\Child Timer\ComputerTime.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\bambam641.exe.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [Privacy Suite RiskMonitor] C:\Program Files\CyberScrub Privacy Suite\CSRiskMon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [Magnify] Magnify.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Global Startup: Child Timer Automatic Startup.lnk = C:\Program Files\Child Timer\ComputerTime.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...wlscbase969.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v64/swapit/swapit.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{AEDBFCB3-4271-4700-8A6B-C85A1E8C2A2D}: NameServer = 68.94.156.1,68.94.157.1

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

 

--

End of file - 9399 bytes


ComboFix 08-05-29.1 - Owner 2008-05-30 19:49:43.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1396 [GMT -5:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Program Files\Common Files\cloader

C:\Program Files\Common Files\cloader\32vegas\logos\32vegas_Logo.ico

C:\Program Files\Common Files\cloader\32vegas\logos\cloader_idrpr.exe

C:\Program Files\Common Files\cloader\32vegas\logos\Interop.IWshRuntimeLibrary.dll

C:\WINDOWS\BMdbb50674.xml

C:\WINDOWS\Downloaded Program Files\setup.inf

C:\WINDOWS\pskt.ini

C:\WINDOWS\system32\BaGjlnmp.ini

C:\WINDOWS\system32\BaGjlnmp.ini2

C:\WINDOWS\system32\bjbkjdvw.ini

C:\WINDOWS\system32\crqohbgf.dll

C:\WINDOWS\system32\fdvommvi.dll

C:\WINDOWS\system32\fgbhoqrc.ini

C:\WINDOWS\system32\fhybquvm.dll

C:\WINDOWS\system32\gregmcyl.dll

C:\WINDOWS\system32\gsekkcih.dll

C:\WINDOWS\system32\khrayqrn.dll

C:\WINDOWS\system32\mekybypt.dll

C:\WINDOWS\system32\mvuqbyhf.ini

C:\WINDOWS\system32\nrqyarhk.ini

C:\WINDOWS\system32\pmnljGaB.dll

C:\WINDOWS\system32\qgfgmlij.dll

C:\WINDOWS\system32\qWaIknnn.ini

C:\WINDOWS\system32\qWaIknnn.ini2

C:\WINDOWS\system32\wilgfohy.dll

C:\WINDOWS\system32\wwwrbltv.dll

D:\Autorun.inf

 

.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))

.

 

2008-05-30 15:31 . 2008-05-30 15:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-05-30 15:31 . 2008-05-30 15:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes

2008-05-30 15:31 . 2008-05-30 15:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-05-30 15:31 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys

2008-05-30 15:31 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-05-30 04:14 . 2008-05-30 04:14 <DIR> d-------- C:\Program Files\Lavasoft

2008-05-30 04:14 . 2008-05-30 04:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-05-29 17:44 . 2008-05-29 17:44 <DIR> d-------- C:\Program Files\Trend Micro

2008-05-28 19:13 . 2008-05-28 19:13 <DIR> d-------- C:\Program Files\PCPitstop

2008-05-27 17:29 . 2008-05-30 17:11 56,320 --------- C:\WINDOWS\system32\mlJDsRiI.dll

2008-05-18 13:31 . 2008-05-18 13:31 244 --ah----- C:\sqmnoopt09.sqm

2008-05-18 13:31 . 2008-05-18 13:31 232 --ah----- C:\sqmdata09.sqm

2008-05-17 17:57 . 2008-05-17 17:57 244 --ah----- C:\sqmnoopt08.sqm

2008-05-17 17:57 . 2008-05-17 17:57 232 --ah----- C:\sqmdata08.sqm

2008-05-17 10:31 . 2008-05-17 10:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Sony

2008-05-17 09:01 . 2008-05-17 09:01 268 --ah----- C:\sqmdata07.sqm

2008-05-17 09:01 . 2008-05-17 09:01 244 --ah----- C:\sqmnoopt07.sqm

2008-05-16 16:43 . 2008-05-16 16:43 244 --ah----- C:\sqmnoopt06.sqm

2008-05-16 16:43 . 2008-05-16 16:43 232 --ah----- C:\sqmdata06.sqm

2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

2008-05-16 07:46 . 2008-05-16 07:46 244 --ah----- C:\sqmnoopt05.sqm

2008-05-16 07:46 . 2008-05-16 07:46 232 --ah----- C:\sqmdata05.sqm

2008-05-15 22:48 . 2008-05-15 22:48 244 --ah----- C:\sqmnoopt04.sqm

2008-05-15 22:48 . 2008-05-15 22:48 232 --ah----- C:\sqmdata04.sqm

2008-05-15 08:21 . 2008-05-15 08:21 244 --ah----- C:\sqmnoopt03.sqm

2008-05-15 08:21 . 2008-05-15 08:21 232 --ah----- C:\sqmdata03.sqm

2008-05-15 07:54 . 2008-05-15 07:54 244 --ah----- C:\sqmnoopt02.sqm

2008-05-15 07:54 . 2008-05-15 07:54 232 --ah----- C:\sqmdata02.sqm

2008-05-14 22:32 . 2008-05-14 22:32 244 --ah----- C:\sqmnoopt01.sqm

2008-05-14 22:32 . 2008-05-14 22:32 232 --ah----- C:\sqmdata01.sqm

2008-05-14 11:14 . 2008-05-14 11:14 880,432 --a------ C:\WINDOWS\system32\drivers\vetefile.sys

2008-05-14 11:14 . 2008-05-14 11:14 108,368 --a------ C:\WINDOWS\system32\drivers\veteboot.sys

2008-05-14 08:18 . 2008-05-14 08:18 244 --ah----- C:\sqmnoopt00.sqm

2008-05-14 08:18 . 2008-05-14 08:18 232 --ah----- C:\sqmdata00.sqm

2008-05-13 20:29 . 2008-05-13 20:29 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll

2008-05-10 10:30 . 2008-05-17 10:27 <DIR> d-------- C:\Program Files\Sony

2008-05-10 10:29 . 2008-05-10 10:29 <DIR> d-------- C:\Program Files\Sony Setup

2008-05-06 19:32 . 2008-05-06 19:32 <DIR> d-------- C:\WINDOWS\Pet Shop Hop

2008-05-06 19:32 . 2008-05-06 19:32 <DIR> d-------- C:\Program Files\Pet Shop Hop

2008-04-29 19:57 . 2008-04-29 19:58 <DIR> d-------- C:\Documents and Settings\Owner\Contacts

2008-04-29 19:53 . 2008-04-29 19:53 <DIR> d-------- C:\Program Files\MSN Messenger

2008-04-29 11:20 . 2008-04-29 11:20 15,648 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys

2008-04-29 11:19 . 2008-04-29 11:19 15,648 --a------ C:\WINDOWS\system32\drivers\Awrtrd.sys

2008-04-29 11:19 . 2008-04-29 11:19 12,960 --a------ C:\WINDOWS\system32\drivers\Awrtpd.sys

2008-04-27 11:48 . 2008-04-27 11:50 <DIR> d-------- C:\Program Files\Magic Farm

2008-04-26 16:50 . 2008-04-26 16:50 <DIR> d-------- C:\Program Files\Gameforge4D

2008-04-26 16:50 . 2004-05-10 13:14 118,272 --a------ C:\WINDOWS\system32\SX5363S.DLL

2008-04-26 16:50 . 2004-05-10 13:14 102,400 --a------ C:\WINDOWS\system32\RV32RTP.dll

2008-04-26 16:50 . 2004-05-10 13:15 40 --a------ C:\WINDOWS\system32\Sx5363.ini

2008-04-25 16:37 . 2008-04-25 16:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Meridian93

2008-04-15 19:11 . 2008-04-15 19:11 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire

2008-04-13 16:06 . 2008-04-13 16:06 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire

2008-04-13 10:35 . 2008-04-13 10:35 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Talkback

2008-04-12 14:47 . 2008-05-29 18:33 <DIR> d-------- C:\Program Files\Xfire

2008-04-12 14:47 . 2008-05-30 16:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Xfire

2008-04-08 15:34 . 2008-04-08 15:34 <DIR> d-------- C:\Program Files\Cooking Academy

2008-04-08 15:34 . 2008-04-08 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Fugazo

2008-04-08 11:30 . 2008-04-08 11:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Jane s Hotel Family Hero

2008-04-08 06:03 . 2008-04-08 06:03 <DIR> d-------- C:\WINDOWS\Jane's Hotel. Family Hero

2008-04-08 06:03 . 2008-04-08 06:03 <DIR> d-------- C:\Program Files\Jane's Hotel. Family Hero

2008-04-07 19:24 . 2008-04-07 19:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Astar Games

2008-04-07 18:32 . 2008-04-07 18:32 <DIR> d-------- C:\WINDOWS\Ice Cream Mania

2008-04-03 08:08 . 2008-04-03 08:08 <DIR> d-------- C:\Program Files\Coupons

2008-04-03 08:08 . 2008-04-03 08:08 193,880 --a------ C:\WINDOWS\system32\cpnprt2.cid

2008-04-03 08:08 . 2008-04-03 08:08 193,880 -ra------ C:\WINDOWS\cpnprt2.cid

2008-04-03 05:53 . 2008-05-02 12:22 <DIR> d-------- C:\WINDOWS\system32\Adobe

2008-04-02 15:46 . 2008-04-02 15:46 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\CyberScrub

2008-04-02 15:45 . 2008-04-02 15:48 <DIR> d-------- C:\Program Files\CyberScrub Privacy Suite

2008-04-02 15:45 . 2007-02-07 11:08 84 --a------ C:\WINDOWS\csact.ini

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-31 00:56 --------- d-----w C:\Program Files\Child Timer

2008-05-30 21:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus

2008-05-30 21:02 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso

2008-05-30 09:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-05-29 22:50 --------- d-----w C:\Program Files\Common Files\Scanner

2008-05-27 21:35 --------- d-----w C:\Program Files\Shockwave.com

2008-05-27 20:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP

2008-05-27 00:10 47,279 ---ha-w C:\hpothb07.dat

2008-05-13 19:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM

2008-05-07 00:33 --------- d-----w C:\Documents and Settings\Owner\Application Data\PlayFirst

2008-05-07 00:31 --------- d-----w C:\Program Files\Go Go Gourmet

2008-05-07 00:27 --------- d-----w C:\Program Files\Turbo Pizza

2008-05-07 00:26 --------- d-----w C:\Program Files\Yahoo! Games

2008-05-07 00:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst

2008-05-07 00:24 --------- d-----w C:\Program Files\Burger Rush

2008-04-26 21:40 --------- d-----w C:\Program Files\LimeWire

2008-04-24 23:25 --------- d-----w C:\Program Files\Java

2008-04-01 02:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink

2008-03-16 19:16 642 ---ha-w C:\Documents and Settings\Owner\hpothb07.dat

2008-02-22 23:57 87,608 ----a-w C:\Documents and Settings\Owner\Application Data\inst.exe

2008-02-22 23:57 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys

2006-08-30 21:46 6,072 ----a-w C:\Documents and Settings\All Users\Application Data\ypinfo.bin

2006-06-15 16:29 438 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

"Privacy Suite RiskMonitor"="C:\Program Files\CyberScrub Privacy Suite\CSRiskMon.exe" [2007-11-22 10:53 1777296]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]

"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]

"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 08:09 139264]

"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-05-04 02:21 176128]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]

"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 23:25 177416]

"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 14:42 230664]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 16:28 577536 C:\WINDOWS\soundman.exe]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 15:18 267048]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2004-08-10 14:00 53760 C:\WINDOWS\system32\narrator.exe]

"Magnify"="Magnify.exe" [2004-08-10 14:00 72704 C:\WINDOWS\system32\magnify.exe]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Child Timer Automatic Startup.lnk - C:\Program Files\Child Timer\ComputerTime.exe [2007-09-17 18:40:32 4308992]

Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-02-24 10:08:10 784912]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableTaskMgr"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 11:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.I420"= vdrcodec.dll

"VIDC.MJPG"= Pvmjpg30.dll

"VIDC.XFR1"= xfcodec.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Hits4Pay.url.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Hits4Pay.url.lnk

backup=C:\WINDOWS\pss\Hits4Pay.url.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk

backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk

backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MySurvey Messenger.lnk]

path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\MySurvey Messenger.lnk

backup=C:\WINDOWS\pss\MySurvey Messenger.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

--a------ 2008-01-03 11:15 50528 C:\Program Files\AIM6\aim6.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]

--a------ 2008-03-07 08:26 89024 C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]

--a------ 2006-09-28 14:21 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a------ 2007-09-18 09:16 171464 C:\Program Files\DAEMON Tools\daemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eBayToolbar]

C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

--a------ 2006-04-20 12:10 50792 C:\Program Files\Common Files\AOL\1174728736\ee\AOLSoftware.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

--a------ 2003-12-22 09:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]

--a------ 2004-05-04 17:17 491520 C:\WINDOWS\system32\hphmon05.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]

--a------ 2004-03-31 23:34 49152 C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]

--a------ 2006-02-17 11:59 124520 C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-02-04 15:18 267048 C:\Program Files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

-ra------ 2007-04-16 16:28 577536 C:\WINDOWS\soundman.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"C:\\Program Files\\Abacast\\Abaclient.exe"=

"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\LimeWire\\LimeWire.exe"=

"C:\\Program Files\\Common Files\\AOL\\1174728736\\ee\\aolsoftware.exe"=

"C:\\Program Files\\Common Files\\AOL\\1174728736\\ee\\aim6.exe"=

"C:\\Program Files\\Azureus\\Azureus.exe"=

"C:\\Program Files\\AIM6\\aim6.exe"=

"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=

"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=

"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=

"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=

"C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=

"C:\\Program Files\\Xfire\\xfire.exe"=

"C:\\WINDOWS\\system32\\dpvsetup.exe"=

"C:\Program Files\Gameforge4D\AirRivals\Launcher.atm"= C:\Program Files\Gameforge4D\AirRivals\Launcher.atm:Enabled:GameExe2

"C:\Program Files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe"= C:\Program Files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe:Enabled:GameVoIP

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"C:\\Program Files\\MSN Messenger\\livecall.exe"=

 

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-10 14:00]

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2007-08-16 22:10]

S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-02-13 23:08]

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

 

.

Contents of the 'Scheduled Tasks' folder

"2008-05-28 19:51:53 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Owner at 7 39 PM.job"

- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe

"2006-05-02 21:42:02 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1138560423.job"

- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I

"2008-05-31 00:05:03 C:\WINDOWS\Tasks\HP Usg Daily.job"

- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-30 19:56:34

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe

C:\WINDOWS\ehome\ehrecvr.exe

C:\WINDOWS\ehome\ehSched.exe

C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehmsas.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe

.

**************************************************************************

.

Completion time: 2008-05-30 20:05:59 - machine was rebooted

ComboFix-quarantined-files.txt 2008-05-31 01:05:57

 

Pre-Run: 113,410,850,816 bytes free

Post-Run: 113,337,995,264 bytes free

 

308 --- E O F --- 2008-05-16 09:40:58
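A defender-side triage aid, added here as an example and not part of the poster's logs or the helper's instructions: a small Python script that walks a ComboFix-style log and flags the things the thread goes on to act on. The indicators it looks for all appear in the log above (the `DisableTaskMgr`, `AntiVirusOverride` and `DisableMonitoring` registry values set to 1; eight-letter random-looking .dll/.ini names in system32; and .ini files whose name is the matching .dll spelled backwards, as with `BaGjlnmp.ini` and `pmnljGaB.dll`). The sample input is a constructed excerpt in the same layout, and the random-name rule is a heuristic, so treat its output as a worklist rather than a verdict.

```python
import re

# Constructed excerpt in ComboFix's log layout, built from entries that appear
# in the thread above (not the poster's complete log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\BaGjlnmp.ini
C:\WINDOWS\system32\crqohbgf.dll
C:\WINDOWS\system32\fgbhoqrc.ini
C:\WINDOWS\system32\pmnljGaB.dll
.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
.
2008-05-27 17:29 . 2008-05-30 17:11 56,320 --------- C:\WINDOWS\system32\mlJDsRiI.dll
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-13 20:29 . 2008-05-13 20:29 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"""

# Registry settings that, when set to 1, blunt the user's ability to notice or
# stop malware: (substring of the lower-cased key path, value name, bad value).
TAMPER_INDICATORS = [
    ("policies\\system", "DisableTaskMgr", "1"),
    ("security center", "AntiVirusOverride", "1"),
    ("security center\\monitoring", "DisableMonitoring", "1"),
]

KEY_RE = re.compile(r"^\[(.+)\]$")
# Matches both ComboFix spellings: "Name"= 1 (0x1) and "Name"=dword:00000001
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:0*)?(\S+)')
SYS32_RE = re.compile(r"c:\\windows\\system32\\([a-z0-9_\-]+)\.([a-z0-9]+)", re.IGNORECASE)
# Heuristic: eight letters and nothing else, the naming style seen in the log.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{8}$")


def find_registry_tampering(log_text):
    """Walk [key] / "name"=value lines and report security-weakening settings."""
    hits = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        for key_part, bad_name, bad_value in TAMPER_INDICATORS:
            if key_part in current_key and name.lower() == bad_name.lower() and value == bad_value:
                hits.append((current_key, name, value))
    return hits


def collect_system32_files(log_text):
    """Map every system32 basename mentioned in the log to the extensions seen for it."""
    files = {}
    for line in log_text.splitlines():
        for base, ext in SYS32_RE.findall(line):
            files.setdefault(base, set()).add(ext.lower())
    return files


def find_random_named_files(files):
    """Eight-letter .dll/.ini/.ini2 names in system32 (heuristic, review by hand)."""
    return sorted(
        (b for b, exts in files.items() if RANDOM_NAME_RE.match(b) and exts & {"dll", "ini", "ini2"}),
        key=str.lower,
    )


def find_reversed_name_pairs(files):
    """A .dll whose name spelled backwards exists as a .ini, as in the log above."""
    pairs = []
    for base, exts in files.items():
        if "dll" not in exts:
            continue
        rev = base[::-1]
        if rev in files and files[rev] & {"ini", "ini2"}:
            pairs.append((base + ".dll", rev + ".ini"))
    return sorted(pairs)


def triage(log_text):
    """Return the three indicator lists for a ComboFix-style log."""
    files = collect_system32_files(log_text)
    return {
        "registry_tampering": find_registry_tampering(log_text),
        "random_named_files": find_random_named_files(files),
        "reversed_pairs": find_reversed_name_pairs(files),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("  ", item)
```

Feed it a real ComboFix.txt by reading the file into `triage()`; the reversed-name check is the most specific of the three, the registry check the most actionable (those are the values a `Registry::` section in a CFScript resets), and the eight-letter rule will occasionally name a legitimate file, so confirm each hit before acting on it.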


Welcome back

 

Did you sign up and register to be a member with Hits4Pay.com?

If you didn't let me know and we can remove the entries found for this.

 

 

Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

 

 

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

 

Windows XP SP2

 


 

 

Download the file & save it as it's originally named, next to ComboFix.exe.

 

 

 


 

 

Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'NO' to run the full ComboFix scan.

     


     

     

    Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.

    Don't select to run the Recovery Console as we don't need it.

    By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

     

     

     

    Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.

    Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.

    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

     

    Click on this link Here to see a list of programs that should be disabled.

    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

     

    Please open Notepad (*Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail) (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:

    Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

    File::

    C:\WINDOWS\system32\mlJDsRiI.dll

    C:\WINDOWS\system32\cpnprt2.cid

    C:\WINDOWS\cpnprt2.cid

     

    Folder::

    C:\Program Files\Coupons

     

    Registry::

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

    "DisableTaskMgr"=-

    Posted Image

     

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

    ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

     

     

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

     

     

     

     

    Go to Start > Control Panel > Internet Options

    In the General tab, Temporary Internet Files, click: Delete Files

    When prompted, check: Delete all offline content

    You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)

    Click OK

     

    Then, go to Start >Run and enter: cleanmgr

    Select the drive to clean: C:\

    Check the following boxes and then press OK to remove:

    Temporary Files

    Temporary Internet Files

    Recycle Bin

    Agree to the prompt to perform the action...

     

     

    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.

    Follow the instructions for the browser you use.

    Read the instructions about the cookies. Delete what you do not need.

     

    Double click ATF-Cleaner.exe to run the program.

    Check the boxes to the left of:

    Windows Temp

    Current User Temp

    All Users Temp

    Temporary Internet Files

    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".

    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

    If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

    When you have finished, click on the Exit button in the Main menu.

     

     

     

     

    This next scan can take up to an hour or longer, please be patient.

    NEXT

    Note:

    It is recommended to disable onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.

    Please don't go surfing while your resident protection is disabled!

    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

    Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

    Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

     

    Click Yes, when prompted to install its ActiveX component.

    (Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

    Or use Firefox with IE-Tab plugin

    https://addons.mozilla.org/en-US/firefox/addon/1419

    The program launches and downloads the latest definition files.

    • Once the files are downloaded click on Next
    • Click on Scan Settings and configure as follows:
      • Scan using the following Anti-Virus database: Extended
      • Scan Options: Scan Archives
        Scan Mail Bases
    • Click OK and, under select a target to scan, select My Computer

When the scan is done, in the Scan is completed window (below), any infection is displayed.

There is no option to clean/disinfect, however, we need to analyze the information


 

To obtain the report:

Click on: Save Report As (above - red blinking arrow)

Next, in the Save as prompt, Save in area, select: Desktop

In the File name area, use KScan, or something similar

In Save as type, click the drop arrow and select: Text file [*.txt]

Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.

======================================================

 

In your next reply post:

ComboFix.txt

Kaspersky log

New HJT log taken after the above scans have run

 

 

I need comments on how the computer is at the moment.

 

 

You may need several replies to post the requested logs, otherwise they might get cut off.


The computer is running much better now. Haven't had any pop-ups lately and the security center icon is gone from the bottom right. Speed is also back.

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:26:32 PM, on 5/31/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Digital Media Reader\readericon45G.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Child Timer\ComputerTime.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\bambam641.exe.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [Privacy Suite RiskMonitor] C:\Program Files\CyberScrub Privacy Suite\CSRiskMon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [Magnify] Magnify.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Global Startup: Child Timer Automatic Startup.lnk = C:\Program Files\Child Timer\ComputerTime.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...wlscbase969.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v64/swapit/swapit.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{AEDBFCB3-4271-4700-8A6B-C85A1E8C2A2D}: NameServer = 68.94.156.1,68.94.157.1

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

 

--

End of file - 9396 bytes

 

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Saturday, May 31, 2008 12:25:14 PM

Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.98.0

Kaspersky Anti-Virus database last update: 31/05/2008

Kaspersky Anti-Virus database records: 818004

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - My Computer:

C:\

D:\

E:\

F:\

G:\

H:\

I:\

J:\

K:\

L:\

M:\

 

Scan Statistics:

Total number of scanned objects: 135606

Number of viruses found: 26

Number of infected objects: 62

Number of suspicious objects: 0

Duration of the scan process: 01:56:59

 

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_3632674119_19398656_46764 Object is locked skipped

C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE1.tmp Object is locked skipped

C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{7DBC31F5-2764-4B34-8B82-608F7181774F}.TmpSBE Object is locked skipped

C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped

C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\b103.exe.bac_a03492/stream/data0002 Infected: Trojan-Downloader.Win32.TSUpdate.o skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\b103.exe.bac_a03492/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\b103.exe.bac_a03492/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\b103.exe.bac_a03492 NSIS: infected - 3 skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\b103.exe.bac_a03492 CryptFF.b: infected - 3 skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\b123.exe.bac_a03492/stream/data0002/stream/data0001 Infected: Trojan-Downloader.Win32.Qoologic.at skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\b123.exe.bac_a03492/stream/data0002/stream Infected: Trojan-Downloader.Win32.Qoologic.at skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\b123.exe.bac_a03492/stream/data0002 Infected: Trojan-Downloader.Win32.Qoologic.at skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\b123.exe.bac_a03492/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\b123.exe.bac_a03492/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\b123.exe.bac_a03492 NSIS: infected - 5 skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\b123.exe.bac_a03492 CryptFF.b: infected - 5 skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\b124.exe.bac_a03492/stream/data0002/printhook.dll Infected: not-a-virus:AdWare.Win32.PrintView.a skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\b124.exe.bac_a03492/stream/data0002/pvmodule.exe Infected: not-a-virus:AdWare.Win32.PrintView.a skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\b124.exe.bac_a03492/stream/data0002 Infected: not-a-virus:AdWare.Win32.PrintView.a skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\b124.exe.bac_a03492/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\b124.exe.bac_a03492/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\b124.exe.bac_a03492 NSIS: infected - 5 skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\b124.exe.bac_a03492 CryptFF.b: infected - 5 skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\cpbrkpie.ocx.bac_a03492 Infected: not-a-virus:AdWare.Win32.Coupons.h skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\Dc12.exe.bac_a03492 Infected: Trojan-Downloader.Win32.VB.abm skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\Dc13.exe.bac_a03492 Infected: Trojan-Downloader.Win32.Adload.as skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\ldDD89.tmp.bac_a03492 Infected: Trojan-Downloader.Win32.Adload.dx skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\mst77B2.tmp.bac_a03492 Infected: Trojan.Win32.Agent.vg skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\mst77B5.tmp.bac_a03492 Infected: Trojan.Win32.Agent.vg skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\mst77B8.tmp.bac_a03492 Infected: Trojan.Win32.Agent.vg skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\ppq317A.tmp.bac_a03492/WISE0009.BIN Infected: Trojan-Downloader.Win32.TSUpdate.n skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\ppq317A.tmp.bac_a03492/WISE0010.BIN Infected: Trojan-Downloader.Win32.TSUpdate.p skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\ppq317A.tmp.bac_a03492/WISE0011.BIN Infected: Trojan-Downloader.Win32.TSUpdate.l skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\ppq317A.tmp.bac_a03492/WISE0012.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\ppq317A.tmp.bac_a03492 WiseSFX: infected - 4 skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\ppq317A.tmp.bac_a03492 CryptFF.b: infected - 4 skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\ppq33.tmp.bac_a03492 Infected: not-a-virus:AdWare.Win32.CoolSavings.a skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\ppq48AB.tmp.bac_a03492 Infected: Trojan-Downloader.Win32.Zlob.asv skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\ppq50.tmp.bac_a03492 Infected: Trojan-Downloader.Win32.Zlob.uw skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\services.dll.bac_a03492 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\Update.exe.bac_a03492 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\VVSNInst.exe.bac_a03492 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\win5B45.tmp.exe.bac_a03492/data0002 Infected: Trojan-Downloader.Win32.PurityScan.dc skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\win5B45.tmp.exe.bac_a03492 NSIS: infected - 1 skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\win5B45.tmp.exe.bac_a03492 CryptFF.b: infected - 1 skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DF27C2.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DF5607.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DFC606.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DFD3F2.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DFE7A.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\My Documents\My Downloads\BSINSTALL.exe/WISE0024.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped

C:\Documents and Settings\Owner\My Documents\My Downloads\BSINSTALL.exe WiseSFX: infected - 1 skipped

C:\Documents and Settings\Owner\My Documents\My Downloads\BSINSTALL.exe WiseSFXDropper: infected - 1 skipped

C:\Documents and Settings\Owner\My Documents\Unused Desktop Shortcuts\Alice Greenfingers\ReflexiveArcade\ReflexiveArcade.dll Infected: Backdoor.Win32.Rbot.pbz skipped

C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\Program Files\CA\SharedComponents\PPRT\logs\2008-05-31.csv Object is locked skipped

C:\Program Files\iWin Games\iWinGamesHookIE.dll Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped

C:\Program Files\Trend Micro\HijackThis\backups\backup-20080530-165938-302.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped

C:\Program Files\WinAce\VVSNInst.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped

C:\QooBox\Quarantine\C\Program Files\Common Files\cloader\32vegas\logos\cloader_idrpr.exe.vir Infected: Trojan-Downloader.MSIL.Agent.c skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\crqohbgf.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.vqd skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\khrayqrn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.vqd skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\wwwrbltv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.vqh skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP100\A0014989.exe Infected: Trojan-Downloader.MSIL.Agent.c skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP100\A0021145.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP151\A0031266.exe Infected: Trojan-Downloader.MSIL.Agent.c skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP151\A0037821.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP156\A0038381.dll Object is locked skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP156\A0038383.dll Object is locked skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP159\A0038629.dll Infected: not-virus:Hoax.Win32.Renos.fw skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP160\A0038788.exe Infected: Trojan-Downloader.MSIL.Agent.c skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP160\A0038792.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqd skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP160\A0038797.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqd skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP160\A0038802.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqh skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP163\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\ModemLog_SoftV92 Data Fax Modem with SmartCP.txt Object is locked skipped

C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2D396599-ED83-4DE3-8AFC-C3D3984208DC}.crmlog Object is locked skipped

C:\WINDOWS\S52776E81.tmp Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{C002B16F-7EEB-470D-B727-E904185B6779}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

C:\WINDOWS\system32\eplousm.dll Infected: Trojan.Win32.Obfuscated.ev skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP163\change.log Object is locked skipped

 

Scan process completed.

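An added example (not from the thread or from Kaspersky): a small Python triage script for the report format posted above. Most of the 62 hits are copies already sitting in the HouseCall and ComboFix (QooBox) quarantine folders, HijackThis backups or System Restore snapshots; the script parses each result line and lists only detections on live paths, which are the ones still needing action. The folder markers used to recognise quarantine locations are an assumption of this example, and the sample report is constructed from a few lines of the same shape.

```python
"""Triage a Kaspersky Online Scanner (5.x) text report.

Added example, not part of the thread. Splits each result line into
path / status / detection and separates detections on live paths from
those already sitting in quarantine folders or System Restore snapshots.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# One result line per object. Three shapes appear in the report:
#   <path> Object is locked skipped
#   <path> Infected: <detection> skipped
#   <path> <packer>: infected - <n> skipped      (archive summary line)
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"(?P<locked>Object is locked)"
    r"|Infected: (?P<name>\S+)"
    r"|(?P<packer>\S+): infected - (?P<count>\d+)"
    r") skipped$"
)

# Assumed markers: a hit under one of these folders is already contained
# (HouseCall quarantine, ComboFix's QooBox, HijackThis backups).
QUARANTINE_MARKERS = ("\\quarantine\\", "\\qoobox\\", "\\hijackthis\\backups\\")
RESTORE_MARKER = "\\system volume information\\"


@dataclass
class Result:
    path: str
    status: str             # "locked" | "infected" | "archive"
    detection: Optional[str] = None
    location: str = "live"  # "live" | "quarantine" | "restore_point"


def classify_path(path: str) -> str:
    """Decide whether a path is a live file, a quarantine copy, or a restore-point copy."""
    low = path.lower()
    if any(m in low for m in QUARANTINE_MARKERS):
        return "quarantine"
    if RESTORE_MARKER in low:
        return "restore_point"
    return "live"


def parse_line(line: str) -> Optional[Result]:
    """Parse one report line; returns None for header/footer lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    loc = classify_path(path)
    if m.group("locked"):
        return Result(path, "locked", None, loc)
    if m.group("name"):
        return Result(path, "infected", m.group("name"), loc)
    # Archive summary: its members were already reported individually above it.
    return Result(path, "archive", f"{m.group('packer')} x{m.group('count')}", loc)


def parse_report(text: str) -> List[Result]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def live_detections(results: List[Result]) -> List[Result]:
    """Findings that still need action: infected objects outside quarantine/restore points."""
    return [r for r in results if r.status == "infected" and r.location == "live"]


def summarize(results: List[Result]) -> dict:
    """Counts by status and, for infections, by location."""
    by_status = Counter(r.status for r in results)
    by_location = Counter(r.location for r in results if r.status == "infected")
    return {"status": dict(by_status), "infected_by_location": dict(by_location)}


# Constructed sample: a handful of lines in the shapes the report uses.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\ModemLog_SoftV92 Data Fax Modem with SmartCP.txt Object is locked skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\b103.exe.bac_a03492/stream/data0002 Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\b103.exe.bac_a03492 NSIS: infected - 3 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\crqohbgf.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.vqd skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP160\A0038792.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqd skipped
C:\WINDOWS\system32\eplousm.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Documents and Settings\Owner\My Documents\Unused Desktop Shortcuts\Alice Greenfingers\ReflexiveArcade\ReflexiveArcade.dll Infected: Backdoor.Win32.Rbot.pbz skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080530-165938-302.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
Scan process completed.
"""

if __name__ == "__main__":
    res = parse_report(SAMPLE_REPORT)
    print(summarize(res))
    for r in live_detections(res):
        print(f"ACTION NEEDED  {r.detection:40} {r.path}")
```

On the sample, only eplousm.dll and ReflexiveArcade.dll come out as live detections; everything else is already quarantined, a restore-point copy, or a locked system file the scanner could not open.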

Also I guess my wife signed up for that Hits4Pay, but we do not want it any more on here. Here is the ComboFix Log.

 

ComboFix 08-05-29.1 - Owner 2008-05-31 8:33:18.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1400 [GMT -5:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt

* Created a new restore point

 

FILE ::

C:\WINDOWS\cpnprt2.cid

C:\WINDOWS\system32\cpnprt2.cid

C:\WINDOWS\system32\mlJDsRiI.dll

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\Owner\Application Data\inst.exe

C:\Documents and Settings\Owner\err.log

C:\Program Files\Coupons

C:\Program Files\Coupons\Coupons.com.url

C:\Program Files\Coupons\uninstall.exe

C:\Program Files\Coupons\Uninstall\IRIMG1.JPG

C:\Program Files\Coupons\Uninstall\IRIMG2.JPG

C:\Program Files\Coupons\Uninstall\IRIMG3.JPG

C:\Program Files\Coupons\Uninstall\IRIMG4.JPG

C:\Program Files\Coupons\Uninstall\IRIMG5.JPG

C:\Program Files\Coupons\Uninstall\IRIMG6.JPG

C:\Program Files\Coupons\Uninstall\IRIMG7.JPG

C:\Program Files\Coupons\Uninstall\IRIMG8.JPG

C:\Program Files\Coupons\Uninstall\uninstall.dat

C:\Program Files\Coupons\Uninstall\uninstall.xml

C:\WINDOWS\cpnprt2.cid

C:\WINDOWS\system32\cpnprt2.cid

C:\WINDOWS\system32\mlJDsRiI.dll

 

.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))

.

 

2008-05-30 15:31 . 2008-05-30 15:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-05-30 15:31 . 2008-05-30 15:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes

2008-05-30 15:31 . 2008-05-30 15:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-05-30 15:31 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys

2008-05-30 15:31 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-05-30 04:14 . 2008-05-30 04:14 <DIR> d-------- C:\Program Files\Lavasoft

2008-05-30 04:14 . 2008-05-30 04:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-05-29 17:44 . 2008-05-29 17:44 <DIR> d-------- C:\Program Files\Trend Micro

2008-05-28 19:13 . 2008-05-28 19:13 <DIR> d-------- C:\Program Files\PCPitstop

2008-05-18 13:31 . 2008-05-18 13:31 244 --ah----- C:\sqmnoopt09.sqm

2008-05-18 13:31 . 2008-05-18 13:31 232 --ah----- C:\sqmdata09.sqm

2008-05-17 17:57 . 2008-05-17 17:57 244 --ah----- C:\sqmnoopt08.sqm

2008-05-17 17:57 . 2008-05-17 17:57 232 --ah----- C:\sqmdata08.sqm

2008-05-17 10:31 . 2008-05-17 10:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Sony

2008-05-17 09:01 . 2008-05-17 09:01 268 --ah----- C:\sqmdata07.sqm

2008-05-17 09:01 . 2008-05-17 09:01 244 --ah----- C:\sqmnoopt07.sqm

2008-05-16 16:43 . 2008-05-16 16:43 244 --ah----- C:\sqmnoopt06.sqm

2008-05-16 16:43 . 2008-05-16 16:43 232 --ah----- C:\sqmdata06.sqm

2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

2008-05-16 07:46 . 2008-05-16 07:46 244 --ah----- C:\sqmnoopt05.sqm

2008-05-16 07:46 . 2008-05-16 07:46 232 --ah----- C:\sqmdata05.sqm

2008-05-15 22:48 . 2008-05-15 22:48 244 --ah----- C:\sqmnoopt04.sqm

2008-05-15 22:48 . 2008-05-15 22:48 232 --ah----- C:\sqmdata04.sqm

2008-05-15 08:21 . 2008-05-15 08:21 244 --ah----- C:\sqmnoopt03.sqm

2008-05-15 08:21 . 2008-05-15 08:21 232 --ah----- C:\sqmdata03.sqm

2008-05-15 07:54 . 2008-05-15 07:54 244 --ah----- C:\sqmnoopt02.sqm

2008-05-15 07:54 . 2008-05-15 07:54 232 --ah----- C:\sqmdata02.sqm

2008-05-14 22:32 . 2008-05-14 22:32 244 --ah----- C:\sqmnoopt01.sqm

2008-05-14 22:32 . 2008-05-14 22:32 232 --ah----- C:\sqmdata01.sqm

2008-05-14 11:14 . 2008-05-14 11:14 880,432 --a------ C:\WINDOWS\system32\drivers\vetefile.sys

2008-05-14 11:14 . 2008-05-14 11:14 108,368 --a------ C:\WINDOWS\system32\drivers\veteboot.sys

2008-05-14 08:18 . 2008-05-14 08:18 244 --ah----- C:\sqmnoopt00.sqm

2008-05-14 08:18 . 2008-05-14 08:18 232 --ah----- C:\sqmdata00.sqm

2008-05-13 20:29 . 2008-05-13 20:29 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll

2008-05-10 10:30 . 2008-05-17 10:27 <DIR> d-------- C:\Program Files\Sony

2008-05-10 10:29 . 2008-05-10 10:29 <DIR> d-------- C:\Program Files\Sony Setup

2008-05-06 19:32 . 2008-05-06 19:32 <DIR> d-------- C:\WINDOWS\Pet Shop Hop

2008-05-06 19:32 . 2008-05-06 19:32 <DIR> d-------- C:\Program Files\Pet Shop Hop

2008-04-29 19:57 . 2008-04-29 19:58 <DIR> d-------- C:\Documents and Settings\Owner\Contacts

2008-04-29 19:53 . 2008-04-29 19:53 <DIR> d-------- C:\Program Files\MSN Messenger

2008-04-29 11:20 . 2008-04-29 11:20 15,648 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys

2008-04-29 11:19 . 2008-04-29 11:19 15,648 --a------ C:\WINDOWS\system32\drivers\Awrtrd.sys

2008-04-29 11:19 . 2008-04-29 11:19 12,960 --a------ C:\WINDOWS\system32\drivers\Awrtpd.sys

2008-04-27 11:48 . 2008-04-27 11:50 <DIR> d-------- C:\Program Files\Magic Farm

2008-04-26 16:50 . 2008-04-26 16:50 <DIR> d-------- C:\Program Files\Gameforge4D

2008-04-26 16:50 . 2004-05-10 13:14 118,272 --a------ C:\WINDOWS\system32\SX5363S.DLL

2008-04-26 16:50 . 2004-05-10 13:14 102,400 --a------ C:\WINDOWS\system32\RV32RTP.dll

2008-04-26 16:50 . 2004-05-10 13:15 40 --a------ C:\WINDOWS\system32\Sx5363.ini

2008-04-25 16:37 . 2008-04-25 16:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Meridian93

2008-04-15 19:11 . 2008-04-15 19:11 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire

2008-04-13 16:06 . 2008-04-13 16:06 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire

2008-04-13 10:35 . 2008-04-13 10:35 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Talkback

2008-04-12 14:47 . 2008-05-29 18:33 <DIR> d-------- C:\Program Files\Xfire

2008-04-12 14:47 . 2008-05-31 08:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Xfire

2008-04-08 15:34 . 2008-04-08 15:34 <DIR> d-------- C:\Program Files\Cooking Academy

2008-04-08 15:34 . 2008-04-08 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Fugazo

2008-04-08 11:30 . 2008-04-08 11:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Jane s Hotel Family Hero

2008-04-08 06:03 . 2008-04-08 06:03 <DIR> d-------- C:\WINDOWS\Jane's Hotel. Family Hero

2008-04-08 06:03 . 2008-04-08 06:03 <DIR> d-------- C:\Program Files\Jane's Hotel. Family Hero

2008-04-07 19:24 . 2008-04-07 19:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Astar Games

2008-04-07 18:32 . 2008-04-07 18:32 <DIR> d-------- C:\WINDOWS\Ice Cream Mania

2008-04-03 05:53 . 2008-05-02 12:22 <DIR> d-------- C:\WINDOWS\system32\Adobe

2008-04-02 15:46 . 2008-04-02 15:46 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\CyberScrub

2008-04-02 15:45 . 2008-04-02 15:48 <DIR> d-------- C:\Program Files\CyberScrub Privacy Suite

2008-04-02 15:45 . 2007-02-07 11:08 84 --a------ C:\WINDOWS\csact.ini

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-31 13:31 --------- d-----w C:\Program Files\Child Timer

2008-05-30 21:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus

2008-05-30 21:02 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso

2008-05-30 09:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-05-29 22:50 --------- d-----w C:\Program Files\Common Files\Scanner

2008-05-27 21:35 --------- d-----w C:\Program Files\Shockwave.com

2008-05-27 20:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP

2008-05-27 00:10 47,279 ---ha-w C:\hpothb07.dat

2008-05-13 19:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM

2008-05-07 00:33 --------- d-----w C:\Documents and Settings\Owner\Application Data\PlayFirst

2008-05-07 00:31 --------- d-----w C:\Program Files\Go Go Gourmet

2008-05-07 00:27 --------- d-----w C:\Program Files\Turbo Pizza

2008-05-07 00:26 --------- d-----w C:\Program Files\Yahoo! Games

2008-05-07 00:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst

2008-05-07 00:24 --------- d-----w C:\Program Files\Burger Rush

2008-04-26 21:40 --------- d-----w C:\Program Files\LimeWire

2008-04-24 23:25 --------- d-----w C:\Program Files\Java

2008-04-01 02:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink

2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll

2008-03-19 21:14 49,152 ---ha-w C:\WINDOWS\system32\ArmAccess.dll

2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-16 19:16 642 ---ha-w C:\Documents and Settings\Owner\hpothb07.dat

2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-02-26 11:59 294,912 ----a-w C:\WINDOWS\system32\msctf.dll

2008-02-22 23:57 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2008-02-14 04:08 306,432 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe

2006-08-30 21:46 6,072 ----a-w C:\Documents and Settings\All Users\Application Data\ypinfo.bin

2006-06-15 16:29 438 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat

.

 

((((((((((((((((((((((((((((( [email protected]_20.05.47.00 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-02-26 11:48:44 297,984 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\SP2QFE\msctf.dll

+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spmsg.dll

+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spuninst.exe

+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\spcustom.dll

+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\update.exe

+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\updspapi.dll

- 2008-05-31 00:54:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-05-31 13:28:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-02-26 11:59:50 294,912 -c----w C:\WINDOWS\system32\dllcache\msctf.dll

- 2008-05-31 00:58:53 64,256 ----a-w C:\WINDOWS\system32\perfc009.dat

+ 2008-05-31 00:58:58 64,372 ----a-w C:\WINDOWS\system32\perfc009.dat

- 2008-05-31 00:58:54 408,924 ----a-w C:\WINDOWS\system32\perfh009.dat

+ 2008-05-31 00:58:58 409,232 ----a-w C:\WINDOWS\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

"Privacy Suite RiskMonitor"="C:\Program Files\CyberScrub Privacy Suite\CSRiskMon.exe" [2007-11-22 10:53 1777296]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]

"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]

"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 08:09 139264]

"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-05-04 02:21 176128]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]

"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 23:25 177416]

"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 14:42 230664]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 16:28 577536 C:\WINDOWS\soundman.exe]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 15:18 267048]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2004-08-10 14:00 53760 C:\WINDOWS\system32\narrator.exe]

"Magnify"="Magnify.exe" [2004-08-10 14:00 72704 C:\WINDOWS\system32\magnify.exe]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Child Timer Automatic Startup.lnk - C:\Program Files\Child Timer\ComputerTime.exe [2007-09-17 18:40:32 4308992]

Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-02-24 10:08:10 784912]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 11:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.I420"= vdrcodec.dll

"VIDC.MJPG"= Pvmjpg30.dll

"VIDC.XFR1"= xfcodec.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Hits4Pay.url.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Hits4Pay.url.lnk

backup=C:\WINDOWS\pss\Hits4Pay.url.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk

backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk

backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MySurvey Messenger.lnk]

path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\MySurvey Messenger.lnk

backup=C:\WINDOWS\pss\MySurvey Messenger.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

--a------ 2008-01-03 11:15 50528 C:\Program Files\AIM6\aim6.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]

--a------ 2008-03-07 08:26 89024 C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]

--a------ 2006-09-28 14:21 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a------ 2007-09-18 09:16 171464 C:\Program Files\DAEMON Tools\daemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eBayToolbar]

C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

--a------ 2006-04-20 12:10 50792 C:\Program Files\Common Files\AOL\1174728736\ee\AOLSoftware.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

--a------ 2003-12-22 09:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]

--a------ 2004-05-04 17:17 491520 C:\WINDOWS\system32\hphmon05.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]

--a------ 2004-03-31 23:34 49152 C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]

--a------ 2006-02-17 11:59 124520 C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-02-04 15:18 267048 C:\Program Files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

-ra------ 2007-04-16 16:28 577536 C:\WINDOWS\soundman.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"C:\\Program Files\\Abacast\\Abaclient.exe"=

"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\LimeWire\\LimeWire.exe"=

"C:\\Program Files\\Common Files\\AOL\\1174728736\\ee\\aolsoftware.exe"=

"C:\\Program Files\\Common Files\\AOL\\1174728736\\ee\\aim6.exe"=

"C:\\Program Files\\Azureus\\Azureus.exe"=

"C:\\Program Files\\AIM6\\aim6.exe"=

"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=

"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=

"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=

"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=

"C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=

"C:\\Program Files\\Xfire\\xfire.exe"=

"C:\\WINDOWS\\system32\\dpvsetup.exe"=

"C:\Program Files\Gameforge4D\AirRivals\Launcher.atm"= C:\Program Files\Gameforge4D\AirRivals\Launcher.atm:Enabled:GameExe2

"C:\Program Files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe"= C:\Program Files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe:Enabled:GameVoIP

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"C:\\Program Files\\MSN Messenger\\livecall.exe"=

 

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-10 14:00]

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2007-08-16 22:10]

S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-02-13 23:08]

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

 

*Newly Created Service* - CATCHME

.

Contents of the 'Scheduled Tasks' folder

"2008-05-28 19:51:53 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Owner at 7 39 PM.job"

- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe

"2006-05-02 21:42:02 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1138560423.job"

- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I

"2008-05-31 12:05:04 C:\WINDOWS\Tasks\HP Usg Daily.job"

- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-31 08:36:15

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-05-31 8:38:08

ComboFix-quarantined-files.txt 2008-05-31 13:38:03

ComboFix2.txt 2008-05-31 01:06:00

 

Pre-Run: 113,232,703,488 bytes free

Post-Run: 113,224,409,088 bytes free

 

302 --- E O F --- 2008-05-31 08:00:57


The computer is running much better now. Haven't had any pop-ups lately and the security center icon is gone from the bottom right.

Speed is also back.

Yes, it looks much better, and actually we're about to come close to the end now.

 

 

C:\Documents and Settings\Owner\.housecall6.6\Quarantine <--delete the contents inside this folder

 

 

 

Let's get Java updated since the old versions can be an entry point for malware.

 

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6
  • Scroll to Java Runtime Environment (JRE) 6 Update 6 and click on the download button


    Click on the Accept License Agreement button

    Next select

    Download Now! Windows Offline Installation, Multi-language

     

    Now close all windows, including your browser.

    Double click on the Java installation that you downloaded and follow the prompts.

     

    NEXT-remove all older versions of Java

    Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.

    Search the list for all previously installed versions of Java (J2SE Runtime Environment....).

    Select it and click Remove.

  • Close any programs you may have running - especially your web browser.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.

 

 

NEXT**

Open HijackThis, click Do a system scan only, and checkmark these. Then close all other windows and browsers except HijackThis and press Fix checked.

 

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v64/swapit/swapit.cab

 

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

 

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

(Description: Nvidia system tray applet. Not necessary. Removing this entry will free up a small amount of system resources.)

 

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

(Description: System Tray icon for the Realtek AC97 Audio Sound Manager for AC97 onboard audio. Available via Start -> Settings-> Control Panel. Removing this entry will free up a small amount of system resources. )

 

O4 - HKLM\..\Run: [sunJavaUpdateSched] \"C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe\"

(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

 

 

Now reboot the machine to set the registry

 

 

 

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.

Next: Please disable all onboard security programs (all running with background protection), as they may hinder the scanner from working.

This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

 

Click on this link Here to see a list of programs that should be disabled.

The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

 

Please open Notepad (*Do Not Use WordPad* or any other text editor than Notepad, or the script will fail): Start -> Run -> type notepad in the Open field -> OK. Then copy and paste the text present inside the quote box below:

Save this as "CFScript.txt", including the quotes, change the "Save as type" to "All Files", and place it on your desktop.

File::

C:\Documents and Settings\Owner\My Documents\My Downloads\BSINSTALL.exe

C:\Documents and Settings\Owner\My Documents\Unused Desktop Shortcuts\Alice Greenfingers\ReflexiveArcade\ReflexiveArcade.dll

C:\Program Files\iWin Games\iWinGamesHookIE.dll

C:\Program Files\Trend Micro\HijackThis\backups\backup-20080530-165938-302.dll

C:\Program Files\WinAce\VVSNInst.exe

C:\WINDOWS\system32\eplousm.dll

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Hits4Pay.url.lnk

 

Folder::

C:\Program Files\iWin Games

C:\Program Files\WinAce

 

Registry::

[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Hits4Pay.url.lnk]


 

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

 

 

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

 

 

 

In your next reply post:

ComboFix.txt

New HJT log

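The O4, O16, O17 and O23 entries that the reply above reads by hand can be parsed out of a HijackThis 2.0 log and sorted for review mechanically. The Python below is an added example, not part of this thread and not HijackThis's own code; the sample log lines are constructed from the entry formats posted here, and the triage rules (list ActiveX controls that IE downloaded from a remote site, list the configured DNS servers, list autostarts and services for manual review) are this example's own assumptions.

```python
"""Parse a HijackThis 2.0 log and triage the entry types discussed in the
thread (O4 autostarts, O16 DPF ActiveX downloads, O17 DNS, O23 services).
Added example, not part of this thread or of HijackThis itself."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Every HJT entry is "<code> - <body>", e.g. "O16 - DPF: {CLSID} (Name) - URL".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# O4 registry autostart: "HKLM\..\Run: [name] command line"
O4_REG_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]+)\] ?(?P<cmd>.*)$")
# O4 startup-folder shortcut: "Global Startup: name.lnk = target"
O4_LNK_RE = re.compile(r"^(?P<hive>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# O16 downloaded program file: "DPF: {CLSID} (Friendly Name) - source"
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<src>.+)$")
# O17 DNS override: "HKLM\System\CCS\...\{GUID}: NameServer = a.b.c.d,e.f.g.h"
O17_RE = re.compile(r"^(?P<key>.+): NameServer = (?P<servers>.+)$")
# O23 service: "Service: Display Name (short) - Vendor - image path"
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


@dataclass
class Entry:
    code: str            # HJT section code, e.g. "O16"
    body: str            # text after "<code> - "
    fields: Dict[str, str] = field(default_factory=dict)  # parsed sub-fields


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for one log line, or None for header/blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(m.group("code"), m.group("body"))
    patterns = {
        "O4": (O4_REG_RE, O4_LNK_RE),
        "O16": (O16_RE,),
        "O17": (O17_RE,),
        "O23": (O23_RE,),
    }
    for pat in patterns.get(entry.code, ()):
        sub = pat.match(entry.body)
        if sub:
            entry.fields = sub.groupdict()
            break
    return entry


def parse_log(text: str) -> List[Entry]:
    """Parse a whole HJT log; non-entry lines (header, EOF marker) are skipped."""
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def triage(entries: List[Entry]) -> Dict[str, list]:
    """Assumed triage rules (this example's own, not HijackThis's):
    - O16 controls fetched from a remote URL are listed with their host, since
      a DPF entry is an ActiveX package IE downloaded and will load again;
    - O17 NameServer values are listed so the DNS servers can be verified;
    - O4 autostarts and O23 services are listed for manual review."""
    report = {"remote_activex": [], "dns_servers": [], "autostarts": [], "services": []}
    for e in entries:
        f = e.fields
        if e.code == "O16" and "src" in f:
            if f["src"].lower().startswith(("http://", "https://")):
                report["remote_activex"].append((f["name"], urlparse(f["src"]).hostname))
        elif e.code == "O17" and "servers" in f:
            report["dns_servers"].extend(s.strip() for s in f["servers"].split(","))
        elif e.code == "O4" and "cmd" in f:
            report["autostarts"].append((f["hive"], f["name"], f["cmd"]))
        elif e.code == "O23" and "path" in f:
            report["services"].append((f["name"], f["vendor"], f["path"]))
    return report


# Constructed sample in the format of the HJT log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:12 PM, on 5/31/2008

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEDBFCB3-4271-4700-8A6B-C85A1E8C2A2D}: NameServer = 68.94.156.1,68.94.157.1
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
--
End of file - 8460 bytes
"""

if __name__ == "__main__":
    for key, items in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{key}:")
        for item in items:
            print("  ", item)
```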

OK. I went to the CA web site to find out how to disable. Here are the log files.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:43:12 PM, on 5/31/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Digital Media Reader\readericon45G.exe

C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\CyberScrub Privacy Suite\CSRiskMon.exe

C:\Program Files\Child Timer\ComputerTime.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\bambam641.exe.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [Privacy Suite RiskMonitor] C:\Program Files\CyberScrub Privacy Suite\CSRiskMon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [Magnify] Magnify.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Global Startup: Child Timer Automatic Startup.lnk = C:\Program Files\Child Timer\ComputerTime.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...wlscbase969.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{AEDBFCB3-4271-4700-8A6B-C85A1E8C2A2D}: NameServer = 68.94.156.1,68.94.157.1

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

 

--

End of file - 8460 bytes

 

ComboFix 08-05-29.1 - Owner 2008-05-31 20:22:50.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1445 [GMT -5:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt

* Created a new restore point

 

FILE ::

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Hits4Pay.url.lnk

C:\Documents and Settings\Owner\My Documents\My Downloads\BSINSTALL.exe

C:\Documents and Settings\Owner\My Documents\Unused Desktop Shortcuts\Alice Greenfingers\ReflexiveArcade\ReflexiveArcade.dll

C:\Program Files\iWin Games\iWinGamesHookIE.dll

C:\Program Files\Trend Micro\HijackThis\backups\backup-20080530-165938-302.dll

C:\Program Files\WinAce\VVSNInst.exe

C:\WINDOWS\system32\eplousm.dll

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\Owner\My Documents\My Downloads\BSINSTALL.exe

C:\Documents and Settings\Owner\My Documents\Unused Desktop Shortcuts\Alice Greenfingers\ReflexiveArcade\ReflexiveArcade.dll

C:\Program Files\iWin Games

C:\Program Files\iWin Games\firefox\chrome\iwinarcade.jar

C:\Program Files\iWin Games\firefox\install.rdf

C:\Program Files\iWin Games\firefox\iWinArcadeLauncher.exe

C:\Program Files\iWin Games\ftdownload.dat

C:\Program Files\iWin Games\host.cfg

C:\Program Files\iWin Games\iWinGames.exe

C:\Program Files\iWin Games\iWinGamesHookIE.dll

C:\Program Files\iWin Games\pages\iwin_logo.gif

C:\Program Files\iWin Games\sounds\animation.wav

C:\Program Files\iWin Games\sounds\animationBack.wav

C:\Program Files\iWin Games\sounds\button_click.wav

C:\Program Files\iWin Games\sounds\download_completed.wav

C:\Program Files\iWin Games\sounds\start.wav

C:\Program Files\iWin Games\Uninstall.exe

C:\Program Files\iWin Games\WebInstaller.exe

C:\Program Files\iWin Games\WebUpdater.bmp

C:\Program Files\iWin Games\WebUpdater.exe

C:\Program Files\Trend Micro\HijackThis\backups\backup-20080530-165938-302.dll

C:\Program Files\WinAce

C:\Program Files\WinAce\sponsor.html

C:\Program Files\WinAce\VVSNInst.exe

C:\WINDOWS\system32\eplousm.dll

 

.

((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))

.

 

2008-05-31 18:31 . 2008-05-31 18:37 <DIR> d-------- C:\Documents and Settings\Owner\.SunDownloadManager

2008-05-30 15:31 . 2008-05-30 15:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-05-30 15:31 . 2008-05-30 15:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes

2008-05-30 15:31 . 2008-05-30 15:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-05-30 15:31 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys

2008-05-30 15:31 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-05-30 04:14 . 2008-05-30 04:14 <DIR> d-------- C:\Program Files\Lavasoft

2008-05-30 04:14 . 2008-05-30 04:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-05-29 17:44 . 2008-05-29 17:44 <DIR> d-------- C:\Program Files\Trend Micro

2008-05-28 19:13 . 2008-05-28 19:13 <DIR> d-------- C:\Program Files\PCPitstop

2008-05-18 13:31 . 2008-05-18 13:31 244 --ah----- C:\sqmnoopt09.sqm

2008-05-18 13:31 . 2008-05-18 13:31 232 --ah----- C:\sqmdata09.sqm

2008-05-17 17:57 . 2008-05-17 17:57 244 --ah----- C:\sqmnoopt08.sqm

2008-05-17 17:57 . 2008-05-17 17:57 232 --ah----- C:\sqmdata08.sqm

2008-05-17 10:31 . 2008-05-17 10:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Sony

2008-05-17 09:01 . 2008-05-17 09:01 268 --ah----- C:\sqmdata07.sqm

2008-05-17 09:01 . 2008-05-17 09:01 244 --ah----- C:\sqmnoopt07.sqm

2008-05-16 16:43 . 2008-05-16 16:43 244 --ah----- C:\sqmnoopt06.sqm

2008-05-16 16:43 . 2008-05-16 16:43 232 --ah----- C:\sqmdata06.sqm

2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

2008-05-16 07:46 . 2008-05-16 07:46 244 --ah----- C:\sqmnoopt05.sqm

2008-05-16 07:46 . 2008-05-16 07:46 232 --ah----- C:\sqmdata05.sqm

2008-05-15 22:48 . 2008-05-15 22:48 244 --ah----- C:\sqmnoopt04.sqm

2008-05-15 22:48 . 2008-05-15 22:48 232 --ah----- C:\sqmdata04.sqm

2008-05-15 08:21 . 2008-05-15 08:21 244 --ah----- C:\sqmnoopt03.sqm

2008-05-15 08:21 . 2008-05-15 08:21 232 --ah----- C:\sqmdata03.sqm

2008-05-15 07:54 . 2008-05-15 07:54 244 --ah----- C:\sqmnoopt02.sqm

2008-05-15 07:54 . 2008-05-15 07:54 232 --ah----- C:\sqmdata02.sqm

2008-05-14 22:32 . 2008-05-14 22:32 244 --ah----- C:\sqmnoopt01.sqm

2008-05-14 22:32 . 2008-05-14 22:32 232 --ah----- C:\sqmdata01.sqm

2008-05-14 11:14 . 2008-05-14 11:14 880,432 --a------ C:\WINDOWS\system32\drivers\vetefile.sys

2008-05-14 11:14 . 2008-05-14 11:14 108,368 --a------ C:\WINDOWS\system32\drivers\veteboot.sys

2008-05-14 08:18 . 2008-05-14 08:18 244 --ah----- C:\sqmnoopt00.sqm

2008-05-14 08:18 . 2008-05-14 08:18 232 --ah----- C:\sqmdata00.sqm

2008-05-13 20:29 . 2008-05-13 20:29 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll

2008-05-10 10:30 . 2008-05-17 10:27 <DIR> d-------- C:\Program Files\Sony

2008-05-10 10:29 . 2008-05-10 10:29 <DIR> d-------- C:\Program Files\Sony Setup

2008-05-06 19:32 . 2008-05-06 19:32 <DIR> d-------- C:\WINDOWS\Pet Shop Hop

2008-05-06 19:32 . 2008-05-06 19:32 <DIR> d-------- C:\Program Files\Pet Shop Hop

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-01 01:18 --------- d-----w C:\Program Files\Child Timer

2008-05-31 23:55 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus

2008-05-31 23:53 --------- d-----w C:\Program Files\Java

2008-05-31 23:51 --------- d-----w C:\Documents and Settings\Owner\Application Data\Xfire

2008-05-30 21:02 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso

2008-05-30 09:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-05-29 23:33 --------- d-----w C:\Program Files\Xfire

2008-05-29 22:50 --------- d-----w C:\Program Files\Common Files\Scanner

2008-05-27 21:35 --------- d-----w C:\Program Files\Shockwave.com

2008-05-27 20:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP

2008-05-27 00:10 47,279 ---ha-w C:\hpothb07.dat

2008-05-13 19:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM

2008-05-07 00:33 --------- d-----w C:\Documents and Settings\Owner\Application Data\PlayFirst

2008-05-07 00:31 --------- d-----w C:\Program Files\Go Go Gourmet

2008-05-07 00:27 --------- d-----w C:\Program Files\Turbo Pizza

2008-05-07 00:26 --------- d-----w C:\Program Files\Yahoo! Games

2008-05-07 00:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst

2008-05-07 00:24 --------- d-----w C:\Program Files\Burger Rush

2008-04-30 00:53 --------- d-----w C:\Program Files\MSN Messenger

2008-04-29 16:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys

2008-04-29 16:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys

2008-04-29 16:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys

2008-04-27 16:50 --------- d-----w C:\Program Files\Magic Farm

2008-04-26 21:50 --------- d-----w C:\Program Files\Gameforge4D

2008-04-26 21:40 --------- d-----w C:\Program Files\LimeWire

2008-04-25 21:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\Meridian93

2008-04-16 00:11 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Xfire

2008-04-13 21:06 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Xfire

2008-04-13 15:35 --------- d-----w C:\Documents and Settings\Owner\Application Data\Talkback

2008-04-08 20:34 --------- d-----w C:\Program Files\Cooking Academy

2008-04-08 20:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Fugazo

2008-04-08 16:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\Jane s Hotel Family Hero

2008-04-08 11:03 --------- d-----w C:\Program Files\Jane's Hotel. Family Hero

2008-04-08 00:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Astar Games

2008-04-02 20:48 --------- d-----w C:\Program Files\CyberScrub Privacy Suite

2008-04-02 20:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\CyberScrub

2008-04-01 02:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink

2008-03-16 19:16 642 ---ha-w C:\Documents and Settings\Owner\hpothb07.dat

2008-02-22 23:57 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys

2006-08-30 21:46 6,072 ----a-w C:\Documents and Settings\All Users\Application Data\ypinfo.bin

2006-06-15 16:29 438 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat

.

 

((((((((((((((((((((((((((((( [email protected]_20.05.47.00 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-02-26 11:48:44 297,984 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\SP2QFE\msctf.dll

+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spmsg.dll

+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spuninst.exe

+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\spcustom.dll

+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\update.exe

+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\updspapi.dll

- 2008-05-31 00:54:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-06-01 01:27:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-02-26 11:59:50 294,912 -c----w C:\WINDOWS\system32\dllcache\msctf.dll

- 2008-02-22 06:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe

+ 2008-03-25 06:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe

- 2008-02-22 06:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe

+ 2008-03-25 06:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe

- 2008-02-22 07:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe

+ 2008-03-25 07:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe

- 2004-08-10 19:00:00 294,400 ----a-w C:\WINDOWS\system32\MSCTF.dll

+ 2008-02-26 11:59:50 294,912 ----a-w C:\WINDOWS\system32\msctf.dll

- 2008-05-31 00:58:53 64,256 ----a-w C:\WINDOWS\system32\perfc009.dat

+ 2008-05-31 00:58:58 64,372 ----a-w C:\WINDOWS\system32\perfc009.dat

- 2008-05-31 00:58:54 408,924 ----a-w C:\WINDOWS\system32\perfh009.dat

+ 2008-05-31 00:58:58 409,232 ----a-w C:\WINDOWS\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

"Privacy Suite RiskMonitor"="C:\Program Files\CyberScrub Privacy Suite\CSRiskMon.exe" [2007-11-22 10:53 1777296]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]

"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]

"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 08:09 139264]

"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-05-04 02:21 176128]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]

"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 23:25 177416]

"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 14:42 230664]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 15:18 267048]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2004-08-10 14:00 53760 C:\WINDOWS\system32\narrator.exe]

"Magnify"="Magnify.exe" [2004-08-10 14:00 72704 C:\WINDOWS\system32\magnify.exe]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Child Timer Automatic Startup.lnk - C:\Program Files\Child Timer\ComputerTime.exe [2007-09-17 18:40:32 4308992]

Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-02-24 10:08:10 784912]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableTaskMgr"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 11:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.I420"= vdrcodec.dll

"VIDC.MJPG"= Pvmjpg30.dll

"VIDC.XFR1"= xfcodec.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk

backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk

backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MySurvey Messenger.lnk]

path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\MySurvey Messenger.lnk

backup=C:\WINDOWS\pss\MySurvey Messenger.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

--a------ 2008-01-03 11:15 50528 C:\Program Files\AIM6\aim6.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]

--a------ 2008-03-07 08:26 89024 C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]

--a------ 2006-09-28 14:21 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a------ 2007-09-18 09:16 171464 C:\Program Files\DAEMON Tools\daemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eBayToolbar]

C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

--a------ 2006-04-20 12:10 50792 C:\Program Files\Common Files\AOL\1174728736\ee\AOLSoftware.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

--a------ 2003-12-22 09:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]

--a------ 2004-05-04 17:17 491520 C:\WINDOWS\system32\hphmon05.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]

--a------ 2004-03-31 23:34 49152 C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]

--a------ 2006-02-17 11:59 124520 C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-02-04 15:18 267048 C:\Program Files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

-ra------ 2007-04-16 16:28 577536 C:\WINDOWS\soundman.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"C:\\Program Files\\Abacast\\Abaclient.exe"=

"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\LimeWire\\LimeWire.exe"=

"C:\\Program Files\\Common Files\\AOL\\1174728736\\ee\\aolsoftware.exe"=

"C:\\Program Files\\Common Files\\AOL\\1174728736\\ee\\aim6.exe"=

"C:\\Program Files\\Azureus\\Azureus.exe"=

"C:\\Program Files\\AIM6\\aim6.exe"=

"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=

"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=

"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=

"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=

"C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=

"C:\\Program Files\\Xfire\\xfire.exe"=

"C:\\WINDOWS\\system32\\dpvsetup.exe"=

"C:\Program Files\Gameforge4D\AirRivals\Launcher.atm"= C:\Program Files\Gameforge4D\AirRivals\Launcher.atm:Enabled:GameExe2

"C:\Program Files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe"= C:\Program Files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe:Enabled:GameVoIP

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"C:\\Program Files\\MSN Messenger\\livecall.exe"=

 

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-10 14:00]

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2007-08-16 22:10]

S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-02-13 23:08]

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

 

.

Contents of the 'Scheduled Tasks' folder

"2008-05-28 19:51:53 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Owner at 7 39 PM.job"

- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe

"2006-05-02 21:42:02 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1138560423.job"

- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I

"2008-06-01 00:05:03 C:\WINDOWS\Tasks\HP Usg Daily.job"

- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-31 20:28:00

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\ehome\ehrecvr.exe

C:\WINDOWS\ehome\ehSched.exe

C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\ehome\ehmsas.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe

.

**************************************************************************

.

Completion time: 2008-05-31 20:38:22 - machine was rebooted

ComboFix-quarantined-files.txt 2008-06-01 01:38:20

ComboFix2.txt 2008-05-31 13:38:09

ComboFix3.txt 2008-05-31 01:06:00

 

Pre-Run: 113,095,368,704 bytes free

Post-Run: 113,081,516,032 bytes free

 

323 --- E O F --- 2008-05-31 08:00:57


Welcome back

 

All looks good now.

 

 

Next, launch Notepad (Start > Run, type in: notepad)

and copy and paste the text in the quote box below into it

(don't forget to copy and paste REGEDIT4):

REGEDIT4

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableTaskMgr"=-

 

 

Save this as fix.reg, change the "Save as type" to "All Files", and place it on your desktop.

Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards.

 

 

Now reboot your machine.

 

 

 

Don't miss or skip this next step; it will remove bad files from quarantine and set a clean restore point.

 

1. Click START then RUN.

2. Now type Combofix /u in the run box and click OK. Note the space between the x and the /u; it needs to be there.

 


 

 

 

If there are no more issues you're good to go, good job!

 

Below are recommendations to protect your computer.

 

Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.

 

 

Firefox 2.0: The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 2 adds powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.

 

How to prevent Malware: Created by Miekiemoes

 

Here are some additional utilities that will further enhance your safety.

# http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

 

 

Read this article 'Safe Computing Practices'.

So how did I get infected in the first place?

 

Secure My Computer: A Layered Approach

 

Strong passwords: How to create and use them

 

Slow Computer? Check here first; it may not be malware

http://www.castlecops.com/postitle175256-0-0-.html

Free Antivirus-AntiSpyware-Firewall Software

 

 

PC Safety and Security--What Do I Need?

http://www.techsupportforum.com/security-c...-do-i-need.html

 

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

This site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

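The fix.reg above removes one policy value, but the ComboFix log earlier in this thread lists several other entries in the same REGEDIT4 format that weaken built-in protections (AntiVirusOverride and DisableMonitoring under the Security Center key, and EnableFirewall set to 0). The following Python script is an added example, not part of this thread, of ComboFix or of HijackThis: it parses that section from a constructed sample of such log lines, flags the values, and writes out REGEDIT4 entries that would undo them, using the same `"name"=-` delete syntax the helper's fix.reg uses. The check table and the expansion of ComboFix's `HKLM\~\services` shorthand are my assumptions.

```python
"""Added example (not part of this thread, ComboFix or HijackThis): parse the
REGEDIT4-style "Reg Loading Points" section of a ComboFix log, flag values that
weaken built-in Windows protections, and emit REGEDIT4 entries that undo them
for review, using the same "name"=- delete syntax as the fix.reg above."""

import re

# Constructed sample: a shortened copy of entries of the kind shown in the log
# earlier in this thread (both value spellings ComboFix uses are included).
SAMPLE_LOG = r"""REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"""

# Assumed check table: (key-path suffix, value name, value that weakens
# protection, meaning, fix).  fix=None means "delete the value"; an int means
# "set it to this DWORD".
CHECKS = [
    (r"policies\system", "DisableTaskMgr", 1, "Task Manager disabled by policy", None),
    (r"security center", "AntiVirusOverride", 1, "Security Center told to ignore AV status", None),
    (r"security center\monitoring\computerassociatesantivirus", "DisableMonitoring", 1,
     "Security Center monitoring of the AV product suppressed", None),
    (r"firewallpolicy\standardprofile", "EnableFirewall", 0, "Windows Firewall disabled", 1),
]

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_value(raw):
    """Turn ComboFix value data into an int where it is numeric, else keep the text."""
    raw = raw.strip()
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", raw)         # "x"=dword:00000001
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)      # "x"= 1 (0x1)
    if m:
        return int(m.group(1))
    return raw                                               # string data / file info


def parse_reg_section(text):
    """Return (key, name, value) for every value line under a [key] header."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            entries.append((key, vm.group(1), parse_value(vm.group(2))))
    return entries


def find_weakened_settings(text):
    """Return (key, name, meaning, fix) for each entry that matches CHECKS."""
    findings = []
    for key, name, value in parse_reg_section(text):
        for suffix, vname, bad, meaning, fix in CHECKS:
            if (key.lower().endswith(suffix.lower())
                    and name.lower() == vname.lower() and value == bad):
                findings.append((key, name, meaning, fix))
    return findings


def expand_key(key):
    """Expand ComboFix's HKLM\\~\\services\\ shorthand (assumed to stand for
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\) so the key is valid in a .reg file."""
    prefix = "hklm\\~\\services\\"
    if key.lower().startswith(prefix):
        return "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\" + key[len(prefix):]
    return key


def build_fix_reg(findings):
    """Emit REGEDIT4 text that deletes or resets each flagged value."""
    lines = ["REGEDIT4", ""]
    for key, name, _meaning, fix in findings:
        lines.append(f"[{expand_key(key)}]")
        lines.append(f'"{name}"=-' if fix is None else f'"{name}"=dword:{fix:08x}')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_weakened_settings(SAMPLE_LOG)
    for key, name, meaning, _ in found:
        print(f"{meaning}: [{key}] {name}")
    print(build_fix_reg(found))
```

The generated .reg text is meant to be read before it is merged, not applied blindly: a disabled Windows Firewall, for instance, can be deliberate when a third-party firewall is installed (the point discussed later in this thread), so a reviewer should confirm each flagged value is actually unwanted on that machine.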

Thank you so much for your help in removing this. One question I have though is do I need to use another firewall other than the Windows firewall? I have used others before and did not like them. Which one do you recommend? Thanks again!!! :clap:


You are very welcome!

One question I have though is do I need to use another firewall other than the Windows firewall?

Windows XP firewall only checks incoming data

(Windows firewall is not truly a firewall. It is a NAT (Network Address Translation) program more than anything. That means it may block unknown incoming traffic, but doesn’t do anything about outgoing traffic. Malware already inside your system will be able to communicate out and download all sorts of other nasties into your system.)

I have used others before and did not like them. Which one do you recommend?

This will be hard to sort out; my opinion is related to the computer's specs and what it can handle after a firewall is downloaded and installed.

Some use a ton of resources, while others can appear to go a little bit lighter.

 

What I like to say here is: experiment somewhat until you find one that seems the most compatible with your system.

 

 

I have heard a few comments that the latest version of ZoneAlarm has slowed down a few machines and makes startups somewhat slower.

 

If you decide to download and install another firewall, please disable Windows Firewall.

Start menu->>Control Panel->>Security Center->>Windows Firewall and disable Windows Firewall.

 

 

 

The following FREE versions are:

Zone Alarm free:

http://www.zonealarm.com/store/content/cat...=US&lang=en

PDF documentation for Zone Alarm available here:

http://www.zonealarm.com/store/content/sup...a/znalmMain.jsp

If you are going to try Zone Alarm, I suggest just installing the basic firewall so the bundled trial antivirus does not get installed. Also, I recommend NOT installing the new optional feature Spy Blocker, as it's run by the questionable search engine Ask.com. You can read more about Ask.com here: http://www.benedelman.org/spyware/installa...kjeeves-banner/

 

Comodo free:

http://www.personalfirewall.comodo.com/

Tutorial for install:

http://www.nordicnature.net/tutorials/index.html

 

Sunbelt Kerio:

http://www.sunbelt-software.com/Home-Home-...ewall/Download/

PDF documentation for Sunbelt Kerio available here:

http://www.sunbelt-software.com/Home-Home-.../Documentation/

 

Jetico free:

http://www.jetico.com/index.htm#/jpfirewall.htm

 

 

Test your Firewall and make sure it is working properly.

 

Note: You must only use 1 (one) Firewall at a time because if you have 2 or more Firewalls running at the same time, they will conflict with each other and make your security less reliable.

The above are known good free Firewalls available for personal use. If one conflicts with your system, try another.

 

For a tutorial on Firewalls and a listing of available ones see the link Here

Edited by Juliet