
Slow computer, can't delete desktop items

Discussion in 'Windows - Virus and spyware problems' started by limeninja, Jan 25, 2008.

  1. limeninja

    limeninja Member

    Here's my hijack this log. Thanks.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:14:55 PM, on 25/01/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\runservice.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
    C:\Program Files\QuickTime\QTTask.exe
    c:\PROGRA~1\mcafee\msk\msksrver.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\p2csvc.exe
    C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\SiteAdvisor\6253\SAService.exe
    C:\WINDOWS\Fonts\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    c:\Recycler\svchost.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q105&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q105&bd=pavilion&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.davidbordwell.net/blog/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q105&bd=pavilion&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.davidbordwell.net/blog/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    F2 - REG:system.ini: Shell=
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
    O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
    O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
    O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166217444166
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O18 - Filter hijack: text/html - (no CLSID) - (no file)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - c:\PROGRA~1\mcafee\msk\msksrver.exe
    O23 - Service: p2csvc - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\p2csvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
    O23 - Service: Windowhelp - Unknown owner - c:\Recycler\svchost.exe

    --
    End of file - 10105 bytes
     
  2. echoreply

    echoreply Regular member

    hi,
    first we will stop a service, use hjt, then boot into safe mode to delete a file.
    go to start>run and type in: services.msc. in the list of services that comes up look for: Windowhelp

    right click on it and select properties.

    under the general tab:

    the path to the .exe should be: c:\Recycler\svchost.exe

    make sure that the service status is: Stopped, if not click the Stop button

    and the Startup type is: disabled, if not change it to disabled

    click apply, then ok

    next hjt:

    start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fix checked"

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    F2 - REG:system.ini: Shell=
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe

    O23 - Service: Windowhelp - Unknown owner - c:\Recycler\svchost.exe
    ----------------------------------
    boot computer into safe mode. to reach safe mode you would tap the f8 key during a computer restart, choose the first option: safe mode.
    might want to copy/paste this part into notepad and save it so you can find and read it in safe mode:

    navigate here:
    C:\WINDOWS
    delete the Fonts folder which should have a svchost process in it.

    do this:
    Go to Start > Run and type: cleanmgr. Windows will scan. When done check these 3 and press *ok* to remove:

    Temporary Files
    Temporary Internet Files
    Recycle Bin

    run your mcafee antivirus. reboot normally, rescan and post a new hjt log
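    Added example (not part of the thread, and not echoreply's or limeninja's work): a small Python triage script that applies the reasoning behind the steps above to a HijackThis log. It flags a Windows system-binary name (svchost.exe) running from a directory other than %WINDIR%\System32, executables launched from Fonts or Recycler, and the O4 run key and O23 service that would relaunch such a file at boot. The SYSTEM32_ONLY and NO_EXE_DIRS lists and the line-format regexes are heuristics chosen for this example; the sample log is built from excerpts of the HJT log posted earlier in this thread.

```python
"""Triage a HijackThis (HJT) log for the masquerading-svchost pattern seen above:
a core Windows binary name running from a directory it never lives in, plus the
O4 run key and O23 service that would restart it after a reboot."""
import re
from pathlib import PureWindowsPath

# Constructed sample: excerpts copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Fonts\svchost.exe
c:\Recycler\svchost.exe
C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O23 - Service: Windowhelp - Unknown owner - c:\Recycler\svchost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""

# Heuristic for this example: on Windows XP these core binaries run only from
# %WINDIR%\System32, so the same file name anywhere else is a masquerade.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "smss.exe",
                 "winlogon.exe", "csrss.exe", "spoolsv.exe"}
# Directories that hold no legitimate executables; both appear in the log above.
NO_EXE_DIRS = {"recycler", "fonts"}

# HJT line formats for Run keys and services (regexes written for this example).
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def classify_path(path_str):
    """Return a reason string if an executable path looks suspicious, else None."""
    path = PureWindowsPath(path_str.strip().strip('"'))
    name = path.name.lower()
    dirs = [p.lower().rstrip("\\") for p in path.parts[:-1]]
    parent = dirs[-1] if dirs else ""
    if name in SYSTEM32_ONLY and parent != "system32":
        return f"system binary name '{name}' running outside System32"
    if any(d in dirs for d in NO_EXE_DIRS):
        return f"executable launched from a non-program directory ({path.parent})"
    return None


def command_path(cmd):
    """Pull the executable path out of a Run-key command line (quoted or not, with args)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: the path ends at the first .exe/.dll/.cpl followed by whitespace or EOL.
    m = re.match(r"(.*?\.(?:exe|dll|cpl))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_processes(log_text):
    """Collect the paths listed under 'Running processes:' up to the next blank line."""
    procs, capturing = [], False
    for line in log_text.splitlines():
        if line.strip() == "Running processes:":
            capturing = True
            continue
        if capturing:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def triage(log_text):
    """Return (kind, detail, reason) findings for processes, O4 run keys and O23 services."""
    findings = []
    for proc in parse_processes(log_text):
        reason = classify_path(proc)
        if reason:
            findings.append(("process", proc, reason))
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            path = command_path(m.group("cmd"))
            reason = classify_path(path)
            if reason:
                findings.append(("run-key", f"{m.group('hive')} [{m.group('name')}] -> {path}", reason))
            continue
        m = O23_RE.match(line)
        if m:
            reason = classify_path(m.group("path"))
            if reason:
                detail = f"{m.group('svc')} ({m.group('owner')}) -> {m.group('path')}"
                findings.append(("service", detail, reason))
    return findings


if __name__ == "__main__":
    for kind, detail, reason in triage(SAMPLE_LOG):
        print(f"[{kind}] {detail}\n    {reason}")
```

    The same run-key and service findings point at what must be fixed together: the file on disk, the O4 entry that starts it, and the O23 service that restarts it, which is why the post above stops the service and fixes the HJT entries before deleting the file.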
     
  3. limeninja

    limeninja Member

    Hi,
    I tried what you said. I ran McAfee at the end. It detected junk-nav quar and adware-isearch.dr but couldn't remove either of them. The C: drive still shows up as a big red X, but not when I'm in safe mode.

    Thanks for your help!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:08:59 PM, on 30/01/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\runservice.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
    C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\AGRSMMSG.exe
    c:\PROGRA~1\mcafee\msk\msksrver.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
    C:\WINDOWS\system32\p2csvc.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    C:\Program Files\SiteAdvisor\6253\SAService.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\RegCure\RegCure.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q105&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q105&bd=pavilion&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.davidbordwell.net/blog/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q105&bd=pavilion&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.davidbordwell.net/blog/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [668af02d] rundll32.exe "C:\WINDOWS\system32\bfhnykvr.dll",b
    O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
    O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166217444166
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O18 - Filter hijack: text/html - (no CLSID) - (no file)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - c:\PROGRA~1\mcafee\msk\msksrver.exe
    O23 - Service: p2csvc - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\p2csvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

    --
    End of file - 10299 bytes
     
  4. echoreply

    echoreply Regular member

  5. limeninja

    limeninja Member

    I ran combofix and here are the results.

    ComboFix 08-01-31.3 - HP_Administrator 2008-01-30 23:08:18.1 - NTFSx86
    Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\awtrrpm.dll
    C:\WINDOWS\system32\ssqrq.dll
    C:\WINDOWS\system32\yjktrrme.dll
    C:\Program Files\kernel
    C:\WINDOWS\2.exe
    C:\WINDOWS\hosts
    C:\WINDOWS\system32\aetgiiye.dll
    C:\WINDOWS\system32\aukvbrla.ini
    C:\WINDOWS\system32\awtrrpm.dll
    C:\WINDOWS\system32\bepengal.dll
    C:\WINDOWS\system32\bfhnykvr.dll
    C:\WINDOWS\system32\lsprst7.dll
    C:\WINDOWS\system32\lvmwtncl.ini
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\phwvcrgx.dll
    C:\WINDOWS\system32\pjdbvmxf.ini
    C:\WINDOWS\system32\qrqss.ini
    C:\WINDOWS\system32\qrqss.ini2
    C:\WINDOWS\system32\rvkynhfb.ini
    C:\WINDOWS\system32\sobrutim.dll
    C:\WINDOWS\system32\ssprs.dll
    C:\WINDOWS\system32\ssqrq.dll
    C:\WINDOWS\system32\tehhhxaq.ini
    C:\WINDOWS\system32\yjktrrme.dll
    C:\WINDOWS\system32\yjktrrme.dllbox
    C:\WINDOWS\Fonts\-

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_NPF


    ((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
    .

    2008-01-30 21:30 . 2008-01-30 21:30 <DIR> d-------- C:\Program Files\CCleaner
    2008-01-30 20:42 . 2008-01-30 20:44 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-01-30 20:42 . 2008-01-30 20:42 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
    2008-01-30 20:42 . 2008-01-30 20:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-01-28 21:32 . 2008-01-28 22:24 294 --ahs---- C:\WINDOWS\system32\nccjpoqj.ini
    2008-01-28 21:29 . 2008-01-28 21:29 294 --ahs---- C:\WINDOWS\system32\cyybwrwb.ini
    2008-01-27 19:49 . 2008-01-30 20:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-01-27 19:49 . 2008-01-27 19:49 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-01-27 19:47 . 2008-01-27 19:47 <DIR> d-------- C:\Program Files\iTunes
    2008-01-27 11:46 . 2008-01-27 11:46 147,520 --a------ C:\WINDOWS\system32\jxcklvoj.dll
    2008-01-27 11:46 . 2008-01-27 11:57 354 --ahs---- C:\WINDOWS\system32\jovlkcxj.ini
    2008-01-27 11:40 . 2008-01-27 11:40 294 --ahs---- C:\WINDOWS\system32\qmtmgeaa.ini
    2008-01-25 20:01 . 2008-01-25 20:13 <DIR> d-------- C:\Program Files\RegCure
    2008-01-25 19:26 . 2008-01-30 20:41 <DIR> d-------- C:\Program Files\XoftSpySE
    2008-01-25 19:15 . 2008-01-25 19:15 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-25 01:30 . 2008-01-25 01:30 147,520 --a------ C:\WINDOWS\system32\alrbvkua.dll
    2008-01-25 01:20 . 2008-01-25 01:20 46,300 --a------ C:\WINDOWS\system32\DcadsSocial-uninstall.exe
    2008-01-23 22:44 . 2008-01-23 22:44 <DIR> d-------- C:\EPData
    2008-01-23 22:43 . 2008-01-23 22:44 <DIR> d--h----- C:\Program Files\Zero G Registry
    2008-01-23 22:43 . 2008-01-23 22:43 <DIR> d-------- C:\Program Files\EP
    2008-01-23 22:34 . 2008-01-23 22:34 <DIR> d--h----- C:\Documents and Settings\HP_Administrator\InstallAnywhere
    2008-01-23 21:52 . 2008-01-23 21:52 40,731 --a------ C:\WINDOWS\system32\superiorads-uninst.exe
    2008-01-23 21:33 . 2008-01-23 21:33 120,832 --a------ C:\WINDOWS\lcmmfu.cpl
    2008-01-23 21:33 . 2008-01-23 21:33 2,560 --a------ C:\WINDOWS\Runservice.exe
    2008-01-23 21:33 . 2008-01-30 23:25 865 --ahs---- C:\WINDOWS\system32\mmf.sys
    2008-01-23 20:49 . 2008-01-23 21:33 45,056 --a------ C:\WINDOWS\mmfs.dll
    2008-01-20 12:04 . 2008-01-20 12:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
    2008-01-19 20:16 . 2008-01-19 20:16 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\SiteAdvisor
    2008-01-16 18:14 . 2008-01-16 18:15 12,800 --ahs---- C:\WINDOWS\system32\Thumbs.db
    2008-01-13 16:31 . 2008-01-30 23:26 39,879 --a------ C:\WINDOWS\system32\Config.MPF
    2008-01-13 16:30 . 2008-01-20 22:36 <DIR> d-------- C:\Program Files\SiteAdvisor
    2008-01-13 16:30 . 2008-01-20 12:03 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SiteAdvisor
    2008-01-13 16:30 . 2008-01-30 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2008-01-13 16:28 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
    2008-01-13 16:26 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
    2008-01-13 16:26 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
    2008-01-13 16:26 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
    2008-01-13 16:26 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
    2008-01-13 16:26 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
    2008-01-13 16:26 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
    2008-01-13 16:24 . 2008-01-13 16:26 <DIR> d-------- C:\Program Files\Common Files\McAfee
    2008-01-13 15:41 . 2008-01-26 13:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
    2008-01-11 17:53 . 2008-01-13 14:02 78 --a------ C:\WINDOWS\lsoon.ini
    2008-01-10 22:45 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
    2008-01-10 22:42 . 2008-01-11 23:49 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Regrun
    2008-01-10 22:42 . 2008-01-10 22:42 <DIR> d-------- C:\backreg
    2008-01-10 22:40 . 2008-01-10 22:40 <DIR> d-------- C:\Program Files\Greatis
    2008-01-10 22:40 . 2003-09-06 15:55 57,556 --a------ C:\WINDOWS\guard.bmp
    2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
    2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
    2008-01-09 18:57 . 2008-01-09 18:57 1,158 --a------ C:\WINDOWS\mozver.dat
    2008-01-05 15:09 . 2008-01-05 15:09 40 --a------ C:\WINDOWS\system32\drmgs.sys
    2008-01-05 15:01 . 2008-01-05 15:01 <DIR> d-------- C:\Program Files\MagicISO
    2008-01-04 18:45 . 2008-01-04 18:45 <DIR> d-------- C:\Program Files\Panasonic P2
    2008-01-03 19:40 . 2006-04-28 22:42 33 --a------ C:\WINDOWS\digifxf32.dat
    2008-01-03 19:04 . 2008-01-03 19:04 <DIR> d-------- C:\Program Files\ViviClip Video Filters 3
    2008-01-03 18:06 . 2006-04-28 22:40 31 --a------ C:\WINDOWS\digifxc22.dat
    2008-01-02 18:26 . 2004-03-29 15:23 90,112 --a------ C:\WINDOWS\unvise32.exe
    2008-01-02 17:47 . 2008-01-02 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-01-02 17:39 . 2008-01-02 17:39 <DIR> d-------- C:\Program Files\Bonjour
    2008-01-02 17:30 . 2008-01-02 17:30 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
    2008-01-01 13:47 . 2008-01-01 13:47 12 --a------ C:\WINDOWS\NetOps14.doc
    2007-12-20 21:54 . 2001-08-08 15:59 34,293 --a------ C:\WINDOWS\system32\drivers\tpp200.sys
    2007-12-20 21:54 . 2001-08-08 15:59 32,421 --a------ C:\WINDOWS\system32\drivers\tpp300.sys
    2007-12-20 21:53 . 2007-12-20 21:53 <DIR> d-------- C:\WINDOWS\Drivers
    2007-12-20 21:53 . 2001-08-08 15:59 212,992 --a------ C:\WINDOWS\tppnttry.exe
    2007-12-20 21:53 . 2001-08-08 15:59 118,784 --a------ C:\WINDOWS\tppaldr.exe
    2007-12-20 21:53 . 2001-08-08 15:59 88,545 --a------ C:\WINDOWS\system32\tppun.exe
    2007-12-20 21:53 . 2001-08-08 15:59 43,029 --a------ C:\WINDOWS\system32\drivers\tpp725.sys
    2007-12-20 21:53 . 2001-08-08 15:58 21,866 --a------ C:\Program Files\Common Files\tppupd2k.dll
    2007-12-20 21:53 . 2001-08-08 15:59 17,077 --a------ C:\WINDOWS\system32\tppui32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-31 03:06 --------- d-----w C:\Program Files\Broderbund
    2008-01-31 03:03 --------- d-----w C:\Program Files\Webshots
    2008-01-31 01:41 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-01-31 00:55 --------- d-----w C:\Program Files\McAfee
    2008-01-28 00:47 --------- d-----w C:\Program Files\iPod
    2008-01-28 00:43 --------- d-----w C:\Program Files\QuickTime
    2008-01-27 05:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-01-26 17:59 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\McAfee
    2008-01-24 03:26 --------- d-----w C:\Program Files\LimeWire
    2008-01-24 03:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-24 03:17 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-01-22 21:14 --------- d-----w C:\Program Files\Lexmark 1200 Series
    2008-01-16 23:07 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-01-16 00:29 --------- d-----w C:\Program Files\BitComet
    2008-01-13 21:35 --------- d-----w C:\Program Files\McAfee.com
    2008-01-13 21:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
    2008-01-08 05:15 --------- d-----w C:\Program Files\Neuratron PhotoScore Lite Demo
    2007-12-20 00:25 65,984 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
    2007-12-13 20:33 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\U3
    2005-09-27 01:11 1,358 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
    2003-05-30 14:22 344,064 ----a-r C:\Program Files\msvcr70.dll
    2002-01-05 08:40 487,424 ----a-w C:\Program Files\msvcp70.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Update Manager"="C:\Program Files\Rogers\Update Manager\UpdateManager.exe" [2004-05-27 08:26 136992]
    "RHSI SHS"="C:\Program Files\Rogers\SelfHealing\SHS.exe" [2004-09-10 10:47 1029928]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 23:00 15360]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05 204288]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
    "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 19:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-04 00:10 344064]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe]
    "RegistryMechanic"="" []
    "Lexmark 1200 Series"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2006-03-16 02:07 57344]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-31 22:34 180269]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
    "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
    "SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 16:57 36640]
    "McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-07-22 20:29 1160480]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tivuyqgg]
    tivuyqgg.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    --a------ 2005-05-03 18:43 69632 C:\WINDOWS\ALCMTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
    --a------ 2005-09-21 15:32 2807808 C:\WINDOWS\ALCWZRD.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
    --a------ 2005-08-12 13:43 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2005-02-16 22:11 49152 C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2006-07-31 22:34 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
    --a------ 2004-11-12 12:24 106557 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Ati HotKey Poller"=2 (0x2)

    R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2008-01-23 21:33]
    R2 p2csvc;p2csvc;C:\WINDOWS\system32\p2csvc.exe [2007-03-08 14:05]
    S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys [2004-08-03 23:10]
    S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys [2004-08-03 23:10]
    S3 p2usb;Panasonic P2 Series USB Device;C:\WINDOWS\system32\DRIVERS\p2usb.sys [2007-05-15 17:20]
    S3 PhilCam8116;Logitech QuickCam Pro 3000 (08B0);C:\WINDOWS\system32\DRIVERS\CamDrO21.sys [2001-08-17 13:05]
    S3 TPP300;USB Storage Adapter V3 (TPP);C:\WINDOWS\system32\DRIVERS\TPP300.SYS [2001-08-08 15:59]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-27 22:27:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-01-29 08:50:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
    - C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped05.exe
    "2008-01-13 21:26:03 C:\WINDOWS\Tasks\McDefragTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
    "2008-01-13 21:26:01 C:\WINDOWS\Tasks\McQcTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    "2008-01-31 04:26:52 C:\WINDOWS\Tasks\RegCure Program Check.job"
    - C:\Program Files\RegCure\RegCure.exe
    "2008-01-26 01:02:07 C:\WINDOWS\Tasks\RegCure.job"
    - C:\Program Files\RegCure\RegCure.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-30 23:26:57
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\runservice.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    c:\PROGRA~1\mcafee\msk\msksrver.exe
    C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\p2csvc.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\SiteAdvisor\6253\SAService.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\Program Files\Windows Media Player\WMPNetwk.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
    .
    **************************************************************************
    .
    Completion time: 2008-01-30 23:31:44 - machine was rebooted [HP_Administrator]
    ComboFix-quarantined-files.txt 2008-01-31 04:31:40
    .
    2008-01-25 08:03:48 --- E O F ---
     
  6. echoreply

    echoreply Regular member

    ok good. I will get back to you. in the meantime download and run vundofix also:

    download and run vundofix.exe:

    http://www.atribune.org/ccount/click.php?id=4

    * Double-click VundoFix.exe to run it.
    * Click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files; click YES.
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will reboot your computer, click OK.
    * Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
     
  7. limeninja

    limeninja Member

    Vundofix found nothing.
     
  8. echoreply

    echoreply Regular member

    ok. before we use combofix, look in the add/remove programs panel and uninstall these if present; reboot the computer after the uninstall

    Browser Optimizer Dcads
    Browser Optimizer Superiorads

    also post an uninstall list like this:

    start hjt, click on "open misc tools section"
    then "open uninstall manager"
    then "save list" button, save the list somewhere, then post the list in your next reply
     
  9. limeninja

    limeninja Member

    I uninstalled browser optimizer Dcads and superiorads. Here is my uninstall list.

    Sansa Media Converter
    #1 DVD Ripper 5.3
    2d3 SteadyMove for Adobe Premiere Pro
    ABBYY FineReader 5.0 Sprint
    Ad-Aware SE Personal
    Adobe After Effects CS3
    Adobe After Effects CS3
    Adobe After Effects CS3 Presets
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Atmosphere Player for Acrobat and Adobe Reader
    Adobe Bridge 1.0
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Common File Installer
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe Encore DVD 1.5
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player ActiveX
    Adobe Fonts All
    Adobe Help Center 1.0
    Adobe Help Viewer CS3
    Adobe Illustrator CS2
    Adobe Linguistics CS3
    Adobe MotionPicture Color Files
    Adobe MPEG Encoder
    Adobe PDF Library Files
    Adobe Photoshop CS2
    Adobe Premiere Pro 1.5
    Adobe Premiere Pro CS3
    Adobe Premiere Pro CS3
    Adobe Premiere Pro CS3 Functional Content
    Adobe Premiere Pro CS3 Third Party Content
    Adobe Reader 7.0.9
    Adobe Setup
    Adobe Setup
    Adobe Stock Photos 1.0
    Adobe SVG Viewer 3.0
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe Video Profiles
    Adobe XMP DVA Panels CS3
    Adobe XMP Panels CS3
    Ahead NeroVision Express
    Apple Mobile Device Support
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Control Panel
    ATI Display Driver
    BitComet 0.87
    CCleaner (remove only)
    CDisplay 1.8
    Compatibility Pack for the 2007 Office system
    Creative DVD Audio Plugin for Audigy Series
    DVR 2 WMV
    EP Scheduling
    Final Draft 7
    GdiplusUpgrade
    High Definition Audio Driver Package - KB835221
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard
    HijackThis 2.0.2
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Format SDK (KB902344)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB888795)
    Hotfix for Windows XP (KB891593)
    Hotfix for Windows XP (KB895961)
    Hotfix for Windows XP (KB896344)
    Hotfix for Windows XP (KB899337)
    Hotfix for Windows XP (KB899510)
    Hotfix for Windows XP (KB902841)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB928388)
    Hotfix for Windows XP (KB929120)
    Hotfix for Windows XP (KB935448)
    HP Deskjet Preloaded Printer Drivers
    HP Image Zone 4.5.3
    HP Image Zone for Media Center PC
    HP Image Zone Plus 4.5.3
    HP Photosmart Cameras 4.0
    HP PSC & OfficeJet 4.0
    HP Software Update
    HP Tunes
    HPIZplus450
    InterVideo DiscLabel
    InterVideo WinDVD 6
    InterVideo WinDVD Creator
    iPod for Windows 2005-01-11
    iTunes
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 8
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) SE Runtime Environment 6 Update 1
    Kaspersky Online Scanner
    Korean Language Support
    Lexmark 1200 Series
    Macromedia Shockwave Player
    Magic Bullet Suite 2.0
    Magic Bullet Suite 2.1
    Magic ISO Maker v5.4 (build 0239)
    McAfee SecurityCenter
    Microsoft .NET Framework 1.0 Hotfix (KB887998)
    Microsoft .NET Framework 1.0 Hotfix (KB930494)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office XP Professional with FrontPage
    Microsoft Plus! Digital Media Edition Installer
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual J# .NET Redistributable Package 1.1
    Mozilla Firefox (2.0.0.11)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    Native Instruments Sibelius Player
    Nero 6 Ultra Edition
    Neuratron PhotoScore Lite
    Neuratron PhotoScore Lite Demo
    Panasonic P2 Drivers
    QuickTime
    RealPlayer
    Realtek High Definition Audio Driver
    RegCure 1.5.0.0
    Registry Mechanic 7.0
    Rogers Self Healing (remove only)
    Rogers Update Manager (remove only)
    Security Update for CAPICOM (KB931906)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 2.0 (KB928365)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB883939)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB903235)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911280)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937894)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB942615)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944653)
    Sibelius 3
    Sibelius Scorch
    SMC Barricade Print Server Monitor
    Socialnetworking Helper Dcads
    Sonic Encoders
    Spybot - Search & Destroy
    SUPERAntiSpyware Free Edition
    TMPGEnc Plus 2.5
    TPP Storage Driver Installation
    Update for Windows Media Player 10 (KB913800)
    Update for Windows Media Player 10 (KB926251)
    Update for Windows XP (KB894391)
    Update for Windows XP (KB896727)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920342)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB925876)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB942840)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    Updates from HP
    USB Storage Adapter (TPP)
    USB Storage Adapter V2 (TPP)
    USB Storage Adapter V3 (TPP)
    Viewpoint Manager (Remove Only)
    ViviClip Video Filters 3
    WalkerFX 2.2 Professional Edition
    Win32
    Windows Installer 3.1 (KB893803)
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 10 Hotfix [See KB889858 for more information]
    Windows Media Player 11
    Windows Media Player 11
    Windows Rights Management Client Backwards Compatibility SP2
    Windows Rights Management Client with Service Pack 2
    Windows XP Hotfix - KB867282
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB883667
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885354
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB886716
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB887797
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888240
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890047
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB890923
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893066
    Windows XP Hotfix - KB893086
    Windows XP Media Center Edition 2005 KB888316
    Windows XP Media Center Edition 2005 KB925766
    WinRAR archiver
    Yahoo! Photos Easy Upload Tool

     
  10. echoreply

    echoreply Regular member

    hi,

    ok good. look back in add/remove programs panel and uninstall this one also:

    Socialnetworking Helper Dcads

    reboot the computer. since it's been a few days and the uninstalls may change what combofix finds, let's delete your copy of combofix and get a new copy to run.

    to uninstall current copy:
    start>run and type in combofix /u, click ok
    Note: there is a space after the x and before the /
    ------------------------------
    get a new copy of combofix and post the new log:
    Download combofix from one of these links and save it to Desktop:

    http://subs.geekstogo.com/ComboFix.exe
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    Double click combofix.exe & follow the prompts.
    When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click combofix's window while it's running. That may cause it to stall.
     
  11. limeninja

    limeninja Member

    I removed that program. Here is my new combofix log.

    ComboFix 08-02.01.6 - HP_Administrator 2008-02-01 23:12:52.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.332 [GMT -5:00]
    Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    D:\Autorun.inf

    ----- BITS: Possible infected sites -----

    hxxp://au.download.windowsupdate.com
    .
    ((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
    .

    2008-02-01 17:18 . 2008-02-01 17:18 <DIR> d-------- C:\WINDOWS\LastGood
    2008-01-30 21:30 . 2008-01-30 21:30 <DIR> d-------- C:\Program Files\CCleaner
    2008-01-30 20:42 . 2008-01-30 20:44 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-01-30 20:42 . 2008-01-30 20:42 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
    2008-01-30 20:42 . 2008-01-30 20:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-01-28 21:32 . 2008-01-28 22:24 294 --ahs---- C:\WINDOWS\system32\nccjpoqj.ini
    2008-01-28 21:29 . 2008-01-28 21:29 294 --ahs---- C:\WINDOWS\system32\cyybwrwb.ini
    2008-01-27 19:49 . 2008-01-31 19:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-01-27 19:49 . 2008-01-27 19:49 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-01-27 19:47 . 2008-01-27 19:47 <DIR> d-------- C:\Program Files\iTunes
    2008-01-27 11:46 . 2008-01-27 11:46 147,520 --a------ C:\WINDOWS\system32\jxcklvoj.dll
    2008-01-27 11:46 . 2008-01-27 11:57 354 --ahs---- C:\WINDOWS\system32\jovlkcxj.ini
    2008-01-27 11:40 . 2008-01-27 11:40 294 --ahs---- C:\WINDOWS\system32\qmtmgeaa.ini
    2008-01-25 20:01 . 2008-01-25 20:13 <DIR> d-------- C:\Program Files\RegCure
    2008-01-25 19:26 . 2008-01-30 20:41 <DIR> d-------- C:\Program Files\XoftSpySE
    2008-01-25 19:15 . 2008-01-25 19:15 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-25 01:30 . 2008-01-25 01:30 147,520 --a------ C:\WINDOWS\system32\alrbvkua.dll
    2008-01-23 22:44 . 2008-01-23 22:44 <DIR> d-------- C:\EPData
    2008-01-23 22:43 . 2008-01-23 22:44 <DIR> d--h----- C:\Program Files\Zero G Registry
    2008-01-23 22:43 . 2008-01-23 22:43 <DIR> d-------- C:\Program Files\EP
    2008-01-23 22:34 . 2008-01-23 22:34 <DIR> d--h----- C:\Documents and Settings\HP_Administrator\InstallAnywhere
    2008-01-23 21:33 . 2008-01-23 21:33 120,832 --a------ C:\WINDOWS\lcmmfu.cpl
    2008-01-23 21:33 . 2008-01-23 21:33 2,560 --a------ C:\WINDOWS\Runservice.exe
    2008-01-23 21:33 . 2008-02-01 17:11 865 --ahs---- C:\WINDOWS\system32\mmf.sys
    2008-01-23 20:49 . 2008-01-23 21:33 45,056 --a------ C:\WINDOWS\mmfs.dll
    2008-01-20 12:04 . 2008-01-20 12:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
    2008-01-19 20:16 . 2008-01-19 20:16 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\SiteAdvisor
    2008-01-16 18:14 . 2008-01-16 18:15 12,800 --ahs---- C:\WINDOWS\system32\Thumbs.db
    2008-01-13 16:31 . 2008-02-01 17:13 40,109 --a------ C:\WINDOWS\system32\Config.MPF
    2008-01-13 16:30 . 2008-01-20 22:36 <DIR> d-------- C:\Program Files\SiteAdvisor
    2008-01-13 16:30 . 2008-01-20 12:03 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SiteAdvisor
    2008-01-13 16:30 . 2008-02-01 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2008-01-13 16:28 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
    2008-01-13 16:26 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
    2008-01-13 16:26 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
    2008-01-13 16:26 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
    2008-01-13 16:26 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
    2008-01-13 16:26 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
    2008-01-13 16:26 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
    2008-01-13 16:24 . 2008-01-13 16:26 <DIR> d-------- C:\Program Files\Common Files\McAfee
    2008-01-13 15:41 . 2008-01-26 13:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
    2008-01-11 17:53 . 2008-01-13 14:02 78 --a------ C:\WINDOWS\lsoon.ini
    2008-01-10 22:45 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
    2008-01-10 22:42 . 2008-01-11 23:49 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Regrun
    2008-01-10 22:42 . 2008-01-10 22:42 <DIR> d-------- C:\backreg
    2008-01-10 22:40 . 2008-01-10 22:40 <DIR> d-------- C:\Program Files\Greatis
    2008-01-10 22:40 . 2003-09-06 15:55 57,556 --a------ C:\WINDOWS\guard.bmp
    2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
    2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
    2008-01-09 18:57 . 2008-01-09 18:57 1,158 --a------ C:\WINDOWS\mozver.dat
    2008-01-05 15:09 . 2008-01-05 15:09 40 --a------ C:\WINDOWS\system32\drmgs.sys
    2008-01-05 15:01 . 2008-01-05 15:01 <DIR> d-------- C:\Program Files\MagicISO
    2008-01-04 18:45 . 2008-01-04 18:45 <DIR> d-------- C:\Program Files\Panasonic P2
    2008-01-03 19:40 . 2006-04-28 22:42 33 --a------ C:\WINDOWS\digifxf32.dat
    2008-01-03 19:04 . 2008-01-03 19:04 <DIR> d-------- C:\Program Files\ViviClip Video Filters 3
    2008-01-03 18:06 . 2006-04-28 22:40 31 --a------ C:\WINDOWS\digifxc22.dat
    2008-01-02 18:26 . 2004-03-29 15:23 90,112 --a------ C:\WINDOWS\unvise32.exe
    2008-01-02 17:47 . 2008-01-02 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-01-02 17:39 . 2008-01-02 17:39 <DIR> d-------- C:\Program Files\Bonjour
    2008-01-02 17:30 . 2008-01-02 17:30 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-01 22:18 --------- d-----w C:\Program Files\McAfee
    2008-01-31 03:06 --------- d-----w C:\Program Files\Broderbund
    2008-01-31 03:03 --------- d-----w C:\Program Files\Webshots
    2008-01-31 01:41 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-01-28 00:47 --------- d-----w C:\Program Files\iPod
    2008-01-28 00:43 --------- d-----w C:\Program Files\QuickTime
    2008-01-27 05:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-01-26 18:00 118,306 ----a-w C:\WINDOWS\Fonts\x.zip
    2008-01-26 17:59 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\McAfee
    2008-01-24 03:26 --------- d-----w C:\Program Files\LimeWire
    2008-01-24 03:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-24 03:17 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-01-22 21:14 --------- d-----w C:\Program Files\Lexmark 1200 Series
    2008-01-16 23:07 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-01-16 00:29 --------- d-----w C:\Program Files\BitComet
    2008-01-13 21:35 --------- d-----w C:\Program Files\McAfee.com
    2008-01-13 21:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
    2008-01-08 05:15 --------- d-----w C:\Program Files\Neuratron PhotoScore Lite Demo
    2007-12-20 00:25 65,984 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
    2007-12-13 20:33 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\U3
    2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
    2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
    2007-10-01 17:15 290,830 ----a-w C:\WINDOWS\Fonts\Setup.exe
    2005-09-27 01:11 1,358 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
    2003-05-30 14:22 344,064 ----a-r C:\Program Files\msvcr70.dll
    2002-01-05 08:40 487,424 ----a-w C:\Program Files\msvcp70.dll
    2001-08-08 20:58 21,866 ----a-w C:\Program Files\Common Files\tppupd2k.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Update Manager"="C:\Program Files\Rogers\Update Manager\UpdateManager.exe" [2004-05-27 08:26 136992]
    "RHSI SHS"="C:\Program Files\Rogers\SelfHealing\SHS.exe" [2004-09-10 10:47 1029928]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 23:00 15360]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05 204288]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
    "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 19:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-04 00:10 344064]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe]
    "RegistryMechanic"="" []
    "Lexmark 1200 Series"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2006-03-16 02:07 57344]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-31 22:34 180269]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
    "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
    "SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 16:57 36640]
    "McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-07-22 20:29 1160480]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tivuyqgg]
    tivuyqgg.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    --a------ 2005-05-03 18:43 69632 C:\WINDOWS\ALCMTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
    --a------ 2005-09-21 15:32 2807808 C:\WINDOWS\ALCWZRD.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
    --a------ 2005-08-12 13:43 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2005-02-16 22:11 49152 C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2006-07-31 22:34 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
    --a------ 2004-11-12 12:24 106557 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Ati HotKey Poller"=2 (0x2)

    R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2008-01-23 21:33]
    R2 p2csvc;p2csvc;C:\WINDOWS\system32\p2csvc.exe [2007-03-08 14:05]
    S2 0282061201904288mcinstcleanup;McAfee Application Installer Cleanup (0282061201904288);C:\WINDOWS\TEMP\028206~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []
    S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys [2004-08-03 23:10]
    S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys [2004-08-03 23:10]
    S3 p2usb;Panasonic P2 Series USB Device;C:\WINDOWS\system32\DRIVERS\p2usb.sys [2007-05-15 17:20]
    S3 PhilCam8116;Logitech QuickCam Pro 3000 (08B0);C:\WINDOWS\system32\DRIVERS\CamDrO21.sys [2001-08-17 13:05]
    S3 TPP300;USB Storage Adapter V3 (TPP);C:\WINDOWS\system32\DRIVERS\TPP300.SYS [2001-08-08 15:59]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-27 22:27:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-02-02 00:50:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
    - C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped05.exe
    "2008-01-13 21:26:03 C:\WINDOWS\Tasks\McDefragTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
    "2008-01-13 21:26:01 C:\WINDOWS\Tasks\McQcTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    "2008-02-01 22:13:16 C:\WINDOWS\Tasks\RegCure Program Check.job"
    - C:\Program Files\RegCure\RegCure.exe
    "2008-01-26 01:02:07 C:\WINDOWS\Tasks\RegCure.job"
    - C:\Program Files\RegCure\RegCure.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-01 23:18:20
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-01 23:19:00
    ComboFix-quarantined-files.txt 2008-02-02 04:18:57
    ComboFix2.txt 2008-01-31 04:31:44
    .
    2008-01-25 08:03:48 --- E O F ---
     
  12. echoreply

    echoreply Regular member

    Joined:
    Nov 9, 2007
    Messages:
    472
    Likes Received:
    0
    Trophy Points:
    26
    OK, thanks for the info.

    Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad.

    Save this as CFScript to your desktop.

    Code:
    File::
    C:\WINDOWS\system32\jxcklvoj.dll 
    C:\WINDOWS\system32\jovlkcxj.ini 
    C:\WINDOWS\system32\nccjpoqj.ini 
    C:\WINDOWS\system32\cyybwrwb.ini 
    C:\WINDOWS\system32\qmtmgeaa.ini 
    C:\WINDOWS\system32\alrbvkua.dll 
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tivuyqgg] 
    
    
    Now locate the script you just saved to your desktop and the ComboFix icon on your desktop. Using your mouse, drag the script file right on top of the ComboFix icon and release. ComboFix will run; post the new log it generates in your next reply.
     
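    The two things the script above targets, a Winlogon\Notify subkey whose DLL is listed as a bare file name (tivuyqgg.dll, with no path) and a set of eight-letter random-named files in system32 (note that jovlkcxj.ini is jxcklvoj.dll spelled backwards), are patterns worth pulling out of a ComboFix log automatically rather than by eye. The Python below is an added example written for this page; it is not part of the thread and not ComboFix's own code. The sample lines are constructed from the log and CFScript above. Two points are assumptions, not documented ComboFix behaviour: that a bare file name under a Notify key means ComboFix could not locate the DLL on disk, and that "exactly eight lower-case letters" is a useful random-name heuristic.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the ComboFix output and the CFScript
# in the thread, trimmed to the entries this example needs.
SAMPLE_REG_SECTION = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tivuyqgg]
tivuyqgg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 23:00 15360]
"RegistryMechanic"="" []
"""

SAMPLE_FILE_LIST = r"""
C:\WINDOWS\system32\jxcklvoj.dll
C:\WINDOWS\system32\jovlkcxj.ini
C:\WINDOWS\system32\nccjpoqj.ini
C:\WINDOWS\system32\cyybwrwb.ini
C:\WINDOWS\system32\qmtmgeaa.ini
C:\WINDOWS\system32\alrbvkua.dll
C:\WINDOWS\system32\ctfmon.exe
"""

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
RANDOM_STEM = re.compile(r"^[a-z]{8}$")   # heuristic, see lead-in


def parse_reg_sections(text: str) -> Dict[str, List[str]]:
    """Group the lines following each [HKEY_...] header under that key.
    Keys are lower-cased because ComboFix prints them in mixed case."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group("key").lower()
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def winlogon_notify_findings(sections: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(subkey, value) for Winlogon\\Notify entries whose DLL is a bare name.
    Assumption: a found DLL is printed with its full path, timestamp and size,
    so a bare name means the file was not located where the key points."""
    marker = "\\winlogon\\notify\\"
    findings = []
    for key, lines in sections.items():
        if marker not in key or not lines:
            continue
        subkey = key.rsplit("\\", 1)[1]
        value = lines[0]
        if "\\" not in value:
            findings.append((subkey, value))
    return findings


def split_name(path: str) -> Tuple[str, str]:
    """'C:\\x\\Foo.DLL' -> ('foo', 'dll')."""
    name = path.rsplit("\\", 1)[-1].lower()
    stem, _, ext = name.rpartition(".")
    return stem, ext


def looks_random(stem: str) -> bool:
    """Heuristic: the droppers in this thread used exactly eight lower-case
    letters. Treat a hit as 'look closer', not as a verdict."""
    return bool(RANDOM_STEM.match(stem))


def random_named_files(file_list: str) -> List[str]:
    return [ln.strip().rsplit("\\", 1)[-1] for ln in file_list.splitlines()
            if ln.strip() and looks_random(split_name(ln.strip())[0])]


def reversed_name_pairs(file_list: str) -> List[Tuple[str, str]]:
    """Pair each .ini with a .dll whose stem is the .ini stem reversed."""
    dlls: Dict[str, str] = {}
    inis: Dict[str, str] = {}
    for ln in file_list.splitlines():
        ln = ln.strip()
        if not ln:
            continue
        stem, ext = split_name(ln)
        if ext == "dll":
            dlls[stem] = ln.rsplit("\\", 1)[-1]
        elif ext == "ini":
            inis[stem] = ln.rsplit("\\", 1)[-1]
    return [(dlls[s[::-1]], n) for s, n in sorted(inis.items()) if s[::-1] in dlls]


def triage(reg_text: str, file_list: str) -> List[str]:
    """One human-readable finding per line."""
    out = []
    for subkey, value in winlogon_notify_findings(parse_reg_sections(reg_text)):
        tag = " (random-looking name)" if looks_random(split_name(value)[0]) else ""
        out.append(f"winlogon notify {subkey!r}: bare DLL name {value!r}{tag}")
    for dll, ini in reversed_name_pairs(file_list):
        out.append(f"reversed-name pair: {dll} <-> {ini}")
    return out


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG_SECTION, SAMPLE_FILE_LIST):
        print(finding)
```

    Run it on a real log by passing the text of the "Reg Loading Points" section and the "File::" list in place of the two samples. A hit is a reason to look at the file, check its signature and compare against a known-good machine, not a reason to delete on sight.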
  13. limeninja

    limeninja Member

    Joined:
    Jan 25, 2008
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    11
    Here is the new log.

    ComboFix 08-02.01.6 - HP_Administrator 2008-02-02 14:40:05.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.468 [GMT -5:00]
    Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\WINDOWS\system32\alrbvkua.dll
    C:\WINDOWS\system32\cyybwrwb.ini
    C:\WINDOWS\system32\jovlkcxj.ini
    C:\WINDOWS\system32\jxcklvoj.dll
    C:\WINDOWS\system32\nccjpoqj.ini
    C:\WINDOWS\system32\qmtmgeaa.ini
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\WINDOWS\system32\alrbvkua.dll
    C:\WINDOWS\system32\cyybwrwb.ini
    C:\WINDOWS\system32\jovlkcxj.ini
    C:\WINDOWS\system32\jxcklvoj.dll
    C:\WINDOWS\system32\nccjpoqj.ini
    C:\WINDOWS\system32\qmtmgeaa.ini

    ----- BITS: Possible infected sites -----

    hxxp://au.download.windowsupdate.com
    .
    ((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
    .

    2008-01-30 21:30 . 2008-01-30 21:30 <DIR> d-------- C:\Program Files\CCleaner
    2008-01-30 20:42 . 2008-01-30 20:44 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-01-30 20:42 . 2008-01-30 20:42 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
    2008-01-30 20:42 . 2008-01-30 20:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-01-27 19:49 . 2008-01-31 19:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-01-27 19:49 . 2008-01-27 19:49 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-01-27 19:47 . 2008-01-27 19:47 <DIR> d-------- C:\Program Files\iTunes
    2008-01-25 20:01 . 2008-01-25 20:13 <DIR> d-------- C:\Program Files\RegCure
    2008-01-25 19:26 . 2008-01-30 20:41 <DIR> d-------- C:\Program Files\XoftSpySE
    2008-01-25 19:15 . 2008-01-25 19:15 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-23 22:44 . 2008-01-23 22:44 <DIR> d-------- C:\EPData
    2008-01-23 22:43 . 2008-01-23 22:44 <DIR> d--h----- C:\Program Files\Zero G Registry
    2008-01-23 22:43 . 2008-01-23 22:43 <DIR> d-------- C:\Program Files\EP
    2008-01-23 22:34 . 2008-01-23 22:34 <DIR> d--h----- C:\Documents and Settings\HP_Administrator\InstallAnywhere
    2008-01-23 21:33 . 2008-01-23 21:33 120,832 --a------ C:\WINDOWS\lcmmfu.cpl
    2008-01-23 21:33 . 2008-01-23 21:33 2,560 --a------ C:\WINDOWS\Runservice.exe
    2008-01-23 21:33 . 2008-02-02 14:31 865 --ahs---- C:\WINDOWS\system32\mmf.sys
    2008-01-23 20:49 . 2008-01-23 21:33 45,056 --a------ C:\WINDOWS\mmfs.dll
    2008-01-20 12:04 . 2008-01-20 12:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
    2008-01-19 20:16 . 2008-01-19 20:16 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\SiteAdvisor
    2008-01-16 18:14 . 2008-01-16 18:15 12,800 --ahs---- C:\WINDOWS\system32\Thumbs.db
    2008-01-13 16:31 . 2008-02-02 14:32 40,109 --a------ C:\WINDOWS\system32\Config.MPF
    2008-01-13 16:30 . 2008-01-20 22:36 <DIR> d-------- C:\Program Files\SiteAdvisor
    2008-01-13 16:30 . 2008-01-20 12:03 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SiteAdvisor
    2008-01-13 16:30 . 2008-02-01 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2008-01-13 16:28 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
    2008-01-13 16:26 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
    2008-01-13 16:26 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
    2008-01-13 16:26 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
    2008-01-13 16:26 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
    2008-01-13 16:26 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
    2008-01-13 16:26 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
    2008-01-13 16:24 . 2008-01-13 16:26 <DIR> d-------- C:\Program Files\Common Files\McAfee
    2008-01-13 15:41 . 2008-01-26 13:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
    2008-01-11 17:53 . 2008-01-13 14:02 78 --a------ C:\WINDOWS\lsoon.ini
    2008-01-10 22:45 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
    2008-01-10 22:42 . 2008-01-11 23:49 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Regrun
    2008-01-10 22:42 . 2008-01-10 22:42 <DIR> d-------- C:\backreg
    2008-01-10 22:40 . 2008-01-10 22:40 <DIR> d-------- C:\Program Files\Greatis
    2008-01-10 22:40 . 2003-09-06 15:55 57,556 --a------ C:\WINDOWS\guard.bmp
    2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
    2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
    2008-01-09 18:57 . 2008-01-09 18:57 1,158 --a------ C:\WINDOWS\mozver.dat
    2008-01-05 15:09 . 2008-01-05 15:09 40 --a------ C:\WINDOWS\system32\drmgs.sys
    2008-01-05 15:01 . 2008-01-05 15:01 <DIR> d-------- C:\Program Files\MagicISO
    2008-01-04 18:45 . 2008-01-04 18:45 <DIR> d-------- C:\Program Files\Panasonic P2
    2008-01-03 19:40 . 2006-04-28 22:42 33 --a------ C:\WINDOWS\digifxf32.dat
    2008-01-03 19:04 . 2008-01-03 19:04 <DIR> d-------- C:\Program Files\ViviClip Video Filters 3
    2008-01-03 18:06 . 2006-04-28 22:40 31 --a------ C:\WINDOWS\digifxc22.dat
    2008-01-02 18:26 . 2004-03-29 15:23 90,112 --a------ C:\WINDOWS\unvise32.exe
    2008-01-02 17:47 . 2008-01-02 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-01-02 17:39 . 2008-01-02 17:39 <DIR> d-------- C:\Program Files\Bonjour
    2008-01-02 17:30 . 2008-01-02 17:30 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-02 19:31 --------- d-----w C:\Program Files\McAfee
    2008-02-02 05:21 --------- d-----w C:\Program Files\InterVideo
    2008-02-02 05:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-02 05:20 --------- d-----w C:\Program Files\Creative
    2008-01-31 03:06 --------- d-----w C:\Program Files\Broderbund
    2008-01-31 03:03 --------- d-----w C:\Program Files\Webshots
    2008-01-31 01:41 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-01-28 00:47 --------- d-----w C:\Program Files\iPod
    2008-01-28 00:43 --------- d-----w C:\Program Files\QuickTime
    2008-01-27 05:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-01-26 18:00 118,306 ----a-w C:\WINDOWS\Fonts\x.zip
    2008-01-26 17:59 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\McAfee
    2008-01-24 03:26 --------- d-----w C:\Program Files\LimeWire
    2008-01-24 03:17 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-01-22 21:14 --------- d-----w C:\Program Files\Lexmark 1200 Series
    2008-01-16 23:07 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-01-16 00:29 --------- d-----w C:\Program Files\BitComet
    2008-01-13 21:35 --------- d-----w C:\Program Files\McAfee.com
    2008-01-13 21:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
    2008-01-08 05:15 --------- d-----w C:\Program Files\Neuratron PhotoScore Lite Demo
    2007-12-20 00:25 65,984 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
    2007-12-13 20:33 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\U3
    2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
    2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
    2007-10-01 17:15 290,830 ----a-w C:\WINDOWS\Fonts\Setup.exe
    2005-09-27 01:11 1,358 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
    2003-05-30 14:22 344,064 ----a-r C:\Program Files\msvcr70.dll
    2002-01-05 08:40 487,424 ----a-w C:\Program Files\msvcp70.dll
    2001-08-08 20:58 21,866 ----a-w C:\Program Files\Common Files\tppupd2k.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Update Manager"="C:\Program Files\Rogers\Update Manager\UpdateManager.exe" [2004-05-27 08:26 136992]
    "RHSI SHS"="C:\Program Files\Rogers\SelfHealing\SHS.exe" [2004-09-10 10:47 1029928]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 23:00 15360]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05 204288]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
    "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 19:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-04 00:10 344064]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe]
    "RegistryMechanic"="" []
    "Lexmark 1200 Series"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2006-03-16 02:07 57344]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-31 22:34 180269]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
    "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
    "SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 16:57 36640]
    "McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-07-22 20:29 1160480]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tivuyqgg]
    tivuyqgg.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    --a------ 2005-05-03 18:43 69632 C:\WINDOWS\ALCMTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
    --a------ 2005-09-21 15:32 2807808 C:\WINDOWS\ALCWZRD.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
    --a------ 2005-08-12 13:43 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2005-02-16 22:11 49152 C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2006-07-31 22:34 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
    --a------ 2004-11-12 12:24 106557 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Ati HotKey Poller"=2 (0x2)

    R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2008-01-23 21:33]
    R2 p2csvc;p2csvc;C:\WINDOWS\system32\p2csvc.exe [2007-03-08 14:05]
    S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys [2004-08-03 23:10]
    S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys [2004-08-03 23:10]
    S3 p2usb;Panasonic P2 Series USB Device;C:\WINDOWS\system32\DRIVERS\p2usb.sys [2007-05-15 17:20]
    S3 PhilCam8116;Logitech QuickCam Pro 3000 (08B0);C:\WINDOWS\system32\DRIVERS\CamDrO21.sys [2001-08-17 13:05]
    S3 TPP300;USB Storage Adapter V3 (TPP);C:\WINDOWS\system32\DRIVERS\TPP300.SYS [2001-08-08 15:59]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-27 22:27:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-02-02 04:50:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
    - C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped05.exe
    "2008-01-13 21:26:03 C:\WINDOWS\Tasks\McDefragTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
    "2008-01-13 21:26:01 C:\WINDOWS\Tasks\McQcTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    "2008-02-02 19:32:33 C:\WINDOWS\Tasks\RegCure Program Check.job"
    - C:\Program Files\RegCure\RegCure.exe
    "2008-01-26 01:02:07 C:\WINDOWS\Tasks\RegCure.job"
    - C:\Program Files\RegCure\RegCure.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-02 14:45:24
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-02 14:46:01
    ComboFix-quarantined-files.txt 2008-02-02 19:45:58
    ComboFix2.txt 2008-02-02 04:19:01
    ComboFix3.txt 2008-01-31 04:31:44
    .
    2008-01-25 08:03:48 --- E O F ---
     
  14. echoreply

    echoreply Regular member

    Joined:
    Nov 9, 2007
    Messages:
    472
    Likes Received:
    0
    Trophy Points:
    26
    OK, good. You should know that file sharing networks are a large part of distributing malware. I have some P2P info on my web site. How's it looking on your end now?
     
  15. limeninja

    limeninja Member

    Joined:
    Jan 25, 2008
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    11
    It's looking pretty good, thanks. Startup's a lot quicker. When I run a virus scan, it still comes up with Junk Nav Quar that it can't remove, and the C: drive still shows up as an 'X', but everything seems to be running okay.
     
  16. echoreply

    echoreply Regular member

    Joined:
    Nov 9, 2007
    Messages:
    472
    Likes Received:
    0
    Trophy Points:
    26
    OK, good. You can remove ComboFix like this:

    Go to Start > Run and type in combofix /u
    (there is a space after the "x" and before the /)

    Do an online scan here:
    ESET online scanner:

    http://www.eset.com/onlinescan/

    Uses Internet Explorer only.
    Check "YES" to accept the terms.
    Click the Start button.
    Allow the ActiveX component to install.
    Click the Start button; the scanner will update.
    Check both "Remove found threats" and "Scan unwanted applications".
    Click Scan.
    When done you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt
    Please copy/paste that log in your next reply.

    echoreply
     
  17. limeninja

    limeninja Member

    Joined:
    Jan 25, 2008
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    11
    I ran the ESET online scanner. I think it found something it couldn't delete either.

    # version=4
    # OnlineScanner.ocx=1.0.0.56
    # OnlineScannerDLLA.dll=1, 0, 0, 51
    # OnlineScannerDLLW.dll=1, 0, 0, 51
    # OnlineScannerUninstaller.exe=1, 0, 0, 49
    # vers_standard_module=2847 (20080204)
    # vers_arch_module=1.063 (20080117)
    # vers_adv_heur_module=1.060 (20070601)
    # EOSSerial=bba62771a7f38549980f9432604a7527
    # end=finished
    # remove_checked=true
    # unwanted_checked=true
    # utc_time=2008-02-05 05:37:19
    # local_time=2008-02-05 12:37:19 (-0500, Eastern Standard Time)
    # country="Canada"
    # osver=5.1.2600 NT Service Pack 2
    # scanned=645614
    # found=3
    # scan_time=9617
    C:\WINDOWS\Fonts\Setup.exe probably unknown NewHeur_PE virus (unable to clean - deleted) 00000000000000000000000000000000
    C:\WINDOWS\Fonts\x.zip probably unknown NewHeur_PE virus (deleted) 00000000000000000000000000000000
    C:\WINDOWS\Fonts\x.zip »ZIP »Setup.exe probably unknown NewHeur_PE virus (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
     
  18. echoreply

    echoreply Regular member

    Joined:
    Nov 9, 2007
    Messages:
    472
    Likes Received:
    0
    Trophy Points:
    26
    Hi,

    Looks like it deleted a part of it?

    Navigate here:
    C:\WINDOWS\Fonts\

    Look in the Fonts dir for a zip file; don't delete it yet, just see if you can find a zip file in there.

    To show all files:
    For XP: on the desktop double-click My Computer, go to Tools > Folder Options > View, then select "Show hidden files and folders", then UNcheck "Hide protected operating system files", also UNcheck "Hide extensions for known file types", click Apply to All Folders, then Apply, then OK.
     
  19. limeninja

    limeninja Member

    Joined:
    Jan 25, 2008
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    11
    Can't find any zip file in the Fonts folder, but the virus scan keeps coming up with this Junk Nav Quar virus and the C: drive is still an 'X'.
     
  20. echoreply

    echoreply Regular member

    Joined:
    Nov 9, 2007
    Messages:
    472
    Likes Received:
    0
    Trophy Points:
    26
    Your McAfee AV? Does it provide a path to the file? That online scan looks OK. It's possible it could be a false positive.

    You can try this for the icon:
    First back up your registry. If you don't know how, don't do this yet until I post back; I am not in Windows now so I can't check. I can post back with directions on backing it up.

    Open Notepad and copy/paste in what's below:

    Code:
    REGEDIT4
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Drive Icons]
    
    
    Save this to your desktop:

    Filename: fixit.reg
    Save as type: All Files (*.*)

    Double-click fixit.reg on your desktop and select Yes when asked if you want to merge it into the registry. Reboot the computer and check the drive icon.
     
