I'm currently running Windows XP, internet explorer v7, and firefox v3.0.4 with the latest updates as of December 17. I have recently started having internet explorer and firefox crash upon immediate start-up. What is so odd is I have scanned for everything thinking I had a browser hijack or trojan but I have found nothing using the following tools: Adware 2008 (free version) SpyBot SpySweeper Mcafee Then final running HijackThis & Combofix logs as shown below. Any advice or help would be greatly appreciated. HijackThis Log StartupList report, 12/19/2008, 1:10:35 AM StartupList version: 1.52.2 Started from : D:\VirusScanners\HijackThis.EXE Detected: Windows XP SP3 (WinNT 5.01.2600) Detected: Internet Explorer v7.00 (7.00.6000.16762) * Using default options ================================================== Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\program files\common files\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\McAfee\MPF\MPFSrv.exe C:\Program Files\McAfee\MSK\MskSrver.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\Program Files\Logitech\Video\LogiTray.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Belkin\Bluetooth Software\BTTray.exe C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe C:\Program Files\Logitech\Video\FxSvr2.exe C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Webroot\Spy Sweeper\SSU.EXE C:\WINDOWS\system32\hpoipm07.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe c:\PROGRA~1\mcafee\msc\mcuimgr.exe C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe D:\VirusScanners\HijackThis.exe -------------------------------------------------- Listing of startup folders: Shell folders Common Startup: [C:\Documents and Settings\All Users\Start Menu\Programs\Startup] Adobe Acrobat Speed Launcher.lnk = ? Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe Bluetooth.lnk = ? HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe -------------------------------------------------- Checking Windows NT UserInit: [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINDOWS\system32\userinit.exe, -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SunJavaUpdateSched = "C:\Program Files\Java\jre6\bin\jusched.exe" SoundMAXPnP = "C:\Program Files\Analog Devices\Core\smax4pnp.exe" IAAnotif = "C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" ATIPTA = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" dla = C:\WINDOWS\system32\dla\tfswctrl.exe UpdateManager = "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r DVDLauncher = "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" Share-to-Web Namespace Daemon = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" MimBoot = "C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe" NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime LVCOMSX = C:\WINDOWS\system32\LVCOMSX.EXE LogitechVideoRepair = "C:\Program Files\Logitech\Video\ISStart.exe" LogitechVideoTray = "C:\Program Files\Logitech\Video\LogiTray.exe" Name of App = "C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe" r Adobe Version Cue CS2 = "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" Acrobat Assistant 7.0 = "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" mcagent_exe = "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey SpySweeper = "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} = "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" LDM = "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" LogitechSoftwareUpdate = "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe -------------------------------------------------- File association entry for .SCR: HKEY_CLASSES_ROOT\AutoCADScriptFile\shell\open\command (Default) = C:\WINDOWS\NOTEPAD.EXE "%1" -------------------------------------------------- Shell & screensaver key from C:\WINDOWS\SYSTEM.INI: Shell=*INI section not found* SCRNSAVE.EXE=*INI section not found* drivers=*INI section not found* Shell & screensaver key from Registry: Shell=Explorer.exe SCRNSAVE.EXE=*Registry value not found* drivers=*Registry value not found* Policies Shell key: HKCU\..\Policies: Shell=*Registry value not found* HKLM\..\Policies: Shell=*Registry value not found* -------------------------------------------------- Enumerating Browser Helper Objects: Ask Search Assistant BHO - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} (no name) - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} McAntiPhishingBHO - c:\PROGRA~1\mcafee\msk\mcapbho.dll - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} (no name) - C:\WINDOWS\system32\dla\tfswshx.dll - {5CA3D70E-1895-11CF-8E15-001234567890} (no name) - C:\Program Files\Java\jre6\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6} (no name) - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910} (no name) - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} (no name) - C:\Program Files\Java\jre6\bin\jp2ssv.dll - {DBC80044-A445-435b-BC74-9C25C1C588A9} JQSIEStartDetectorImpl - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} Ask Toolbar BHO - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} -------------------------------------------------- Enumerating Task Scheduler jobs: McAfee.com Scan for Viruses - My Computer (CORDELL-210-Raymon Cordell).job McDefragTask.job McQcTask.job MP Scheduled Scan.job -------------------------------------------------- Enumerating Download Program Files: [Checkers Class] InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab [Office Genuine Advantage Validation Tool] InProcServer32 = C:\WINDOWS\system32\OGACheckControl.DLL CODEBASE = http://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab [ZoneUpwords Object] InProcServer32 = C:\WINDOWS\Downloaded Program Files\Upwords.ocx CODEBASE = http://messenger.zone.msn.com/binary/Upwords.cab31267.cab [MessengerStatsClient Class] InProcServer32 = C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab [Windows Genuine Advantage Validation Tool] InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll CODEBASE = http://download.microsoft.com/downl...-40e1-a617-af65a72a0465/LegitCheckControl.cab [MUWebControl Class] InProcServer32 = C:\WINDOWS\system32\muweb.dll CODEBASE = http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1198520327390 [AcDcToday Control] InProcServer32 = C:\WINDOWS\DOWNLO~1\ACDCTO~1.OCX CODEBASE = file:///C:/Program%20Files/AutoCAD%202002/AcDcToday.ocx [MessengerStatsClient Class] InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab [VaPgCtrl Class] InProcServer32 = C:\WINDOWS\Downloaded Program Files\VAPGDecoder.dll CODEBASE = http://www.4xem.com/downloads/cab/WPT/h263ctrl.cab [NOXLATE-BANR] InProcServer32 = C:\WINDOWS\DOWNLO~1\InstBanr.ocx CODEBASE = file:///C:/Program%20Files/AutoCAD%202002/InstBanr.ocx [ZoneIntro Class] InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx CODEBASE = http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab [CBreakshotControl Class] InProcServer32 = C:\WINDOWS\Downloaded Program Files\Banksht2.dll CODEBASE = http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab [InstaFred] InProcServer32 = C:\WINDOWS\DOWNLO~1\InstFred.ocx CODEBASE = file:///C:/Program%20Files/AutoCAD%202002/InstFred.ocx [Office Update Installation Engine] InProcServer32 = C:\WINDOWS\opuc.dll CODEBASE = http://office.microsoft.com/officeupdate/content/opuc4.cab [Shockwave Flash Object] InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab [WheelofFortune Object] InProcServer32 = C:\WINDOWS\Downloaded Program Files\WoF.ocx CODEBASE = http://messenger.zone.msn.com/binary/WoF.cab31267.cab [AcPreview Control] InProcServer32 = C:\WINDOWS\DOWNLO~1\ACPREV~1.OCX CODEBASE = file:///C:/Program%20Files/AutoCAD%202002/AcPreview.ocx -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: PostBootReminder: C:\WINDOWS\system32\SHELL32.dll CDBurn: C:\WINDOWS\system32\SHELL32.dll WebCheck: C:\WINDOWS\system32\webcheck.dll SysTray: C:\WINDOWS\system32\stobject.dll WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll -------------------------------------------------- End of report, 12,135 bytes Report generated in 0.219 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only Combofix Log -----Inline Attachment Follows----- ComboFix 08-12-18.01 - Owner 2008-12-19 0:35:33.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.520 [GMT -5:00] Running from: d:\virusscanners\ComboFix.exe * Resident AV is active . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\IE4 Error Log.txt c:\windows\system32\bszip.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_FAD ((((((((((((((((((((((((( Files Created from 2008-11-19 to 2008-12-19 ))))))))))))))))))))))))))))))) . 2008-12-18 22:24 . 2008-12-18 22:24 <DIR> d-------- c:\program files\AskSBar 2008-12-18 22:24 . 2008-12-18 22:24 <DIR> d-------- c:\documents and settings\Owner\Application Data\Webroot 2008-12-18 22:24 . 2008-01-04 20:56 1,526,640 --a------ c:\windows\WRSetup.dll 2008-12-18 22:24 . 2008-01-04 20:34 20,336 --a------ c:\windows\system32\drivers\SSFS0BB9.sys 2008-12-18 21:28 . 2008-12-18 21:28 <DIR> d-------- C:\VundoFix Backups 2008-12-17 17:08 . 2008-12-17 17:08 0 --a------ c:\windows\nsreg.dat 2008-12-11 14:27 . 2008-12-11 14:27 54,156 --ah----- c:\windows\QTFont.qfn 2008-12-11 14:27 . 2008-12-11 14:27 1,409 --a------ c:\windows\QTFont.for 2008-11-30 00:51 . 2008-11-30 00:51 <DIR> d-------- c:\documents and settings\Owner\Application Data\OfficeUpdate12 2008-11-30 00:49 . 2008-11-30 00:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage 2008-11-30 00:41 . 2008-11-30 00:42 <DIR> d-------- c:\documents and settings\Owner\Application Data\U3 2008-11-30 00:37 . 2008-11-30 00:37 410,976 --a------ c:\windows\system32\deploytk.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-17 21:36 --------- d-----w c:\program files\McAfee 2008-12-06 19:24 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore 2008-11-30 05:37 --------- d-----w c:\program files\Java 2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll 2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll 2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll 2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll 2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll 2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll 2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll 2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe 2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll 2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll 2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll 2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll 2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll 2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll 2007-07-22 16:31 24,192 ----a-w c:\documents and settings\Owner\usbsermptxp.sys 2007-07-22 16:31 22,768 ----a-w c:\documents and settings\Owner\usbsermpt.sys 2007-07-18 19:31 92,064 ----a-w c:\documents and settings\Owner\mqdmmdm.sys 2007-07-18 19:31 9,232 ----a-w c:\documents and settings\Owner\mqdmmdfl.sys 2007-07-18 19:31 79,328 ----a-w c:\documents and settings\Owner\mqdmserd.sys 2007-07-18 19:31 66,656 ----a-w c:\documents and settings\Owner\mqdmbus.sys 2007-07-18 19:31 6,208 ----a-w c:\documents and settings\Owner\mqdmcmnt.sys 2007-07-18 19:31 5,936 ----a-w c:\documents and settings\Owner\mqdmwhnt.sys 2007-07-18 19:31 4,048 ----a-w c:\documents and settings\Owner\mqdmcr.sys 2006-12-26 02:07 774,144 ----a-w c:\program files\RngInterstitial.dll 2005-10-08 14:42 427,904 ----a-w c:\documents and settings\Owner\Owner CONST. OCT '05 PRICING FROM MAGBEE.dat 2008-04-14 00:12 57,344 --sh--w c:\windows\system32\msvcirt.dll 2008-08-30 02:48 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082920080830\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-12-18 66912] [HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}] 2008-12-18 22:24 66912 --a------ c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-24 94208] "LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-21 67128] "LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-30 136600] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928] "IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-29 339968] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939] "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344] "Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344] "MimBoot"="c:\program files\Musicmatch\Musicmatch Jukebox\mimboot.exe" [2004-12-06 11264] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-08 98304] "LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184] "LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752] "LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088] "Name of App"="c:\program files\SAMSUNG\FW LiveUpdate\FWManager.exe" [2007-04-05 684118] "Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064] "Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328] "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992] "SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 5367664] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-12-24 25214] Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664] Bluetooth.lnk - c:\program files\Belkin\Bluetooth Software\BTTray.exe [2006-06-07 553021] HPAiODevice(hp officejet d series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe [2002-03-05 491582] Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-03-21 67128] Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588] QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-10-22 806912] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\WINDOWS\\system32\\dpnsvr.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MSN Messenger\\msncall.exe"= "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"= "c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"= "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-07-28 29808] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-09-29 203280] R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592] S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\DRIVERS\ADM8511.SYS [2001-08-17 20160] . Contents of the 'Scheduled Tasks' folder 2008-12-12 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (Owner-210-Owner).job - c:\program files\mcafee.com\vso\mcmnhdlr.exe [] 2007-02-14 c:\windows\Tasks\McDefragTask.job - c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32] 2008-04-01 c:\windows\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32] 2008-12-19 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20] . - - - - ORPHANS REMOVED - - - - HKLM-Run-BJCFD - c:\program files\BroadJump\Client Foundation\CFD.exe . ------- Supplementary Scan ------- . uStart Page = hxxp://hometab.bellsouth.net/ uInternet Settings,ProxyOverride = localhost IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: Send to &Bluetooth Device... - c:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm Trusted Zone: *.musicmatch.com Trusted Zone: *.musicmatch.com Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ug0b1pw0.default\ FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-19 00:47:38 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... c:\docume~1\Owner~1\LOCALS~1\Temp\fb13.tmp 16384 bytes c:\docume~1\Owner~1\LOCALS~1\Temp\~DFFD69.tmp 512 bytes scan completed successfully hidden files: 2 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(680) c:\windows\system32\WRLogonNTF.dll - - - - - - - > 'explorer.exe'(2328) c:\program files\McAfee\SiteAdvisor\saHook.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\ati2evxx.exe c:\program files\Belkin\Bluetooth Software\bin\btwdins.exe c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe c:\program files\Java\jre6\bin\jqs.exe c:\progra~1\McAfee\MSC\mcmscsvc.exe c:\program files\Common Files\McAfee\MNA\McNASvc.exe c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\McAfee\MPF\MpfSrv.exe c:\program files\McAfee\MSK\msksrver.exe c:\program files\Webroot\Spy Sweeper\SpySweeper.exe c:\progra~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe c:\program files\Musicmatch\Musicmatch Jukebox\mim.exe c:\program files\Logitech\Video\FxSvr2.exe c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe c:\progra~1\McAfee\MSC\mcuimgr.exe c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe c:\program files\Webroot\Spy Sweeper\ssu.exe c:\windows\system32\hpoipm07.exe c:\program files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe c:\program files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe . ************************************************************************** . Completion time: 2008-12-19 0:52:58 - machine was rebooted [Owner] ComboFix-quarantined-files.txt 2008-12-19 05:52:47 Pre-Run: 51,966,898,176 bytes free Post-Run: 53,526,671,360 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect 218 --- E O F --- 2008-12-18 22:40:44
Hi yfzr, Do a Full scan with HJT and post the Log. Just a Startup Log doesn’t show what I need to see and my Crystal Ball is a bit cloudy. The Combofix Log shows 2 Rootkits that will need to be removed. First run MalwareBytes’ AntiMalware to remove the Trojans and post some Logs and then we can take care of the Rootkits with ComboFix.. Run MBAM in Safe Mode: Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and before the Windows icon appears press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode with Networking". Download Malwarebytes' Anti-Malware to your desktop. Double-click mbam-setup.exe and follow the prompts to install the program. • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. • If an update is found, it will download and install the latest version. • Once the program has loaded, select Perform full scan, then click Scan. • When the scan is complete, click OK, then Show Results to view the results. • Make sure that everything is checked, and click Remove Selected. <-- Don't forget this. • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt • Please post the MBAM Log and a fresh HJT log in your next reply. 2OG
