
help please

Discussion in 'Virus & Other Malware Removal' started by momfroma2z, Nov 2, 2007.

  1. momfroma2z (Thread Starter)
    Not exactly sure what all I have right now. Two weeks ago I caught the thing that changes your desktop to the all-red one with the evil hazard sign. Did some searching and some cleaning, but never seemed to get back to normal. Was OK, but not right, ya know?

    Last night I started to get lots of "warning malware" pop-ups, with Trojan SPM/LX as one of the main subjects.

    Ran SmitFraudFix, selecting Clean, and got:
    SmitFraudFix v2.246

    Scan done at 7:49:30.10, Fri 11/02/2007
    Run from C:\Documents and Settings\Owner\Desktop\smitfraudfix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{97DD28BB-600D-4751-AD18-9F402753491F}: DhcpNameServer=68.87.72.130 68.87.77.130
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{97DD28BB-600D-4751-AD18-9F402753491F}: DhcpNameServer=68.87.72.130 68.87.77.130
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{97DD28BB-600D-4751-AD18-9F402753491F}: DhcpNameServer=68.87.72.130 68.87.77.130
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.72.130 68.87.77.130
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.72.130 68.87.77.130
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.72.130 68.87.77.130


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    And then HijackThis:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:54:32 AM, on 11/2/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\ps2.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\atwtusb.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe
    C:\Program Files\HP Multimedia Keyboard\KMaestro.exe
    C:\WINDOWS\System32\ICO.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\FSRremoS.EXE
    C:\Program Files\Vweuhirc\ergastln.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\System32\Pelmiced.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.scrapstreet.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 218.223.221.217:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Trellian BHO Impl - {24180B00-2EB6-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\Toolbar\toolbar.dll
    O2 - BHO: (no name) - {36A50B34-B2D6-F451-F34C-9D2B549782BD} - C:\WINDOWS\System32\kxo.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\System32\fccbcdd.dll
    O2 - BHO: (no name) - {919108ad-9ffd-41fb-8e92-f21354a68f10} - C:\WINDOWS\System32\xhenbei.dll (file missing)
    O2 - BHO: {27b9aa2f-2899-75c8-57f4-fb98ea8ed7c9} - {9c7de8ae-89bf-4f75-8c57-9982f2aa9b72} - C:\WINDOWS\System32\xjpngfgs.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: HelloWorldBHO - {B3A05538-8F91-49C1-8EE3-6EB142B41E2A} - C:\Program Files\Microsoft Help\Microsoft.System.Help.dll (file missing)
    O2 - BHO: (no name) - {D0B6557D-671E-40DC-BCCC-91EFE5E7D766} - C:\WINDOWS\System32\mlljg.dll (file missing)
    O2 - BHO: CBho Class - {F369DA09-FADE-44CB-987F-E2E0DEF51BCA} - C:\WINDOWS\system32\pgd.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: Trellian &Toolbar - {71AAABE5-1F0F-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [atwtusb] "atwtusb.exe" beta
    O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload
    O4 - HKLM\..\Run: [HPWQTOOLBOX] "C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe" "-i"
    O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\HP Multimedia Keyboard\KMaestro.exe"
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [lolelifc] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lolelifc.dll"
    O4 - HKLM\..\Run: [ergastln] "C:\Program Files\Vweuhirc\ergastln.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
    O4 - HKLM\..\Run: [ms] C:\DOCUME~1\Owner\LOCALS~1\Temp\31219\gm.exe
    O4 - HKLM\..\Run: [qjmlijqd] rundll32.exe "C:\Program Files\lezcjcpk\hwxqturi.dll",Init
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [0cfb20dc] rundll32.exe "C:\WINDOWS\System32\jcrjbani.dll",b
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [Kvxvgg] C:\WINDOWS\??mbols\??chost.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [belmande] update255.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: *.virusschlacht.com
    O15 - Trusted Zone: *.avsystemcare.com (HKLM)
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.onerateld.com (HKLM)
    O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
    O15 - Trusted Zone: *.virusschlacht.com (HKLM)
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: fccbcdd - C:\WINDOWS\SYSTEM32\fccbcdd.dll
    O20 - Winlogon Notify: hoykadeg - hoykadeg.dll (file missing)
    O20 - Winlogon Notify: MsMsgSrv - MsMsgSrv.DLL (file missing)
    O20 - Winlogon Notify: yqejhhjf - yqejhhjf.dll (file missing)
    O21 - SSODL: ypwMXxX - {0CFB2074-A651-8ADE-B439-87285013930C} - C:\WINDOWS\System32\ppxjl.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\WINDOWS\System32\_svchost.exe (file missing)
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

    --
    End of file - 12186 bytes

    Can you tell me what to do next, please? I appreciate your help.
     
  2. Cheeseball81 (Retired Moderator)
    Messy infection!

    Download ComboFix to your Desktop.

    • Double-click combofix.exe and follow the prompts.
    • When finished, it will produce a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running, as that may cause it to stall.
     
  3. momfroma2z (Thread Starter)
    Here is the ComboFix log:

    ComboFix 07-11-01.1 - Owner 2007-11-02 12:43:26.1 - NTFSx86
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    * Created a new restore point
    .
    ADS - svchost.exe: deleted 49664 bytes in 1 streams.

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users.\documents\settings
    C:\Documents and Settings\All Users.\documents\settings\desktop.ini
    C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
    C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
    C:\Documents and Settings\LocalService\Application Data\NetMon
    C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
    C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
    C:\Documents and Settings\Owner\~tmp1174.exe
    C:\Documents and Settings\Owner\Desktop\Live Safety Center.lnk
    C:\Documents and Settings\Owner\Desktop\Online Security Guide.lnk
    C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
    C:\Documents and Settings\Owner\Local Settings\Application Data.\n.ini
    C:\Documents and Settings\Owner\Local Settings\Application Data\n.ini
    C:\Documents and Settings\Owner\My Documents\WNSXS~1
    C:\Documents and Settings\Owner\My Documents\WNSXS~1\W?nSxS\
    C:\Program Files\SecCenter
    C:\temp\0b9
    C:\temp\0b9\tmpTF.log
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\temp\tn3
    C:\WINDOWS\dat.txt
    C:\WINDOWS\IA
    C:\WINDOWS\mbols~1
    C:\WINDOWS\rs.txt
    C:\WINDOWS\search_res.txt
    C:\WINDOWS\sys.log
    C:\WINDOWS\system32\__c0064C72.dat
    C:\WINDOWS\system32\__c009D690.dat
    C:\WINDOWS\system32\__c00BA03E.dat
    C:\WINDOWS\system32\__c00BB80E.dat
    C:\WINDOWS\system32\8_exception.nls
    C:\WINDOWS\system32\a13
    C:\WINDOWS\System32\ddayv.dll
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\secdrv.sys
    C:\WINDOWS\system32\e2
    C:\WINDOWS\system32\ehkmp.bak1
    C:\WINDOWS\system32\ehkmp.bak2
    C:\WINDOWS\system32\ehkmp.ini2
    C:\WINDOWS\system32\ehkmp.tmp
    C:\WINDOWS\system32\g1
    C:\WINDOWS\system32\gjllm.bak1
    C:\WINDOWS\system32\gjllm.ini
    C:\WINDOWS\system32\hoykadeg.dllbox
    C:\WINDOWS\system32\i8
    C:\WINDOWS\system32\i8\taldrvr11.exe
    C:\WINDOWS\system32\inabjrcj.ini
    C:\WINDOWS\system32\jcrjbani.dll
    C:\WINDOWS\system32\k.dat
    C:\WINDOWS\system32\kxo.dll
    C:\WINDOWS\system32\mp43.exe
    C:\WINDOWS\system32\n.ini
    C:\WINDOWS\system32\n2.ini
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\pgd.dll
    C:\WINDOWS\system32\RunOnce3.t__
    C:\WINDOWS\system32\RunOnce3.tmp
    C:\WINDOWS\system32\ststv.bak1
    C:\WINDOWS\system32\ststv.ini2
    C:\WINDOWS\system32\ststv.tmp
    C:\WINDOWS\system32\vyadd.bak1
    C:\WINDOWS\system32\vyadd.ini
    C:\WINDOWS\system32\x22
    C:\WINDOWS\system32\x22\wr31drs.exe
    C:\WINDOWS\system32\yqejhhjf.dllbox
    C:\WINDOWS\tsitra72.exe
    C:\WINDOWS\winsysupd51.dat
    C:\WINDOWS\wpcjmd.log

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_CORE
    -------\LEGACY_DOMAINSERVICE
    -------\LEGACY_ICF
    -------\LEGACY_MICROSOFT_INTERNET_EXPLORER
    -------\LEGACY_SYMAVC32
    -------\core
    -------\Microsoft Internet Explorer


    ((((((((((((((((((((((((( Files Created from 2007-10-02 to 2007-11-02 )))))))))))))))))))))))))))))))
    .

    2007-11-02 12:42 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-02 07:02 33,792 --a------ C:\WINDOWS\ieuninst.exe
    2007-11-02 03:00 340,032 --a------ C:\WINDOWS\system32\uelkksvy.dll
    2007-11-01 13:41 340,032 --a------ C:\WINDOWS\system32\adqudaad.dll
    2007-11-01 13:09 35,840 --a------ C:\WINDOWS\mrofinu1000106.exe
    2007-11-01 13:08 <DIR> d-------- C:\WINDOWS\system32\Mz02r
    2007-11-01 13:08 <DIR> d-------- C:\temp\mZOr
    2007-11-01 13:08 507,181 --a------ C:\temp\ocli.exe
    2007-11-01 13:08 35,840 --a------ C:\WINDOWS\mrofinu572.exe
    2007-11-01 13:08 34,816 --a------ C:\WINDOWS\system32\fccbcdd.dll
    2007-10-20 12:33 <DIR> d-------- C:\Program Files\Trellian
    2007-10-20 12:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Trellian
    2007-10-20 12:33 471,040 --a------ C:\WINDOWS\system32\Achroma2.dll
    2007-10-20 12:21 <DIR> d-------- C:\Program Files\CoffeeCup Software
    2007-10-19 14:58 <DIR> d-------- C:\Program Files\mozilla.org
    2007-10-19 14:58 <DIR> d-------- C:\Program Files\Common Files\mozilla.org
    2007-10-19 14:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Talkback
    2007-10-08 16:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-10-08 16:35 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
    2007-10-08 16:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-10-08 16:20 <DIR> d-------- C:\Program Files\lezcjcpk
    2007-10-08 16:14 <DIR> d-------- C:\Documents and Settings\Owner\SmitfraudFix
    2007-10-08 14:21 164 --a------ C:\install.dat
    2007-10-08 13:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-10-08 12:31 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2007-10-08 12:31 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-10-08 12:31 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-10-08 12:31 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-10-08 12:31 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2007-10-08 12:31 4,746 --a------ C:\WINDOWS\system32\tmp.reg
    2007-10-08 12:16 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2007-10-08 12:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
    2007-10-08 12:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
    2007-10-08 08:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-10-08 08:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-08 05:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-10-08 05:19 <DIR> d-------- C:\Program Files\Trend Micro
    2007-10-08 04:11 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
    2007-10-08 04:10 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-10-08 04:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-10-07 21:36 7,680 --a------ C:\syswggw.exe
    2007-10-07 19:24 <DIR> d-------- C:\Program Files\Microsoft Help
    2007-10-07 19:04 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
    2007-10-06 18:49 <DIR> d-------- C:\WINDOWS\system32\idrqapug
    2007-10-06 18:49 <DIR> d-------- C:\Program Files\Vweuhirc
    2007-10-06 18:49 <DIR> d-------- C:\Program Files\Nkindjst
    2007-10-06 18:49 <DIR> d-------- C:\Program Files\izoxenep
    2007-10-06 08:56 7,810 --a------ C:\syslyxy.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-26 02:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
    2007-10-24 01:33 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2007-10-20 19:05 --------- d-----w C:\Program Files\Java
    2007-10-08 19:47 --------- d-----w C:\Program Files\Goocosmi
    2007-10-08 16:20 --------- d-----w C:\Program Files\Lavasoft
    2007-10-08 03:24 --------- d-----w C:\Program Files\MySpace
    2007-10-07 02:48 12,800 ----a-w C:\WINDOWS\system32\svchost.exe
    2007-09-17 13:13 --------- d-----w C:\Program Files\WinMerge
    2006-06-16 04:18 774,144 ----a-w C:\Program Files\RngInterstitial.dll
    2006-02-10 21:04 24,774 ----a-w C:\WINDOWS\Prefetch\HPQDIREC.EXE
    2004-11-22 01:29:48 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
    2007-05-27 01:32:12 1,543,908 --sh--w C:\WINDOWS\system32\onnmp.bak1
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}]
    2007-11-01 13:08 34816 --a------ C:\WINDOWS\system32\fccbcdd.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{919108ad-9ffd-41fb-8e92-f21354a68f10}]
    C:\WINDOWS\System32\xhenbei.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c7de8ae-89bf-4f75-8c57-9982f2aa9b72}]
    C:\WINDOWS\System32\xjpngfgs.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 12:43]
    "VTTimer"="VTTimer.exe" []
    "AGRSMMSG"="AGRSMMSG.exe" [2004-01-16 19:34 C:\WINDOWS\AGRSMMSG.exe]
    "PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 19:13]
    "AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 20:35 C:\WINDOWS\ALCXMNTR.EXE]
    "MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05]
    "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29]
    "VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
    "VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49]
    "OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-04-02 14:35]
    "atwtusb"="atwtusb.exe" [2005-02-03 08:37 C:\WINDOWS\system32\atwtusb.exe]
    "ymetray"="C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" [2006-04-06 13:17]
    "HPWQTOOLBOX"="C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe" [2005-06-01 14:54]
    "BtcMaestro"="C:\Program Files\HP Multimedia Keyboard\KMaestro.exe" [2005-02-20 21:53]
    "Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 13:08 C:\WINDOWS\system32\ico.exe]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-08 17:06]
    "ergastln"="C:\Program Files\Vweuhirc\ergastln.exe" [2007-10-06 18:49]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 22:08]
    "ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-08-15 17:54]
    "CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-04-28 17:08]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-10 13:48]
    "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 03:40]
    "Kvxvgg"="C:\WINDOWS\??mbols\??chost.exe" []
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 13:06]
    "belmande"="update255.exe" []

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-03 23:12:18]
    hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 18:21:38]
    hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-05 23:06:58]
    Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-09-03 05:45:28]
    Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2003-06-08 17:48:18]
    Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-30 04:49:48]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-01-28 18:08:15]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
    "{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}"= C:\WINDOWS\system32\fccbcdd.dll [2007-11-01 13:08 34816]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "ypwMXxX"= {0CFB2074-A651-8ADE-B439-87285013930C} - C:\WINDOWS\System32\ppxjl.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbcdd]
    fccbcdd.dll 2007-11-01 13:08 34816 C:\WINDOWS\system32\fccbcdd.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hoykadeg]
    hoykadeg.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MsMsgSrv]
    MsMsgSrv.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yqejhhjf]
    yqejhhjf.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS\System32\ddayv.dll

    R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    R3 pelmouse;Mouse Suite Driver;C:\WINDOWS\System32\DRIVERS\pelmouse.sys
    R3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\System32\DRIVERS\pelusblf.sys
    S1 aiptektp;HyperPen;C:\WINDOWS\System32\DRIVERS\aiptektp.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2005-03-06 23:50:28 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1099869407.job"
    "2006-02-08 20:24:27 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-02 12:58:37
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-02 12:59:51 - machine was rebooted
    .
    --- E O F ---
     
  4. momfroma2z (Thread Starter)
    And the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:02:45 PM, on 11/2/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\ps2.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\atwtusb.exe
    C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe
    C:\Program Files\HP Multimedia Keyboard\KMaestro.exe
    C:\WINDOWS\System32\ICO.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\FSRremoS.EXE
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Vweuhirc\ergastln.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\Pelmiced.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
    C:\WINDOWS\System32\HPZipm12.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.scrapstreet.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 218.223.221.217:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Trellian BHO Impl - {24180B00-2EB6-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\Toolbar\toolbar.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\fccbcdd.dll
    O2 - BHO: (no name) - {919108ad-9ffd-41fb-8e92-f21354a68f10} - C:\WINDOWS\System32\xhenbei.dll (file missing)
    O2 - BHO: {27b9aa2f-2899-75c8-57f4-fb98ea8ed7c9} - {9c7de8ae-89bf-4f75-8c57-9982f2aa9b72} - C:\WINDOWS\System32\xjpngfgs.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: Trellian &Toolbar - {71AAABE5-1F0F-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [atwtusb] "atwtusb.exe" beta
    O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload
    O4 - HKLM\..\Run: [HPWQTOOLBOX] "C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe" "-i"
    O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\HP Multimedia Keyboard\KMaestro.exe"
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ergastln] "C:\Program Files\Vweuhirc\ergastln.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [Kvxvgg] C:\WINDOWS\??mbols\??chost.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [belmande] update255.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: *.virusschlacht.com
    O15 - Trusted Zone: *.avsystemcare.com (HKLM)
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.onerateld.com (HKLM)
    O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
    O15 - Trusted Zone: *.virusschlacht.com (HKLM)
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: fccbcdd - C:\WINDOWS\SYSTEM32\fccbcdd.dll
    O20 - Winlogon Notify: hoykadeg - hoykadeg.dll (file missing)
    O20 - Winlogon Notify: MsMsgSrv - MsMsgSrv.DLL (file missing)
    O20 - Winlogon Notify: yqejhhjf - yqejhhjf.dll (file missing)
    O21 - SSODL: ypwMXxX - {0CFB2074-A651-8ADE-B439-87285013930C} - C:\WINDOWS\System32\ppxjl.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

    --
    End of file - 11152 bytes


    thank you so much for your help!
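    An added triage script (not from the thread, and not part of HijackThis) that parses entries of the kind in the log above and flags the ones a helper zeroes in on: the ProxyServer pointing at an external host, every O15 Trusted Zone domain, O2/O20/O21 load points that are unnamed or whose file is missing, and the O4 Run entry whose path HijackThis could not fully display. The sample lines are copied from the log above with a few benign entries for contrast; the rule thresholds are my assumptions.

```python
import re

# Constructed sample input: lines copied from the HijackThis log posted above,
# with a few benign entries (Adobe BHO, ctfmon, SUPERAntiSpyware) for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 218.223.221.217:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\fccbcdd.dll
O2 - BHO: (no name) - {919108ad-9ffd-41fb-8e92-f21354a68f10} - C:\WINDOWS\System32\xhenbei.dll (file missing)
O4 - HKCU\..\Run: [Kvxvgg] C:\WINDOWS\??mbols\??chost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hoykadeg - hoykadeg.dll (file missing)
O21 - SSODL: ypwMXxX - {0CFB2074-A651-8ADE-B439-87285013930C} - C:\WINDOWS\System32\ppxjl.dll (file missing)
"""

# Every HijackThis entry starts with a section code (R1, O2, O15, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")

# Proxy targets that are not a cause for concern by themselves (assumed list).
LOCAL_PROXY_RE = re.compile(
    r"^(localhost|127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)"
)


def parse_hjt(text):
    """Return a list of (section, body) tuples, skipping non-entry lines."""
    entries = []
    for raw in text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append((match.group("sec"), match.group("body")))
    return entries


def triage(entries):
    """Apply the checks a helper applies by eye; return (section, reason) pairs."""
    findings = []
    for sec, body in entries:
        if sec == "R1" and "ProxyServer" in body:
            # A proxy pointing off-box routes every IE request through a third party.
            target = body.split("=", 1)[1].strip()
            if not LOCAL_PROXY_RE.match(target):
                findings.append((sec, "proxy points at external host " + target))
        elif sec == "O15":
            # Trusted Zone entries relax IE security for that domain; the wildcard
            # domains in this thread are the rogue security-product sites being cleaned up.
            domain = body.replace("Trusted Zone: ", "", 1)
            findings.append((sec, "domain added to Trusted Zone: " + domain))
        elif sec in ("O2", "O20", "O21"):
            # Load points with no name or a missing file are orphaned hooks worth removing.
            if "(file missing)" in body:
                findings.append((sec, "orphaned load point: " + body))
            elif "(no name)" in body:
                findings.append((sec, "unnamed load point: " + body))
        elif sec == "O4" and "??" in body:
            # '?' marks characters HijackThis could not display; a Run entry whose
            # path needs them lives in a look-alike directory name.
            findings.append((sec, "undisplayable characters in autorun path: " + body))
    return findings


def triage_text(text):
    """Convenience wrapper: parse a whole log and triage it in one call."""
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for sec, reason in triage_text(SAMPLE_LOG):
        print(f"{sec:<4}{reason}")
```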
     
  5. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    No problem...

    Download http://www.mvps.org/winhelp2002/DelDomains.inf

    Right click the DelDomains.inf file and click Install, making sure Internet Explorer is closed.
    You won't see anything happen.

    Run ActiveScan online virus scan:
    http://www.pandasoftware.com/products/activescan.htm

    Once you are on the Panda site click the Scan your PC button.
    A new window will open; click the Check Now button.
    Enter your Country.
    Enter your State/Province.
    Enter your e-mail address and click send.
    Select either Home User or Company.
    Click the big Scan Now button.
    If it wants to install an ActiveX component allow it.
    It will start downloading the files it requires for the scan (Note: it may take a couple of minutes).
    When download is complete, click on My Computer to start the scan.
    When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post the contents of the ActiveScan report.
     
  6. momfroma2z

    momfroma2z Thread Starter

    Joined:
    Nov 2, 2007
    Messages:
    15
    Here it is in 2 parts since it has too many characters:


    Incident Status Location

    Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
    Adware:adware/portalscan Not disinfected c:\windows\bundles\adv0ltc0m.exe
    Adware:adware/emediacodec Not disinfected C:\Documents and Settings\Owner\Desktop\run.exe
    Adware:adware/ieplugin Not disinfected c:\windows\kwv2.dat
    Adware:adware/tvmedia Not disinfected c:\windows\bundles
    Spyware:spyware/searchcentrix Not disinfected Windows Registry
    Virus:Generic Malware Not disinfected C:\246.tmp[BndDrive6.dll]
    Virus:Trj/Downloader.MDW Not disinfected C:\246.tmp[ISMModule6.exe]
    Virus:Trj/Downloader.MDW Disinfected C:\250.tmp
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix\nircmd.cfexe
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3aitu19y.default\cookies.txt[.realmedia.com/]
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3aitu19y.default\cookies.txt[.atdmt.com/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3aitu19y.default\cookies.txt[.advertising.com/]
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3aitu19y.default\cookies.txt[.doubleclick.net/]
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3aitu19y.default\cookies.txt[ad.yieldmanager.com/]
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3aitu19y.default\cookies.txt[.tribalfusion.com/]
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3aitu19y.default\cookies.txt[.adrevolver.com/]
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3aitu19y.default\cookies.txt[.com.com/]
    Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\djl5e55m.slt\cookies.txt[.trafficmp.com/]
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\djl5e55m.slt\cookies.txt[.doubleclick.net/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\djl5e55m.slt\cookies.txt[.advertising.com/]
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\djl5e55m.slt\cookies.txt[ad.yieldmanager.com/]
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\djl5e55m.slt\cookies.txt[.casalemedia.com/]
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][3].txt
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.exe]
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.cfexe]
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\smitfraudfix\Process.exe
    Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Owner\Desktop\smitfraudfix\Reboot.exe
    Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Owner\Desktop\smitfraudfix\restart.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
    Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip[SmitfraudFix/Reboot.exe]
    Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip[SmitfraudFix/restart.exe]
    Hacktool:Exploit/LoadImage Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\RA8B7PKX\file[1].jpg
    Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\RA8B7PKX\popup[2].php
    Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\RA8B7PKX\popup[3].php
    Hacktool:Exploit/Mhtredir.gen Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UL8SDW0S\CA45YBWT.HTM
    Hacktool:Exploit/Mhtredir.gen Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UL8SDW0S\CAO5OCJH.HTM
    Hacktool:Exploit/Mhtredir.gen Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WTENC5I3\CA0R6LQH.HTM
    Hacktool:Exploit/Mhtredir.gen Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WTENC5I3\CAWK0LDW.HTM
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WTENC5I3\is66953[1].exe
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WTENC5I3\is66953[2].exe
    Virus:Trj/Downloader.MDW Disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WTENC5I3\xpreload[1].ocx
    Virus:Trj/Downloader.MDW Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WTENC5I3\xpre[1].chm[/xpreload.ocx]
     
  7. momfroma2z

    momfroma2z Thread Starter

    Joined:
    Nov 2, 2007
    Messages:
    15
    Virus:Generic Malware Disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WTENC5I3\xpre[1].exe
    Virus:Trj/Downloader.MDW Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WTENC5I3\xpre[2].chm[/xpreload.ocx]
    Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WTENC5I3\YazzleBundle-1281[1].exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\SmitfraudFix\Process.exe
    Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Owner\SmitfraudFix\Reboot.exe
    Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Owner\SmitfraudFix\restart.exe
    Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
    Adware:Adware/Gimmy Not disinfected C:\Program Files\GimmySmileys\sv.exe
    Spyware:Spyware/Apropos Not disinfected C:\Program Files\Goocosmi\ace.dll
    Adware:Adware/MediaTickets Not disinfected C:\Program Files\Goocosmi\Cache\00001d26_43e4d0c6_00098968
    Adware:Adware/Tracking Not disinfected C:\Program Files\Goocosmi\Cache\000020c3_4394b5a4_00057bcf
    Adware:Adware/MediaTickets Not disinfected C:\Program Files\Goocosmi\Cache\0000491c_43e96307_0002dc6c
    Virus:Generic Trojan Disinfected C:\Program Files\izoxenep\qlkjsbwr.dll
    Virus:Generic Trojan Disinfected C:\Program Files\lezcjcpk\hwxqturi.dll
    Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\Program Files\WinFixer\wfxcwr.exe
    Virus:Rootkit/Nuwar.HS Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\secdrv.sys.vir
    Virus:Generic Trojan Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\i8\taldrvr11.exe.vir
    Adware:Adware/PurityScan Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\kxo.dll.vir
    Virus:Trj/Downloader.MDW Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\mp43.exe.vir
    Adware:Adware/WebSearch Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\pgd.dll.vir
    Virus:Generic Trojan Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\__c0064C72.dat.vir
    Virus:Generic Trojan Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\__c009D690.dat.vir
    Virus:Generic Trojan Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\__c00BA03E.dat.vir
    Virus:Generic Trojan Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\__c00BB80E.dat.vir
    Virus:Trj/Downloader.QNW Disinfected C:\qoobox\Quarantine\C\WINDOWS\tsitra72.exe.vir
    Virus:Generic Trojan Disinfected C:\syslyxy.exe
    Virus:Trj/Downloader.MDW Disinfected C:\syswggw.exe
    Adware:Adware/TTC Not disinfected C:\temp\maTUS.exe[dlltk67.exe]
    Adware:Adware/Yazzle Not disinfected C:\temp\maTUS.exe[dlwr.exe]
    Adware:Adware/DeluxeComunications Not disinfected C:\temp\maTUS.exe[nic32.exe]
    Adware:Adware/DeluxeComunications Not disinfected C:\temp\maTUS.exe[d5ll.exe]
    Spyware:Spyware/7r7t Not disinfected C:\temp\ocli.exe
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\adqudaad.dll
    Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20071008-083945.backup
    Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20071008-083946.backup
    Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\uelkksvy.dll
     
  8. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    • Click here to download ATF Cleaner by Atribune and save it to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
      • If you use Firefox:
        • Click Firefox at the top and choose: Select All
        • Click the Empty Selected button.
        • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
      • If you use Opera:
        • Click Opera at the top and choose: Select All
        • Click the Empty Selected button.
        • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.

    Please rerun ComboFix and post the results.
     
  9. momfroma2z

    momfroma2z Thread Starter

    Joined:
    Nov 2, 2007
    Messages:
    15
    ComboFix 07-11-01.1 - Owner 2007-11-03 8:29:57.2 - NTFSx86
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
    C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
    C:\Documents and Settings\Owner\Desktop\Live Safety Center.lnk
    C:\Documents and Settings\Owner\Desktop\Online Security Guide.lnk
    C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\hgjlm.bak1
    C:\WINDOWS\system32\hgjlm.ini2
    C:\WINDOWS\system32\hgjlm.tmp
    C:\WINDOWS\system32\mpqss.bak1
    C:\WINDOWS\system32\mpqss.ini
    C:\WINDOWS\system32\ssqpm.dll
    C:\WINDOWS\system32\tyfblvhc.exe
    C:\WINDOWS\system32\uxznfbps.dllbox

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_DOMAINSERVICE
    -------\DomainService


    ((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
    .

    2007-11-03 05:48 81,472 --a------ C:\WINDOWS\system32\dfvfybxu.dll
    2007-11-03 05:45 87,616 --a------ C:\WINDOWS\system32\rbffgkcp.dll
    2007-11-03 05:41 340,032 --a------ C:\WINDOWS\system32\uxznfbps.dll
    2007-11-03 05:40 340,032 --a------ C:\WINDOWS\system32\mevjvpjk.dll
    2007-11-02 17:38 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-11-02 12:42 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-02 07:02 33,792 --a------ C:\WINDOWS\ieuninst.exe
    2007-11-02 03:00 340,032 --a------ C:\WINDOWS\system32\uelkksvy.dll
    2007-11-01 13:41 340,032 --a------ C:\WINDOWS\system32\adqudaad.dll
    2007-11-01 13:09 35,840 --a------ C:\WINDOWS\mrofinu1000106.exe
    2007-11-01 13:08 <DIR> d-------- C:\WINDOWS\system32\Mz02r
    2007-11-01 13:08 <DIR> d-------- C:\temp\mZOr
    2007-11-01 13:08 507,181 --a------ C:\temp\ocli.exe
    2007-11-01 13:08 35,840 --a------ C:\WINDOWS\mrofinu572.exe
    2007-11-01 13:08 34,816 --a------ C:\WINDOWS\system32\fccbcdd.dll
    2007-10-20 12:33 <DIR> d-------- C:\Program Files\Trellian
    2007-10-20 12:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Trellian
    2007-10-20 12:33 471,040 --a------ C:\WINDOWS\system32\Achroma2.dll
    2007-10-20 12:21 <DIR> d-------- C:\Program Files\CoffeeCup Software
    2007-10-19 14:58 <DIR> d-------- C:\Program Files\mozilla.org
    2007-10-19 14:58 <DIR> d-------- C:\Program Files\Common Files\mozilla.org
    2007-10-19 14:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Talkback
    2007-10-08 16:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-10-08 16:35 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
    2007-10-08 16:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-10-08 16:20 <DIR> d-------- C:\Program Files\lezcjcpk
    2007-10-08 16:14 <DIR> d-------- C:\Documents and Settings\Owner\SmitfraudFix
    2007-10-08 14:21 164 --a------ C:\install.dat
    2007-10-08 13:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-10-08 12:31 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2007-10-08 12:31 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-10-08 12:31 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-10-08 12:31 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-10-08 12:31 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2007-10-08 12:31 4,746 --a------ C:\WINDOWS\system32\tmp.reg
    2007-10-08 12:16 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2007-10-08 12:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
    2007-10-08 12:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
    2007-10-08 08:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-10-08 08:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-08 05:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-10-08 05:19 <DIR> d-------- C:\Program Files\Trend Micro
    2007-10-08 04:11 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
    2007-10-08 04:10 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-10-08 04:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-10-07 19:24 <DIR> d-------- C:\Program Files\Microsoft Help
    2007-10-07 19:04 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
    2007-10-06 18:49 <DIR> d-------- C:\WINDOWS\system32\idrqapug
    2007-10-06 18:49 <DIR> d-------- C:\Program Files\Vweuhirc
    2007-10-06 18:49 <DIR> d-------- C:\Program Files\Nkindjst
    2007-10-06 18:49 <DIR> d-------- C:\Program Files\izoxenep

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-03 07:39 --------- d-----w C:\Program Files\WinMerge
    2007-11-03 07:37 --------- d-----w C:\Program Files\QuickTime
    2007-11-03 07:27 --------- d-----w C:\Program Files\HP Multimedia Keyboard
    2007-11-03 07:26 --------- d-----w C:\Program Files\Google
    2007-10-26 02:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
    2007-10-24 01:33 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2007-10-20 19:05 --------- d-----w C:\Program Files\Java
    2007-10-08 19:47 --------- d-----w C:\Program Files\Goocosmi
    2007-10-08 16:20 --------- d-----w C:\Program Files\Lavasoft
    2007-10-08 03:24 --------- d-----w C:\Program Files\MySpace
    2007-10-07 02:48 12,800 ----a-w C:\WINDOWS\system32\svchost.exe
    2006-06-16 04:18 774,144 ----a-w C:\Program Files\RngInterstitial.dll
    2004-11-22 01:29:48 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
    2007-05-27 01:32:12 1,543,908 --sh--w C:\WINDOWS\system32\onnmp.bak1
    .

    ((((((((((((((((((((((((((((( [email protected]_12.58.55.56 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2006-08-24 16:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
    + 2007-03-29 17:20:50 110,592 ----a-w C:\WINDOWS\system32\ActiveScan\as.dll
    + 2006-10-06 00:15:26 233,472 ----a-w C:\WINDOWS\system32\ActiveScan\ascontrol.dll
    + 2005-06-03 22:03:18 96,256 ----a-w C:\WINDOWS\system32\ActiveScan\asmdat.dll
    + 2003-08-01 19:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
    + 2005-05-20 21:42:44 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\instlsp.dll
    + 2006-02-17 02:20:20 4,608 ----a-w C:\WINDOWS\system32\ActiveScan\memvfile.dll
    + 2005-10-26 02:08:32 348,160 ----a-w C:\WINDOWS\system32\ActiveScan\msvcr71.dll
    + 2004-05-04 23:01:02 139,264 ----a-w C:\WINDOWS\system32\ActiveScan\pavaleas.dll
    + 2006-07-14 21:04:10 45,056 ----a-w C:\WINDOWS\system32\ActiveScan\pavdr.exe
    + 2006-04-10 18:50:02 159,832 ----a-w C:\WINDOWS\system32\ActiveScan\pavexcom.dll
    + 2006-02-14 21:05:38 94,208 ----a-w C:\WINDOWS\system32\ActiveScan\pavinas.dll
    + 2006-02-17 02:35:38 180,224 ----a-w C:\WINDOWS\system32\ActiveScan\pavoe.dll
    + 2006-10-06 00:15:38 122,880 ----a-w C:\WINDOWS\system32\ActiveScan\pavpz.dll
    + 2006-06-30 22:13:38 8,704 ----a-w C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
    + 2004-02-04 22:08:42 49,152 ----a-w C:\WINDOWS\system32\ActiveScan\port32.dll
    + 2006-08-01 21:23:10 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pscpu.dll
    + 2006-08-23 21:06:08 1,388,544 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
    + 2006-08-17 19:38:14 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\pskalloc.dll
    + 2006-09-04 19:49:54 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\pskas.dll
    + 2006-08-18 16:46:18 779,264 ----a-w C:\WINDOWS\system32\ActiveScan\pskavs.dll
    + 2007-03-26 22:25:34 417,792 ----a-w C:\WINDOWS\system32\ActiveScan\pskcmp.dll
    + 2006-08-09 18:42:24 90,112 ----a-w C:\WINDOWS\system32\ActiveScan\pskfss.dll
    + 2006-07-19 18:55:58 208,896 ----a-w C:\WINDOWS\system32\ActiveScan\pskhtml.dll
    + 2006-01-21 00:57:00 9,728 ----a-w C:\WINDOWS\system32\ActiveScan\pskmas.dll
    + 2006-05-17 17:50:12 14,336 ----a-w C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
    + 2006-08-16 18:58:12 33,280 ----a-w C:\WINDOWS\system32\ActiveScan\pskpack.dll
    + 2006-06-30 22:42:36 266,240 ----a-w C:\WINDOWS\system32\ActiveScan\pskscs.dll
    + 2006-08-17 22:33:14 62,976 ----a-w C:\WINDOWS\system32\ActiveScan\pskutil.dll
    + 2006-08-08 21:13:10 13,312 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfile.dll
    + 2006-08-18 16:53:08 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfs.dll
    + 2006-08-18 16:49:50 167,936 ----a-w C:\WINDOWS\system32\ActiveScan\pskvm.dll
    + 2007-04-19 01:16:04 353,840 ----a-w C:\WINDOWS\system32\ActiveScan\psscan.dll
    + 2007-01-22 22:42:48 35,328 ----a-w C:\WINDOWS\system32\ActiveScan\rawvfile.dll
    + 1997-09-18 14:12:32 9,488 ----a-w C:\WINDOWS\system32\ActiveScan\sporder.dll
    + 2006-03-01 01:23:40 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
    + 2006-08-02 20:39:06 73,728 ----a-w C:\WINDOWS\system32\asuninst.exe
    - 2007-11-02 20:43:18 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
    + 2007-11-03 16:29:35 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
    + 2003-03-26 02:53:50 11,776 ----a-w C:\WINDOWS\system32\ZPORT4AS.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0a5a06a4-88f3-4edd-812f-5820c81bfc22}]
    2007-11-03 05:48 81472 --a------ C:\WINDOWS\System32\dfvfybxu.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}]
    2007-11-01 13:08 34816 --a------ C:\WINDOWS\system32\fccbcdd.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{919108ad-9ffd-41fb-8e92-f21354a68f10}]
    C:\WINDOWS\System32\xhenbei.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
    2007-11-03 05:41 340032 --a------ C:\WINDOWS\system32\uxznfbps.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\uxznfbps.dll [2007-11-03 05:41 340032]

    [HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\uxznfbps.dll [2007-11-03 05:41 340032]

    [HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 12:43]
    "VTTimer"="VTTimer.exe" []
    "AGRSMMSG"="AGRSMMSG.exe" [2004-01-16 19:34 C:\WINDOWS\AGRSMMSG.exe]
    "PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 19:13]
    "AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 20:35 C:\WINDOWS\ALCXMNTR.EXE]
    "MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05]
    "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29]
    "VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
    "VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49]
    "OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-04-02 14:35]
    "atwtusb"="atwtusb.exe" [2005-02-03 08:37 C:\WINDOWS\system32\atwtusb.exe]
    "ymetray"="C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" [2006-04-06 13:17]
    "HPWQTOOLBOX"="C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe" [2005-06-01 14:54]
    "BtcMaestro"="C:\Program Files\HP Multimedia Keyboard\KMaestro.exe" [2005-02-20 21:53]
    "Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 13:08 C:\WINDOWS\system32\ico.exe]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-08 17:06]
    "ergastln"="C:\Program Files\Vweuhirc\ergastln.exe" [2007-10-06 18:49]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
    "0cfb20dc"="C:\WINDOWS\System32\rbffgkcp.dll" [2007-11-03 05:45]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 22:08]
    "ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-08-15 17:54]
    "CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-04-28 17:08]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-10 13:48]
    "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 03:40]
    "Kvxvgg"="C:\WINDOWS\??mbols\??chost.exe" []
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 13:06]
    "belmande"="update255.exe" []

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-03 23:12:18]
    hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 18:21:38]
    hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-05 23:06:58]
    Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-09-03 05:45:28]
    Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2003-06-08 17:48:18]
    Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-30 04:49:48]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-01-28 18:08:15]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
    "{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}"= C:\WINDOWS\system32\fccbcdd.dll [2007-11-01 13:08 34816]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "ypwMXxX"= {0CFB2074-A651-8ADE-B439-87285013930C} - C:\WINDOWS\System32\ppxjl.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbcdd]
    fccbcdd.dll 2007-11-01 13:08 34816 C:\WINDOWS\system32\fccbcdd.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hoykadeg]
    hoykadeg.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MsMsgSrv]
    MsMsgSrv.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uxznfbps]
    uxznfbps.dll 2007-11-03 05:41 340032 C:\WINDOWS\system32\uxznfbps.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yqejhhjf]
    yqejhhjf.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS\System32\ssqpm.dll

    .
    Contents of the 'Scheduled Tasks' folder
    "2005-03-06 23:50:28 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1099869407.job"
    "2006-02-08 20:24:27 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-03 08:48:15
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    C:\WINDOWS\system32\uxznfbps.dllbox 17004 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    Completion time: 2007-11-03 8:51:40 - machine was rebooted
    C:\ComboFix2.txt ... 2007-11-02 12:59
    .
    --- E O F ---
     
  10. momfroma2z

    momfroma2z Thread Starter

    Joined:
    Nov 2, 2007
    Messages:
    15
    Pop-ups were swarming again, so I ran super anti spysweeper and got this HijackThis log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:16:36 AM, on 11/3/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\ps2.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\atwtusb.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe
    C:\Program Files\HP Multimedia Keyboard\KMaestro.exe
    C:\WINDOWS\System32\ICO.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\FSRremoS.EXE
    C:\Program Files\Vweuhirc\ergastln.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\System32\Pelmiced.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\System32\svchost.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.scrapstreet.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 218.223.221.217:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: Trellian &Toolbar - {71AAABE5-1F0F-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [atwtusb] "atwtusb.exe" beta
    O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload
    O4 - HKLM\..\Run: [HPWQTOOLBOX] "C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe" "-i"
    O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\HP Multimedia Keyboard\KMaestro.exe"
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ergastln] "C:\Program Files\Vweuhirc\ergastln.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [0cfb20dc] rundll32.exe "C:\WINDOWS\System32\rbffgkcp.dll",b
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [Kvxvgg] C:\WINDOWS\??mbols\??chost.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [belmande] update255.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O21 - SSODL: ypwMXxX - {0CFB2074-A651-8ADE-B439-87285013930C} - C:\WINDOWS\System32\ppxjl.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

    --
    End of file - 9535 bytes
     
  11. momfroma2z

    momfroma2z Thread Starter

    Joined:
    Nov 2, 2007
    Messages:
    15
    Wow, you can end up five pages back here in a hurry.

    Woke up to the pop-ups again. Checking in to see if there was a next plan of attack. Going to go run super anti spysweeper again, since it at least keeps them at bay even if it doesn't cure it. Thanks in advance for your next suggestion.
     
  12. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    1. Please download The Avenger by Swandog46 to your Desktop.
    • Click on Avenger.zip to open the file
    • Extract avenger.exe to your desktop

    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, start The Avenger program by clicking on its icon on your desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop; this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply.

    Rescan with Hijack This, close all browser windows except Hijack This, put a checkmark beside these entries and click fix checked.

    O4 - HKLM\..\Run: [ergastln] "C:\Program Files\Vweuhirc\ergastln.exe"

    O4 - HKLM\..\Run: [0cfb20dc] rundll32.exe "C:\WINDOWS\System32\rbffgkcp.dll",b

    O4 - HKCU\..\Run: [Kvxvgg] C:\WINDOWS\??mbols\??chost.exe

    O4 - HKCU\..\Run: [belmande] update255.exe

    O21 - SSODL: ypwMXxX - {0CFB2074-A651-8ADE-B439-87285013930C} - C:\WINDOWS\System32\ppxjl.dll (file missing)


    Reboot and post another Hijack This log please.
     
  13. momfroma2z

    momfroma2z Thread Starter

    Joined:
    Nov 2, 2007
    Messages:
    15
    Thanks again.

    Avenger: Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\npdoujex

    *******************

    Script file located at: \??\C:\Program Files\gkmkodam.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:



    File C:\WINDOWS\system32\update255.exe not found!
    Deletion of file C:\WINDOWS\system32\update255.exe failed!

    Could not process line:
    C:\WINDOWS\system32\update255.exe
    Status: 0xc0000034



    File C:\WINDOWS\System32\rbffgkcp.dll not found!
    Deletion of file C:\WINDOWS\System32\rbffgkcp.dll failed!

    Could not process line:
    C:\WINDOWS\System32\rbffgkcp.dll
    Status: 0xc0000034

    File C:\WINDOWS\system32\onnmp.bak1 deleted successfully.
    File C:\temp\ocli.exe deleted successfully.
    File C:\WINDOWS\mrofinu572.exe deleted successfully.
    File C:\WINDOWS\system32\fccbcdd.dll deleted successfully.


    File C:\WINDOWS\system32\dfvfybxu.dll not found!
    Deletion of file C:\WINDOWS\system32\dfvfybxu.dll failed!

    Could not process line:
    C:\WINDOWS\system32\dfvfybxu.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\rbffgkcp.dll not found!
    Deletion of file C:\WINDOWS\system32\rbffgkcp.dll failed!

    Could not process line:
    C:\WINDOWS\system32\rbffgkcp.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\uxznfbps.dll not found!
    Deletion of file C:\WINDOWS\system32\uxznfbps.dll failed!

    Could not process line:
    C:\WINDOWS\system32\uxznfbps.dll
    Status: 0xc0000034

    File C:\WINDOWS\system32\mevjvpjk.dll deleted successfully.
    File C:\WINDOWS\system32\uelkksvy.dll deleted successfully.
    File C:\WINDOWS\system32\adqudaad.dll deleted successfully.
    File C:\WINDOWS\mrofinu1000106.exe deleted successfully.
    Folder C:\Program Files\Vweuhirc deleted successfully.


    Could not open folder C:\WINDOWS\??mbols for deletion
    Deletion of folder C:\WINDOWS\??mbols failed!

    Could not process line:
    C:\WINDOWS\??mbols
    Status: 0xc0000033

    Folder C:\Program Files\lezcjcpk deleted successfully.
    Folder C:\WINDOWS\system32\idrqapug deleted successfully.


    Folder C:\Program Files\Vweuhirc not found!
    Deletion of folder C:\Program Files\Vweuhirc failed!

    Could not process line:
    C:\Program Files\Vweuhirc
    Status: 0xc0000034

    Folder C:\Program Files\Nkindjst deleted successfully.
    Folder C:\Program Files\izoxenep deleted successfully.
    Folder C:\WINDOWS\system32\Mz02r deleted successfully.
    Folder C:\temp\mZOr deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
     
  14. momfroma2z

    momfroma2z Thread Starter

    Joined:
    Nov 2, 2007
    Messages:
    15
    And the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:25:48 PM, on 11/4/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\ps2.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\atwtusb.exe
    C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe
    C:\Program Files\HP Multimedia Keyboard\KMaestro.exe
    C:\WINDOWS\System32\ICO.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\FSRremoS.EXE
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\System32\Pelmiced.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.scrapstreet.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 218.223.221.217:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: Trellian &Toolbar - {71AAABE5-1F0F-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [atwtusb] "atwtusb.exe" beta
    O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload
    O4 - HKLM\..\Run: [HPWQTOOLBOX] "C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe" "-i"
    O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\HP Multimedia Keyboard\KMaestro.exe"
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

    --
    End of file - 8969 bytes
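As an added example that is not part of this thread and not code from HijackThis or The Avenger: a small Python script that compares the HijackThis log posted before the fix with the one posted after it, lists the autostart entries that disappeared, and then flags what is still worth a second look. The two log excerpts are constructed from the lines visible in the posts above (trimmed to the entries that differ plus a few that do not), and the review heuristics are my own, not a published rule set.

```python
"""Diff two HijackThis logs and flag leftover entries worth reviewing.

Added example; the log excerpts below are constructed from the two logs
posted in this thread and trimmed to the lines relevant to the diff.
"""
import re

# Constructed excerpt of the log posted before the fix.
BEFORE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.scrapstreet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 218.223.221.217:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [ergastln] "C:\Program Files\Vweuhirc\ergastln.exe"
O4 - HKLM\..\Run: [0cfb20dc] rundll32.exe "C:\WINDOWS\System32\rbffgkcp.dll",b
O4 - HKCU\..\Run: [Kvxvgg] C:\WINDOWS\??mbols\??chost.exe
O4 - HKCU\..\Run: [belmande] update255.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O21 - SSODL: ypwMXxX - {0CFB2074-A651-8ADE-B439-87285013930C} - C:\WINDOWS\System32\ppxjl.dll (file missing)
"""

# Constructed excerpt of the log posted after "fix checked" and the reboot.
AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.scrapstreet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 218.223.221.217:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"""

# Every HijackThis finding starts with a section code such as R1, O4 or O21.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


def parse_entries(log_text):
    """Return {entry_line: section_code} for every R*/O* line in a log."""
    entries = {}
    for line in log_text.splitlines():
        line = line.strip()
        match = ENTRY_RE.match(line)
        if match:
            entries[line] = match.group("section")
    return entries


def removed_entries(before_text, after_text):
    """Entries present in the first log and absent from the second, in log order."""
    after = parse_entries(after_text)
    return [entry for entry in parse_entries(before_text) if entry not in after]


def review_flags(log_text):
    """Heuristic (entry, reason) pairs for lines a human should look at again."""
    flags = []
    for entry, section in parse_entries(log_text).items():
        # A browser proxy that is not local routes all web traffic elsewhere.
        if section == "R1" and "ProxyServer" in entry:
            host = entry.split("=", 1)[1].strip().split(":")[0]
            if host not in ("localhost", "127.0.0.1"):
                flags.append((entry, "browser proxy points at an external host"))
        # An autostart whose target is gone is an orphaned loading point.
        if "(file missing)" in entry:
            flags.append((entry, "autostart refers to a file that no longer exists"))
        # '?' in an O4 command is how the log renders characters it cannot print.
        if section == "O4" and "?" in entry.split("]", 1)[-1]:
            flags.append((entry, "path contains characters the log tool could not render"))
    return flags


if __name__ == "__main__":
    for entry in removed_entries(BEFORE_LOG, AFTER_LOG):
        print("removed:", entry)
    for entry, reason in review_flags(AFTER_LOG):
        print("review:", reason, "->", entry)
```

Run against the two excerpts, the diff reports exactly the five entries the moderator asked to have fixed, which confirms the "fix checked" step took effect. The review pass on the second log still returns one item: the R1 ProxyServer line is unchanged between the two logs, and a proxy the user did not set up deserves attention because every browser request passes through it.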
     
  15. momfroma2z

    momfroma2z Thread Starter

    Joined:
    Nov 2, 2007
    Messages:
    15
    Wow, is this a mess. The pop-ups restart about every 6 hours.
     
Short URL to this thread: https://techguy.org/646860