
Need help, have spyware or malware

Discussion in 'Virus & Other Malware Removal' started by scorsting, Oct 16, 2008.

Thread Status:
Not open for further replies.
  1. scorsting

    scorsting Thread Starter

    Joined:
    Oct 15, 2008
    Messages:
    7
    Here is my HijackThis report. Could someone please tell me if something is off? Thanks :)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:42:08 PM, on 10/15/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\arservice.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Washer\WasherSvc.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\ARPWRMSG.EXE
    C:\Program Files\Windows Media Player\WMPNetwk.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\HP\KBD\KBD.EXE
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
    O2 - BHO: (no name) - {B4EFA38D-C653-493A-8187-9B44CCF284DC} - (no file)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPHUPD08] "c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
    O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = scorsting
    O17 - HKLM\Software\..\Telephony: DomainName = scorsting
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = scorsting
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = scorsting
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O20 - Winlogon Notify: nnnljhgE - nnnljhgE.dll (file missing)
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - Unknown owner - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe (file missing)
    O23 - Service: McAfee HackerWatch Service - Unknown owner - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe (file missing)
    O23 - Service: McAfee Redirector Service (McRedirector) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe (file missing)
    O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
    O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
    O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

    --
    End of file - 7577 bytes
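A quick way to pull the entries worth a second look out of a HijackThis log like the one above, as an added example that is not part of this thread and not a HijackThis feature: it parses the R/O lines and flags orphans (entries whose file is gone), the DLL-loader sections (O20 AppInit_DLLs / Winlogon Notify, O21, O22), and random-looking eight-letter module names. The sample lines are copied from the log above; the three heuristics and their thresholds are the editor's assumptions, not HijackThis rules.

```python
"""Triage a HijackThis log: parse the R/O lines and flag what to read first.

Added example, not part of the original thread. The heuristics below are
assumptions a triager might start with, not rules from HijackThis itself.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B4EFA38D-C653-493A-8187-9B44CCF284DC} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: nnnljhgE - nnnljhgE.dll (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# A HijackThis entry is "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
LINE_RE = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")

# Sections whose entries load a DLL into winlogon, into every process, or into
# the shell rather than merely starting a program (assumption: a triage
# preference about what to read first, not a HijackThis rule).
LOADER_SECTIONS = {
    "O20": "AppInit_DLLs / Winlogon Notify DLL",
    "O21": "ShellServiceObjectDelayLoad",
    "O22": "SharedTaskScheduler",
}

# Eight-letter tokens are candidates for the random-name check.
TOKEN_RE = re.compile(r"\b[A-Za-z]{8}\b")
VOWELS = set("aeiouAEIOU")


def looks_random(token: str) -> bool:
    """Heuristic (assumption): mixed case with a capital after the first
    letter and at most one vowel reads as machine-generated, e.g. nnnljhgE;
    ordinary names such as Winlogon or McShield have more vowels."""
    has_lower = any(c.islower() for c in token)
    odd_upper = any(c.isupper() for c in token[1:])
    vowels = sum(c in VOWELS for c in token)
    return has_lower and odd_upper and vowels <= 1


@dataclass
class Entry:
    section: str
    body: str
    flags: list = field(default_factory=list)


def parse(log_text: str) -> list:
    """Return the R/F/O entries; the process list and headers are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(log_text: str) -> list:
    """Attach zero or more flags to every parsed entry."""
    entries = parse(log_text)
    for e in entries:
        # Orphan: the registry still references a file that no longer exists.
        if "(no file)" in e.body or "(file missing)" in e.body:
            e.flags.append("orphan: registry points at a file that is gone")
        if e.section in LOADER_SECTIONS:
            e.flags.append("loader: " + LOADER_SECTIONS[e.section])
        for tok in TOKEN_RE.findall(e.body):
            if looks_random(tok):
                e.flags.append("random-looking name: " + tok)
                break
    return entries


def suspicious(log_text: str) -> list:
    """Only the entries that picked up at least one flag."""
    return [e for e in triage(log_text) if e.flags]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(e.section, "|", e.body[:70])
        for f in e.flags:
            print("    ->", f)
```

Run against the sample it reports four of the seven entries: the nameless BHO and the McAfee service are plain orphans, the AVG AppInit_DLLs entry is a loader worth confirming against the vendor, and the Winlogon Notify line collects all three flags. The same name check applied to the ComboFix output further down would also flag the C:\WINDOWS\system32\khfDtuSJ value under the LSA Authentication Packages key; an authentication package is loaded by lsass.exe, so a nameless one there is worth tracing before anything else.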
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi, welcome to TSG!

    Visit this webpage for instructions for downloading and running ComboFix.

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
     
  3. scorsting

    scorsting Thread Starter

    Joined:
    Oct 15, 2008
    Messages:
    7
    OK, here is the ComboFix log:

    ComboFix 08-10-19.04 - family 2008-10-20 12:32:25.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1440 [GMT -7:00]
    Running from: C:\downloads\ComboFix.exe
    Command switches used :: C:\downloads\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    * Created a new restore point
    .
    /wow section not completed

    ((((((((((((((((((((((((( Files Created from 2008-09-20 to 2008-10-20 )))))))))))))))))))))))))))))))
    .

    2008-10-16 23:40 . 2008-10-16 23:40 <DIR> d-------- C:\Documents and Settings\family\Application Data\Webroot
    2008-10-15 23:18 . 2008-10-15 23:19 <DIR> d-------- C:\WINDOWS\CD95F661A5C444F5A6AAECDD91C240B7.TMP
    2008-10-15 22:55 . 2008-10-15 22:55 262,144 --a------ C:\ntuser.dat
    2008-10-15 22:43 . 2008-10-15 22:43 <DIR> d-------- C:\Program Files\IObit
    2008-10-15 21:47 . 2008-10-15 21:47 <DIR> d-------- C:\Documents and Settings\family\Application Data\Malwarebytes
    2008-10-15 21:47 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-15 21:46 . 2008-10-15 21:47 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-15 21:46 . 2008-10-15 21:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-15 21:46 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-15 20:41 . 2008-10-15 20:41 <DIR> d-------- C:\Program Files\Trend Micro
    2008-10-15 17:33 . 2008-10-15 17:39 <DIR> d-------- C:\Documents and Settings\family\Application Data\EasyJob Resume Builder
    2008-10-15 16:59 . 2008-10-20 12:29 <DIR> d-------- C:\downloads
    2008-10-13 16:45 . 2006-05-23 13:42 <DIR> d-------- C:\Documents and Settings\family\WINDOWS
    2008-10-13 16:45 . 2006-05-23 13:44 <DIR> d-------- C:\Documents and Settings\family\Application Data\Intuit
    2008-10-13 16:45 . 2008-10-20 09:24 <DIR> d-------- C:\Documents and Settings\family
    2008-10-13 16:04 . 2008-10-13 16:05 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-10-13 16:03 . 2008-10-13 16:03 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
    2008-10-07 12:38 . 2007-10-25 20:34 8,460,288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
    2008-10-06 10:07 . 2008-10-13 17:39 42 --a------ C:\WINDOWS\system32\RegistryEasy.lie
    2008-10-06 10:04 . 2008-10-20 12:00 <DIR> d-------- C:\Program Files\Registry Easy
    2008-10-06 09:18 . 2008-10-09 16:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-10-06 09:18 . 2008-10-06 09:18 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-09-27 13:13 . 2008-09-27 13:51 314 --a------ C:\WINDOWS\hegames.ini
    2008-09-27 13:00 . 2008-10-06 10:11 <DIR> d-------- C:\Program Files\sz8001
    2008-09-27 13:00 . 1994-08-23 21:00 188,960 --a------ C:\WINDOWS\system\WINGDE.DLL
    2008-09-27 13:00 . 1994-09-20 21:00 92,208 --a------ C:\WINDOWS\system\WING.DLL
    2008-09-27 13:00 . 1998-03-11 13:13 76,368 --a------ C:\WINDOWS\unvise.exe
    2008-09-27 13:00 . 1998-03-11 13:13 29,184 --a------ C:\WINDOWS\unvise32.dll
    2008-09-27 13:00 . 1994-09-20 21:00 12,800 --a------ C:\WINDOWS\system\WING32.DLL
    2008-09-27 13:00 . 1994-09-20 21:00 6,736 --a------ C:\WINDOWS\system\WINGDIB.DRV
    2008-09-27 13:00 . 1994-09-20 21:00 5,024 --a------ C:\WINDOWS\system\WINGPAL.WND
    2008-09-27 13:00 . 2008-09-27 13:00 78 --a------ C:\WINDOWS\alphax.ini
    2008-09-22 20:49 . 2008-10-12 10:06 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Move Networks

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-20 19:24 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-10-20 15:44 --------- d-----w C:\Program Files\Spyware Doctor
    2008-10-17 01:23 --------- d-----w C:\Program Files\Guild Wars
    2008-10-16 02:16 --------- d-----w C:\Program Files\LimeWire
    2008-10-15 23:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-10-15 00:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
    2008-10-14 01:11 --------- d-----w C:\Program Files\Steam
    2008-10-13 23:45 --------- d-----w C:\Program Files\Web Publish
    2008-10-13 15:45 --------- d-----w C:\Program Files\Paint.NET
    2008-10-06 17:11 --------- d-----w C:\Program Files\VentSrv
    2008-10-06 17:11 --------- d-----w C:\Program Files\Speeditup Free
    2008-10-06 17:11 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2008-10-06 17:11 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Ventrilo
    2008-10-06 17:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\STOPzilla!
    2008-10-03 17:41 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
    2008-09-19 02:00 --------- d-----w C:\Program Files\GameSpy Arcade
    2008-09-19 01:11 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2008-09-19 00:58 --------- d-----w C:\Program Files\Firefly Studios
    2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
    2008-09-11 23:27 --------- d-----w C:\Program Files\Windows Media Connect 2
    2008-09-07 00:04 --------- d-----w C:\Program Files\Java
    2008-09-04 03:25 61,440 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
    2008-09-04 03:25 45,056 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
    2008-09-04 03:25 44,032 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
    2008-09-04 03:25 40,960 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
    2008-09-04 03:25 341,048 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
    2008-09-04 03:25 32,768 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
    2008-09-04 03:25 32,768 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
    2008-09-04 03:25 217,088 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
    2008-09-04 03:25 163,840 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
    2008-08-29 21:17 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\dllcache\srv.sys
    2008-08-28 10:04 333,056 ------w C:\WINDOWS\system32\drivers\srv.sys
    2008-08-27 08:24 3,593,216 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-08-25 08:38 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-08-25 08:37 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-08-23 05:56 635,848 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
    2008-08-23 05:54 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
    2008-08-22 23:53 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Xfire
    2008-08-22 23:52 --------- d-s---w C:\Program Files\Xfire
    2008-08-14 10:00 2,180,352 ----a-w C:\WINDOWS\system32\dllcache\ntoskrnl.exe
    2008-08-14 09:58 2,136,064 ----a-w C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
    2008-08-14 09:58 2,136,064 ------w C:\WINDOWS\system32\ntoskrnl.exe
    2008-08-14 09:51 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
    2008-08-14 09:22 2,057,728 ----a-w C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
    2008-08-14 09:22 2,015,744 ----a-w C:\WINDOWS\system32\dllcache\ntkrpamp.exe
    2008-08-14 09:22 2,015,744 ------w C:\WINDOWS\system32\ntkrnlpa.exe
    2008-08-12 22:08 42,320 ----a-w C:\WINDOWS\system32\xfcodec.dll
    2008-07-20 00:59 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
    2008-07-14 01:30 60,744 ----a-w C:\Documents and Settings\HP_Administrator\g2mdlhlpx.exe
    2007-08-07 23:25 0 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
    2007-06-24 20:31 51,592 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
    2005-11-14 22:15 532,480 ----a-w C:\Program Files\cwshredder.exe
    2006-08-28 18:35 22 -csha-w C:\WINDOWS\SMINST\HPCD.sys
    2008-05-16 22:53 1,337,471 --sha-w C:\WINDOWS\system32\JSutDfhk.ini2
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 15360]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 67584]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
    "HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 237568]
    "HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 286720]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-08 185896]
    "ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-04-10 1107848]
    "RTHDCPL"="RTHDCPL.EXE" [2006-03-07 C:\WINDOWS\RTHDCPL.EXE]
    "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 C:\WINDOWS\arpwrmsg.exe]
    "nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]

    C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-05-23 27136]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    "NoResolveSearch"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    "NoThumbnailCache"= 1 (0x1)
    "NoCommonGroups"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoLogOff"= 0 (0x0)
    "NoClose"= 0 (0x0)
    "NoSetFolders"= 0 (0x0)
    "NoFavoritesMenu"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll
    "LoadAppInit_DLLs"=1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.XFR1"= xfcodec.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\khfDtuSJ
    Notification Packages REG_MULTI_SZ scecli scecli scecli scecli

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
    "C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-29 97928]
    R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704]
    R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 598856]
    S1 nvtcpp;nvtcpp;C:\WINDOWS\system32\drivers\nvtcpp.sys [ ]
    S3 Netcom3;NetCom3 Service;C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan

    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder

    2008-10-17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe []

    2008-05-15 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
    - C:\Program Files\ErrorSmart\ErrorSmart.exe []

    2008-05-15 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
    - C:\Program Files\ErrorSmart []

    2008-10-20 C:\WINDOWS\Tasks\MP Scheduled Scan.job
    - C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

    2008-10-20 C:\WINDOWS\Tasks\Schedule Task Weekly.job
    - C:\Program Files\Registry Easy\RE.exe [2008-09-23 16:30]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{B4EFA38D-C653-493A-8187-9B44CCF284DC} - (no file)
    ShellExecuteHooks-{8A290466-39BD-419B-93DB-0E9599506654} - (no file)
    Notify-dimsntfy - (no file)
    Notify-nnnljhgE - nnnljhgE.dll


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\family\Application Data\Mozilla\Firefox\Profiles\03bi3h1q.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.comcast.net/a/
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-20 12:32:48
    Windows 5.1.2600 Service Pack 2 NTFS

    detected NTDLL code modification:
    ZwClose

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    Completion time: 2008-10-20 12:34:30
    ComboFix-quarantined-files.txt 2008-10-20 19:34:28

    Pre-Run: 192,427,937,792 bytes free
    Post-Run: 192,411,918,336 bytes free

    218 --- E O F --- 2008-10-14 21:20:18
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Open Notepad and copy and paste the text in the quote box below into it:

    Save the file to your desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.


    This will start ComboFix again. It may ask to reboot. Post the contents of ComboFix.txt in your next reply with a new HijackThis log.
     
  5. scorsting

    scorsting Thread Starter

    Joined:
    Oct 15, 2008
    Messages:
    7
    New ComboFix log:
    ComboFix 08-10-19.04 - family 2008-10-20 16:38:53.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1242 [GMT -7:00]
    Running from: C:\downloads\ComboFix.exe
    Command switches used :: C:\Documents and Settings\family\Desktop\CFScript.txt
    * Created a new restore point
    .
    /wow section not completed

    ((((((((((((((((((((((((( Files Created from 2008-09-20 to 2008-10-20 )))))))))))))))))))))))))))))))
    .

    2008-10-16 23:40 . 2008-10-16 23:40 <DIR> d-------- C:\Documents and Settings\family\Application Data\Webroot
    2008-10-15 23:18 . 2008-10-15 23:19 <DIR> d-------- C:\WINDOWS\CD95F661A5C444F5A6AAECDD91C240B7.TMP
    2008-10-15 22:55 . 2008-10-15 22:55 262,144 --a------ C:\ntuser.dat
    2008-10-15 22:43 . 2008-10-15 22:43 <DIR> d-------- C:\Program Files\IObit
    2008-10-15 21:47 . 2008-10-15 21:47 <DIR> d-------- C:\Documents and Settings\family\Application Data\Malwarebytes
    2008-10-15 21:47 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-15 21:46 . 2008-10-15 21:47 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-15 21:46 . 2008-10-15 21:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-15 21:46 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-15 20:41 . 2008-10-15 20:41 <DIR> d-------- C:\Program Files\Trend Micro
    2008-10-15 17:33 . 2008-10-15 17:39 <DIR> d-------- C:\Documents and Settings\family\Application Data\EasyJob Resume Builder
    2008-10-15 16:59 . 2008-10-20 12:29 <DIR> d-------- C:\downloads
    2008-10-13 16:45 . 2006-05-23 13:42 <DIR> d-------- C:\Documents and Settings\family\WINDOWS
    2008-10-13 16:45 . 2006-05-23 13:44 <DIR> d-------- C:\Documents and Settings\family\Application Data\Intuit
    2008-10-13 16:45 . 2008-10-20 09:24 <DIR> d-------- C:\Documents and Settings\family
    2008-10-13 16:04 . 2008-10-13 16:05 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-10-13 16:03 . 2008-10-13 16:03 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
    2008-10-07 12:38 . 2007-10-25 20:34 8,460,288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
    2008-10-06 10:07 . 2008-10-13 17:39 42 --a------ C:\WINDOWS\system32\RegistryEasy.lie
    2008-10-06 10:04 . 2008-10-20 12:00 <DIR> d-------- C:\Program Files\Registry Easy
    2008-10-06 09:18 . 2008-10-09 16:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-10-06 09:18 . 2008-10-06 09:18 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-09-27 13:13 . 2008-09-27 13:51 314 --a------ C:\WINDOWS\hegames.ini
    2008-09-27 13:00 . 2008-10-06 10:11 <DIR> d-------- C:\Program Files\sz8001
    2008-09-27 13:00 . 1994-08-23 21:00 188,960 --a------ C:\WINDOWS\system\WINGDE.DLL
    2008-09-27 13:00 . 1994-09-20 21:00 92,208 --a------ C:\WINDOWS\system\WING.DLL
    2008-09-27 13:00 . 1998-03-11 13:13 76,368 --a------ C:\WINDOWS\unvise.exe
    2008-09-27 13:00 . 1998-03-11 13:13 29,184 --a------ C:\WINDOWS\unvise32.dll
    2008-09-27 13:00 . 1994-09-20 21:00 12,800 --a------ C:\WINDOWS\system\WING32.DLL
    2008-09-27 13:00 . 1994-09-20 21:00 6,736 --a------ C:\WINDOWS\system\WINGDIB.DRV
    2008-09-27 13:00 . 1994-09-20 21:00 5,024 --a------ C:\WINDOWS\system\WINGPAL.WND
    2008-09-27 13:00 . 2008-09-27 13:00 78 --a------ C:\WINDOWS\alphax.ini
    2008-09-22 20:49 . 2008-10-12 10:06 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Move Networks

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-20 19:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-10-20 15:44 --------- d-----w C:\Program Files\Spyware Doctor
    2008-10-17 01:23 --------- d-----w C:\Program Files\Guild Wars
    2008-10-16 02:16 --------- d-----w C:\Program Files\LimeWire
    2008-10-15 23:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-10-15 00:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
    2008-10-14 01:11 --------- d-----w C:\Program Files\Steam
    2008-10-13 23:45 --------- d-----w C:\Program Files\Web Publish
    2008-10-13 15:45 --------- d-----w C:\Program Files\Paint.NET
    2008-10-06 17:11 --------- d-----w C:\Program Files\VentSrv
    2008-10-06 17:11 --------- d-----w C:\Program Files\Speeditup Free
    2008-10-06 17:11 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2008-10-06 17:11 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Ventrilo
    2008-10-06 17:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\STOPzilla!
    2008-10-03 17:41 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
    2008-09-19 02:00 --------- d-----w C:\Program Files\GameSpy Arcade
    2008-09-19 01:11 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2008-09-19 00:58 --------- d-----w C:\Program Files\Firefly Studios
    2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
    2008-09-11 23:27 --------- d-----w C:\Program Files\Windows Media Connect 2
    2008-09-07 00:04 --------- d-----w C:\Program Files\Java
    2008-09-04 03:25 61,440 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
    2008-09-04 03:25 45,056 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
    2008-09-04 03:25 44,032 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
    2008-09-04 03:25 40,960 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
    2008-09-04 03:25 341,048 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
    2008-09-04 03:25 32,768 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
    2008-09-04 03:25 32,768 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
    2008-09-04 03:25 217,088 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
    2008-09-04 03:25 163,840 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
    2008-08-29 21:17 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\dllcache\srv.sys
    2008-08-28 10:04 333,056 ------w C:\WINDOWS\system32\drivers\srv.sys
    2008-08-27 08:24 3,593,216 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-08-25 08:38 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-08-25 08:37 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-08-23 05:56 635,848 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
    2008-08-23 05:54 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
    2008-08-22 23:53 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Xfire
    2008-08-22 23:52 --------- d-s---w C:\Program Files\Xfire
    2008-08-14 10:00 2,180,352 ----a-w C:\WINDOWS\system32\dllcache\ntoskrnl.exe
    2008-08-14 09:58 2,136,064 ----a-w C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
    2008-08-14 09:58 2,136,064 ------w C:\WINDOWS\system32\ntoskrnl.exe
    2008-08-14 09:51 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
    2008-08-14 09:22 2,057,728 ----a-w C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
    2008-08-14 09:22 2,015,744 ----a-w C:\WINDOWS\system32\dllcache\ntkrpamp.exe
    2008-08-14 09:22 2,015,744 ------w C:\WINDOWS\system32\ntkrnlpa.exe
    2008-08-12 22:08 42,320 ----a-w C:\WINDOWS\system32\xfcodec.dll
    2008-07-20 00:59 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
    2008-07-14 01:30 60,744 ----a-w C:\Documents and Settings\HP_Administrator\g2mdlhlpx.exe
    2007-08-07 23:25 0 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
    2007-06-24 20:31 51,592 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
    2005-11-14 22:15 532,480 ----a-w C:\Program Files\cwshredder.exe
    2006-08-28 18:35 22 -csha-w C:\WINDOWS\SMINST\HPCD.sys
    2008-05-16 22:53 1,337,471 --sha-w C:\WINDOWS\system32\JSutDfhk.ini2
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 15360]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 67584]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
    "HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 237568]
    "HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 286720]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-08 185896]
    "ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-04-10 1107848]
    "RTHDCPL"="RTHDCPL.EXE" [2006-03-07 C:\WINDOWS\RTHDCPL.EXE]
    "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 C:\WINDOWS\arpwrmsg.exe]
    "nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]

    C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-05-23 27136]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    "NoResolveSearch"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    "NoThumbnailCache"= 1 (0x1)
    "NoCommonGroups"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoLogOff"= 0 (0x0)
    "NoClose"= 0 (0x0)
    "NoSetFolders"= 0 (0x0)
    "NoFavoritesMenu"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.XFR1"= xfcodec.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli scecli scecli scecli

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
    "C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-29 97928]
    R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704]
    R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 598856]
    S1 nvtcpp;nvtcpp;C:\WINDOWS\system32\drivers\nvtcpp.sys [ ]
    S3 Netcom3;NetCom3 Service;C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan

    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder

    2008-10-17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe []

    2008-05-15 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
    - C:\Program Files\ErrorSmart\ErrorSmart.exe []

    2008-05-15 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
    - C:\Program Files\ErrorSmart []

    2008-10-20 C:\WINDOWS\Tasks\MP Scheduled Scan.job
    - C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

    2008-10-20 C:\WINDOWS\Tasks\Schedule Task Weekly.job
    - C:\Program Files\Registry Easy\RE.exe [2008-09-23 16:30]
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-20 16:39:13
    Windows 5.1.2600 Service Pack 2 NTFS

    detected NTDLL code modification:
    ZwClose

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    Completion time: 2008-10-20 16:40:41
    ComboFix-quarantined-files.txt 2008-10-20 23:40:39
    ComboFix2.txt 2008-10-20 19:34:31

    Pre-Run: 192,393,887,744 bytes free
    Post-Run: 192,377,745,408 bytes free

    204 --- E O F --- 2008-10-14 21:20:18

    New HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:44:03 PM, on 10/20/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\arservice.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\ARPWRMSG.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Webroot\Washer\WasherSvc.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\Program Files\Windows Media Player\WMPNetwk.exe
    C:\HP\KBD\KBD.EXE
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPHUPD08] "c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
    O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = scorsting
    O17 - HKLM\Software\..\Telephony: DomainName = scorsting
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = scorsting
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = scorsting
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - Unknown owner - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe (file missing)
    O23 - Service: McAfee HackerWatch Service - Unknown owner - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe (file missing)
    O23 - Service: McAfee Redirector Service (McRedirector) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe (file missing)
    O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
    O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
    O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

    --
    End of file - 7008 bytes
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
    O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u

    Close all applications and browser windows before you click "fix checked".



    Please download OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    • Return to OTMoveIt2, right click in the "Paste Custom List Of Files/Patterns To Move" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


    If you no longer want to use McAfee and are having a hard time removing it, use the McAfee Removal Tool
    • Download the removal tool.
    • Click Save and save the file to any folder on the computer.
    • Navigate to the folder where the file is saved.
    • Make sure all McAfee application windows are closed.
    • Double-click MCPR.exe and the removal tool will start automatically.
      Note: Windows Vista users must right-click and select Run as Administrator.
    • Once the removal tool is finished, you will be prompted to restart your computer.
    • Wait for the computer to restart.


    Please download ATF Cleaner by Atribune.

    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.

    Click Exit on the Main menu to close the program.




    Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link 1 alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply with a new hijackthis log.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
     
  7. scorsting

    scorsting Thread Starter

    Joined:
    Oct 15, 2008
    Messages:
    7
    C:\WINDOWS\system32\JSutDfhk.ini2 moved successfully.

    OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 10212008_082507


    MBAM log:


    Malwarebytes' Anti-Malware 1.29
    Database version: 1302
    Windows 5.1.2600 Service Pack 2

    10/21/2008 8:45:53 AM
    mbam-log-2008-10-21 (08-45-53).txt

    Scan type: Quick Scan
    Objects scanned: 54196
    Time elapsed: 3 minute(s), 28 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    HJT log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:49:31 AM, on 10/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\arservice.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Washer\WasherSvc.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\Program Files\Windows Media Player\WMPNetwk.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HP\KBD\KBD.EXE
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPHUPD08] "c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
    O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = scorsting
    O17 - HKLM\Software\..\Telephony: DomainName = scorsting
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = scorsting
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = scorsting
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - Unknown owner - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe (file missing)
    O23 - Service: McAfee HackerWatch Service - Unknown owner - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe (file missing)
    O23 - Service: McAfee Redirector Service (McRedirector) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe (file missing)
    O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
    O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
    O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

    --
    End of file - 6860 bytes
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Your log looks fine other than the dead McAfee services.

    Are you having any problems now?
     
  9. scorsting

    scorsting Thread Starter

    Joined:
    Oct 15, 2008
    Messages:
    7
    The last two problems I've had are: my desktop keeps coming up with the Active recovery desktop white screen, so I kept changing the registry as follows: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\SafeMode\Components
    change the value of DeskHtmlVersion to 0 instead of 272, but it would always change back after a few days. The other was that my desktop background list was frozen, but now all seems to be good. I will wait and see if I still get the active desktop recovery problem, but the background list is unfrozen. There were a few other warnings that would pop up when closing sometimes, but all seem to be gone. I will let you know if there are any changes. Thank you.
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    I read a couple of articles about the Active recovery desktop white screen but did not have a machine to test any of them on. The basic thought was to right-click on the Active recovery desktop white screen in a blank area and reselect the theme you want. I don't use Active desktop, so I never get those errors on my own machine.

    Follow these steps to uninstall Combofix and tools used in the removal of malware
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    Now you should Clean up your PC

    You're welcome!


    If I come across a machine with the white screen I'll do some testing and see if I can fix it. ;)
     
  11. scorsting

    scorsting Thread Starter

    Joined:
    Oct 15, 2008
    Messages:
    7
    I think I found the problem with the active desktop recovery. I was using a program called regeasy; it's a reg optimizer, which I know some say can cause more problems than they fix. But anyways, I finally put two and two together and realized that it was happening when I used the program. Needless to say, I uninstalled regeasy.
     
  12. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Good find and thanks for sharing that information with us! (y)
     
Short URL to this thread: https://techguy.org/759596
