1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: Help, I Have Smitfraud-c

Discussion in 'Virus & Other Malware Removal' started by sandozi, Apr 9, 2008.

Thread Status:
Not open for further replies.
Advertisement
  1. sandozi

    sandozi Thread Starter

    Joined:
    Apr 9, 2008
    Messages:
    10
    i dont know how this happened, but i have this terrible virus thats messing my computer up. here is my hijackthis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 5:47:24 PM, on 4/9/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
    C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\All Users\Application Data\wjqfktuh\afyrwzcn.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\TPWRTRAY.EXE
    C:\Program Files\Apoint2K\Apntex.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\toshiba\sysstability\tsyssmon.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\713xRMTMon.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\WINDOWS\system32\ozmxkden.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: DVA Media - {4480F41F-F91F-4781-B1EA-30D261DA06AC} - C:\WINDOWS\temlxopqxpw.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\713xRMTMon.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [aaluvdbw] C:\WINDOWS\system32\ozmxkden.exe
    O4 - HKCU\..\Run: [bohzmmtt] C:\WINDOWS\system32\xwnkzari.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
    O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - C:\Documents and Settings\sandozi\Desktop\AddEmotion.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189821340335
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1189847155773
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
    O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/astropop/popcaploader_v6.cab
    O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
    O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://download-games.pogo.com/online2/pogo/mahjong_escape_ancient/PTGameLauncher.cab
    O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7BBB3B42-B5EE-4594-8BA8-781CB38ADABD}: Domain = siu.edu
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7BBB3B42-B5EE-4594-8BA8-781CB38ADABD}: NameServer = 131.230.9.10,131.230.24.10
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = siu.edu
    O17 - HKLM\System\CS1\Services\Tcpip\..\{7BBB3B42-B5EE-4594-8BA8-781CB38ADABD}: Domain = siu.edu
    O17 - HKLM\System\CS1\Services\Tcpip\..\{7BBB3B42-B5EE-4594-8BA8-781CB38ADABD}: NameServer = 131.230.9.10,131.230.24.10
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = siu.edu
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O21 - SSODL: qdnkewfa - {68434BAB-5911-489D-9EA4-DCE480BC8673} - C:\WINDOWS\qdnkewfa.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe

     
  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Hi and welcome

    Download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    --------------------------------------------------------------------
    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • ...
    --------------------------------------------------------------------

    Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**


    Please post the results with the font not so big. That's huge!
     
  3. sandozi

    sandozi Thread Starter

    Joined:
    Apr 9, 2008
    Messages:
    10
    here is the new hijackthis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:36:32 PM, on 4/9/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\All Users\Application Data\wjqfktuh\afyrwzcn.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\TPWRTRAY.EXE
    C:\Program Files\Apoint2K\Apntex.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\toshiba\sysstability\tsyssmon.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\713xRMTMon.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\WINDOWS\system32\ozmxkden.exe
    C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: DVA Media - {4480F41F-F91F-4781-B1EA-30D261DA06AC} - C:\WINDOWS\temlxopqxpw.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\713xRMTMon.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [aaluvdbw] C:\WINDOWS\system32\ozmxkden.exe
    O4 - HKCU\..\Run: [bohzmmtt] C:\WINDOWS\system32\xwnkzari.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
    O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - C:\Documents and Settings\sandozi\Desktop\AddEmotion.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189821340335
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1189847155773
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
    O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/astropop/popcaploader_v6.cab
    O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
    O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://download-games.pogo.com/online2/pogo/mahjong_escape_ancient/PTGameLauncher.cab
    O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7BBB3B42-B5EE-4594-8BA8-781CB38ADABD}: Domain = siu.edu
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7BBB3B42-B5EE-4594-8BA8-781CB38ADABD}: NameServer = 131.230.9.10,131.230.24.10
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = siu.edu
    O17 - HKLM\System\CS1\Services\Tcpip\..\{7BBB3B42-B5EE-4594-8BA8-781CB38ADABD}: Domain = siu.edu
    O17 - HKLM\System\CS1\Services\Tcpip\..\{7BBB3B42-B5EE-4594-8BA8-781CB38ADABD}: NameServer = 131.230.9.10,131.230.24.10
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = siu.edu
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O21 - SSODL: qdnkewfa - {68434BAB-5911-489D-9EA4-DCE480BC8673} - C:\WINDOWS\qdnkewfa.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee McShield (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe (file missing)
    O23 - Service: McAfee Task Manager (McTaskManager) - Unknown owner - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe




    here is the ComboFix.txt file:

    ComboFix 08-04-09.8 - sandozi 2008-04-09 19:25:18.1 - NTFSx86
    Running from: C:\Documents and Settings\sandozi\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\sandozi\Favorites\Error Cleaner.url
    C:\Documents and Settings\sandozi\Favorites\Privacy Protector.url
    C:\Documents and Settings\sandozi\Favorites\Spyware&Malware Protection.url
    C:\WINDOWS\privacy_danger
    C:\WINDOWS\privacy_danger\images\capt.gif
    C:\WINDOWS\privacy_danger\images\danger.jpg
    C:\WINDOWS\privacy_danger\images\down.gif
    C:\WINDOWS\privacy_danger\images\spacer.gif
    C:\WINDOWS\privacy_danger\index.htm
    C:\WINDOWS\rs.txt
    C:\WINDOWS\system32bdn.com
    C:\WINDOWS\system32hxiwlgpm.dat
    C:\WINDOWS\system32ssvchost.com
    C:\WINDOWS\system32taack.dat
    C:\WINDOWS\system32VBIEWER.OCX

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
    .

    2008-04-09 16:29 . 2008-04-09 16:29 <DIR> d-------- C:\Documents and Settings\sandozi\Application Data\TmpRecentIcons
    2008-04-09 15:47 . 2008-04-09 15:47 98,304 --a------ C:\WINDOWS\system32\xwnkzari.exe
    2008-04-09 13:16 . 2008-04-09 13:20 <DIR> d-------- C:\Program Files\Incomplete
    2008-04-09 13:03 . 2008-04-09 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\wjqfktuh
    2008-04-09 13:03 . 2008-04-09 09:38 241,664 --a------ C:\WINDOWS\qdnkewfa.dll
    2008-04-09 13:03 . 2008-04-09 09:38 212,992 --a------ C:\WINDOWS\temlxopqxpw.dll
    2008-04-09 13:03 . 2008-04-09 09:38 151,552 --a------ C:\WINDOWS\vnbptxlf.dll
    2008-04-09 13:03 . 2008-04-09 13:03 102,400 --a------ C:\WINDOWS\system32\ozmxkden.exe
    2008-04-09 13:03 . 2008-04-09 09:38 81,920 --a------ C:\WINDOWS\apoxqwfv.exe
    2008-04-09 12:48 . 2008-04-09 13:21 <DIR> d-------- C:\Documents and Settings\sandozi\Application Data\Uniblue
    2008-04-09 12:24 . 2008-04-09 12:24 324 --a------ C:\ituninst.bat
    2008-03-30 02:50 . 2008-03-30 02:50 <DIR> d-------- C:\Program Files\InterActual
    2008-03-26 20:20 . 2008-03-26 20:20 48 --a------ C:\WINDOWS\system32\setjava.bat
    2008-03-26 03:02 . 2008-03-26 03:12 <DIR> d-------- C:\Documents and Settings\sandozi\Application Data\mIRC
    2008-03-24 22:22 . 2008-03-24 22:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RoboForm
    2008-03-20 00:42 . 2008-03-20 11:01 2,255 --a------ C:\TelephoneNumbers.class
    2008-03-20 00:41 . 2008-03-20 11:19 4,504 --a------ C:\TelephoneNumbers.java
    2008-03-20 00:41 . 2008-03-20 03:02 3,474 --a------ C:\TelephoneNumbers.java~

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-09 18:16 --------- d-----w C:\Documents and Settings\sandozi\Application Data\LimeWire
    2008-04-09 17:32 --------- d-----w C:\Program Files\DivX
    2008-04-07 18:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-07 18:25 --------- d-----w C:\Documents and Settings\sandozi\Application Data\Move Networks
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-02-21 01:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-21 00:45 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4480F41F-F91F-4781-B1EA-30D261DA06AC}]
    2008-04-09 09:38 212992 --a------ C:\WINDOWS\temlxopqxpw.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
    "NVIEW"="nview.dll" [2003-10-17 17:02 852039 C:\WINDOWS\system32\nview.dll]
    "aaluvdbw"="C:\WINDOWS\system32\ozmxkden.exe" [2008-04-09 13:03 102400]
    "bohzmmtt"="C:\WINDOWS\system32\xwnkzari.exe" [2008-04-09 15:47 98304]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "000StTHK"="000StTHK.exe" [2001-06-23 22:28 24576 C:\WINDOWS\system32\000StTHK.exe]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-17 17:02 4866048]
    "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-07-16 02:41 126976]
    "TFncKy"="TFncKy.exe" []
    "Tpwrtray"="TPWRTRAY.EXE" [2002-03-19 22:38 217088 C:\WINDOWS\system32\TPWRTRAY.EXE]
    "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2001-11-14 04:37 147456]
    "TSysSMon"="c:\toshiba\sysstability\tsyssmon.exe" [2002-04-05 16:44 49152]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
    "TV Card Remote Control Device Monitor"="C:\WINDOWS\713xRMTMon.exe" [2006-04-25 05:20 352256]
    "ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-07-03 19:17 40960]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]

    C:\Documents and Settings\sandozi\Start Menu\Programs\Startup\
    Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-09-27 03:07:53 157008]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "QsCFVmLCtR"= C:\Documents and Settings\All Users\Application Data\wjqfktuh\afyrwzcn.exe

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= file:///C:\WINDOWS\privacy_danger\index.htm
    FriendlyName= Privacy Protection

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "qdnkewfa"= {68434BAB-5911-489D-9EA4-DCE480BC8673} - C:\WINDOWS\qdnkewfa.dll [2008-04-09 09:38 241664]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
    backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^sandozi^Start Menu^Programs^Startup^Webshots.lnk]
    path=C:\Documents and Settings\sandozi\Start Menu\Programs\Startup\Webshots.lnk
    backup=C:\WINDOWS\pss\Webshots.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Athan]
    --a------ 2007-09-06 13:25 1003520 C:\Program Files\Athan\Athan.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
    --a------ 2002-07-03 19:17 40960 C:\WINDOWS\System32\ezSP_Px.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-01-15 04:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
    --a------ 2002-05-30 19:23 163840 C:\Program Files\ltmoh\Ltmoh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2003-10-17 17:02 323584 C:\WINDOWS\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-01-10 16:27 385024 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
    --a------ 2001-08-03 19:08 73728 C:\WINDOWS\system32\TFNF5.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2007-11-28 05:48 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
    --a------ 2002-07-31 13:41 126976 C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
    C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ERSvc"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=
    "C:\\Documents and Settings\\sandozi\\Desktop\\drjava-stable-20080106-0744.exe"=
    "C:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
    "C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"=
    "C:\\Program Files\\Windows Media Player\\wmplayer.exe"=

    R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\system32\DRIVERS\TVALG.SYS [2001-09-13 21:53]
    R3 WPC54Gv3;Linksys Wireless Notebook Adapter WPC54Gv3 Driver;C:\WINDOWS\system32\DRIVERS\WPC54Gv3.SYS [2006-12-01 01:54]

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-09 17:44:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-04-09 17:48:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    "2008-04-09 17:47:57 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    .
    **************************************************************************

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-09 19:30:38
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    TV Card Remote Control Device Monitor = C:\WINDOWS\713xRMTMon.exe???????????????T?a??E3?m?a?????????????????????????????????????????x?3?????XA3?????????????????x?3??????E3?????????T?a?x?3?m?a????????????????|[email protected]????????????[email protected]?????A????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
    "ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\WINDOWS\qdnkewfa.dll
    .
    Completion time: 2008-04-09 19:34:04
    ComboFix-quarantined-files.txt 2008-04-10 00:33:29
    Pre-Run: 19,534,680,064 bytes free
    Post-Run: 19,720,724,480 bytes free
    .
    2008-04-08 23:07:06 --- E O F ---



    thanks
     
  4. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new Hijack This log

    Run ActiveScan online virus scan:
    http://www.pandasoftware.com/products/activescan.htm

    Once you are on the Panda site click the Scan your PC button.
    A new window will open...click the Check Now button.
    Enter your Country.
    Enter your State/Province.
    Enter your e-mail address and click send.
    Select either Home User or Company.
    Click the big Scan Now button.
    If it wants to install an ActiveX component allow it.
    It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    When download is complete, click on My Computer to start the scan.
    When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post the contents of the ActiveScan report.
     
  5. sandozi

    sandozi Thread Starter

    Joined:
    Apr 9, 2008
    Messages:
    10
    here is the new HijackThis log file:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:14:51 PM, on 4/9/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\TPWRTRAY.EXE
    C:\toshiba\ivp\ism\pinger.exe
    C:\toshiba\sysstability\tsyssmon.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\713xRMTMon.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\xwnkzari.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    C:\WINDOWS\system32\rundll32.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\713xRMTMon.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [aaluvdbw] C:\WINDOWS\system32\ozmxkden.exe
    O4 - HKCU\..\Run: [bohzmmtt] C:\WINDOWS\system32\xwnkzari.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
    O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - C:\Documents and Settings\sandozi\Desktop\AddEmotion.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189821340335
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1189847155773
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
    O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/astropop/popcaploader_v6.cab
    O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
    O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://download-games.pogo.com/online2/pogo/mahjong_escape_ancient/PTGameLauncher.cab
    O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7BBB3B42-B5EE-4594-8BA8-781CB38ADABD}: Domain = siu.edu
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7BBB3B42-B5EE-4594-8BA8-781CB38ADABD}: NameServer = 131.230.9.10,131.230.24.10
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = siu.edu
    O17 - HKLM\System\CS1\Services\Tcpip\..\{7BBB3B42-B5EE-4594-8BA8-781CB38ADABD}: Domain = siu.edu
    O17 - HKLM\System\CS1\Services\Tcpip\..\{7BBB3B42-B5EE-4594-8BA8-781CB38ADABD}: NameServer = 131.230.9.10,131.230.24.10
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = siu.edu
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe


    here is Report.txt:


    SDFix: Version 1.168
    Run by sandozi on Wed 04/09/2008 at 08:56 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File
    Restoring Default HomePage Value
    Restoring Default Desktop Components Value

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\WINDOWS\temlxopqxpw.dll - Deleted
    C:\WINDOWS\apoxqwfv.exe - Deleted
    C:\WINDOWS\qdnkewfa.dll - Deleted
    C:\WINDOWS\rs.txt - Deleted
    C:\WINDOWS\vnbptxlf.dll - Deleted





    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-09 21:04:39
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
    "OfflineDetectionPending"=dword:00000001
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Á”]
    "Í\x2039í\x2039T\x20acó`"=dword:00000001
    "Í\x2039í\x2039\x201c\x008feQ"=dword:00000001
    "\20\x90\20nÐc:y"=dword:00000001
    "\26Y\1xÐc:y"=dword:00000001
    "Òczz<h"=dword:00000000
    "IQ\ahß\x8d\x8f\x2013"=dword:00000001

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"="C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe:*:Enabled:pharos Com Task Master "
    "C:\\Documents and Settings\\sandozi\\Desktop\\drjava-stable-20080106-0744.exe"="C:\\Documents and Settings\\sandozi\\Desktop\\drjava-stable-20080106-0744.exe:*:Enabled:drjava-stable-20080106-0744"
    "C:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe:*:Enabled:Java(TM) Platform SE binary"
    "C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe:*:Enabled:Java(TM) Platform SE binary"
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
    "C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"
    "C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"="C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe:*:Enabled:pharos Com Task Master "

    Remaining Files :


    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Thu 27 Sep 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Thu 3 Apr 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
    Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\sandozi\Application Data\U3\temp\Launchpad Removal.exe"

    Finished!


    thanks
     
  6. sandozi

    sandozi Thread Starter

    Joined:
    Apr 9, 2008
    Messages:
    10
    here is the ActiveScan Report:

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2008-04-10 11:11:05
    PROTECTIONS: 1
    MALWARE: 7
    SUSPECTS: 1
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    McAfee VirusScan Enterprise 8.5.0.781 Yes No
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\sandozi\Cookies\[email protected][2].txt
    00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{93217781-D447-4723-AA7E-DBCD9BF40656}\RP224\A0018580.exe
    00139535 Application/Processor HackTools No 0 Yes No C:\QUARANTINE\SDFix\apps\Process.exe
    00139535 Application/Processor HackTools No 0 Yes No C:\RECYCLER\S-1-5-21-1266486392-2681017343-4103935507-1005\Dc1\Process.exe
    00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\sandozi\Desktop\SDFix.exe[SDFix\apps\Process.exe]
    00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\system32\Process.exe
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\sandozi\Cookies\[email protected][1].txt
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\sandozi\Cookies\[email protected][2].txt
    00517584 Application/SuperFast HackTools No 0 Yes No C:\RECYCLER\S-1-5-21-1266486392-2681017343-4103935507-1005\Dc1\restart.exe
    02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{93217781-D447-4723-AA7E-DBCD9BF40656}\RP225\A0018818.exe
    02887531 Cookie/UltimateCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\sandozi\Cookies\[email protected][2].txt
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location 3
    ;===================================================================================================================================================================================
    No C:\System Volume Information\_restore{93217781-D447-4723-AA7E-DBCD9BF40656}\RP225\A0018817.exe 3
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description 3
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
     
  7. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Thanks now rerun ComboFix and post the results
     
  8. sandozi

    sandozi Thread Starter

    Joined:
    Apr 9, 2008
    Messages:
    10
    here are the results:

    ComboFix 08-04-10.4 - sandozi 2008-04-10 17:33:46.3 - NTFSx86
    Running from: C:\Documents and Settings\sandozi\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
    .

    2008-04-10 05:19 . 2007-06-20 14:48 18,224 --a------ C:\WINDOWS\system32\pfdnnt.exe
    2008-04-09 22:49 . 2008-04-09 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
    2008-04-09 22:48 . 2007-10-16 20:50 171,272 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
    2008-04-09 22:48 . 2007-10-16 20:50 72,680 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
    2008-04-09 22:48 . 2007-10-16 20:50 64,168 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
    2008-04-09 22:48 . 2007-10-16 20:50 51,944 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
    2008-04-09 22:48 . 2007-10-16 20:50 33,960 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
    2008-04-09 22:47 . 2008-04-09 22:49 <DIR> d-------- C:\Program Files\McAfee
    2008-04-09 22:47 . 2008-04-09 22:47 <DIR> d-------- C:\Program Files\Common Files\McAfee
    2008-04-09 22:42 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-04-09 22:42 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-04-09 22:42 . 2008-03-29 00:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-04-09 22:42 . 2008-04-08 22:44 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-04-09 22:42 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-04-09 22:42 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-04-09 22:42 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-04-09 22:34 . 2008-04-09 22:37 2,332 --a------ C:\WINDOWS\system32\tmp.reg
    2008-04-09 21:20 . 2008-04-09 21:20 <DIR> d-------- C:\Program Files\Panda Security
    2008-04-09 20:52 . 2008-04-09 20:52 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-04-09 19:43 . 2008-04-09 19:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-04-09 19:43 . 2008-04-09 19:43 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-04-09 16:29 . 2008-04-09 16:29 <DIR> d-------- C:\Documents and Settings\sandozi\Application Data\TmpRecentIcons
    2008-04-09 15:47 . 2008-04-09 15:47 98,304 --a------ C:\WINDOWS\system32\xwnkzari.exe
    2008-04-09 13:16 . 2008-04-09 13:20 <DIR> d-------- C:\Program Files\Incomplete
    2008-04-09 13:03 . 2008-04-09 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\wjqfktuh
    2008-04-09 13:03 . 2008-04-09 13:03 102,400 --a------ C:\WINDOWS\system32\ozmxkden.exe
    2008-04-09 12:48 . 2008-04-09 13:21 <DIR> d-------- C:\Documents and Settings\sandozi\Application Data\Uniblue
    2008-04-09 12:24 . 2008-04-09 12:24 324 --a------ C:\ituninst.bat
    2008-03-30 02:50 . 2008-03-30 02:50 <DIR> d-------- C:\Program Files\InterActual
    2008-03-26 20:20 . 2008-03-26 20:20 48 --a------ C:\WINDOWS\system32\setjava.bat
    2008-03-26 03:02 . 2008-03-26 03:12 <DIR> d-------- C:\Documents and Settings\sandozi\Application Data\mIRC
    2008-03-24 22:22 . 2008-03-24 22:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RoboForm
    2008-03-20 00:42 . 2008-03-20 11:01 2,255 --a------ C:\TelephoneNumbers.class
    2008-03-20 00:41 . 2008-03-20 11:19 4,504 --a------ C:\TelephoneNumbers.java
    2008-03-20 00:41 . 2008-03-20 03:02 3,474 --a------ C:\TelephoneNumbers.java~

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-10 00:43 --------- d-----w C:\Documents and Settings\sandozi\Application Data\Apple Computer
    2008-04-09 18:16 --------- d-----w C:\Documents and Settings\sandozi\Application Data\LimeWire
    2008-04-09 17:32 --------- d-----w C:\Program Files\DivX
    2008-04-07 18:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-07 18:25 --------- d-----w C:\Documents and Settings\sandozi\Application Data\Move Networks
    2008-02-21 01:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-21 00:45 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    .

    ((((((((((((((((((((((((((((( [email protected]_19.32.46.64 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-03-25 23:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
    + 2007-07-18 18:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
    + 2008-04-09 15:45:49 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
    + 2008-04-10 01:53:10 4,317,184 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
    + 2008-04-10 01:53:11 221,184 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
    + 2008-04-09 15:45:49 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
    + 2008-04-10 01:52:57 4,317,184 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
    + 2008-04-10 01:52:58 221,184 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
    - 2008-01-16 19:41:21 10,134 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\ARPPRODUCTICON.exe
    + 2008-04-10 06:30:29 10,134 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\ARPPRODUCTICON.exe
    - 2008-01-16 19:41:21 49,152 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\CCAAgent.exe_F1E29B0E94A44304B9934829FC2ED56C.exe
    + 2008-04-10 06:30:29 49,152 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\CCAAgent.exe_F1E29B0E94A44304B9934829FC2ED56C.exe
    - 2008-01-16 19:41:22 49,152 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\CCAAgent.exe1_F1E29B0E94A44304B9934829FC2ED56C.exe
    + 2008-04-10 06:30:30 49,152 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\CCAAgent.exe1_F1E29B0E94A44304B9934829FC2ED56C.exe
    - 2008-01-16 19:41:22 45,056 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\NewShortcut2_040103006D724D54868691D884A27B5C.exe
    + 2008-04-10 06:30:31 45,056 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\NewShortcut2_040103006D724D54868691D884A27B5C.exe
    - 2008-01-16 19:41:21 8,854 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\Uninstall_CCAAgent_I_F1E29B0E94A44304B9934829FC2ED56C.exe
    + 2008-04-10 06:30:30 8,854 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\Uninstall_CCAAgent_I_F1E29B0E94A44304B9934829FC2ED56C.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
    "NVIEW"="nview.dll" [2003-10-17 17:02 852039 C:\WINDOWS\system32\nview.dll]
    "aaluvdbw"="C:\WINDOWS\system32\ozmxkden.exe" [2008-04-09 13:03 102400]
    "bohzmmtt"="C:\WINDOWS\system32\xwnkzari.exe" [2008-04-09 15:47 98304]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "000StTHK"="000StTHK.exe" [2001-06-23 22:28 24576 C:\WINDOWS\system32\000StTHK.exe]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-17 17:02 4866048]
    "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-07-16 02:41 126976]
    "TFncKy"="TFncKy.exe" []
    "Tpwrtray"="TPWRTRAY.EXE" [2002-03-19 22:38 217088 C:\WINDOWS\system32\TPWRTRAY.EXE]
    "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2001-11-14 04:37 147456]
    "TSysSMon"="c:\toshiba\sysstability\tsyssmon.exe" [2002-04-05 16:44 49152]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
    "TV Card Remote Control Device Monitor"="C:\WINDOWS\713xRMTMon.exe" [2006-04-25 05:20 352256]
    "ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-07-03 19:17 40960]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
    "ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-10-16 20:50 111952]
    "McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 10:04 136512]

    C:\Documents and Settings\sandozi\Start Menu\Programs\Startup\
    Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-09-27 03:07:53 157008]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
    backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^sandozi^Start Menu^Programs^Startup^Webshots.lnk]
    path=C:\Documents and Settings\sandozi\Start Menu\Programs\Startup\Webshots.lnk
    backup=C:\WINDOWS\pss\Webshots.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Athan]
    --a------ 2007-09-06 13:25 1003520 C:\Program Files\Athan\Athan.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
    --a------ 2002-07-03 19:17 40960 C:\WINDOWS\System32\ezSP_Px.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-01-15 04:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
    --a------ 2002-05-30 19:23 163840 C:\Program Files\ltmoh\Ltmoh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2003-10-17 17:02 323584 C:\WINDOWS\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-01-10 16:27 385024 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
    --a------ 2001-08-03 19:08 73728 C:\WINDOWS\system32\TFNF5.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2007-11-28 05:48 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
    --a------ 2002-07-31 13:41 126976 C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
    C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ERSvc"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=
    "C:\\Documents and Settings\\sandozi\\Desktop\\drjava-stable-20080106-0744.exe"=
    "C:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
    "C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

    R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\system32\DRIVERS\TVALG.SYS [2001-09-13 21:53]
    S3 WPC54Gv3;Linksys Wireless Notebook Adapter WPC54Gv3 Driver;C:\WINDOWS\system32\DRIVERS\WPC54Gv3.SYS [2006-12-01 01:54]

    *Newly Created Service* - MCAFEEFRAMEWORK
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-09 17:44:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-04-09 17:48:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    "2008-04-09 17:47:57 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    .
    **************************************************************************

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-10 17:40:40
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    TV Card Remote Control Device Monitor = C:\WINDOWS\713xRMTMon.exe???????????????T?a?xD3?m?a?????????????????????????????????x?3?????????????????????????????????x?3??????D3?????????T?a?x?3?m?a????????????????|LD3?????????????????????????????????????????????????????x?3?????T?a?h?o?m?a???????????A????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
    "ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
    .
    Completion time: 2008-04-10 17:44:18
    ComboFix-quarantined-files.txt 2008-04-10 22:43:45
    ComboFix2.txt 2008-04-10 22:23:05
    ComboFix3.txt 2008-04-10 00:34:05
    Pre-Run: 19,893,321,728 bytes free
    Post-Run: 19,882,229,760 bytes free
    .
    2008-04-08 23:07:06 --- E O F ---
     
  9. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Open Notepad and copy and paste the text in the quote box below into it:





    Save the file to you desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.



    [​IMG]



    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
     
  10. sandozi

    sandozi Thread Starter

    Joined:
    Apr 9, 2008
    Messages:
    10
    here is the hijackthis file:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:17:48 PM, on 4/11/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\TPWRTRAY.EXE
    C:\toshiba\ivp\ism\pinger.exe
    C:\toshiba\sysstability\tsyssmon.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\713xRMTMon.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\713xRMTMon.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [aaluvdbw] C:\WINDOWS\system32\ozmxkden.exe
    O4 - HKCU\..\Run: [bohzmmtt] C:\WINDOWS\system32\xwnkzari.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
    O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - C:\Documents and Settings\sandozi\Desktop\AddEmotion.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189821340335
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1189847155773
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
    O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/astropop/popcaploader_v6.cab
    O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
    O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://download-games.pogo.com/online2/pogo/mahjong_escape_ancient/PTGameLauncher.cab
    O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe


    here is the combofix log:

    ComboFix 08-04-11.5 - sandozi 2008-04-11 18:01:15.4 - NTFSx86
    Running from: C:\Documents and Settings\sandozi\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\sandozi\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\system32\ozmxkden.exe
    C:\WINDOWS\system32\pfdnnt.exe
    C:\WINDOWS\system32\xwnkzari.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\pfdnnt.exe
    C:\WINDOWS\system32\xwnkzari.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
    .

    2008-04-09 22:49 . 2008-04-09 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
    2008-04-09 22:48 . 2007-10-16 20:50 171,272 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
    2008-04-09 22:48 . 2007-10-16 20:50 72,680 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
    2008-04-09 22:48 . 2007-10-16 20:50 64,168 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
    2008-04-09 22:48 . 2007-10-16 20:50 51,944 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
    2008-04-09 22:48 . 2007-10-16 20:50 33,960 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
    2008-04-09 22:47 . 2008-04-09 22:49 <DIR> d-------- C:\Program Files\McAfee
    2008-04-09 22:47 . 2008-04-09 22:47 <DIR> d-------- C:\Program Files\Common Files\McAfee
    2008-04-09 22:42 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-04-09 22:42 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-04-09 22:42 . 2008-03-29 00:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-04-09 22:42 . 2008-04-08 22:44 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-04-09 22:42 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-04-09 22:42 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-04-09 22:42 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-04-09 22:34 . 2008-04-09 22:37 2,332 --a------ C:\WINDOWS\system32\tmp.reg
    2008-04-09 21:20 . 2008-04-09 21:20 <DIR> d-------- C:\Program Files\Panda Security
    2008-04-09 20:52 . 2008-04-09 20:52 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-04-09 19:43 . 2008-04-09 19:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-04-09 19:43 . 2008-04-09 19:43 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-04-09 16:29 . 2008-04-09 16:29 <DIR> d-------- C:\Documents and Settings\sandozi\Application Data\TmpRecentIcons
    2008-04-09 13:16 . 2008-04-09 13:20 <DIR> d-------- C:\Program Files\Incomplete
    2008-04-09 13:03 . 2008-04-09 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\wjqfktuh
    2008-04-09 12:48 . 2008-04-09 13:21 <DIR> d-------- C:\Documents and Settings\sandozi\Application Data\Uniblue
    2008-04-09 12:24 . 2008-04-09 12:24 324 --a------ C:\ituninst.bat
    2008-03-30 02:50 . 2008-03-30 02:50 <DIR> d-------- C:\Program Files\InterActual
    2008-03-26 20:20 . 2008-03-26 20:20 48 --a------ C:\WINDOWS\system32\setjava.bat
    2008-03-26 03:02 . 2008-03-26 03:12 <DIR> d-------- C:\Documents and Settings\sandozi\Application Data\mIRC
    2008-03-24 22:22 . 2008-03-24 22:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RoboForm
    2008-03-20 00:42 . 2008-03-20 11:01 2,255 --a------ C:\TelephoneNumbers.class
    2008-03-20 00:41 . 2008-03-20 11:19 4,504 --a------ C:\TelephoneNumbers.java
    2008-03-20 00:41 . 2008-03-20 03:02 3,474 --a------ C:\TelephoneNumbers.java~

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-10 00:43 --------- d-----w C:\Documents and Settings\sandozi\Application Data\Apple Computer
    2008-04-09 18:16 --------- d-----w C:\Documents and Settings\sandozi\Application Data\LimeWire
    2008-04-09 17:32 --------- d-----w C:\Program Files\DivX
    2008-04-07 18:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-07 18:25 --------- d-----w C:\Documents and Settings\sandozi\Application Data\Move Networks
    2008-02-21 01:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-21 00:45 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    .

    ((((((((((((((((((((((((((((( [email protected]_19.32.46.64 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-03-25 23:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
    + 2007-07-18 18:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
    + 2008-04-09 15:45:49 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
    + 2008-04-10 01:53:10 4,317,184 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
    + 2008-04-10 01:53:11 221,184 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
    + 2008-04-09 15:45:49 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
    + 2008-04-10 01:52:57 4,317,184 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
    + 2008-04-10 01:52:58 221,184 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
    - 2008-01-16 19:41:21 10,134 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\ARPPRODUCTICON.exe
    + 2008-04-10 06:30:29 10,134 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\ARPPRODUCTICON.exe
    - 2008-01-16 19:41:21 49,152 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\CCAAgent.exe_F1E29B0E94A44304B9934829FC2ED56C.exe
    + 2008-04-10 06:30:29 49,152 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\CCAAgent.exe_F1E29B0E94A44304B9934829FC2ED56C.exe
    - 2008-01-16 19:41:22 49,152 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\CCAAgent.exe1_F1E29B0E94A44304B9934829FC2ED56C.exe
    + 2008-04-10 06:30:30 49,152 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\CCAAgent.exe1_F1E29B0E94A44304B9934829FC2ED56C.exe
    - 2008-01-16 19:41:22 45,056 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\NewShortcut2_040103006D724D54868691D884A27B5C.exe
    + 2008-04-10 06:30:31 45,056 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\NewShortcut2_040103006D724D54868691D884A27B5C.exe
    - 2008-01-16 19:41:21 8,854 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\Uninstall_CCAAgent_I_F1E29B0E94A44304B9934829FC2ED56C.exe
    + 2008-04-10 06:30:30 8,854 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\Uninstall_CCAAgent_I_F1E29B0E94A44304B9934829FC2ED56C.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
    "NVIEW"="nview.dll" [2003-10-17 17:02 852039 C:\WINDOWS\system32\nview.dll]
    "aaluvdbw"="C:\WINDOWS\system32\ozmxkden.exe" [ ]
    "bohzmmtt"="C:\WINDOWS\system32\xwnkzari.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "000StTHK"="000StTHK.exe" [2001-06-23 22:28 24576 C:\WINDOWS\system32\000StTHK.exe]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-17 17:02 4866048]
    "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-07-16 02:41 126976]
    "TFncKy"="TFncKy.exe" []
    "Tpwrtray"="TPWRTRAY.EXE" [2002-03-19 22:38 217088 C:\WINDOWS\system32\TPWRTRAY.EXE]
    "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2001-11-14 04:37 147456]
    "TSysSMon"="c:\toshiba\sysstability\tsyssmon.exe" [2002-04-05 16:44 49152]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
    "TV Card Remote Control Device Monitor"="C:\WINDOWS\713xRMTMon.exe" [2006-04-25 05:20 352256]
    "ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-07-03 19:17 40960]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
    "ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-10-16 20:50 111952]
    "McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 10:04 136512]

    C:\Documents and Settings\sandozi\Start Menu\Programs\Startup\
    Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-09-27 03:07:53 157008]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
    backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^sandozi^Start Menu^Programs^Startup^Webshots.lnk]
    path=C:\Documents and Settings\sandozi\Start Menu\Programs\Startup\Webshots.lnk
    backup=C:\WINDOWS\pss\Webshots.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Athan]
    --a------ 2007-09-06 13:25 1003520 C:\Program Files\Athan\Athan.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
    --a------ 2002-07-03 19:17 40960 C:\WINDOWS\System32\ezSP_Px.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-01-15 04:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
    --a------ 2002-05-30 19:23 163840 C:\Program Files\ltmoh\Ltmoh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2003-10-17 17:02 323584 C:\WINDOWS\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-01-10 16:27 385024 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
    --a------ 2001-08-03 19:08 73728 C:\WINDOWS\system32\TFNF5.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2007-11-28 05:48 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
    --a------ 2002-07-31 13:41 126976 C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
    C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ERSvc"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=
    "C:\\Documents and Settings\\sandozi\\Desktop\\drjava-stable-20080106-0744.exe"=
    "C:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
    "C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

    R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\system32\DRIVERS\TVALG.SYS [2001-09-13 21:53]
    S3 WPC54Gv3;Linksys Wireless Notebook Adapter WPC54Gv3 Driver;C:\WINDOWS\system32\DRIVERS\WPC54Gv3.SYS [2006-12-01 01:54]

    *Newly Created Service* - MCAFEEFRAMEWORK
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-09 17:44:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-04-09 17:48:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    "2008-04-09 17:47:57 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    .
    **************************************************************************

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-11 18:07:24
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    TV Card Remote Control Device Monitor = C:\WINDOWS\713xRMTMon.exe???????????????T?a?xD3?m?a?????????????????????????????????x?3?????????????????????????????????x?3??????D3?????????T?a?x?3?m?a????????????????|LD3?????????????????????????????????????????????????????x?3?????T?a?h?o?m?a???????????A????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
    "ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
    .
    Completion time: 2008-04-11 18:10:34
    ComboFix-quarantined-files.txt 2008-04-11 23:10:12
    ComboFix2.txt 2008-04-10 22:44:20
    ComboFix3.txt 2008-04-10 22:23:05
    ComboFix4.txt 2008-04-10 00:34:05
    Pre-Run: 19,834,118,144 bytes free
    Post-Run: 19,823,087,616 bytes free
    .
    2008-04-08 23:07:06 --- E O F ---
     
  11. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Now post a new Hijack This log
     
  12. sandozi

    sandozi Thread Starter

    Joined:
    Apr 9, 2008
    Messages:
    10
    here is the new HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:39:41 PM, on 4/12/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\TPWRTRAY.EXE
    C:\toshiba\sysstability\tsyssmon.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\713xRMTMon.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\toshiba\ivp\ism\ivpsvmgr.exe
    C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SCAN32.EXE
    C:\Documents and Settings\sandozi\Desktop\drjava-stable-20080106-0744.exe
    C:\Program Files\Java\jre1.6.0_03\bin\javaw.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\713xRMTMon.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [aaluvdbw] C:\WINDOWS\system32\ozmxkden.exe
    O4 - HKCU\..\Run: [bohzmmtt] C:\WINDOWS\system32\xwnkzari.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
    O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - C:\Documents and Settings\sandozi\Desktop\AddEmotion.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189821340335
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1189847155773
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
    O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/astropop/popcaploader_v6.cab
    O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
    O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://download-games.pogo.com/online2/pogo/mahjong_escape_ancient/PTGameLauncher.cab
    O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7BBB3B42-B5EE-4594-8BA8-781CB38ADABD}: Domain = siu.edu
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7BBB3B42-B5EE-4594-8BA8-781CB38ADABD}: NameServer = 131.230.9.10,131.230.24.10
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = siu.edu
    O17 - HKLM\System\CS1\Services\Tcpip\..\{7BBB3B42-B5EE-4594-8BA8-781CB38ADABD}: Domain = siu.edu
    O17 - HKLM\System\CS1\Services\Tcpip\..\{7BBB3B42-B5EE-4594-8BA8-781CB38ADABD}: NameServer = 131.230.9.10,131.230.24.10
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = siu.edu
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
     
  13. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Rescan with Hijack This.
    Close all browser windows except Hijack This.
    Put a check mark beside these entries and click "Fix Checked".

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O4 - HKCU\..\Run: [aaluvdbw] C:\WINDOWS\system32\ozmxkden.exe
    O4 - HKCU\..\Run: [bohzmmtt] C:\WINDOWS\system32\xwnkzari.exe


    Reboot, post a new log.
     
  14. sandozi

    sandozi Thread Starter

    Joined:
    Apr 9, 2008
    Messages:
    10
    here is the new log:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:32:31 PM, on 4/12/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\TPWRTRAY.EXE
    C:\toshiba\ivp\ism\pinger.exe
    C:\toshiba\sysstability\tsyssmon.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\713xRMTMon.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\713xRMTMon.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
    O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - C:\Documents and Settings\sandozi\Desktop\AddEmotion.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189821340335
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1189847155773
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
    O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/astropop/popcaploader_v6.cab
    O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
    O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://download-games.pogo.com/online2/pogo/mahjong_escape_ancient/PTGameLauncher.cab
    O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
     
  15. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    How are things now?
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/702150

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice