
Stop: 0x0000007e Error problem...

Discussion in 'Virus & Other Malware Removal' started by Scottls, Dec 19, 2007.

  1. Scottls

    Scottls Thread Starter

    Joined:
    Dec 19, 2007
    Messages:
    4
    This one has me stumped. I got an HP Pavilion 516x computer (a little over 3 years old, I think) from my 'god-daughter' that looks like it had never been updated, defragged or scanned for viruses. Of course she didn't think anything about it until it finally got to the point of not working at all. It has a 2.4GHz processor with 512MB of RAM and runs Windows XP Home.

    It had either the Sasser worm or something, because it was restarting over and over again, but I figured out how to stop it by just disconnecting the Ethernet cable. Then I was able to boot it up and clean it out a bit. I used a jump drive to load it with Ad-Aware and scanned it a few times with that and the anti-spyware and antivirus that was installed with Yahoo DSL.

    Then after a lot of tinkering around, I loaded SP2 and a lot of other updates plus Windows Defender and McAfee Antivirus, but I still have a problem with it wanting to reboot quite often. I disabled the reboot feature so it would just stop at the blue screen of death with the error code. It gave me a 0X0000007E code, and I looked it up to be something about a driver problem, but even after I updated a few of the drivers it still does the same, with the same error code.

    The drivers I updated were the Intel(R) 82845G/GL/GE/PE/GV Graphics Controller, Realtek AC'97 Audio, Realtek RTL8139/810x Family Fast Ethernet NIC, and I updated the BIOS.

    Now the computer seems to load and run just fine. I can keep it attached to my home network, where it can share files and communicate with my other computers with no problem. But as soon as I enable my DSL modem and try to access the internet, it will still turn off with the same error code coming up. It does allow me to go online for a short while, and a few times it did it for quite a while without clicking off, allowing me to get a few more updates and know that everything can function correctly, but I still cannot boot it up if the Ethernet cable is connected or expect to connect to the internet every time without it shutting off again.

    The time it seems to shut off is either right away when I first get connected to the internet, or if I try to go to any Microsoft website. I thought maybe this was because there is something trying to check for new updates that is triggered by going to Microsoft.

    Any Ideas?

    P.S. I also forgot to mention that I tried to go online with both the automatic time synchronizing and auto-updates disabled, but it still cut off with the same error code.

    I would have reinstalled XP but she could not find the back up disks. :(
     
  2. ozrom1e

    ozrom1e

    Joined:
    May 15, 2006
    Messages:
    11,849
    Welcome to TSG....

    To download HJTsetup.exe from TrendSecure, click on the link below to download the HijackThis self-installer:

    http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

    Save the file to your desktop.
    Double click on the HJTsetup.exe icon on your desktop.
    By default it will install to C:\Program Files\HijackThis.
    Continue to click Next in the setup dialog boxes until you get to the Select Additional Tasks dialog.
    Put a check by Create a desktop icon then click Next again.
    Continue to follow the rest of the prompts from there.
    At the final dialog box click Finish and it will launch Hijack This.
    Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    Click Save to save the log file and then the log will open in notepad.
    At the top of the Notepad HJT log screen, click Edit, then Select All, then Edit again and Copy. Doing that copies the text to the clipboard; you won't see it yet....
    Come back here to this thread and Paste the log in your next reply.
    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
    A security expert with a gold shield to the right of their name should take a look at your log - please be patient.
     
  3. Scottls

    Scottls Thread Starter

    Joined:
    Dec 19, 2007
    Messages:
    4
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:15:49 AM, on 12/20/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\Program Files\SiteAdvisor\6172\SAService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\USB Storage RW\udsi.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    c:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    c:\PROGRA~1\mcafee\msc\mcshell.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    c:\PROGRA~1\mcafee\msc\mcuimgr.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealOne Player\rpbrowserrecordplugin.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [KYE_UDSI] "C:\Program Files\USB Storage RW\udsi.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://cc.ad-ware.cc/gjogtlpahZ2E_C3l1yYg.chm::/on.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
    O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0034.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1197503068078
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
    O20 - AppInit_DLLs: C:\WINDOWS\System32\sol718.txt
    O21 - SSODL: tkiPLA - {FCCEC30A-5664-69A0-20FE-1234C7FD6457} - C:\WINDOWS\System32\rdfwu.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
    O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

    --
    End of file - 10771 bytes
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Check and "fix" these three items in the scanlog >>

    O20 - AppInit_DLLs: C:\WINDOWS\System32\sol718.txt
    O21 - SSODL: tkiPLA - {FCCEC30A-5664-69A0-20FE-1234C7FD6457} - C:\WINDOWS\System32\rdfwu.dll (file missing)

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe

    The one above is particularly important and may be your culprit >> http://www.bleepingcomputer.com/startups/proper.exe-20479.html

    Reboot and determine if they have stayed removed; special instructions may be needed for the first --

    After that, follow these instructions to upload your recent "minidump" files >>

    I can run a debugging utility on the dump files if you do this:

    1 > create a new folder on the desktop and call it "dumpcheck" or whatever you like
    2 > navigate to %systemroot%\minidump and copy the last few minidump files to that folder. %systemroot% is normally c:\windows. They are numbered by date. You can paste that address in the address bar to get there.
    3 > close the folder and right click on it and select Send to Compressed (zipped) Folder.
    4 > use the "manage attachments" in the "advanced" reply window to upload that zip file here as an attachment.

    This might point us to a 3rd party driver causing the error, if one exists for it.
    >> you may also wish to review the "7E" errors here to see if any bells are rung:

    http://aumha.org/a/stop.php#0x7e
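The three entries singled out above (an F2 Shell= value that launches something besides Explorer.exe, an O20 AppInit_DLLs value that is a .txt rather than a .dll, and an O21 SSODL entry whose file is missing) are the kind of pattern a log reviewer learns to spot by eye. As an added example that is not part of this thread and not a HijackThis feature, the Python below parses lines in HijackThis v2 log format and applies those same rules mechanically, plus one for O16 DPF entries whose download target is an ms-its: URL or a bare .exe (the ad-ware.cc entry in the posted log). The sample lines are copied from the log posted above; the rule set and the severity labels are my own choices.

```python
"""Minimal triage of HijackThis-format log lines (added example, not a HijackThis feature)."""
import re

# Constructed sample: lines copied from the log posted in this thread, in
# HijackThis v2 format. It includes the three entries flagged in the reply
# plus ordinary entries for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://cc.ad-ware.cc/gjogtlpahZ2E_C3l1yYg.chm::/on.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\sol718.txt
O21 - SSODL: tkiPLA - {FCCEC30A-5664-69A0-20FE-1234C7FD6457} - C:\WINDOWS\System32\rdfwu.dll (file missing)
"""

# Every HijackThis entry starts with a section code such as R1, F2, O20.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_entries(text):
    """Return (code, body) pairs for every line that looks like an HJT entry."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def check_entry(code, body):
    """Apply the reviewer's rules to one entry; return a list of (severity, reason)."""
    findings = []
    if code == "F2" and body.startswith("REG:system.ini: Shell="):
        shell = body.split("Shell=", 1)[1].strip()
        # Shell= should be exactly explorer.exe; anything appended to it is
        # started at every logon alongside the desktop.
        if shell.lower() != "explorer.exe":
            findings.append(("high", "Shell= launches more than explorer.exe: " + shell))
    elif code == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        # AppInit_DLLs is loaded into every process that links user32; a value
        # with a non-.dll extension is disguising what it loads.
        if value and not value.lower().endswith(".dll"):
            findings.append(("high", "AppInit_DLLs points at a non-DLL file: " + value))
        elif value:
            findings.append(("medium", "AppInit_DLLs is set; confirm the DLL is expected: " + value))
    elif code == "O21" and body.startswith("SSODL:"):
        # SSODL entries load when the shell starts; a missing file is either a
        # leftover from a removed loader or something hiding from the scanner.
        if "(file missing)" in body:
            findings.append(("high", "SSODL entry whose file is missing: " + body))
        else:
            findings.append(("medium", "SSODL entry present; verify the DLL: " + body))
    elif code == "O16" and body.startswith("DPF:"):
        target = body.rsplit(" - ", 1)[-1].strip()
        # Downloaded Program Files should be .cab archives from a vendor site;
        # ms-its: (compiled help) URLs and bare .exe targets are not.
        if target.lower().startswith("ms-its:") or target.lower().endswith(".exe"):
            findings.append(("high", "DPF entry with ms-its: or .exe target: " + target))
    return findings


def triage(text):
    """Run every rule over a log; return [(code, severity, reason), ...]."""
    results = []
    for code, body in parse_entries(text):
        for severity, reason in check_entry(code, body):
            results.append((code, severity, reason))
    return results


if __name__ == "__main__":
    for code, severity, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {code}: {reason}")
```

Run against the sample it reports exactly four high findings, one for each of the F2, O20, O21 and ms-its O16 lines, and stays quiet on the Adobe BHO, the Realtek Run entry and the Flash .cab. The point of the medium tier is that a populated AppInit_DLLs or SSODL entry is not proof of infection on its own; it is a loading point worth checking by hand, which is why the reply says to fix the entries and then reboot to see whether they come back.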
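Steps 1 to 4 of the minidump instructions above can also be scripted. The Python below is an added example, not part of the post, and assumes the standard %systemroot%\Minidump location (C:\Windows\Minidump on a default install); the file names in the demo follow the MiniMMDDYY-NN.dmp pattern but are constructed, empty files. It selects the newest few *.dmp files by modification time and packs them into a zip ready to attach, storing only bare file names so the archive carries no absolute paths.

```python
"""Collect the newest minidumps into a zip for upload (added example, not from the thread)."""
import os
import tempfile
import time
import zipfile
from pathlib import Path


def default_minidump_dir():
    r"""%systemroot%\Minidump, which is C:\Windows\Minidump on a standard install."""
    return Path(os.environ.get("SystemRoot", r"C:\Windows")) / "Minidump"


def collect_recent_minidumps(minidump_dir, dest_zip, count=3):
    """Zip the `count` newest *.dmp files from minidump_dir into dest_zip.

    Returns the names included, newest first. An empty list means there were
    no dumps to send, which is itself worth reporting back in the thread.
    """
    src = Path(minidump_dir)
    if not src.is_dir():
        return []
    dumps = sorted(src.glob("*.dmp"), key=lambda p: p.stat().st_mtime, reverse=True)
    chosen = dumps[:count]
    with zipfile.ZipFile(dest_zip, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for p in chosen:
            # Store by bare name so the archive has no absolute paths in it.
            zf.write(p, arcname=p.name)
    return [p.name for p in chosen]


def demo_with_constructed_dumps(count=3):
    """Build a throwaway Minidump directory with five empty, constructed .dmp
    files dated a day apart, zip the newest `count`, and return
    (names_chosen, names_the_zip_actually_contains)."""
    names = ["Mini121507-01.dmp", "Mini121707-01.dmp", "Mini121907-01.dmp",
             "Mini122007-01.dmp", "Mini122107-01.dmp"]
    with tempfile.TemporaryDirectory() as tmp:
        mdir = Path(tmp) / "Minidump"
        mdir.mkdir()
        now = time.time()
        for i, name in enumerate(names):
            path = mdir / name
            path.write_bytes(b"")
            # Oldest file first; the last one gets the current time.
            stamp = now - (len(names) - 1 - i) * 86400
            os.utime(path, (stamp, stamp))
        (mdir / "notes.txt").write_text("not a dump")  # must be ignored
        out = Path(tmp) / "dumpcheck.zip"
        chosen = collect_recent_minidumps(mdir, out, count)
        with zipfile.ZipFile(out) as zf:
            contents = zf.namelist()
    return chosen, contents


if __name__ == "__main__":
    dest = Path.home() / "Desktop" / "dumpcheck.zip"
    print("packed:", collect_recent_minidumps(default_minidump_dir(), dest))
```

Selecting by modification time rather than by file name matters because the MMDDYY part of the name sorts badly across a year boundary, while the timestamp orders correctly regardless.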
     
  5. Scottls

    Scottls Thread Starter

    Joined:
    Dec 19, 2007
    Messages:
    4
    And it seems to just delete those entries. I also copied the only minidump file that was in the folder you directed me to.
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You're going to need further help. The fault occurred in an unknown and almost certainly malicious driver >>

    Post another HijackThis scanlog
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,607
    Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix and make sure you are disconnected from the Internet after downloading the program and before scanning.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix and remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again afterwards before connecting to the Internet.

    Download ComboFix and save it to your desktop.

    **Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

    Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
    • WARNING: IF you have not already done so ComboFix will disconnect your machine from the Internet when it starts.
    • Please do not re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection when Combofix has completely finished then restart your computer to restore the connection.

    Double-click on combofix.exe and follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick comboFix's window while it's running. That may cause it to stall**
     
  8. Scottls

    Scottls Thread Starter

    Joined:
    Dec 19, 2007
    Messages:
    4
    I think we've got it!!! I have to thank you all 100 times each, but what actually fixed the problem was when I ran the ComboFix program. I didn't do anything but what was listed, and I didn't watch it closely enough, but I did notice it deleted 4 to 6 things and then restarted the computer. I copied the log file afterwards and will post it along with a fresh HijackThis log as well. Out of curiosity I re-enabled the antivirus and firewall and tried to go online, and it worked. I then tested it further by rebooting the machine without disconnecting the Ethernet cable and it booted up just fine! Everything seems to be working fine. I even did a couple more updates and listened to some streaming music without any problems. I think I can give it back to her now and tell her that if she cannot be more responsible and take care of it with regular maintenance then I will not be responsible for this again. I will also tell her to find those disks and HANG ON TO THEM! Thanks again for all your help everyone!!!!! :D (y)

    here are the logs....

    ComboFix 07-12-21.4 - Owner 2007-12-21 11:39:44.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.211 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\hosts
    C:\WINDOWS\system32\bronto.dll
    C:\WINDOWS\system32\drivers\symavc32.sys
    C:\WINDOWS\system32\drivers\YNCW45.sys
    C:\WINDOWS\system32\NTSVC.ocx
    C:\WINDOWS\system32\svcp.csv
    C:\WINDOWS\system32\winsub.xml

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_YNCW45


    ((((((((((((((((((((((((( Files Created from 2007-11-21 to 2007-12-21 )))))))))))))))))))))))))))))))
    .

    2007-12-20 14:05 . 2007-12-20 14:06 <DIR> d-------- C:\Autoruns
    2007-12-20 11:34 . 2007-12-20 11:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers Headquarters
    2007-12-20 11:32 . 2007-12-20 11:32 <DIR> d-------- C:\Program Files\PC Drivers HeadQuarters
    2007-12-20 00:04 . 2007-12-20 00:04 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-19 23:21 . 2003-07-13 01:49 89,184 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
    2007-12-19 23:21 . 2003-07-13 01:49 57,344 --------- C:\WINDOWS\system32\ImageDrive.cpl
    2007-12-19 23:21 . 2003-07-13 01:49 38,912 --a------ C:\WINDOWS\system32\picn20.dll
    2007-12-19 23:20 . 2007-12-19 23:20 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2007-12-19 23:20 . 2007-12-19 23:21 <DIR> d-------- C:\Program Files\Ahead
    2007-12-19 23:20 . 2003-07-13 01:49 569,344 --a------ C:\WINDOWS\system32\imagr5.dll
    2007-12-19 23:20 . 2003-07-13 01:49 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
    2007-12-19 23:20 . 2003-07-13 01:49 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll
    2007-12-19 23:20 . 2003-07-13 01:49 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
    2007-12-19 16:13 . 2005-06-21 16:43 163,840 --a------ C:\WINDOWS\system32\igfxres.dll
    2007-12-19 16:07 . 2007-12-19 16:07 <DIR> d-------- C:\Program Files\Realtek AC97
    2007-12-19 13:41 . 2001-08-17 12:11 35,328 --a------ C:\WINDOWS\system32\drivers\pcntpci5.sys
    2007-12-19 13:41 . 2001-08-17 12:11 35,328 --a--c--- C:\WINDOWS\system32\dllcache\pcntpci5.sys
    2007-12-18 16:21 . 2003-02-13 14:13 59,392 --------- C:\WINDOWS\system32\ltremove.exe
    2007-12-18 15:15 . 2007-12-18 15:15 <DIR> d-------- C:\Program Files\MSXML 6.0
    2007-12-18 11:31 . 2007-12-21 11:45 4,310 --a------ C:\WINDOWS\system32\Config.MPF
    2007-12-18 11:26 . 2007-12-18 11:26 <DIR> d-------- C:\Program Files\SiteAdvisor
    2007-12-18 11:26 . 2007-12-18 11:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SiteAdvisor
    2007-12-18 11:26 . 2007-12-18 11:26 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
    2007-12-18 11:26 . 2007-12-18 11:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2007-12-18 11:23 . 2007-06-25 10:57 171,240 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
    2007-12-18 11:23 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
    2007-12-18 11:23 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
    2007-12-18 11:23 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
    2007-12-18 11:23 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
    2007-12-18 11:23 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
    2007-12-18 11:21 . 2007-12-18 11:22 <DIR> d-------- C:\Program Files\McAfee.com
    2007-12-18 11:21 . 2007-12-18 14:22 <DIR> d-------- C:\Program Files\McAfee
    2007-12-18 11:21 . 2007-12-18 11:23 <DIR> d-------- C:\Program Files\Common Files\McAfee
    2007-12-17 21:57 . 2007-12-18 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
    2007-12-17 19:57 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2007-12-17 19:57 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
    2007-12-17 19:55 . 2007-12-17 19:55 <DIR> d-------- C:\Program Files\MSBuild
    2007-12-17 19:45 . 2007-12-18 17:14 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
    2007-12-17 19:44 . 2007-12-17 19:44 <DIR> d-------- C:\Program Files\Reference Assemblies
    2007-12-17 19:42 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
    2007-12-17 19:41 . 2007-12-17 19:42 <DIR> d-------- C:\dca63250b0e90eeb620cf1e367
    2007-12-17 19:41 . 2006-10-04 09:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
    2007-12-17 19:41 . 2006-10-04 09:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
    2007-12-17 19:41 . 2006-10-04 09:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
    2007-12-17 19:40 . 2007-12-17 19:40 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2007-12-17 19:37 . 2007-12-17 19:37 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2007-12-17 19:37 . 2007-12-17 19:38 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
    2007-12-17 15:21 . 2006-12-08 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.exe
    2007-12-17 15:21 . 2007-04-16 15:28 577,536 --a------ C:\WINDOWS\soundman.exe
    2007-12-17 15:21 . 2006-07-31 11:19 315,392 --a------ C:\WINDOWS\alcupd.exe
    2007-12-17 15:21 . 2006-07-31 11:27 217,088 --a------ C:\WINDOWS\Alcrmv.exe
    2007-12-17 15:21 . 2006-10-18 02:53 147,456 --a------ C:\WINDOWS\system32\RtlCPAPI.dll
    2007-12-17 15:21 . 2002-02-05 13:54 141,016 --a------ C:\WINDOWS\system32\alsndmgr.wav
    2007-12-17 15:21 . 2006-08-01 15:02 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe
    2007-12-17 14:48 . 2007-12-17 14:48 <DIR> d-------- C:\Program Files\Realtek
    2007-12-17 14:47 . 2007-12-17 14:47 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
    2007-12-17 00:35 . 2007-12-17 00:35 <DIR> d-------- C:\Program Files\iPod
    2007-12-17 00:35 . 2007-12-17 00:35 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
    2007-12-17 00:35 . 2007-12-21 11:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-12-17 00:35 . 2007-12-17 00:36 1,409 --a------ C:\WINDOWS\QTFont.for
    2007-12-17 00:34 . 2007-12-17 00:35 <DIR> d-------- C:\Program Files\iTunes
    2007-12-17 00:33 . 2007-12-17 00:34 <DIR> d-------- C:\Program Files\QuickTime
    2007-12-17 00:33 . 2007-12-17 00:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-12-17 00:32 . 2007-12-17 00:32 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2007-12-17 00:32 . 2007-12-17 00:32 <DIR> d-------- C:\Program Files\Apple Software Update
    2007-12-17 00:31 . 2007-12-17 00:31 <DIR> d-------- C:\Program Files\Common Files\Apple
    2007-12-17 00:31 . 2007-12-17 00:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2007-12-17 00:10 . 2007-12-17 00:10 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2007-12-16 15:17 . 2007-12-16 15:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
    2007-12-16 11:58 . 2007-12-18 14:42 199,404 --a------ C:\WINDOWS\system32\pghash.dat
    2007-12-16 11:58 . 2007-12-17 00:06 85,800 --a------ C:\WINDOWS\system32\pguard.dat
    2007-12-16 11:54 . 2007-12-18 14:43 <DIR> d-------- C:\Program Files\ProcessGuard
    2007-12-16 11:54 . 2005-01-20 14:13 24,911 --a------ C:\WINDOWS\system32\drivers\procguard.sys
    2007-12-16 09:21 . 2007-12-16 09:21 <DIR> d-------- C:\Program Files\Alwil Software
    2007-12-16 09:21 . 2003-03-18 16:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
    2007-12-15 20:48 . 2007-12-15 21:03 <DIR> d-------- C:\Program Files\1 Click PC Fix 2007
    2007-12-15 15:17 . 2007-12-15 15:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ArcSoft
    2007-12-15 13:37 . 2007-12-15 13:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Talkback
    2007-12-15 13:29 . 2007-12-18 09:46 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
    2007-12-15 13:28 . 2003-04-10 02:00 <DIR> d-------- C:\Documents and Settings\Owner\WINDOWS
    2007-12-15 13:28 . 2003-04-10 06:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Symantec
    2007-12-15 13:28 . 2003-04-10 01:35 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Sonic
    2007-12-15 13:28 . 2003-04-10 01:27 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Share-to-Web Upload Folder
    2007-12-15 13:28 . 2003-04-10 02:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SampleView
    2007-12-15 13:28 . 2003-04-10 01:52 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InterTrust
    2007-12-15 13:28 . 2007-12-15 13:57 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\interMute
    2007-12-15 05:08 . 2007-12-15 05:08 <DIR> d-------- C:\Program Files\Microsoft Silverlight
    2007-12-15 01:13 . 2007-12-15 01:13 <DIR> d-------- C:\Program Files\Lavasoft
    2007-12-15 01:13 . 2007-12-15 01:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-12-15 01:11 . 2007-12-15 01:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-12-14 09:49 . 2007-12-14 09:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
    2007-12-14 08:59 . 2007-12-15 11:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
    2007-12-13 15:11 . 2007-08-13 21:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
    2007-12-13 14:58 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
    2007-12-13 14:58 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
    2007-12-13 14:58 . 2006-08-21 07:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
    2007-12-13 12:35 . 2007-12-13 12:35 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-12-13 12:35 . 2007-12-18 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-12-13 12:15 . 2007-07-09 08:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
    2007-12-12 19:50 . 2007-12-12 19:50 <DIR> d-------- C:\Intel

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-19 21:07 --------- d-----w C:\Program Files\Common Files\InstallShield
    2007-12-18 21:23 --------- d-----w C:\Program Files\PC-Doctor for Windows
    2007-12-18 19:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-12-17 05:10 --------- d-----w C:\Program Files\Real
    2007-12-17 05:10 --------- d-----w C:\Program Files\Common Files\Real
    2007-12-15 19:01 --------- d-----w C:\Program Files\Yahoo!
    2007-12-15 19:00 --------- d-----w C:\Program Files\Common Files\Scanner
    2007-12-15 18:58 --------- d-----w C:\Program Files\Softex
    2007-12-15 18:57 --------- d-----w C:\Program Files\Spyware Cleaner
    2007-12-15 18:53 --------- d-----w C:\Program Files\MSN Messenger
    2007-12-15 18:30 --------- d-----w C:\Program Files\Easy Internet signup
    2007-11-21 00:09 104,320 ----a-w C:\WINDOWS\system32\drivers\Rtnicxp.sys
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-10-26 16:20 4,124,352 ----a-r C:\WINDOWS\system32\drivers\alcxwdm.sys
    1758-04-10 21:37 4,263 --sh--w C:\WINDOWS\windllreg1c.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVIEW"="nview.dll" []
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 16:44]
    "KYE_UDSI"="C:\Program Files\USB Storage RW\udsi.exe" [2003-02-21 23:30]
    "Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 19:42]
    "PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 17:57]
    "wcmdmgr"="C:\WINDOWS\wt\updater\wcmdmgrl.exe" [2002-09-27 16:47]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 06:48]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 22:20]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 16:48]
    "CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-22 09:27]
    "Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" []
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 23:42]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-17 00:08]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
    "SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 16:57]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 C:\WINDOWS\soundman.exe]
    "NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2003-07-13 01:49]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 19:38]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-04-10 02:04:00]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
    C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 05:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    R2 procguard;procguard;C:\WINDOWS\system32\drivers\procguard.sys [2005-01-20 14:13]


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Microsoft Plus V7.1]
    C:\WINDOWS\igfxunit32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ViewSonic Explorer V5.3]
    C:\WINDOWS\msdtcsw32.exe
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-17 05:32:36 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-12-15 18:30:26 C:\WINDOWS\Tasks\easy Internet sign-up.job"
    - C:\PROGRA~1\EASYIN~1\HPSdpApp.exe
    "2007-12-18 16:22:34 C:\WINDOWS\Tasks\McDefragTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
    "2007-12-18 16:22:32 C:\WINDOWS\Tasks\McQcTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    "2007-12-21 16:35:56 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-21 11:46:32
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\Program Files\Softex\OmniPass\opxpgina.dll
    .
    Completion time: 2007-12-21 11:49:48 - machine was rebooted
    .
    2007-12-18 20:58:26 --- E O F ---
    ______________________________________________________________________



    and...


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:53:00 AM, on 12/21/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\Program Files\SiteAdvisor\6172\SAService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\USB Storage RW\udsi.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    c:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    C:\Program Files\iPod\bin\iPodService.exe
    c:\PROGRA~1\mcafee\msc\mcshell.exe
    C:\WINDOWS\system32\wscntfy.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    c:\PROGRA~1\mcafee\msc\mcuimgr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealOne Player\rpbrowserrecordplugin.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [KYE_UDSI] "C:\Program Files\USB Storage RW\udsi.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://cc.ad-ware.cc/gjogtlpahZ2E_C3l1yYg.chm::/on.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
    O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0034.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1197503068078
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
    O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

    --
    End of file - 10135 bytes
     
  9. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,607
    Please disable Windows Defender's real-time protection as it will interfere with the fix. You can re-enable it when we've finished the cleanup.

    • Open Windows Defender
    • Click on "Tools"
    • Click on "General Settings"
    • Scroll down to "Real-time protection options"
    • Uncheck "Turn on Real-time protection (recommended)"
    • Click "Save"



    Go to Control Panel - Add/Remove programs and remove:

    WildTangent


    Open Notepad and copy and paste the text in the quote box below into it:

    Save the file to your desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

    [screenshot: CFScript.txt being dragged onto ComboFix.exe]

    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


    Also, please do this:

    Go to Start - Search - All Files and Folders and under More advanced search options.
    Make sure there is a check by Search System Folders and Search hidden files and folders and Search system subfolders.

    Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files and Hide extensions for known file types. Now click Apply to all folders. Click Apply then OK.


    Now, go to the following link and upload each of the following files for analysis and let me know what the results are please:

    http://virusscan.jotti.org/

    C:\WINDOWS\windllreg1c.sys
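
The ComboFix and HijackThis logs earlier in this thread contain the kind of entries an analyst looks at before deciding what to send for analysis: the Find3M line for windllreg1c.sys carries a 1758 timestamp and hidden+system attributes, two Run entries are bare file names with no resolved path, and one O16 DPF entry uses an ms-its: source instead of an http CAB. The script below is an added triage example written for this thread; it is not ComboFix, HijackThis or anything the forum uses. The sample lines are copied from the logs above, and the rules (implausible timestamp, hidden+system file, bare file name or unresolved file in a Run key, non-http or non-CAB DPF source) are ordinary analyst rules of thumb that only mark an entry as worth a second look, not as malware.

```python
"""Triage helper for ComboFix Find3M / Reg Loading Points lines and
HijackThis O16 lines. Added example, not a tool from this thread."""
import re

SCAN_YEAR = 2007  # year of the scans above; nothing should post-date it

# Constructed sample: lines copied verbatim from the logs posted above.
SAMPLE_LINES = """\
2007-11-21 00:09 104,320 ----a-w C:\\WINDOWS\\system32\\drivers\\Rtnicxp.sys
2007-10-26 16:20 4,124,352 ----a-r C:\\WINDOWS\\system32\\drivers\\alcxwdm.sys
1758-04-10 21:37 4,263 --sh--w C:\\WINDOWS\\windllreg1c.sys
"NVIEW"="nview.dll" []
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\\WINDOWS\\ALCXMNTR.EXE]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" [2004-08-04 03:56]
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\\foo.mht!http://cc.ad-ware.cc/gjogtlpahZ2E_C3l1yYg.chm::/on.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0034.exe
"""

# ComboFix Find3M: "YYYY-MM-DD HH:MM size attrs path" (size is dashes for dirs)
FIND3M = re.compile(r"^(\d{4})-\d{2}-\d{2}\s+\d{2}:\d{2}\s+([\d,]+|-+)\s+([-a-z]+)\s+(.+)$")
# ComboFix Reg Loading Points: "name"="command" [resolved file info]
RUNKEY = re.compile(r'^"([^"]+)"="([^"]+)"\s+\[(.*)\]$')
# HijackThis O16: O16 - DPF: {CLSID} (friendly name) - source
DPF = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \(([^)]*)\))? - (.*)$")


def check_find3m(line):
    m = FIND3M.match(line)
    if not m:
        return []
    year, attrs, path = int(m.group(1)), m.group(3), m.group(4)
    findings = []
    if year < 1980 or year > SCAN_YEAR:
        # NTFS dates before the PC era, or after the scan, are set deliberately
        findings.append(("implausible-timestamp", path))
    if "s" in attrs and "h" in attrs:
        # hidden + system on a loose file hides it from default Explorer views
        findings.append(("hidden-system-file", path))
    return findings


def check_runkey(line):
    m = RUNKEY.match(line)
    if not m:
        return []
    name, command, resolved = m.groups()
    findings = []
    if "\\" not in command:
        # a bare name is found through the loader's search order, so locate
        # the file that actually runs before judging the entry
        findings.append(("bare-filename-in-run-key", name))
    if resolved == "":
        # ComboFix prints [] when it could not resolve the referenced file
        findings.append(("run-entry-file-not-found", name))
    return findings


def check_dpf(line):
    m = DPF.match(line)
    if not m:
        return []
    source = m.group(2).strip()
    findings = []
    scheme = source.split(":", 1)[0].lower() if ":" in source else ""
    if scheme not in ("http", "https"):
        # legitimate ActiveX installs come from http(s); ms-its:/mhtml: do not
        findings.append(("dpf-nonstandard-scheme", source))
    if not source.lower().split("?")[0].endswith(".cab"):
        # DPF normally fetches a signed CAB, not a bare executable
        findings.append(("dpf-target-not-cab", source))
    return findings


def triage(text):
    """Return (rule, subject) pairs for every line that trips a rule."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        for check in (check_find3m, check_runkey, check_dpf):
            findings.extend(check(line))
    return findings


if __name__ == "__main__":
    for rule, subject in triage(SAMPLE_LINES):
        print(f"{rule:28s} {subject}")
```

Run against the sample, the only Find3M hit is windllreg1c.sys (both rules), the Run-key hits are NVIEW and AlcxMonitor, and the O16 hits are the ms-its: entry and the pacimedia .exe; the known-good lines (Rtnicxp.sys, alcxwdm.sys, ctfmon.exe, the Flash CAB) produce nothing. Anything flagged is exactly the sort of file to submit for multi-engine analysis, which is what the reply above asks for.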
     
Short URL to this thread: https://techguy.org/663332