A whole slew of Evil!



alright
2007-01-12, 10:53
Brief history: ran Ad-Aware and removed 337 critical objects, then ran Trend Micro PC-cillin and removed another 71 out of 72; the unremovable one was TROJ_AGENT.IPV, which could not be quarantined or deleted -- attached to svchosts.exe.

Ran Panda online:


Incident Status Location

Virus:Trj/Killav.FD Disinfected Operating system
Adware:Adware/Maxifiles Not disinfected c:\program files\common files\{bc9728c9-07c9-1033-1217-020409200001}\update.exe
Adware:Adware/Maxifiles Not disinfected C:\PROGRA~1\COMMON~1\{3C972~1\Bar888.dll
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{BC9728C9-07C9-1033-1217-020409200001}\System.dll
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_current_user\software\ToolBar
Adware:adware/commad Not disinfected Windows Registry
Adware:adware/ist.yoursitebar Not disinfected Windows Registry
Adware:adware/comet Not disinfected Windows Registry
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t94dyssf.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.com.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.did-it.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.www.burstbeacon.com/]
Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.targetsaver.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.stats.drivecleaner.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.go.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.dist.belnk.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.drivecleaner.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.dist.belnk.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.drivecleaner.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.drivecleaner.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.azjmp.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.atwola.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.hc2.humanclick.com/hc/79430329]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Bobbe\Cookies\bobbe@searchportal.information[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Bobbe\Cookies\bobbe@statse.webtrendslive[2].txt
Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\Bobbe\Cookies\bobbe@targetsaver[2].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Bobbe\Cookies\bobbe@web.tickle[1].txt
Spyware:Cookie/Ysbweb Not disinfected C:\Documents and Settings\Bobbe\Cookies\bobbe@ysbweb[1].txt
Adware:Adware/888Bar Not disinfected C:\Documents and Settings\Bobbe\Desktop\install.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Bobbe\Local Settings\Temp\b116.exe
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\Bobbe\Local Settings\Temp\b122.exe[mc-0-0-0.exe]
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\Bobbe\Local Settings\Temp\b122.exe[mc-0-0-0.exe][ipwins.exe]
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\Bobbe\Local Settings\Temp\b122.exe[mc-0-0-0.exe][ipwins.dll]
Adware:Adware/Zango Not disinfected C:\Documents and Settings\Bobbe\Local Settings\Temp\ZangoToolbarInstaller.exe[ZangoInstaller.exe]
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{3C9728C9-07C9-1033-1217-020409200001}\Bar888.dll
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{3C9728C9-07C9-1033-1217-020409200001}\UnInstall.exe
Adware:Adware/Maxifiles Not disinfected

alright
2007-01-12, 10:54
C:\RECYCLER\S-1-5-21-2592634548-1854280533-1869780927-1006\Dc1\system.dll
Adware:Adware/Maxifiles Not disinfected C:\RECYCLER\S-1-5-21-2592634548-1854280533-1869780927-1006\Dc1\Update.exe
Adware:Adware/888Bar Not disinfected C:\utc.exe[install.exe]
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20060908-131812.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20060908-131813.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20060908-131814.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20060908-131815.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20060908-131816.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.msn
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\SYSTEM32\pe.exe


Ran Spybot in Safe Mode until 0 red objects remained. Then HJT:

Logfile of HijackThis v1.99.1
Scan saved at 11:41:54 PM, on 1/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\{BC9728C9-07C9-1033-1217-020409200001}\Update.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\trmsvfxt\winlogon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C972~1\Bar888.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C972~1\Bar888.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [{BC9728C9-07C9-1033-1217-020409200001}] "C:\Program Files\Common Files\{BC9728C9-07C9-1033-1217-020409200001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - Startup: winlogon.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168576784875
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


How's it looking?

You guys have an amazing forum here. Thanks in advance :bigthumb:
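An added triage example, not part of this thread and not code from HijackThis, ComboFix or any of the scanners named above: a small Python script that reads HijackThis-style log lines and flags the kinds of entries the log above contains (a non-empty win.ini `load=`, a core Windows binary running from the wrong folder, a near-miss name such as svchosts.exe, a startup item or service pointing at a missing file, an "Unknown owner" service, and binaries launched from GUID-named folders under Common Files). The sample lines are copied from the log in this thread with two clean entries added for contrast; the SYSTEM_BINARIES and SYSTEM_DIRS lists assume a default Windows XP install on C: and the heuristics are this example's own, not HijackThis rules.

```python
"""Heuristic triage of HijackThis-style log lines (added example, not tool code)."""
import re

# Constructed sample: lines copied from the HijackThis log in this thread,
# plus two clean entries (jusched.exe, TmPfw.exe) for contrast.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\trmsvfxt\winlogon.exe
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C972~1\Bar888.dll
O4 - HKLM\..\Run: [{BC9728C9-07C9-1033-1217-020409200001}] "C:\Program Files\Common Files\{BC9728C9-07C9-1033-1217-020409200001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - Startup: winlogon.lnk = ?
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
"""

# Assumption: default Windows XP layout on C:. Core binaries and the only
# directories they legitimately run from.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

# A drive-letter path up to the first .exe/.dll/.sys; tolerates spaces and 8.3 names.
PATH_RE = re.compile(r'[a-z]:\\[^"]*?\.(?:exe|dll|sys)\b', re.I)


def within_one_edit(a, b):
    """True if a and b differ by at most one insert, delete or substitution
    (catches look-alike names such as svchosts.exe vs svchost.exe)."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # extra char in a
        elif len(b) > len(a):
            j += 1          # extra char in b
        else:
            i += 1          # substitution
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def check_path(path):
    """Reasons a single binary path looks suspicious (empty list = fine)."""
    reasons = []
    directory, _, name = path.lower().rpartition("\\")
    if name in SYSTEM_BINARIES:
        if directory not in SYSTEM_DIRS:
            reasons.append(f"{name} is running from {directory} instead of the Windows system directory")
    else:
        for real in SYSTEM_BINARIES:
            if within_one_edit(name, real):
                reasons.append(f"{name} is a near-miss of the Windows binary {real}")
                break
    # Adware in this thread lives in {GUID}-named folders under Common Files.
    if any(part.startswith("{") for part in directory.split("\\")):
        reasons.append(f"{name} lives in a GUID-named folder ({directory})")
    return reasons


def triage_line(line):
    """Return a list of reason strings for one HJT log line (empty = nothing odd)."""
    reasons = []
    section = line.split(" - ", 1)[0].strip()      # e.g. "O23", "F3"
    if section == "F3" and re.search(r"\bload=\S", line, re.I):
        reasons.append("win.ini load= is normally empty; something else is being loaded at logon")
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("orphaned entry: registry points at a file that no longer exists")
    if section == "O23" and "Unknown owner" in line:
        reasons.append("service binary carries no vendor/company information")
    if section == "O4" and line.rstrip().endswith("= ?"):
        reasons.append("Startup shortcut whose target could not be resolved")
    for path in PATH_RE.findall(line):
        reasons.extend(check_path(path))
    return reasons


def triage_log(text):
    """Return [(line, reasons), ...] for every non-empty line that raised a flag."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for flagged, why in triage_log(SAMPLE_LOG):
        print(flagged)
        for r in why:
            print("   ->", r)
```

On the sample above this flags six of the eight lines and leaves the Java updater and the Trend Micro firewall service alone. It is a first-pass filter only: a GUID-named folder or a missing file is a prompt to look closer, not proof of infection, and a clean-looking path says nothing about what the file actually is.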

teacup61
2007-01-14, 23:34
Hello alright,

Welcome to Safer Networking Forums :)

You still have some nasties with you there.:sick:

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

alright
2007-01-16, 09:13
Note: After ComboFix had finished initially scanning, the desktop went blank and a blue ComboFix window, titled simply ComboFix.exe, remained open that only said:

"C:\Program Files\Common Files\{BC972~1"
Rebooting Windows

On top of that appeared another black ComboFix window, titled C:\sUBs\ComboFix.exe, which eventually produced an error and brought up the "Please Notify Windows about this Error -- Send / Do Not Send" dialog; I hit Do Not Send and waited for Windows to restart. Not sure if this is abnormal, but I thought I'd include it. Anyhow, the logs:

"Bobbe" - 07-01-15 21:38:30 Service Pack 2
ComboFix 07-01-15 - Running from: "C:\Documents and Settings\Bobbe\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\trmsvfxt\winlogon.ini
C:\Program Files\INSTALL.LOG
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\unsvchosts.lzma
C:\Program Files\Common Files\{3C972~1
C:\Program Files\Common Files\{BC972~1
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\WINDOWS\SCURIT~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-15 to 2007-01-15 ))))))))))))))))))))))))))))))))))


2007-01-15 21:45 <DIR> d-------- C:\WINDOWS\erdnt
2007-01-12 19:06 <DIR> d-------- C:\DOCUME~1\PUBLIC~1\Application Data\HP
2007-01-12 19:01 <DIR> d-------- C:\DOCUME~1\PUBLIC~1\WINDOWS
2007-01-12 19:01 <DIR> d-------- C:\DOCUME~1\PUBLIC~1\Application Data\Gtek
2007-01-11 23:01 127,208 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-01-11 20:37 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-01-11 20:23 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2007-01-11 20:19 <DIR> d-------- C:\hijackthis
2007-01-11 16:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Trend Micro
2007-01-11 16:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Avg7
2007-01-11 16:24 <DIR> d-------- C:\Program Files\Trend Micro
2007-01-11 14:09 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\AVG7
2007-01-11 14:07 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Sun
2007-01-11 14:03 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-01-11 14:03 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Gtek
2007-01-11 02:14 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-01-10 23:49 76,560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-01-10 23:47 <DIR> d-------- C:\WINDOWS\Sun
2007-01-10 23:47 <DIR> d-------- C:\DOCUME~1\Bobbe\Application Data\Sun
2007-01-10 23:47 <DIR> d-------- C:\DOCUME~1\Bobbe\.housecall6.6
2007-01-10 23:45 <DIR> d-------- C:\Program Files\Java
2007-01-10 23:45 <DIR> d-------- C:\Program Files\Common Files\Java
2007-01-10 23:10 <DIR> d-------- C:\DOCUME~1\Bobbe\Application Data\HP
2007-01-10 23:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\HP
2007-01-10 23:06 <DIR> d-------- C:\bin
2007-01-10 23:03 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2007-01-10 23:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Sonic
2007-01-10 22:56 <DIR> d-------- C:\Program Files\Common Files\HP
2007-01-10 22:53 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-01-10 22:52 77,824 -ra------ C:\WINDOWS\SYSTEM32\HPZIDS01.dll
2007-01-10 22:52 49,664 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\HPZid412.sys
2007-01-10 22:52 16,496 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\HPZipr12.sys
2007-01-10 22:51 38,400 --a------ C:\WINDOWS\SYSTEM32\hpz3l054.dll
2007-01-10 22:50 94,208 --a------ C:\WINDOWS\SYSTEM32\HPZipt12.dll
2007-01-10 22:50 69,632 --a------ C:\WINDOWS\SYSTEM32\HPZipm12.exe
2007-01-10 22:50 65,536 --a------ C:\WINDOWS\SYSTEM32\HPZinw12.exe
2007-01-10 22:50 57,344 --a------ C:\WINDOWS\SYSTEM32\HPZisn12.dll
2007-01-10 22:50 278,584 --a------ C:\WINDOWS\SYSTEM32\HPZidr12.dll
2007-01-10 22:50 204,800 --a------ C:\WINDOWS\SYSTEM32\HPZipr12.dll
2007-01-10 22:49 <DIR> d-------- C:\Program Files\HP
2007-01-10 22:43 31,616 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbccgp.sys
2007-01-10 22:43 25,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbprint.sys
2007-01-10 22:22 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData
2007-01-10 21:54 <DIR> d-------- C:\Program Files\Mozilla Firefox
2006-12-30 13:55 <DIR> d--hs---- C:\WINDOWS\SYSTEM32\trmsvfxt
2006-12-29 13:37 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\ZangoToolbar
2006-12-29 13:24 <DIR> d--hs---- C:\WINDOWS\Qm9iYmU
2006-12-29 08:39 2 --a------ C:\WINDOWS\SYSTEM32\wcpsvcc.exe
2006-12-29 08:07 <DIR> d-------- C:\WINDOWS\rizk
2006-12-29 08:07 <DIR> d-------- C:\Program Files\Common Files\rizk
2006-12-29 03:31 93,509 --a------ C:\WINDOWS\SYSTEM32\pe.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-11 21:25 -------- d-------- C:\Program Files\quicktime
2007-01-11 21:25 -------- d-------- C:\Program Files\quickenw
2007-01-11 21:25 -------- d-------- C:\Program Files\palmone
2007-01-11 21:15 -------- d-------- C:\Program Files\d-link airplus
2007-01-10 23:47 -------- d-------- C:\Documents and Settings\Bobbe\Application Data\sun
2007-01-10 23:10 -------- d-------- C:\Documents and Settings\Bobbe\Application Data\hp
2007-01-10 22:54 -------- d-------- C:\Program Files\hewlett-packard
2007-01-10 22:39 -------- d-------- C:\Documents and Settings\Bobbe\Application Data\mozilla
2007-01-10 22:36 -------- d-------- C:\Program Files\yahoo!
2007-01-10 22:35 -------- d-------- C:\Program Files\there
2007-01-10 22:35 -------- d-------- C:\Documents and Settings\Bobbe\Application Data\yahoo!
2007-01-10 22:21 -------- d--h----- C:\Program Files\installshield installation information
2007-01-10 17:50 -------- d-------- C:\Program Files\jobclock
2006-12-30 13:55 359808 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tcpip.sys
2006-12-26 00:02 -------- d-------- C:\Documents and Settings\Bobbe\Application Data\zangotoolbar
2006-12-06 20:29 2374472 --a------ C:\WINDOWS\SYSTEM32\wmvcore.dll
2006-11-26 23:45 60416 --------- C:\WINDOWS\SYSTEM32\tzchange.exe
2006-11-07 20:06 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-11-04 20:25 1321744 --a------ C:\WINDOWS\SYSTEM32\msxml6.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\SYSTEM32\msxml4.dll
2006-10-19 13:33 86728 --a------ C:\WINDOWS\SYSTEM32\msxml6r.dll
2006-10-19 04:56 713216 --a------ C:\WINDOWS\SYSTEM32\sxs.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"winlogon"=""
"OE"="\"C:\\Program Files\\Trend Micro\\Internet Security 2007\\TMAS_OE\\TMAS_OEMon.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"POINTER"="point32.exe"
"QAGENT"="C:\\Program Files\\QUICKENW\\QAGENT.EXE"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"mmtask"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe\""
"{BC9728C9-07C9-1033-1217-020409200001}"="\"C:\\Program Files\\Common Files\\{BC9728C9-07C9-1033-1217-020409200001}\\Update.exe\" te-110-12-0000282"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2007\\pccguide.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoAdminPage"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://www.worldofwarcraft.com/downloads/wallpapers/images/battlegrounds2/battlegrounds2-800x.jpg

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source REG_SZ http://www.worldofwarcraft.com/downloads/wallpapers/images/blackwing/blackwing-800x.jpg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


Completion time: 07-01-15 21:51:58

alright
2007-01-16, 09:14
Logfile of HijackThis v1.99.1
Scan saved at 10:09:46 PM, on 1/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\trmsvfxt\winlogon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [{BC9728C9-07C9-1033-1217-020409200001}] "C:\Program Files\Common Files\{BC9728C9-07C9-1033-1217-020409200001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168576784875
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

teacup61
2007-01-16, 16:37
Hello,

Could you please tell me if you know this folder, located in Program Files? C:\Program Files\there Thanks. :)

Please download, install, and update AVG Anti-Spyware (formerly Ewido) (http://www.ewido.net/en/download/)


Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
After the update finishes (the status bar at the bottom will display "Update successful")
Close AVG. Do not run it yet.


Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F3 - REG:win.ini: load=C:\WINDOWS\system32\trmsvfxt\winlogon.exe
O2 - BHO: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [{BC9728C9-07C9-1033-1217-020409200001}] "C:\Program Files\Common Files\{BC9728C9-07C9-1033-1217-020409200001}\Update.exe" te-110-12-0000282
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)

Close all browsers and other windows except for HijackThis!, and click "Fix Checked".

Navigate to and delete the following folders/files (if they exist):

C:\WINDOWS\SYSTEM32\pe.exe<---this file
C:\WINDOWS\system32\trmsvfxt<---this folder
C:\Program Files\Common Files\{BC9728C9-07C9-1033-1217-020409200001}<---this folder
C:\WINDOWS\system32\svchosts.exe<---this file. Be SURE of the exact spelling. Do not delete svchost by mistake. The one you want has an "s" on the end.


In Safe Mode, load AVG Anti-Spyware and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Restart back into Normal Mode.


In your reply, please post the report from AVG and a new HijackThis log. Please also let me know how your computer is running. :)

Thanks,
tea
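
As an added example (not part of this thread, and not code from HijackThis, AVG Anti-Spyware or ComboFix), the following Python script applies the checks behind the entries tea asked to have fixed, so that the reasoning is explicit and can be reused on another log: a near-miss of a system binary name (svchosts.exe beside the genuine svchost.exe), a genuine system name loaded from outside its system directory (the trmsvfxt\winlogon.exe entry), a Run entry keyed by a bare GUID, a service with an unknown owner or missing file, a legacy win.ini load= autostart, and BHO/toolbar registrations with no backing file. The sample lines are copied from the logs in this thread; the list of system binaries, the system directories and the 0.9 similarity threshold are assumptions of the example.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread (not part of HijackThis, AVG Anti-Spyware or
ComboFix).  It flags the kinds of entries tea asked to have fixed so the
reasoning behind each one is explicit.  The sample lines are copied from
the logs in the thread; the list of system binaries and the similarity
threshold are assumptions of this example.
"""
import re
from difflib import SequenceMatcher

# Windows XP system binaries that malware imitates by adding or swapping a
# character (svchosts.exe instead of svchost.exe).  Assumed list, not exhaustive.
KNOWN_SYSTEM_BINARIES = (
    "svchost.exe", "winlogon.exe", "lsass.exe", "services.exe",
    "smss.exe", "csrss.exe", "explorer.exe", "spoolsv.exe",
)

# Directories where the genuine copies of those binaries live (lower-case).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows")

# Similarity (difflib ratio) above which a name counts as a lookalike.
LOOKALIKE_THRESHOLD = 0.9

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|\r\n]*?\.(?:exe|dll|sys)', re.IGNORECASE)
RUN_NAME_RE = re.compile(r"\\Run: \[(.+?)\]")


def lookalike_of(filename):
    """Return the system binary that `filename` imitates, or None.

    A name that is itself on the list is spelled correctly; anything else
    within LOOKALIKE_THRESHOLD of a list entry is reported,
    e.g. 'svchosts.exe' -> 'svchost.exe'.
    """
    name = filename.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    best = max(KNOWN_SYSTEM_BINARIES,
               key=lambda known: SequenceMatcher(None, name, known).ratio())
    if SequenceMatcher(None, name, best).ratio() >= LOOKALIKE_THRESHOLD:
        return best
    return None


def triage_line(line):
    """Return the reasons a HijackThis line deserves a closer look ([] = none)."""
    reasons = []
    kind = line.split(" - ", 1)[0].strip()          # "O4", "O23", "F3", ...

    # 1. Lookalike names, or a genuine system name outside its system directory
    #    (the F3 entry loads winlogon.exe from system32\trmsvfxt, not system32).
    for path in PATH_RE.findall(line):
        directory, _, filename = path.rpartition("\\")
        imitated = lookalike_of(filename)
        if imitated:
            reasons.append(f"{filename} imitates system binary {imitated}")
        elif (filename.lower() in KNOWN_SYSTEM_BINARIES
              and directory.lower() not in SYSTEM_DIRS):
            reasons.append(f"{filename} outside its system directory ({directory})")

    # 2. Autostart entries named by a bare GUID carry no hint of what they are.
    match = RUN_NAME_RE.search(line)
    if match and GUID_RE.match(match.group(1)):
        reasons.append("Run entry named by a bare GUID")

    # 3. Services with no identifiable vendor, or whose binary is already gone.
    if kind == "O23" and ("Unknown owner" in line or "(file missing)" in line):
        reasons.append("service with unknown owner or missing file")

    # 4. win.ini load= is a legacy autostart that current software does not use.
    if kind == "F3" and "load=" in line:
        reasons.append("legacy win.ini load= autostart")

    # 5. BHO/toolbar registrations with no backing file are leftovers worth removing.
    if kind in ("O2", "O3") and "(no file)" in line:
        reasons.append(f"{kind} registration with no backing file")

    return reasons


def triage(lines):
    """Map each flagged line to its reasons; clean lines are omitted."""
    flagged = {}
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            flagged[line] = reasons
    return flagged


# Lines copied from the logs in this thread, plus three clean ones for contrast.
SAMPLE_LINES = [
    r"F3 - REG:win.ini: load=C:\WINDOWS\system32\trmsvfxt\winlogon.exe",
    r"O2 - BHO: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)",
    r"O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)",
    r'O4 - HKLM\..\Run: [{BC9728C9-07C9-1033-1217-020409200001}] "C:\Program Files\Common Files\{BC9728C9-07C9-1033-1217-020409200001}\Update.exe" te-110-12-0000282',
    r'O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)',
    r"O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe",
    r"O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe",
    r"C:\WINDOWS\system32\svchost.exe",
]

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LINES).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run it as a script and it lists only the five lines above that tea asked to fix, each with its reasons; the HotKeysCmds, tmproxy and genuine svchost.exe lines stay silent. The lookalike check uses a similarity ratio rather than exact spelling so that it catches the one-character variants the "Be SURE of the exact spelling" warning is about, which is also why the known-binary list only contains names that are worth imitating.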

teacup61
2007-01-16, 18:16
Addition please:

After you complete the above instructions, please run ComboFix again and post the report. :)

Thank you!

alright
2007-01-16, 23:41
Posting a small update on a separate computer while I wait for the AVG Scan to complete:

All of the HijackThis! items were found and removed; however:

C:\Program Files\Common Files\{BC9728C9-07C9-1033-1217-020409200001}<---this folder
C:\WINDOWS\system32\svchosts.exe<---this file. Be SURE of the exact spelling. Do not delete svchost by mistake. The one you want has an "s" on the end.

These did not exist afterwards, so no action was taken. I did enable "Show Hidden Files / Folders" as well as uncheck "Hide System Files" to ensure they were not present.


Could you please tell me if you know this folder, located in Program Files? C:\Program Files\there Thanks.

This folder is not familiar and will not be missed. Also, a folder \QooBox\ has appeared (I do not recall seeing it a few days ago) in, if I remember correctly off the top of my head, the \System32\ folder.

Will post again upon completion of the remaining steps.

teacup61
2007-01-17, 02:54
Hello,

Qoo Box is part of ComboFix, so not to worry. :) I'll be waiting for the rest....thanks.

tea

alright
2007-01-17, 06:40
OK, it went well as far as I can tell. AVG reported several objects, including Trojan.small, but recommended Ignore Once as the appropriate action for all of them -- Trojan.small seemed a little strange to simply ignore, so I took it upon myself to Quarantine it, as will be shown in the logs. And here they are:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:05:42 PM 1/16/2007

+ Scan result:



C:\RECYCLER\S-1-5-21-2592634548-1854280533-1869780927-1006\Dc1.exe -> Adware.MaxSearch : Ignored.
HKU\S-1-5-21-2592634548-1854280533-1869780927-1006\Software\ToolBar -> Adware.WebSearch : Ignored.
HKU\S-1-5-21-2592634548-1854280533-1869780927-1006\Software\ToolBar\all -> Adware.WebSearch : Ignored.
HKU\S-1-5-21-2592634548-1854280533-1869780927-1006\Software\ToolBar\all\History -> Adware.WebSearch : Ignored.
:mozilla.93:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.22:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Adbrite : Ignored.
:mozilla.23:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Adbrite : Ignored.
:mozilla.24:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Adbrite : Ignored.
:mozilla.25:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Adbrite : Ignored.
:mozilla.26:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Adbrite : Ignored.
C:\Documents and Settings\Bobbe\Cookies\bobbe@adbrite[1].txt -> TrackingCookie.Adbrite : Ignored.
:mozilla.406:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Burstbeacon : Ignored.
:mozilla.480:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Burstnet : Ignored.
:mozilla.79:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Burstnet : Ignored.
:mozilla.80:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Burstnet : Ignored.
:mozilla.94:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Com : Ignored.
:mozilla.100:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Cpvfeed : Ignored.
:mozilla.101:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Cpvfeed : Ignored.
:mozilla.98:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Cpvfeed : Ignored.
:mozilla.99:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Cpvfeed : Ignored.
C:\Documents and Settings\Bobbe\Cookies\bobbe@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Ignored.
C:\Documents and Settings\LocalService\Cookies\system@enhance[2].txt -> TrackingCookie.Enhance : Ignored.
:mozilla.422:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Googleadservices : Ignored.
:mozilla.423:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Googleadservices : Ignored.
:mozilla.321:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Information : Ignored.
C:\Documents and Settings\Bobbe\Cookies\bobbe@searchportal.information[2].txt -> TrackingCookie.Information : Ignored.
:mozilla.313:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Liveperson : Ignored.
:mozilla.314:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Liveperson : Ignored.
:mozilla.315:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Liveperson : Ignored.
:mozilla.323:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Liveperson : Ignored.
:mozilla.324:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Liveperson : Ignored.
:mozilla.326:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Liveperson : Ignored.
:mozilla.327:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Liveperson : Ignored.
:mozilla.328:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Liveperson : Ignored.
C:\Documents and Settings\Bobbe\Cookies\bobbe@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Ignored.
C:\Documents and Settings\Bobbe\Cookies\bobbe@sec1.liveperson[2].txt -> TrackingCookie.Liveperson : Ignored.
C:\Documents and Settings\Bobbe\Cookies\bobbe@server.lon.liveperson[1].txt -> TrackingCookie.Liveperson : Ignored.
:mozilla.32:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Specificclick : Ignored.
:mozilla.33:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Specificclick : Ignored.
:mozilla.34:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Specificclick : Ignored.
:mozilla.354:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Tacoda : Ignored.
:mozilla.355:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Tacoda : Ignored.
:mozilla.356:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Tacoda : Ignored.
:mozilla.357:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Tacoda : Ignored.
:mozilla.42:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Tacoda : Ignored.
C:\Documents and Settings\Bobbe\Cookies\bobbe@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Ignored.
C:\Documents and Settings\Bobbe\Cookies\bobbe@login.tracking101[1].txt -> TrackingCookie.Tracking101 : Ignored.
:mozilla.364:C:\Documents and Settings\Bobbe\Application Data\Mozilla\Firefox\Profiles\zfnf69qu.default\cookies.txt -> TrackingCookie.Trafic : Ignored.
:mozilla.11:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t94dyssf.default\cookies.txt -> TrackingCookie.Webtrendslive : Ignored.
C:\WINDOWS\SYSTEM32\wcpsvcc.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end



HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 7:26:50 PM, on 1/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168576784875
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

alright
2007-01-17, 06:42
"Bobbe" - 07-01-16 19:28:34 Service Pack 2
ComboFix 07-01-15 - Running from: "C:\Documents and Settings\Bobbe\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\WINDOWS\SCURIT~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-16 to 2007-01-16 ))))))))))))))))))))))))))))))))))


2007-01-16 12:09 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-01-16 12:08 <DIR> d-------- C:\Program Files\Grisoft
2007-01-15 21:45 <DIR> d-------- C:\WINDOWS\erdnt
2007-01-12 19:06 <DIR> d-------- C:\DOCUME~1\PUBLIC~1\Application Data\HP
2007-01-12 19:01 <DIR> d-------- C:\DOCUME~1\PUBLIC~1\WINDOWS
2007-01-12 19:01 <DIR> d-------- C:\DOCUME~1\PUBLIC~1\Application Data\Gtek
2007-01-11 23:01 127,208 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-01-11 20:37 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-01-11 20:23 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2007-01-11 20:19 <DIR> d-------- C:\hijackthis
2007-01-11 16:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Trend Micro
2007-01-11 16:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Avg7
2007-01-11 16:24 <DIR> d-------- C:\Program Files\Trend Micro
2007-01-11 14:09 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\AVG7
2007-01-11 14:07 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Sun
2007-01-11 14:03 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-01-11 14:03 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Gtek
2007-01-11 02:14 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-01-10 23:49 76,560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-01-10 23:47 <DIR> d-------- C:\WINDOWS\Sun
2007-01-10 23:47 <DIR> d-------- C:\DOCUME~1\Bobbe\Application Data\Sun
2007-01-10 23:47 <DIR> d-------- C:\DOCUME~1\Bobbe\.housecall6.6
2007-01-10 23:45 <DIR> d-------- C:\Program Files\Java
2007-01-10 23:45 <DIR> d-------- C:\Program Files\Common Files\Java
2007-01-10 23:10 <DIR> d-------- C:\DOCUME~1\Bobbe\Application Data\HP
2007-01-10 23:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\HP
2007-01-10 23:06 <DIR> d-------- C:\bin
2007-01-10 23:03 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2007-01-10 23:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Sonic
2007-01-10 22:56 <DIR> d-------- C:\Program Files\Common Files\HP
2007-01-10 22:53 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-01-10 22:52 77,824 -ra------ C:\WINDOWS\SYSTEM32\HPZIDS01.dll
2007-01-10 22:52 49,664 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\HPZid412.sys
2007-01-10 22:52 16,496 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\HPZipr12.sys
2007-01-10 22:51 38,400 --a------ C:\WINDOWS\SYSTEM32\hpz3l054.dll
2007-01-10 22:50 94,208 --a------ C:\WINDOWS\SYSTEM32\HPZipt12.dll
2007-01-10 22:50 69,632 --a------ C:\WINDOWS\SYSTEM32\HPZipm12.exe
2007-01-10 22:50 65,536 --a------ C:\WINDOWS\SYSTEM32\HPZinw12.exe
2007-01-10 22:50 57,344 --a------ C:\WINDOWS\SYSTEM32\HPZisn12.dll
2007-01-10 22:50 278,584 --a------ C:\WINDOWS\SYSTEM32\HPZidr12.dll
2007-01-10 22:50 204,800 --a------ C:\WINDOWS\SYSTEM32\HPZipr12.dll
2007-01-10 22:49 <DIR> d-------- C:\Program Files\HP
2007-01-10 22:43 31,616 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbccgp.sys
2007-01-10 22:43 25,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbprint.sys
2007-01-10 22:22 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData
2007-01-10 21:54 <DIR> d-------- C:\Program Files\Mozilla Firefox
2006-12-29 13:37 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\ZangoToolbar
2006-12-29 13:24 <DIR> d--hs---- C:\WINDOWS\Qm9iYmU
2006-12-29 08:07 <DIR> d-------- C:\WINDOWS\rizk
2006-12-29 08:07 <DIR> d-------- C:\Program Files\Common Files\rizk


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-11 21:25 -------- d-------- C:\Program Files\quicktime
2007-01-11 21:25 -------- d-------- C:\Program Files\quickenw
2007-01-11 21:25 -------- d-------- C:\Program Files\palmone
2007-01-11 21:15 -------- d-------- C:\Program Files\d-link airplus
2007-01-10 22:54 -------- d-------- C:\Program Files\hewlett-packard
2007-01-10 22:39 -------- d-------- C:\DOCUME~1\Bobbe\Application Data\mozilla
2007-01-10 22:36 -------- d-------- C:\Program Files\yahoo!
2007-01-10 22:35 -------- d-------- C:\Program Files\there
2007-01-10 22:35 -------- d-------- C:\DOCUME~1\Bobbe\Application Data\yahoo!
2007-01-10 22:21 -------- d--h----- C:\Program Files\installshield installation information
2007-01-10 17:50 -------- d-------- C:\Program Files\jobclock
2006-12-30 13:55 359808 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tcpip.sys
2006-12-26 00:02 -------- d-------- C:\DOCUME~1\Bobbe\Application Data\zangotoolbar
2006-12-06 20:29 2374472 --a------ C:\WINDOWS\SYSTEM32\wmvcore.dll
2006-11-26 23:45 60416 --------- C:\WINDOWS\SYSTEM32\tzchange.exe
2006-11-07 20:06 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-11-04 20:25 1321744 --a------ C:\WINDOWS\SYSTEM32\msxml6.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\SYSTEM32\msxml4.dll
2006-10-19 13:33 86728 --a------ C:\WINDOWS\SYSTEM32\msxml6r.dll
2006-10-19 04:56 713216 --a------ C:\WINDOWS\SYSTEM32\sxs.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"OE"="\"C:\\Program Files\\Trend Micro\\Internet Security 2007\\TMAS_OE\\TMAS_OEMon.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"POINTER"="point32.exe"
"QAGENT"="C:\\Program Files\\QUICKENW\\QAGENT.EXE"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"mmtask"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe\""
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2007\\pccguide.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://www.worldofwarcraft.com/downloads/wallpapers/images/battlegrounds2/battlegrounds2-800x.jpg

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source REG_SZ http://www.worldofwarcraft.com/downloads/wallpapers/images/blackwing/blackwing-800x.jpg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


Completion time: 07-01-16 19:37:30
C:\ComboFix2.txt ... 07-01-15 21:51



The computer seems to be running slightly smoother, but it still takes a dreadfully long time to start up after logging into the Windows account. Ideally, I would type in the password and just leave it for 5+ minutes while everything loads. I believe, however, that a Disk Defrag is long overdue and may help with this quite a bit.

Additionally, you've been extremely helpful and I thank you. Let me know how it's looking :)

teacup61
2007-01-17, 07:58
Hi,

I see you're here, so I wanted you to be doing this while I look at the rest. ;)

Go ahead and have AVG quarantine everything and see if that helps. I read your comments and will address them in my next post. :)

tea

alright
2007-01-17, 08:07
Ah, wasn't expecting you to be awake so I went ahead and began the Disk Defrag on that computer. It's currently at 45% and will take a while longer yet, but once it is completed I'll go ahead and quarantine all of those objects.

teacup61
2007-01-17, 08:26
Okie dokie. :) I'm a night owl.

When you're done with the defrag and AVG you can do a couple more things. Find that folder called "there", right click on it, properties, and tell me what's in it please. I want to make sure before we do away with it.

Then, look in Add/Remove Programs for Zango Toolbar. If it's there, remove it. Delete the folder at C:\DOCUME~1\LOCALS~1\Application Data\ZangoToolbar

reboot.

You have a lot of unnecessary programs running at startup, so when we're sure your system is clean we'll get that boot time to be faster. ;)

I'll be around for a bit longer, but if you don't get done tonight, no biggie. Go ahead and post it all and I'll check it after my first pot of coffee.:eek:

alright
2007-01-17, 11:31
Find that folder called "there", right click on it, properties, and tell me what's in it please. I want to make sure before we do away with it.

Then, look in Add/Remove Programs for Zango Toolbar. If it's there, remove it. Delete the folder at C:\DOCUME~1\LOCALS~1\Application Data\ZangoToolbar

reboot.

You have a lot of unnecessary programs running at startup, so when we're sure your system is clean we'll get that boot time to be faster. ;)

I'll be around for a bit longer, but if you don't get done tonight, no biggie. Go ahead and post it all and I'll check it after my first pot of coffee.:eek:

C:\Program Files\There\ contains install.log, a 3,898 KB txt file
C:\Program Files\There\ThereRepository\ contains 3 folders:
{8B486EF6-6B2A-4A1E-BB0D-236CB2DBB8D2}
{619AFAEF-551C-46B6-B9Ef-F6D674D14E5A}
{AAF421E6-7914-430a-9981-72B31AFF3BF4}

..\{8B486EF6-6B2A-4A1E-BB0D-236CB2DBB8D2}\ThereVoiceTrainer.dll 64.0 KB
..\{619AFAEF-551C-46B6-B9Ef-F6D674D14E5A}\ThereInstallHelper.dll 248 KB
..\{AAF421E6-7914-430a-9981-72B31AFF3BF4}\ThereLauncher.dll 92.0 KB

Zango wasn't in the Add/Remove, but I did remove several ZangoToolbar folders from the various \Application Data\ folders.


Going to begin the AVG Safe Mode scan again now and quarantine all of those remaining items. See you soon :)

teacup61
2007-01-17, 19:01
Hello,

It seems that "there" is a voice chat client. http://info.there.com/idx/18/856/article/Voice_Chat.html
If you don't use it you can uninstall it. Thank you so much for the info, otherwise I would not have known.

alright
2007-01-18, 02:21
Hello,

It seems that "there" is a voice chat client. http://info.there.com/idx/18/856/article/Voice_Chat.html
If you don't use it you can uninstall it. Thank you so much for the info, otherwise I would not have known.

My pleasure :)

So all of those remaining items were deleted/quarantined without problem and the defrag helped out a lot, but there is still room for improvement. Here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:16:36 PM, on 1/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168576784875
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

teacup61
2007-01-18, 03:20
Hello there,

Everything seems to be in good order then.:bigthumb:

The following are not malware, but fixing them with HijackThis will improve your system's speed. None are necessary at startup, and may be started manually at any time. This is up to you. :)

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

Close all browsers and other windows except for HijackThis!, and click "Fix Checked".

Reboot your computer.

Let me know how it comes out. :)

thanks,
tea
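
The O4 entries above were picked out of the HijackThis log by eye. As an added example (not code from the thread and not part of HijackThis), here is a small parser for the O4 (autostart) and O16 (downloaded ActiveX) lines that also picks up the "(no file)" / "(file missing)" orphans, run over lines copied from the log posted earlier in the thread. The flag names, the `USER_WRITABLE` location pattern and the function names are my own; the flags are things to look at, not verdicts.

```python
"""Parse HijackThis O4/O16 lines and orphan markers. Added example, not HijackThis code."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

HJT_LINE = re.compile(r"^(?P<code>[ORF]\d+) - (?P<body>.*)$")
O4_RUN = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^(?P<where>Global Startup|Startup):\s*(?P<name>.+?\.lnk)\s*=\s*(?P<cmd>.*)$")
O16_DPF = re.compile(r"^DPF:\s*(?P<clsid>\{[0-9A-Fa-f-]+\})\s*(?:\((?P<name>[^)]*)\)\s*)?-\s*(?P<src>.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Assumed list of locations an unprivileged user can write to, 8.3 form included.
USER_WRITABLE = re.compile(r"\\(documents and settings|docume~1|application data|local settings|temp)\\", re.I)


@dataclass
class Entry:
    code: str                 # HJT section, e.g. "O4"
    raw: str
    name: str = ""            # Run value name, .lnk name or ActiveX class name
    target: str = ""          # full command line, DLL path or CAB URL
    path: str = ""            # executable/CAB extracted from target
    flags: list = field(default_factory=list)


def extract_path(cmd: str) -> str:
    """Executable from a Run command line: the quoted path, or the text up to the extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|dll|scr|cpl|bat|cmd))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd


def triage(e: Entry) -> None:
    """Attach flags worth a second look."""
    if any(mk in e.raw.lower() for mk in ORPHAN_MARKERS):
        e.flags.append("orphan")                  # registry points at a file that is gone
    if e.code == "O4" and e.path:
        if "\\" not in e.path:
            e.flags.append("unqualified-path")    # bare name: found by a PATH search at logon
        elif USER_WRITABLE.search(e.path):
            e.flags.append("user-writable-location")
    if e.code == "O16" and e.path.lower().startswith(("http://", "https://")):
        e.flags.append("remote-activex:" + (urlparse(e.path).hostname or "?"))


def parse_hjt(text: str) -> list:
    """Return one Entry per HJT result line; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        e = Entry(code=code, raw=line.strip(), target=body)
        if code == "O4":
            m4 = O4_RUN.match(body) or O4_STARTUP.match(body)
            if m4:
                e.name, e.target = m4.group("name"), m4.group("cmd")
                e.path = extract_path(e.target)
        elif code == "O16":
            m16 = O16_DPF.match(body)
            if m16:
                e.name = m16.group("name") or m16.group("clsid")
                e.target = e.path = m16.group("src")
        triage(e)
        entries.append(e)
    return entries


def remote_activex_hosts(entries) -> list:
    """Hosts that O16 ActiveX controls were downloaded from, in log order."""
    return [f.split(":", 1)[1] for e in entries for f in e.flags if f.startswith("remote-activex:")]


# Sample input: a subset of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168576784875
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_LOG):
        print(f"{e.code:<4}{e.name:<38}{e.path:<58}{','.join(e.flags)}")
```

The one flag this log actually trips is `unqualified-path` on `[POINTER] point32.exe`: the process list shows it running from C:\Program Files\Microsoft Hardware\Mouse\, but the Run value holds only a bare file name, so Windows locates it by searching the PATH at logon, and a same-named file in an earlier PATH directory would be started instead. That is a check to make, not a finding; here it is just how the vendor wrote its installer.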

alright
2007-01-18, 16:19
Hey,

Everything is working great. It's much smoother now and disabling those start-up programs helped a great deal.

Thanks so much for all of your help, you've been tremendously helpful and patient :) I'll know where to stop next time some nasties come along (hopefully never!).

teacup61
2007-01-18, 23:25
Great to know, and it was my pleasure. :)

Some good reading here for future reference:

http://mvps.org/winhelp2002/unwanted.htm

Please take care!
tea