View Full Version : Malware and loss of rights
I had the “Warning! Potential Spyware Operation” problem on my computer. I found advice to HAH34 on this problem and followed the directions. This seems to have resolved the popup, but has also ended with my administrator rights gone and the Control Panel has disappeared. When I left click on start and go to setting there is no control panel. When I have tried to do other things, I am told I don’t have permission and see the administrator. I am the only one using this compluter and always had admin. rights in the past
When I ran Belarc it indicates that I have administrative rights. I am including the HJT and Combo Fix readouts I just took. Any help you can supply wick be appreciated. Thanks.
HighJack this Computer info.:
Logfile of HijackThis v1.99.1
Scan saved at 5:44:45 PM, on 10/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Energizer FileSaver\UPSMON_Service.Exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Energizer FileSaver\UPSMON.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/outlook/recreation/outdoors/tenday/04103?from=36hr_topnav_outdoors
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UPSMON] C:\Program Files\Energizer FileSaver\UPSMON.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [drv_st_key] C:\Documents and Settings\James A. Hilly\Application Data\hidn\hidn2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} - http://www.thesearchmall.com/toolbar/winsrm32.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1122255749863
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Driver_Detective_v43_Non_Member.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: FileSaver_Service - Unknown owner - C:\Program Files\Energizer FileSaver\UPSMON_Service.Exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
--------------------------------
ComboFix Info.:
Start Time= Sun 10/21/2007 16:56:49.63
QuickScan did not find any signs of infected files
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report
)))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-10-06 07:40:04 77064 ( A.... ) "C:\Documents and
Settings\James A. Hilly\Application Data\GDIPFONTCACHEV1.DAT"
2007-10-04 16:46:30 ( .D... ) "C:\Program Files\Common
Files\Avery"
2007-10-04 16:46:20 ( .D... ) "C:\Program Files\Avery Wizard
3.1"
2007-10-01 19:49:34 12288 ( A.... ) "C:\WINDOWS\svhjdsah.exe"
2007-09-28 01:19:40 18089592 ( A.... ) "C:\WINDOWS\SYSTEM32\MRT.exe"
2007-09-11 22:17:56 ( .D... ) "C:\Program Files\DPWIPER"
2007-08-22 08:55:44 665600 ( A.... ) "C:\WINDOWS\SYSTEM32\wininet.dll"
2007-08-22 08:55:44 617984 ( A.... ) "C:\WINDOWS\SYSTEM32\urlmon.dll"
2007-08-22 08:55:42 474112 ( A.... ) "C:\WINDOWS\SYSTEM32\shlwapi.dll"
2007-08-22 08:55:40 1498112 ( A.... ) "C:\WINDOWS\SYSTEM32\shdocvw.dll"
2007-08-22 08:55:38 532480 ( A.... ) "C:\WINDOWS\SYSTEM32\mstime.dll"
2007-08-22 08:55:38 449024 ( A.... )
"C:\WINDOWS\SYSTEM32\mshtmled.dll"
2007-08-22 08:55:38 146432 ( A.... )
"C:\WINDOWS\SYSTEM32\msrating.dll"
2007-08-22 08:55:38 39424 ( A.... ) "C:\WINDOWS\SYSTEM32\pngfilt.dll"
2007-08-22 08:55:36 3064832 ( A.... ) "C:\WINDOWS\SYSTEM32\mshtml.dll"
2007-08-22 08:55:32 251904 ( A.... ) "C:\WINDOWS\SYSTEM32\iepeers.dll"
2007-08-22 08:55:32 205824 ( A.... ) "C:\WINDOWS\SYSTEM32\dxtrans.dll"
2007-08-22 08:55:32 96256 ( A.... ) "C:\WINDOWS\SYSTEM32\inseng.dll"
2007-08-22 08:55:32 55808 ( ..... ) "C:\WINDOWS\SYSTEM32\extmgr.dll"
2007-08-22 08:55:32 16384 ( A.... ) "C:\WINDOWS\SYSTEM32\jsproxy.dll"
2007-08-22 08:55:30 1054208 ( A.... ) "C:\WINDOWS\SYSTEM32\danim.dll"
2007-08-22 08:55:30 357888 ( A.... ) "C:\WINDOWS\SYSTEM32\dxtmsft.dll"
2007-08-22 08:55:30 151040 ( A.... ) "C:\WINDOWS\SYSTEM32\cdfview.dll"
2007-08-22 08:55:28 1022976 ( A.... )
"C:\WINDOWS\SYSTEM32\browseui.dll"
2007-08-21 06:13:34 350720 ( A.... )
"C:\WINDOWS\SYSTEM32\xpsp3res.dll"
2007-08-21 02:15:44 683520 ( A.... )
"C:\WINDOWS\SYSTEM32\inetcomm.dll"
2007-08-16 16:37:38 11776 ( A.... ) "C:\Documents and
Settings\James A. Hilly\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini"
2007-08-10 23:55:14 2242992 ( A..H. ) "C:\Documents and
Settings\James A. Hilly\Application Data\IconCache.db"
2007-07-30 19:19:42 1712984 ( A.... ) "C:\WINDOWS\SYSTEM32\wuaueng.dll"
2007-07-30 19:19:36 549720 ( A.... ) "C:\WINDOWS\SYSTEM32\wuapi.dll"
2007-07-30 19:19:32 325976 ( A.... ) "C:\WINDOWS\SYSTEM32\wucltui.dll"
2007-07-30 19:19:28 203096 ( A.... ) "C:\WINDOWS\SYSTEM32\wuweb.dll"
2007-07-30 19:19:20 92504 ( A.... ) "C:\WINDOWS\SYSTEM32\cdm.dll"
2007-07-30 19:19:16 53080 ( A.... ) "C:\WINDOWS\SYSTEM32\wuauclt.exe"
2007-07-30 19:19:12 43352 ( A.... ) "C:\WINDOWS\SYSTEM32\wups2.dll"
2007-07-30 19:19:10 271224 ( A.... ) "C:\WINDOWS\SYSTEM32\mucltui.dll"
2007-07-30 19:19:04 207736 ( A.... ) "C:\WINDOWS\SYSTEM32\muweb.dll"
2007-07-30 19:18:40 33624 ( A.... ) "C:\WINDOWS\SYSTEM32\wups.dll"
2006-07-03 19:33:52 723 ( A.... ) "C:\Program Files\INSTALL.LOG"
2006-07-03 19:33:44 23357 ( A..H. ) "C:\Program Files\folder.htt"
2006-07-03 19:32:56 271 ( A..H. ) "C:\Program Files\desktop.ini"
((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points
)))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"SystemTray"="SysTray.Exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"UPSMON"="C:\\Program Files\\Energizer FileSaver\\UPSMON.exe"
"LTMSG"="LTMSG.exe 7"
"MimBoot"="C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mimboot.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"POINTER"="C:\\Program Files\\Microsoft Hardware\\Mouse\\point32.exe"
"cctray"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\cctray\\cctray.exe\""
@=""
"CAVRID"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\CA
Anti-Virus\\CAVRID.exe\""
"cafwc"="C:\\Program Files\\CA\\CA Internet Security Suite\\CA Personal
Firewall\\cafw.exe -cl"
"capfasem"="C:\\Program Files\\CA\\CA Internet Security Suite\\CA Personal
Firewall\\capfasem.exe"
"capfupgrade"="C:\\Program Files\\CA\\CA Internet Security Suite\\CA Personal
Firewall\\capfupgrade.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader
8.0\\Reader\\Reader_sl.exe\""
"QOELOADER"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\CA
Anti-Spam\\QSP-5.1.18.0\\QOELoader.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMA
IL]
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAP
I]
"NoChange"="1"
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSF
S]
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SSDPSRV"="C:\\WINDOWS\\SYSTEM\\ssdpsrv.exe"
"*StateMgr"="C:\\WINDOWS\\System\\Restore\\StateMgr.exe"
"Keyboard Manager"="C:\\Program Files\\Netropa\\One-touch Multimedia
Keyboard\\MMKeybd.exe"
"RegisterDropHandler"="C:\\PROGRA~1\\TEXTBR~1.0\\BIN\\REGIST~1.EXE"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"drv_st_key"="C:\\Documents and Settings\\James A. Hilly\\Application
Data\\hidn\\hidn2.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Taskbar Display Controls"="RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=hex:00,00,00,00
@=hex:00,00,00,00
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=hex:00,00,00,00
@=hex:00,00,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskschedul
er]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks
]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"Hidserv"="Hidserv.exe run"
"Delay"="C:\\WINDOWS\\delayrun.exe"
"Alogserv"="C:\\Program Files\\McAfee\\McAfee VirusScan\\alogserv.exe"
"HPScanPatch"="C:\\WINDOWS\\SYSTEM32\\HPScanFix.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"WinampAgent"="\"C:\\PROGRAM FILES\\WINAMP\\WINAMPa.exe\""
"EM_EXEC"="C:\\PROGRA~1\\LOGITECH\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft
Shared\\Works Shared\\WkUFind.exe"
"MoneyStartUp10.0"="\"C:\\Program Files\\Microsoft Money\\System\\Activation.exe\""
"InstantAccess"="C:\\PROGRA~1\\TEXTBR~1.0\\BIN\\INSTAN~1.EXE /h"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"RegisterDropHandler"="C:\\PROGRA~1\\TEXTBR~1.0\\BIN\\REGIST~1.EXE"
"MSConfigReminder"="C:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\MSCONFIG.EXE /reminder"
"IgfxTray"="C:\\WINDOWS\\SYSTEM32\\IGFXTRAY.EXE"
"HotKeysCmds"="C:\\WINDOWS\\SYSTEM32\\HKCMD.EXE"
"WinampAgent"="\"C:\\PROGRAM FILES\\WINAMP\\WINAMPa.exe\""
"hpsysdrv"="C:\\WINDOWS\\SYSTEM32\\hpsysdrv.exe"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\CAAntiSpywareScan_Daily as James A Hilly at 9 57 PM.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
Completion time: Sun 10/21/2007 17:02:53.69
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt
random/random
2007-10-24, 18:02
You're using a very old version of combofix, please delete it
Download the latest version of ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
You are using an older version of HijackThis. Please do the following to download and install the latest version of HijackThis v2.0.2:
CLICK HERE (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to download the HijackThis Installer:
Save HJTInstall.exe to your desktop.
Double-click on HJTInstall.exe to run the program.
By default it will install to C:\Program Files\Trend Micro\HijackThis.
Accept the license agreement by clicking the "I Accept" button.
Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
Click "Save log" to save the log file and then the log will open in Notepad.
Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
Come back here to this thread and paste the log in your next reply.
Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
You may delete the older version once you have successfully downloaded and installed the latest version of HijackThis v2.0.2.
Here is the info ComboFix followed by HJT in a seperatr reply due to size limitations. Thanks for looking at this.
Combofix log:
ComboFix 07-10-25.4 - James A. Hilly 2007-10-25 23:08:32.1 - NTFSx86
Running from: C:\DOCUME~1\JAMESA~1.HIL\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\AZWV4HUD\ComboFix[1].exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\start.exe
C:\WINDOWS\svhjdsah.exe
C:\WINDOWS\system32\system
C:\WINDOWS\system32\UmxWnp.Dll
C:\WINDOWS\system32\windows.scr
.
((((((((((((((((((((((((( Files Created from 2007-09-26 to 2007-10-26 )))))))))))))))))))))))))))))))
.
2007-10-04 16:46 <DIR> d-------- C:\Program Files\Common Files\Avery
2007-10-04 16:46 <DIR> d-------- C:\Program Files\Avery Wizard 3.1
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-26 04:35 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2007-10-26 04:35 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2007-10-26 04:35 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2007-10-26 04:35 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2007-10-26 04:35 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2007-10-26 04:35 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2007-10-26 04:35 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2007-10-26 04:35 289,976 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2007-10-06 11:40 77,064 ----a-w C:\Documents and Settings\James A. Hilly\Application Data\GDIPFONTCACHEV1.DAT
2007-10-04 20:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-03 00:46 28,352 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2007-10-02 23:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-14 01:51 --------- d-----w C:\Documents and Settings\James A. Hilly\Application Data\Uniblue
2007-09-12 02:17 --------- d-----w C:\Program Files\DPWIPER
2007-09-11 22:45 --------- d-----w C:\Program Files\Java
2007-08-30 11:15 --------- d-----w C:\Documents and Settings\James A. Hilly\Application Data\Family Lawyer
2007-08-22 12:55 96,256 ------w C:\WINDOWS\SYSTEM32\dllcache\inseng.dll
2007-08-22 12:55 665,600 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2007-08-22 12:55 617,984 ------w C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
2007-08-22 12:55 55,808 ------w C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
2007-08-22 12:55 532,480 ------w C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
2007-08-22 12:55 474,112 ------w C:\WINDOWS\SYSTEM32\dllcache\shlwapi.dll
2007-08-22 12:55 449,024 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
2007-08-22 12:55 39,424 ------w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
2007-08-22 12:55 357,888 ------w C:\WINDOWS\SYSTEM32\dllcache\dxtmsft.dll
2007-08-22 12:55 3,064,832 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2007-08-22 12:55 251,904 ------w C:\WINDOWS\SYSTEM32\dllcache\iepeers.dll
2007-08-22 12:55 205,824 ------w C:\WINDOWS\SYSTEM32\dllcache\dxtrans.dll
2007-08-22 12:55 16,384 ------w C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
2007-08-22 12:55 151,040 ------w C:\WINDOWS\SYSTEM32\dllcache\cdfview.dll
2007-08-22 12:55 146,432 ------w C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
2007-08-22 12:55 1,498,112 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shdocvw.dll
2007-08-22 12:55 1,054,208 ------w C:\WINDOWS\SYSTEM32\dllcache\danim.dll
2007-08-22 12:55 1,022,976 ----a-w C:\WINDOWS\SYSTEM32\dllcache\browseui.dll
2007-08-21 10:19 18,432 ------w C:\WINDOWS\SYSTEM32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\dllcache\inetcomm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\SYSTEM32\dllcache\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wucltui.dll
2007-07-30 23:19 271,224 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-30 23:19 207,736 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wups.dll
2006-07-03 23:33 723 ----a-w C:\Program Files\INSTALL.LOG
2006-07-03 23:33 23,357 ---ha-w C:\Program Files\folder.htt
2006-07-03 23:32 271 ---ha-w C:\Program Files\desktop.ini
2006-07-03 23:20 122 ----a-w C:\Documents and Settings\James A. Hilly\Application Data\fusioncache.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tweak UI"="TWEAKUI.CPL" [2006-07-03 20:50 C:\WINDOWS\SYSTEM32\TWEAKUI.CPL]
"SystemTray"="SysTray.Exe" [2001-08-23 13:00 C:\WINDOWS\SYSTEM32\systray.exe]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-07-17 08:59]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-07-17 08:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-01-12 21:48]
"UPSMON"="C:\Program Files\Energizer FileSaver\UPSMON.exe" [2003-07-19 20:21]
"LTMSG"="LTMSG.exe" [2003-07-14 10:52 C:\WINDOWS\ltmsg.exe]
"MimBoot"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe" [2004-12-02 13:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"POINTER"="C:\Program Files\Microsoft Hardware\Mouse\point32.exe" [2002-04-11 14:47]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-28 18:40]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-06-02 23:03]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-06-15 21:51]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2007-06-15 21:51]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2007-06-15 21:51]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2007-08-28 18:40]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []
"drv_st_key"="C:\Documents and Settings\James A. Hilly\Application Data\hidn\hidn2.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=00000000
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
@=00000000
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Taskbar Display Controls"=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TaskMonitor"=C:\WINDOWS\taskmon.exe
"Hidserv"=Hidserv.exe run
"Delay"=C:\WINDOWS\delayrun.exe
"Alogserv"=C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
"HPScanPatch"=C:\WINDOWS\SYSTEM32\HPScanFix.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
"WinampAgent"="C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
"EM_EXEC"=C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
"Microsoft Works Update Detection"=C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe"
"InstantAccess"=C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"RegisterDropHandler"=C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
"MSConfigReminder"=C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\MSCONFIG.EXE /reminder
"IgfxTray"=C:\WINDOWS\SYSTEM32\IGFXTRAY.EXE
"HotKeysCmds"=C:\WINDOWS\SYSTEM32\HKCMD.EXE
"WinampAgent"="C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
"hpsysdrv"=C:\WINDOWS\SYSTEM32\hpsysdrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"SSDPSRV"=C:\WINDOWS\SYSTEM\ssdpsrv.exe
"*StateMgr"=C:\WINDOWS\System\Restore\StateMgr.exe
"Keyboard Manager"=C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
"RegisterDropHandler"=C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys
R2 BCMNTIO;BCMNTIO;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys
R2 FileSaver_Service;FileSaver_Service;"C:\Program Files\Energizer FileSaver\UPSMON_Service.Exe"
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys
R2 MAPMEM;MAPMEM;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe"
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe"
S2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe"
S2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe"
S3 iAimFP8;iAimFP8;C:\WINDOWS\system32\DRIVERS\wADV11nt.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23da4ed5-d441-11db-bf46-0010b58a0009}]
AutoRun\command - E:\LaunchU3.exe -a
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2007-10-01 05:53:45 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as James A Hilly at 9 57 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
"2007-10-26 06:04:40 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
.
**************************************************************************
catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-26 00:40:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-26 6:29:42
C:\ComboFix2.txt ... 2007-10-21 17:06
.
--- E O F ---
Here is the info from HJT in a seperatr reply due to size limitations. Thanks for looking at this.
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:44:15 AM, on 10/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Energizer FileSaver\UPSMON.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Energizer FileSaver\UPSMON_Service.Exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/outlook/recreation/outdoors/tenday/04103?from=36hr_topnav_outdoors
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UPSMON] C:\Program Files\Energizer FileSaver\UPSMON.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [drv_st_key] C:\Documents and Settings\James A. Hilly\Application Data\hidn\hidn2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} - http://www.thesearchmall.com/toolbar/winsrm32.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1122255749863
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Driver_Detective_v43_Non_Member.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: FileSaver_Service - Unknown owner - C:\Program Files\Energizer FileSaver\UPSMON_Service.Exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
--
End of file - 8019 bytes
random/random
2007-10-26, 13:06
Download & run this tool & post the log it produces
http://download.bleepingcomputer.com/sUBs/SafeBootKeyRepair.exe
eg export of SafeBoot key after repair:
========================
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\UploadMgr]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"
========================
random/random
2007-10-26, 18:38
Open a new notepad window (Start>All programs>accessories>notepad)
Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"drv_st_key"=-
RootKit::
C:\Documents and Settings\James A. Hilly\Application Data\hidn\hidn2.exe
Folder::
C:\Documents and Settings\James A. Hilly\Application Data\hidn
Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
Save it to the desktop as CFscript.txt
Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
ComboFix 07-10-26.4 - James A. Hilly 2007-10-27 13:59:58.2 - NTFSx86
Running from: C:\Documents and Settings\James A. Hilly\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James A. Hilly\Desktop\CFscript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\James A. Hilly\Application Data\hidn
C:\Documents and Settings\James A. Hilly\Application Data\hidn\hidn2.exe
.
((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
.
2007-10-26 06:43 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-25 23:02 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-09 18:56 584,192 --------- C:\WINDOWS\SYSTEM32\dllcache\rpcrt4.dll
2007-10-04 16:46 <DIR> d-------- C:\Program Files\Common Files\Avery
2007-10-04 16:46 <DIR> d-------- C:\Program Files\Avery Wizard 3.1
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-06 11:40 77,064 ----a-w C:\Documents and Settings\James A. Hilly\Application Data\GDIPFONTCACHEV1.DAT
2007-10-04 20:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-03 00:46 28,352 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2007-10-02 23:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-14 01:51 --------- d-----w C:\Documents and Settings\James A. Hilly\Application Data\Uniblue
2007-09-12 02:17 --------- d-----w C:\Program Files\DPWIPER
2007-09-11 22:45 --------- d-----w C:\Program Files\Java
2007-08-30 11:15 --------- d-----w C:\Documents and Settings\James A. Hilly\Application Data\Family Lawyer
2007-08-22 12:55 96,256 ------w C:\WINDOWS\SYSTEM32\dllcache\inseng.dll
2007-08-22 12:55 665,600 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2007-08-22 12:55 617,984 ------w C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
2007-08-22 12:55 55,808 ------w C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
2007-08-22 12:55 532,480 ------w C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
2007-08-22 12:55 474,112 ------w C:\WINDOWS\SYSTEM32\dllcache\shlwapi.dll
2007-08-22 12:55 449,024 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
2007-08-22 12:55 39,424 ------w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
2007-08-22 12:55 357,888 ------w C:\WINDOWS\SYSTEM32\dllcache\dxtmsft.dll
2007-08-22 12:55 3,064,832 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2007-08-22 12:55 251,904 ------w C:\WINDOWS\SYSTEM32\dllcache\iepeers.dll
2007-08-22 12:55 205,824 ------w C:\WINDOWS\SYSTEM32\dllcache\dxtrans.dll
2007-08-22 12:55 16,384 ------w C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
2007-08-22 12:55 151,040 ------w C:\WINDOWS\SYSTEM32\dllcache\cdfview.dll
2007-08-22 12:55 146,432 ------w C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
2007-08-22 12:55 1,498,112 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shdocvw.dll
2007-08-22 12:55 1,054,208 ------w C:\WINDOWS\SYSTEM32\dllcache\danim.dll
2007-08-22 12:55 1,022,976 ----a-w C:\WINDOWS\SYSTEM32\dllcache\browseui.dll
2007-08-21 10:19 18,432 ------w C:\WINDOWS\SYSTEM32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\dllcache\inetcomm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\SYSTEM32\dllcache\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wucltui.dll
2007-07-30 23:19 271,224 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-30 23:19 207,736 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wups.dll
2006-07-03 23:33 723 ----a-w C:\Program Files\INSTALL.LOG
2006-07-03 23:33 23,357 ---ha-w C:\Program Files\folder.htt
2006-07-03 23:32 271 ---ha-w C:\Program Files\desktop.ini
2006-07-03 23:20 122 ----a-w C:\Documents and Settings\James A. Hilly\Application Data\fusioncache.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tweak UI"="TWEAKUI.CPL" [2006-07-03 20:50 C:\WINDOWS\SYSTEM32\TWEAKUI.CPL]
"SystemTray"="SysTray.Exe" [2001-08-23 13:00 C:\WINDOWS\SYSTEM32\systray.exe]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-07-17 08:59]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-07-17 08:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-01-12 21:48]
"UPSMON"="C:\Program Files\Energizer FileSaver\UPSMON.exe" [2003-07-19 20:21]
"LTMSG"="LTMSG.exe" [2003-07-14 10:52 C:\WINDOWS\ltmsg.exe]
"MimBoot"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe" [2004-12-02 13:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"POINTER"="C:\Program Files\Microsoft Hardware\Mouse\point32.exe" [2002-04-11 14:47]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-28 18:40]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-06-02 23:03]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-06-15 21:51]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2007-06-15 21:51]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2007-06-15 21:51]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2007-08-28 18:40]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=00000000
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
@=00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Taskbar Display Controls"=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TaskMonitor"=C:\WINDOWS\taskmon.exe
"Hidserv"=Hidserv.exe run
"Delay"=C:\WINDOWS\delayrun.exe
"Alogserv"=C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
"HPScanPatch"=C:\WINDOWS\SYSTEM32\HPScanFix.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
"WinampAgent"="C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
"EM_EXEC"=C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
"Microsoft Works Update Detection"=C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe"
"InstantAccess"=C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"RegisterDropHandler"=C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
"MSConfigReminder"=C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\MSCONFIG.EXE /reminder
"IgfxTray"=C:\WINDOWS\SYSTEM32\IGFXTRAY.EXE
"HotKeysCmds"=C:\WINDOWS\SYSTEM32\HKCMD.EXE
"WinampAgent"="C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
"hpsysdrv"=C:\WINDOWS\SYSTEM32\hpsysdrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"SSDPSRV"=C:\WINDOWS\SYSTEM\ssdpsrv.exe
"*StateMgr"=C:\WINDOWS\System\Restore\StateMgr.exe
"Keyboard Manager"=C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
"RegisterDropHandler"=C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys
R2 BCMNTIO;BCMNTIO;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys
R2 FileSaver_Service;FileSaver_Service;"C:\Program Files\Energizer FileSaver\UPSMON_Service.Exe"
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys
R2 MAPMEM;MAPMEM;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys
S2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe"
S2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe"
S2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe"
S3 iAimFP8;iAimFP8;C:\WINDOWS\system32\DRIVERS\wADV11nt.sys
S3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23da4ed5-d441-11db-bf46-0010b58a0009}]
AutoRun\command - E:\LaunchU3.exe -a
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2007-10-01 05:53:45 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as James A Hilly at 9 57 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
"2007-10-27 18:32:55 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-27 14:32:54
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-27 14:48:12 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-26 06:29
C:\ComboFix3.txt ... 2007-10-21 17:06
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:47 PM, on 10/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Energizer FileSaver\UPSMON.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Energizer FileSaver\UPSMON_Service.Exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\MsiExec.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/outlook/recreation/outdoors/tenday/04103?from=36hr_topnav_outdoors
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UPSMON] C:\Program Files\Energizer FileSaver\UPSMON.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} - http://www.thesearchmall.com/toolbar/winsrm32.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1122255749863
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Driver_Detective_v43_Non_Member.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: FileSaver_Service - Unknown owner - C:\Program Files\Energizer FileSaver\UPSMON_Service.Exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
--
End of file - 7952 bytes
random/random
2007-10-27, 23:12
Go here (http://www.eset.eu/online-scanner) to run an online scannner from ESET.
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems
Everything appears to be working properly at this time. Thank you for your help.
random/random
2007-10-29, 20:16
You can delete combofix.exe and the C:\qoobox\ folder
You now appear to be clean. Congratulations!
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints (http://www.malwarecomplaints.info/index.php), you need to be registered to post as unfortunately we were hit with too many spam posting to allow guest posting to continue just find your country room and register your complaint.
Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
Turn System Restore off
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.Restart
Turn System Restore on
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Uncheck *Turn off System Restore*.
Click Apply, and then click OK.
Note: only do this once, and not on a regular basis
Make sure that you keep your antivirus updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch for it to that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC
Go here (http://www.update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx) to check for & install updates to Microsoft applications
Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install
Keep your non-Microsoft applications updated as well
Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector (http://secunia.com/software_inspector) - I suggest that you run it at least once a month
Make Internet Explorer more secure
Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.
Install SpywareBlaster & make sure to update it regularly
SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster from here (http://www.javacoolsoftware.com/sbdownload.html)
Install and use Spybot Search & Destroy
Instructions are located here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)
Make sure you update, reimmunize & scan regularly
Make use of the HOSTS file included with Spybot Search & Destroy
Every version of windows includes a hosts file as part of them. A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
Spybot Search & Destroy has a good HOSTS file built in, to enable the HOSTS file in Spybot Search & Destroy
Run Spybot Search & Destroy
Click on Mode, and then place a tick next to Advanced mode
Click Yes
In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
Click on Add Spybot-S&D hosts listNote: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
Click Start > Run Type services.msc & click OK
In the list, find the service called DNS Client & double click on it. On the dropdown box, change the setting from automatic to manual. Click OK & then close the Services windowFor a more detailed explanation of the HOSTS file, click here (http://forum.malwareremoval.com/viewtopic.php?t=22187)
Install a-squared Free & update and scan with it regularly
a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here (http://www.emsisoft.com/en/software/free/)
Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer (http://www.emsisoft.com/en/software/antidialer/) which provides some real time protection against premium rate dialers
Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date