Cannot remove Smitfraud-C. and ldcore.dll
Hi,
Like many others lately, I have been hit with Smitfraud-C. I have read "before you post" and am submitting the requested files. Thanks for your help!!!!
A) HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:31:46 PM, on 12/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\WINDOWS\io43mvuiw4kj.exe
C:\windows\system32\dwdsrngt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\Cool\X_cool.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Spruce\X_Spruce.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/1me10enus/2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wildboards.wildtangent.com/Redirector/Games/LeaderboardLookup/Decoder.aspx?g=bounce&dp=hpdesktop&l=HSP
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [vf9] C:\WINDOWS\System32\vf9485.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [{DF-FB-B9-92-ZN}] C:\windows\system32\dwdsrngt.exe CHD001
O4 - HKLM\..\Run: [20ddfb3d] rundll32.exe "C:\WINDOWS\system32\rxbdhejo.dll",b
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3"
O4 - HKLM\..\RunOnce: [0003 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0004 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Cool - Auto Update.lnk = C:\Program Files\Cool\cool.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
--
End of file - 11143 bytes
B) Kaspersky log
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, December 05, 2007 1:19:46 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/12/2007
Kaspersky Anti-Virus database records: 473200
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
K:\
L:\
M:\
N:\
Y:\
Z:\
Scan Statistics:
Total number of scanned objects: 115384
Number of viruses found: 10
Number of infected objects: 30
Number of suspicious objects: 0
Duration of the scan process: 02:29:01
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{200808D8-B47D-44A9-9E1A-E1B76C992502}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{ECB4C6D2-577B-4B93-8260-27FBFC96701E}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR14.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Microsoft\Outlook\outcmd.dat Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory\hppusg.exe.fd0c032d.ini.inuse Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9825.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9826.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9827.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9828.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9829.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9830.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9831.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9832.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9833.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9834.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9835.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9836.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9837.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9839.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9840.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9841.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\newtb1handler.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\proxystop-tblauncher.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Setup195.exe Infected: Trojan-Clicker.Win32.VB.vx skipped
C:\Documents and Settings\Owner\Local Settings\Temp\sqlite_B5gHkGRJxGULpYn Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\sqlite_Gk8hydWOYNzIpre Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\stany.exe Infected: Trojan-Dropper.Win32.Agent.chq skipped
C:\Documents and Settings\Owner\Local Settings\Temp\T0CHD001_c.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ac skipped
C:\Documents and Settings\Owner\Local Settings\Temp\tblauncher.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\toolbox_healer9838.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\wr-1-77.exe Infected: Trojan-Downloader.Win32.Small.gwf skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF2CE3.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFDC75.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CBV7IWT9\ActsOfHorrorforMovies_440X330[1].flv Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IR7WRVQR\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\K3TAKH2N\dq[1].exe Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Planit\Cabware\Cpframe\Jobs\J07096A.JOB Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\RECYCLER\S-1-5-21-1991115530-3100966346-1740230189-1003\Dc1287.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1357\A0083111.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1357\A0083137.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1358\A0083218.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1359\A0083297.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1359\A0083356.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1361\A0083529.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1363\A0083603.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1363\A0083618.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1364\A0083703.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1364\A0083716.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1364\A0083738.exe Object is locked skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1364\A0083742.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1364\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\df87173.exe Infected: Trojan-Clicker.Win32.VB.vx skipped
C:\WINDOWS\hg173.exe Infected: Trojan-Clicker.Win32.VB.vx skipped
C:\WINDOWS\io43mvuiw4kj.exe Infected: Trojan-Clicker.Win32.VB.vx skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{15BCC3FE-C9D2-480F-B447-630661BB3284}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\byxwwwv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\cmd.ftp Infected: Trojan-Downloader.BAT.Ftp.r skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dwdsrngt.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ac skipped
C:\WINDOWS\system32\dwdsrngt.exe-up.txt Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\krdsrngk.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ac skipped
C:\WINDOWS\system32\ldcore.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\WINDOWS\system32\ldcore.dll_tobedeleted_old Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\WINDOWS\system32\ocbjpwjf.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ag skipped
C:\WINDOWS\system32\opnljii.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\WINDOWS\system32\rxbdhejo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\WINDOWS\system32\umtrfgps.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.af skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_fo8l33uivfttJMG Object is locked skipped
C:\WINDOWS\Temp\mcmsc_3Oli85Fs4iHMMLW Object is locked skipped
C:\WINDOWS\Temp\mcmsc_42vcPA6rtE7CzDE Object is locked skipped
C:\WINDOWS\Temp\mcmsc_5fLYySVMyUl4Yuf Object is locked skipped
C:\WINDOWS\Temp\mcmsc_AuSYYEIZD03CZiC Object is locked skipped
C:\WINDOWS\Temp\sqlite_2rUKvKfO8jRIecR Object is locked skipped
C:\WINDOWS\Temp\sqlite_esIeeBWlSxUy9E4 Object is locked skipped
C:\WINDOWS\Temp\sqlite_yq7eDN7gttqChoJ Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
pskelley
2007-12-11, 14:53
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
I will try to help you but I want you to know you have a very infected computer and it looks like this includes a Vundo infection.
You have a Vundo infection which can be hard to remove. This will take some time and unless you are patient, understand how to follow directions and are comfortable working on your computer, you may want to seek local professional help. If you wish to proceed, read and follow the directions carefully.
1) Stay offline when you are not troubleshooting, the junk will download more.
2) See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2\ <<< likely why you are infected!
3) You have this trojan also: ldcore.dll
http://www.sophos.com/security/analyses/trojdloadraqg.html
4) Do you know what these are?
C:\Program Files\Cool\X_cool.exe
C:\Program Files\Spruce\X_Spruce.exe
5) Thanks to Atribune and any others who helped with this fix.
http://vundofix.atribune.org/ <<< tutorial
"Download VundoFix" to your Desktop
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\
(wait until you finish to post reports and logs)
6) Thanks to sUBs and anyone else who helped with this fix.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Post the Vundofix.txt, combofix log and a new HJT log.
Thanks
Hi,
First of all, thank you so very much for your help/guidance.
1) I will stay off the PC for all non-essentials. I can follow directions.
2) I removed my old Java and reinstalled the new Java per your link
3)
4) I do not know what these are either......
5) I cannot access the vundofix link you gave me. I continue to get an error page with suggested search links to try. Do you have another link so I can download and run vundofix.exe?
6) Combofix is downloaded to my desktop, but I will wait to run until after I run vundofix.
Thanks, John
pskelley
2007-12-11, 17:27
I have no problem with this link: http://www.atribune.org/public-beta/VundoFix.exe
Try copy/pasting it to Internet Explorer. If that does not work, you can find Vundofix here:
http://www.atribune.org/
http://www.atribune.org/content/view/24/2/
Thanks...Phil
1) Ran VundoFix V6.5.10 by Atribune. No problems found. No log created.
2) New ComboFix Log
ComboFix 07-12-02.6 - Owner 2007-12-11 9:48:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.67 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Owner\g2mdlhlpx.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ta_start.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\fhkmp.ini
C:\WINDOWS\system32\fhkmp.ini2
C:\WINDOWS\system32\fkirhowx.ini
C:\WINDOWS\system32\hywgxpqs.dll
C:\WINDOWS\system32\jmjpkjiw.dll
C:\WINDOWS\system32\kgwvnanw.dll
C:\WINDOWS\system32\ldcore.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmkhf.dll
C:\WINDOWS\system32\rgepgqxp.dll
C:\WINDOWS\system32\umtrfgps.dll
C:\WINDOWS\system32\wtdaoank.dll
C:\WINDOWS\system32\xwohrikf.dll
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.
2007-12-11 10:01 . 2007-12-11 10:02 <DIR> d-------- C:\Program Files\Spruce
2007-12-11 09:28 . 2007-12-11 09:28 <DIR> d-------- C:\VundoFix Backups
2007-12-11 08:48 . 2007-12-11 08:48 <DIR> d-------- C:\Program Files\Sun
2007-12-11 08:48 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-11 08:20 . 2007-12-11 08:20 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-10 10:37 . 2007-12-10 10:37 74,304 --a------ C:\WINDOWS\system32\pgqpjguu.exe
2007-12-10 07:34 . 2007-12-10 07:35 1,315,863 --ahs---- C:\WINDOWS\system32\amjhdcar.ini
2007-12-10 07:31 . 2007-12-10 07:31 74,304 --a------ C:\WINDOWS\system32\sjeubnpb.exe
2007-12-07 07:43 . 2007-12-09 07:44 1,315,803 --ahs---- C:\WINDOWS\system32\kosqjuqh.ini
2007-12-07 07:37 . 2007-12-07 07:37 74,304 --a------ C:\WINDOWS\system32\ctafwrgr.exe
2007-12-06 07:42 . 2007-12-06 16:14 1,315,743 --ahs---- C:\WINDOWS\system32\augyqqmw.ini
2007-12-05 10:15 . 2007-12-05 10:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-05 10:15 . 2007-12-05 10:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-05 07:36 . 2007-12-06 07:33 1,318,705 --ahs---- C:\WINDOWS\system32\ojehdbxr.ini
2007-12-04 15:24 . 2003-10-10 23:19 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-04 15:24 . 2003-10-13 23:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-04 15:24 . 2003-10-10 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-04 15:24 . 2003-10-10 23:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-12-04 15:24 . 2003-10-13 23:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2007-12-04 15:20 . 2007-12-04 15:20 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-04 13:49 . 2007-12-04 13:49 63 --a------ C:\WINDOWS\mdm.ini
2007-12-04 13:17 . 2007-12-05 07:33 816,724 --ahs---- C:\WINDOWS\system32\antslmid.ini
2007-12-03 16:06 . 2007-12-03 16:07 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-12-03 16:02 . 2007-12-03 16:02 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-12-03 07:41 . 2007-12-04 13:11 827,724 --ahs---- C:\WINDOWS\system32\uapnffpt.ini
2007-12-03 07:41 . 2007-12-03 07:41 73,280 --a------ C:\WINDOWS\system32\ocbjpwjf.dll
2007-12-03 07:33 . 2007-12-03 07:33 793,820 --ahs---- C:\WINDOWS\system32\ptolrjme.tmp
2007-11-30 14:14 . 2007-11-30 14:14 106,527 --a------ C:\WINDOWS\system32\krdsrngk.exe
2007-11-30 12:48 . 2007-11-30 14:46 793,820 --ahs---- C:\WINDOWS\system32\ptolrjme.ini
2007-11-30 10:01 . 2007-11-30 10:01 <DIR> d-------- C:\WINDOWS\system32\daSgo06
2007-11-29 14:41 . 2007-08-20 04:04 6,058,496 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-29 14:41 . 2007-04-17 03:32 2,455,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-29 14:41 . 2007-03-07 23:10 991,232 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-29 14:41 . 2007-08-20 04:04 459,264 --a--c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-29 14:41 . 2007-08-20 04:04 383,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-29 14:41 . 2007-08-20 04:04 267,776 --a--c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-29 14:41 . 2007-08-20 04:04 63,488 --a--c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-29 14:41 . 2007-08-20 04:04 52,224 --a--c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-29 14:41 . 2007-08-17 04:20 13,824 --a--c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-29 14:33 . 2007-11-29 14:34 <DIR> d-------- C:\57f6375070a0c43864d847d3025c7ccd
2007-11-29 11:45 . 2007-12-10 10:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-29 11:38 . 2007-11-29 11:41 <DIR> d-------- C:\Program Files\Cool
2007-11-29 11:38 . 2007-11-29 11:38 37,376 --a------ C:\WINDOWS\system32\opnljii.dll
2007-11-29 11:37 . 2007-12-11 10:00 7,713 --a------ C:\WINDOWS\system32\ldcore.dll
2007-11-29 11:36 . 2007-11-29 11:36 <DIR> d-------- C:\WINDOWS\system32\daSgo02
2007-11-29 11:36 . 2007-11-29 11:36 <DIR> d-------- C:\Temp\bkR11
2007-11-29 11:36 . 2007-11-29 11:36 37,376 --a------ C:\WINDOWS\system32\byxwwwv.dll
2007-11-21 14:06 . 2006-10-04 08:06 764,868 --a--c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2007-11-21 14:06 . 2006-10-04 08:06 217,118 --a--c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2007-11-21 14:05 . 2007-11-21 14:05 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-11-21 14:03 . 2007-11-21 14:03 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-21 14:03 . 2007-11-21 14:04 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-11-21 14:03 . 2007-11-21 14:04 <DIR> d-------- C:\70c677fd719e930ec8
2007-11-21 14:02 . 2007-11-21 14:03 <DIR> d-------- C:\fc66d72d2b72b8ddbd81ebcfe9
2007-11-16 11:20 . 2007-11-16 11:20 208,896 --a------ C:\WINDOWS\io43mvuiw4kj.exe
2007-11-13 14:52 . 2004-08-20 07:02 102,400 --a------ C:\WINDOWS\system32\PMLJNI.dll
2007-11-13 14:52 . 2003-06-16 15:52 74,752 --a------ C:\WINDOWS\system32\jst.dll
2007-11-13 14:52 . 2004-05-10 14:11 40,960 --a------ C:\WINDOWS\system32\d4channel.dll
2007-11-13 14:52 . 2003-06-20 11:21 36,864 --a------ C:\WINDOWS\system32\hpbmmjno.dll
2007-11-13 14:52 . 2005-02-03 11:31 32,768 --a------ C:\WINDOWS\system32\compJNI.dll
2007-11-13 14:46 . 2001-08-17 13:53 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2007-11-13 14:46 . 2001-08-17 13:53 6,784 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys
2007-11-13 14:41 . 2007-11-13 14:40 53,628 --------- C:\WINDOWS\hppins01.dat.temp
2007-11-13 14:41 . 2005-04-08 10:52 2,392 --------- C:\WINDOWS\hppmdl01.dat.temp
2007-11-13 14:40 . 2007-11-13 15:06 53,975 --a------ C:\WINDOWS\hppins01.dat
2007-11-13 14:40 . 2005-04-08 10:52 2,392 --------- C:\WINDOWS\hppmdl01.dat
2007-11-13 09:00 . 2005-04-08 11:58 212,992 -ra------ C:\WINDOWS\system32\hptcpmui.dll
2007-11-13 09:00 . 2005-04-08 11:58 110,592 -ra------ C:\WINDOWS\system32\hptcpmon.dll
2007-11-13 09:00 . 2005-04-08 11:58 73,728 -ra------ C:\WINDOWS\system32\hptcpmib.dll
2007-11-13 09:00 . 2005-04-08 11:58 28,672 -ra------ C:\WINDOWS\system32\hpzjfw01.dll
2007-11-13 09:00 . 2005-04-08 11:58 9,864 -ra------ C:\WINDOWS\system32\hptcpmui.hlp
2007-11-13 09:00 . 2005-04-08 11:58 9,820 -ra------ C:\WINDOWS\system32\hpipxmui.hlp
2007-11-13 09:00 . 2005-04-08 11:58 3,399 -ra------ C:\WINDOWS\system32\hptcpmon.ini
2007-11-13 09:00 . 2007-11-13 14:46 291 --a------ C:\WINDOWS\system32\AddPort.ini
2007-11-13 08:59 . 2007-11-13 14:46 707 --a------ C:\WINDOWS\hpntwksetup.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 15:39 --------- d-----w C:\Program Files\McAfee
2007-12-11 14:48 --------- d-----w C:\Program Files\Java
2007-12-06 18:21 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2007-11-24 09:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2007-11-14 06:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-11-13 20:53 --------- d--h--w C:\Program Files\Zero G Registry
2007-11-13 20:53 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-13 20:50 --------- d-----w C:\Program Files\HP
2007-10-17 21:32 --------- d-----w C:\Program Files\Interbank FX Trader 4
2007-09-12 18:52 53,248 ----a-w C:\WINDOWS\hg173.exe
2007-09-12 18:50 53,248 ----a-w C:\WINDOWS\df87173.exe
2006-02-24 17:57 3,167,744 ----a-w C:\Documents and Settings\Owner\gosetup.exe
2006-01-12 16:33 563,712 ----a-w C:\Documents and Settings\Owner\370_gotomypc.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54DE7259-C729-45B1-BBD8-4BE9B5BD8248}]
2007-11-29 10:28 401408 --a------ C:\Program Files\Spruce\Spruce.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C2A9795-B130-4622-B036-BDCAD28602DC}]
2007-11-12 11:50 397312 --a------ C:\Program Files\Cool\Cool.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}]
2007-11-29 11:36 37376 --a------ C:\WINDOWS\system32\byxwwwv.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"NVIEW"="nview.dll" [2003-08-19 03:56 C:\WINDOWS\system32\nview.dll]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" []
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" []
"vf9"="C:\WINDOWS\System32\vf9485.exe" []
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 09:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-24 07:22]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 20:11]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 22:42]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-07-23 17:37]
"LTMSG"="LTMSG.exe" [2003-07-14 18:52 C:\WINDOWS\ltmsg.exe]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 15:55]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 03:55]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 15:51]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 08:23]
"AutoTKit"="C:\hp\bin\AUTOTKIT.EXE" [2003-06-18 20:19]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 13:54]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 15:44]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2006-07-24 14:28]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 15:24]
"HPUsageTracking"="C:\Program Files\HP\HP UT\bin\hppusg.exe" [2005-02-07 11:10]
"io43mvuiw4kj"="C:\WINDOWS\io43mvuiw4kj.exe" [2007-11-16 11:20]
"{DF-FB-B9-92-ZN}"="C:\windows\system32\dwdsrngt.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-11-12 10:57]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3"="C:\WINDOWS\command.com /c rmdir C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3" []
"0003 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"="C:\WINDOWS\command.com /c rmdir C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center" []
"0004 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"="C:\WINDOWS\command.com /c rmdir C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center" []
"0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3"="C:\WINDOWS\command.com /c rmdir C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3" []
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Cool - Auto Update.lnk - C:\Program Files\Cool\cool.exe [2007-11-29 11:38:20]
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSub.exe [2003-10-13 23:24:52]
Spruce - Auto Update.lnk - C:\Program Files\Spruce\Spruce.exe [2007-12-11 10:00:22]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 14:05:56]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2002-06-20 12:21:32]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-06-10 02:09:14]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-10-10 23:26:40]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}"= C:\WINDOWS\system32\byxwwwv.dll [2007-11-29 11:36 37376]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwwwv]
byxwwwv.dll 2007-11-29 11:36 37376 C:\WINDOWS\system32\byxwwwv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= c:\windows\system32\ldcore.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AloPar.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Parallel Arbitrator]
@="Driver Group"
S2 0243271197387638mcinstcleanup;McAfee Application Installer Cleanup (0243271197387638);C:\WINDOWS\TEMP\024327~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys
S3 HPPLSBULK;HPPLSBULK;C:\WINDOWS\system32\drivers\hpplsbulk.sys
S4 AloPar;AloPar;\??\C:\WINDOWS\System32\Drivers\AloPar.sys
*Newly Created Service* - 0243271197387638MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder
"2007-12-11 15:47:17 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-11-15 07:07:50 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-11-01 06:00:38 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 10:01:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-11 10:05:11 - machine was rebooted
.
--- E O F ---
3) New HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:03 AM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\io43mvuiw4kj.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\WINDOWS\io43mvuiw4kj.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\Cool\X_cool.exe
C:\Program Files\Spruce\X_Spruce.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wildboards.wildtangent.com/Redirector/Games/LeaderboardLookup/Decoder.aspx?g=bounce&dp=hpdesktop&l=HSP
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [vf9] C:\WINDOWS\System32\vf9485.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [{DF-FB-B9-92-ZN}] C:\windows\system32\dwdsrngt.exe CHD001
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3"
O4 - HKLM\..\RunOnce: [0003 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0004 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Cool - Auto Update.lnk = C:\Program Files\Cool\cool.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: McAfee Application Installer Cleanup (0243271197387638) (0243271197387638mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\024327~1.EXE (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
--
End of file - 11182 bytes
Thanks again, Phil.
John
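Reading these logs by eye is what the helper does next; as an added example (my own script, not a tool from this thread or from the HijackThis, VundoFix or ComboFix authors), the Python below applies a few of the same checks to HijackThis O4, O20 and O23 lines excerpted from the log above: a non-empty AppInit_DLLs entry, Run entries whose program sits directly in C:\WINDOWS or system32 under a random-looking name, a Run value name that imitates a GUID, and services whose binary is missing. The naming heuristic and the reason strings are my assumptions, meant to shortlist lines for a human reviewer, not to give a verdict.

```python
import re
from collections import namedtuple

# Lines excerpted from the HijackThis log posted above, embedded so the script runs offline.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [vf9] C:\WINDOWS\System32\vf9485.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [{DF-FB-B9-92-ZN}] C:\windows\system32\dwdsrngt.exe CHD001
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: McAfee Application Installer Cleanup (0243271197387638) (0243271197387638mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\024327~1.EXE (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

Finding = namedtuple("Finding", ["line", "reasons"])

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>\S.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|com|cpl))"?(?=\s|$)', re.I)
WINDIR_RE = re.compile(r"^c:\\windows(?:\\system32)?\\(?P<base>[^\\]+)$", re.I)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
VOWELS = set("aeiou")


def executable_of(cmd):
    """Return the program path from a Run value, dropping quotes and arguments."""
    m = EXE_RE.match(cmd.strip())
    if m:
        return m.group("exe")
    parts = cmd.split()
    return parts[0] if parts else ""


def looks_random(stem):
    """Coarse heuristic (my own assumption, not from the thread): pseudo-random stems
    such as dwdsrngt or io43mvuiw4kj tend to have no vowels or digits mixed into letters."""
    s = stem.lower()
    letters = [c for c in s if c.isalpha()]
    if len(letters) >= 7 and not any(c in VOWELS for c in letters):
        return True
    return re.search(r"\d[a-z]", s) is not None


def fake_guid_name(name):
    """A Run value name wrapped in braces should be a real GUID; {DF-FB-B9-92-ZN} is not."""
    return name.startswith("{") and not GUID_RE.match(name)


def check_o4(m):
    reasons = []
    if fake_guid_name(m.group("name")):
        reasons.append("Run value name mimics a GUID but is not one")
    w = WINDIR_RE.match(executable_of(m.group("cmd")))
    if w and looks_random(w.group("base").rsplit(".", 1)[0]):
        reasons.append("random-looking program name directly in the Windows directory")
    return reasons


def triage(log_text):
    """Return one Finding per suspicious HijackThis line, with the reasons it was flagged."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        m = O4_RE.match(line)
        if m:
            reasons = check_o4(m)
        elif O20_RE.match(line):
            # AppInit_DLLs is loaded into every process that links user32.dll; it is
            # almost never set on a home XP box, so any value deserves a look.
            reasons = ["AppInit_DLLs is set: that DLL is injected into every user-mode process"]
        else:
            m = O23_RE.match(line)
            if m and m.group("path").endswith("(file missing)"):
                reasons = ["service points at a binary that no longer exists"]
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```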
Phil,
I downloaded Vundofix.exe from another website because I was not able to access the Atribune links you provided. I now realize that this was not the most recent version of Vundofix. It is V6.5.10. I now have access, for one reason or another, to the Atribune.org link. Should I run the scans again and resubmit the logs using Vundofix V6.7.0.0?
John
pskelley
2007-12-11, 19:11
I apologize; I don't know how you got that version. The version I just downloaded to my Desktop to check it is version 6.7.0.
This version is updated for the new Vundo which you appear to have. Please delete the version you have and download it again from here.
http://www.atribune.org/public-beta/VundoFix.exe
I must see the log even if it does not find anything; it will be on the C:\ as Vundofix.txt.
Thanks
I ran the new Vundofix, re-ran Combofix, and re-ran HJT. Scan logs are attached.
1) VundoFix:
VundoFix V6.5.10
Checking Java version...
Scan started at 9:28:43 AM 12/11/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.5.10
Checking Java version...
Scan started at 9:39:35 AM 12/11/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.7.0
Checking Java version...
Scan started at 11:18:51 AM 12/11/2007
Listing files found while scanning....
C:\WINDOWS\PrimoPDF\uninstall.exe
C:\windows\system32\awtsp.dll
C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini2
Beginning removal...
VundoFix V6.7.0
Checking Java version...
Scan started at 11:59:56 AM 12/11/2007
Listing files found while scanning....
C:\WINDOWS\PrimoPDF\uninstall.exe
C:\windows\system32\awtsp.dll
C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini2
Beginning removal...
Attempting to delete C:\WINDOWS\PrimoPDF\uninstall.exe
C:\WINDOWS\PrimoPDF\uninstall.exe Has been deleted!
Attempting to delete C:\windows\system32\awtsp.dll
C:\windows\system32\awtsp.dll Could not be deleted.
Attempting to delete C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini Has been deleted!
Attempting to delete C:\windows\system32\pstwa.ini2
C:\windows\system32\pstwa.ini2 Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.7.0
Checking Java version...
Scan started at 12:50:31 PM 12/11/2007
Listing files found while scanning....
C:\windows\system32\awtsp.dll
C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini2
Beginning removal...
Attempting to delete C:\windows\system32\awtsp.dll
C:\windows\system32\awtsp.dll Has been deleted!
Attempting to delete C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini Has been deleted!
Attempting to delete C:\windows\system32\pstwa.ini2
C:\windows\system32\pstwa.ini2 Has been deleted!
Performing Repairs to the registry.
Done!
2) Combo Fix Scan Log
ComboFix 07-12-02.6 - Owner 2007-12-11 13:34:06.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.103 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Owner\Desktop\searchus.exe
C:\WINDOWS\system32\ldcore.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\uninst2.htm
C:\WINDOWS\unist1.htm
.
((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.
2007-12-11 12:49 . 2007-12-11 12:51 <DIR> d-------- C:\Program Files\Spruce
2007-12-11 09:28 . 2007-12-11 12:50 <DIR> d-------- C:\VundoFix Backups
2007-12-11 08:48 . 2007-12-11 08:48 <DIR> d-------- C:\Program Files\Sun
2007-12-11 08:48 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-11 08:20 . 2007-12-11 08:20 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-10 10:37 . 2007-12-10 10:37 74,304 --a------ C:\WINDOWS\system32\pgqpjguu.exe
2007-12-10 07:34 . 2007-12-10 07:35 1,315,863 --ahs---- C:\WINDOWS\system32\amjhdcar.ini
2007-12-10 07:31 . 2007-12-10 07:31 74,304 --a------ C:\WINDOWS\system32\sjeubnpb.exe
2007-12-07 07:43 . 2007-12-09 07:44 1,315,803 --ahs---- C:\WINDOWS\system32\kosqjuqh.ini
2007-12-07 07:37 . 2007-12-07 07:37 74,304 --a------ C:\WINDOWS\system32\ctafwrgr.exe
2007-12-06 07:42 . 2007-12-06 16:14 1,315,743 --ahs---- C:\WINDOWS\system32\augyqqmw.ini
2007-12-05 10:15 . 2007-12-05 10:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-05 10:15 . 2007-12-05 10:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-05 07:36 . 2007-12-06 07:33 1,318,705 --ahs---- C:\WINDOWS\system32\ojehdbxr.ini
2007-12-04 15:24 . 2003-10-10 23:19 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-04 15:24 . 2003-10-13 23:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-04 15:24 . 2003-10-10 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-04 15:24 . 2003-10-10 23:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-12-04 15:24 . 2003-10-13 23:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2007-12-04 15:20 . 2007-12-04 15:20 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-04 13:49 . 2007-12-04 13:49 63 --a------ C:\WINDOWS\mdm.ini
2007-12-04 13:17 . 2007-12-05 07:33 816,724 --ahs---- C:\WINDOWS\system32\antslmid.ini
2007-12-03 16:06 . 2007-12-03 16:07 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-12-03 16:02 . 2007-12-03 16:02 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-12-03 07:41 . 2007-12-04 13:11 827,724 --ahs---- C:\WINDOWS\system32\uapnffpt.ini
2007-12-03 07:41 . 2007-12-03 07:41 73,280 --a------ C:\WINDOWS\system32\ocbjpwjf.dll
2007-12-03 07:33 . 2007-12-03 07:33 793,820 --ahs---- C:\WINDOWS\system32\ptolrjme.tmp
2007-11-30 14:14 . 2007-11-30 14:14 106,527 --a------ C:\WINDOWS\system32\krdsrngk.exe
2007-11-30 12:48 . 2007-11-30 14:46 793,820 --ahs---- C:\WINDOWS\system32\ptolrjme.ini
2007-11-30 10:01 . 2007-11-30 10:01 <DIR> d-------- C:\WINDOWS\system32\daSgo06
2007-11-29 14:41 . 2007-08-20 04:04 6,058,496 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-29 14:41 . 2007-04-17 03:32 2,455,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-29 14:41 . 2007-03-07 23:10 991,232 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-29 14:41 . 2007-08-20 04:04 459,264 --a--c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-29 14:41 . 2007-08-20 04:04 383,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-29 14:41 . 2007-08-20 04:04 267,776 --a--c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-29 14:41 . 2007-08-20 04:04 63,488 --a--c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-29 14:41 . 2007-08-20 04:04 52,224 --a--c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-29 14:41 . 2007-08-17 04:20 13,824 --a--c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-29 14:33 . 2007-11-29 14:34 <DIR> d-------- C:\57f6375070a0c43864d847d3025c7ccd
2007-11-29 11:45 . 2007-12-10 10:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-29 11:38 . 2007-11-29 11:41 <DIR> d-------- C:\Program Files\Cool
2007-11-29 11:38 . 2007-11-29 11:38 37,376 --a------ C:\WINDOWS\system32\opnljii.dll
2007-11-29 11:37 . 2007-12-11 13:44 7,713 --a------ C:\WINDOWS\system32\ldcore.dll
2007-11-29 11:36 . 2007-11-29 11:36 <DIR> d-------- C:\WINDOWS\system32\daSgo02
2007-11-29 11:36 . 2007-11-29 11:36 <DIR> d-------- C:\Temp\bkR11
2007-11-29 11:36 . 2007-11-29 11:36 37,376 --a------ C:\WINDOWS\system32\byxwwwv.dll
2007-11-21 14:06 . 2006-10-04 08:06 764,868 --a--c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2007-11-21 14:06 . 2006-10-04 08:06 217,118 --a--c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2007-11-21 14:05 . 2007-11-21 14:05 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-11-21 14:03 . 2007-11-21 14:03 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-21 14:03 . 2007-11-21 14:04 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-11-21 14:03 . 2007-11-21 14:04 <DIR> d-------- C:\70c677fd719e930ec8
2007-11-21 14:02 . 2007-11-21 14:03 <DIR> d-------- C:\fc66d72d2b72b8ddbd81ebcfe9
2007-11-16 11:20 . 2007-11-16 11:20 208,896 --a------ C:\WINDOWS\io43mvuiw4kj.exe
2007-11-13 14:52 . 2004-08-20 07:02 102,400 --a------ C:\WINDOWS\system32\PMLJNI.dll
2007-11-13 14:52 . 2003-06-16 15:52 74,752 --a------ C:\WINDOWS\system32\jst.dll
2007-11-13 14:52 . 2004-05-10 14:11 40,960 --a------ C:\WINDOWS\system32\d4channel.dll
2007-11-13 14:52 . 2003-06-20 11:21 36,864 --a------ C:\WINDOWS\system32\hpbmmjno.dll
2007-11-13 14:52 . 2005-02-03 11:31 32,768 --a------ C:\WINDOWS\system32\compJNI.dll
2007-11-13 14:46 . 2001-08-17 13:53 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2007-11-13 14:46 . 2001-08-17 13:53 6,784 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys
2007-11-13 14:41 . 2007-11-13 14:40 53,628 --------- C:\WINDOWS\hppins01.dat.temp
2007-11-13 14:41 . 2005-04-08 10:52 2,392 --------- C:\WINDOWS\hppmdl01.dat.temp
2007-11-13 14:40 . 2007-11-13 15:06 53,975 --a------ C:\WINDOWS\hppins01.dat
2007-11-13 14:40 . 2005-04-08 10:52 2,392 --------- C:\WINDOWS\hppmdl01.dat
2007-11-13 09:00 . 2005-04-08 11:58 212,992 -ra------ C:\WINDOWS\system32\hptcpmui.dll
2007-11-13 09:00 . 2005-04-08 11:58 110,592 -ra------ C:\WINDOWS\system32\hptcpmon.dll
2007-11-13 09:00 . 2005-04-08 11:58 73,728 -ra------ C:\WINDOWS\system32\hptcpmib.dll
2007-11-13 09:00 . 2005-04-08 11:58 28,672 -ra------ C:\WINDOWS\system32\hpzjfw01.dll
2007-11-13 09:00 . 2005-04-08 11:58 9,864 -ra------ C:\WINDOWS\system32\hptcpmui.hlp
2007-11-13 09:00 . 2005-04-08 11:58 9,820 -ra------ C:\WINDOWS\system32\hpipxmui.hlp
2007-11-13 09:00 . 2005-04-08 11:58 3,399 -ra------ C:\WINDOWS\system32\hptcpmon.ini
2007-11-13 09:00 . 2007-11-13 14:46 291 --a------ C:\WINDOWS\system32\AddPort.ini
2007-11-13 08:59 . 2007-11-13 14:46 707 --a------ C:\WINDOWS\hpntwksetup.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 15:39 --------- d-----w C:\Program Files\McAfee
2007-12-11 14:48 --------- d-----w C:\Program Files\Java
2007-12-06 18:21 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2007-11-24 09:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2007-11-14 06:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-11-13 20:53 --------- d--h--w C:\Program Files\Zero G Registry
2007-11-13 20:53 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-13 20:50 --------- d-----w C:\Program Files\HP
2007-10-17 21:32 --------- d-----w C:\Program Files\Interbank FX Trader 4
2007-09-12 18:52 53,248 ----a-w C:\WINDOWS\hg173.exe
2007-09-12 18:50 53,248 ----a-w C:\WINDOWS\df87173.exe
2006-02-24 17:57 3,167,744 ----a-w C:\Documents and Settings\Owner\gosetup.exe
2006-01-12 16:33 563,712 ----a-w C:\Documents and Settings\Owner\370_gotomypc.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{405EA3D6-E011-4130-A568-DB56A0364B8D}]
C:\WINDOWS\system32\awtsp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54DE7259-C729-45B1-BBD8-4BE9B5BD8248}]
2007-11-29 10:28 401408 --a------ C:\Program Files\Spruce\Spruce.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C2A9795-B130-4622-B036-BDCAD28602DC}]
2007-11-12 11:50 397312 --a------ C:\Program Files\Cool\Cool.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}]
2007-11-29 11:36 37376 --a------ C:\WINDOWS\system32\byxwwwv.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"NVIEW"="nview.dll" [2003-08-19 03:56 C:\WINDOWS\system32\nview.dll]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" []
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" []
"vf9"="C:\WINDOWS\System32\vf9485.exe" []
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 09:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-24 07:22]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 20:11]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 22:42]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-07-23 17:37]
"LTMSG"="LTMSG.exe" [2003-07-14 18:52 C:\WINDOWS\ltmsg.exe]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 15:55]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 03:55]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 15:51]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 08:23]
"AutoTKit"="C:\hp\bin\AUTOTKIT.EXE" [2003-06-18 20:19]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 13:54]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 15:44]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2006-07-24 14:28]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 15:24]
"HPUsageTracking"="C:\Program Files\HP\HP UT\bin\hppusg.exe" [2005-02-07 11:10]
"io43mvuiw4kj"="C:\WINDOWS\io43mvuiw4kj.exe" [2007-11-16 11:20]
"{DF-FB-B9-92-ZN}"="C:\windows\system32\dwdsrngt.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-11-12 10:57]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3"="C:\WINDOWS\command.com /c rmdir C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3" []
"0003 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"="C:\WINDOWS\command.com /c rmdir C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center" []
"0004 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"="C:\WINDOWS\command.com /c rmdir C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center" []
"0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3"="C:\WINDOWS\command.com /c rmdir C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3" []
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Cool - Auto Update.lnk - C:\Program Files\Cool\cool.exe [2007-11-29 11:38:20]
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSub.exe [2003-10-13 23:24:52]
Spruce - Auto Update.lnk - C:\Program Files\Spruce\Spruce.exe [2007-12-11 12:49:29]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 14:05:56]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2002-06-20 12:21:32]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-06-10 02:09:14]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-10-10 23:26:40]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}"= C:\WINDOWS\system32\byxwwwv.dll [2007-11-29 11:36 37376]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwwwv]
byxwwwv.dll 2007-11-29 11:36 37376 C:\WINDOWS\system32\byxwwwv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= c:\windows\system32\ldcore.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AloPar.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Parallel Arbitrator]
@="Driver Group"
S2 0243271197387638mcinstcleanup;McAfee Application Installer Cleanup (0243271197387638);C:\WINDOWS\TEMP\024327~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys
S3 HPPLSBULK;HPPLSBULK;C:\WINDOWS\system32\drivers\hpplsbulk.sys
S4 AloPar;AloPar;\??\C:\WINDOWS\System32\Drivers\AloPar.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-12-11 19:47:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-11-15 07:07:50 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-11-01 06:00:38 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 13:44:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-11 13:48:50 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-11 10:05
.
--- E O F ---
3) HJT Scan Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:49:55 PM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\WINDOWS\io43mvuiw4kj.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Cool\X_cool.exe
C:\Program Files\Spruce\X_Spruce.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wildboards.wildtangent.com/Redirector/Games/LeaderboardLookup/Decoder.aspx?g=bounce&dp=hpdesktop&l=HSP
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: (no name) - {405EA3D6-E011-4130-A568-DB56A0364B8D} - C:\WINDOWS\system32\awtsp.dll (file missing)
O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
O2 - BHO: CoolBHO - {5C2A9795-B130-4622-B036-BDCAD28602DC} - C:\Program Files\Cool\Cool.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\system32\byxwwwv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [vf9] C:\WINDOWS\System32\vf9485.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [{DF-FB-B9-92-ZN}] C:\windows\system32\dwdsrngt.exe CHD001
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3"
O4 - HKLM\..\RunOnce: [0003 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0004 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Cool - Auto Update.lnk = C:\Program Files\Cool\cool.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: byxwwwv - C:\WINDOWS\SYSTEM32\byxwwwv.dll
O23 - Service: McAfee Application Installer Cleanup (0243271197387638) (0243271197387638mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\024327~1.EXE (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
--
End of file - 12256 bytes
pskelley
2007-12-12, 00:49
Thanks for returning your information; read and follow the directions carefully.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) Start > Control Panel > Add Remove programs and uninstall Cool and Spruce if there.
4) Open a new notepad window
Paste the list of files from the quote box below into the notepad window.
C:\WINDOWS\system32\byxwwwv.dll
C:\WINDOWS\system32\pgqpjguu.exe
C:\WINDOWS\system32\amjhdcar.ini
C:\WINDOWS\system32\sjeubnpb.exe
C:\WINDOWS\system32\kosqjuqh.ini
C:\WINDOWS\system32\ctafwrgr.exe
C:\WINDOWS\system32\augyqqmw.ini
C:\WINDOWS\system32\ojehdbxr.ini
C:\WINDOWS\system32\uapnffpt.ini
C:\WINDOWS\system32\ocbjpwjf.dll
C:\WINDOWS\system32\ptolrjme.ini
C:\WINDOWS\system32\opnljii.dll
Save this as vundofix.vft and Save as type "all files".
Double-click VundoFix.exe to run it.
Drag vundofix.vft onto the listbox (white box) of VundoFix.
Click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
O2 - BHO: (no name) - {405EA3D6-E011-4130-A568-DB56A0364B8D} - C:\WINDOWS\system32\awtsp.dll (file missing)
O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
O2 - BHO: CoolBHO - {5C2A9795-B130-4622-B036-BDCAD28602DC} - C:\Program Files\Cool\Cool.dll
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\system32\byxwwwv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O4 - HKLM\..\Run: [vf9] C:\WINDOWS\System32\vf9485.exe
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [{DF-FB-B9-92-ZN}] C:\windows\system32\dwdsrngt.exe CHD001
O4 - Startup: Cool - Auto Update.lnk = C:\Program Files\Cool\cool.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: byxwwwv - C:\WINDOWS\SYSTEM32\byxwwwv.dll
Close all programs but HJT and all browser windows, then click on "Fix Checked"
6) RIGHT Click on Start then click on Explore. Locate and delete these items:
(some files may be gone, just do not miss any)
C:\Program Files\Cool\ <<< delete that folder
C:\Program Files\Spruce\ <<< delete that folder
C:\WINDOWS\io43mvuiw4kj.exe <<< delete that file
C:\windows\system32\dwdsrngt.exe <<< delete that file
c:\windows\system32\ldcore.dll <<< delete that file
C:\WINDOWS\system32\krdsrngk.exe <<< delete that file
C:\WINDOWS\System32\vf9485.exe <<< delete that file
7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post the Vundofix report and a new HJT log.
Thanks
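As an added example (not a tool from this thread, and not part of HijackThis, ComboFix or VundoFix), the following Python script applies the same triage rules Phil used above to an excerpt of the HJT log posted earlier: it flags every O20 entry (AppInit_DLLs and Winlogon Notify hooks), O2/O3 entries that are unnamed or point at a missing file, and O4 Run-key entries whose executable name looks machine-generated. The excerpt lines are copied from the log above; the `looks_random` heuristic and the `Finding` record are assumptions of this example, not anything HJT itself provides.

```python
"""Triage helper for HijackThis (HJT) v2 logs.

Flags the entry types a malware-removal helper looks at first.  This is an
added example for the thread, not code shipped with HJT, ComboFix or VundoFix.
"""
import re
from dataclasses import dataclass

# Excerpt of the HJT v2.0.2 log posted earlier in this thread (raw string, so
# the Windows backslashes are kept as-is).
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {405EA3D6-E011-4130-A568-DB56A0364B8D} - C:\WINDOWS\system32\awtsp.dll (file missing)
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\system32\byxwwwv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O4 - HKLM\..\Run: [vf9] C:\WINDOWS\System32\vf9485.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [{DF-FB-B9-92-ZN}] C:\windows\system32\dwdsrngt.exe CHD001
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: byxwwwv - C:\WINDOWS\SYSTEM32\byxwwwv.dll
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""


@dataclass
class Finding:
    kind: str    # HJT section code, e.g. "O20"
    reason: str  # why the line deserves a look
    line: str    # the original log line


# "O4 - HKLM\..\Run: [name] path args"  ->  kind="O4", body=the rest
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# Filename stem of the first .exe mentioned outside the [name] bracket.
EXE_RE = re.compile(r'([^\\/"\s\[\]]+)\.exe\b', re.IGNORECASE)
VOWELS = set("aeiouy")


def looks_random(stem: str) -> bool:
    """Coarse heuristic (an assumption of this example) for machine-generated
    names such as vf9485, io43mvuiw4kj or dwdsrngt.  Vendor binaries usually
    have a pronounceable stem; trailing digits (hphmon05) are normal."""
    s = stem.lower()
    if len(s) < 6:
        return False
    if re.search(r"[a-z]\d+[a-z]", s):  # digits sandwiched between letters
        return True
    return not (VOWELS & set(s))        # no vowel at all in a name this long


def triage(log_text: str) -> list[Finding]:
    """Return the HJT lines a helper would ask the poster to fix or inspect."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # process list, header lines, blank lines
        kind, body = m.group("kind"), m.group("body")
        if kind == "O20":
            # AppInit_DLLs loads into every GUI process; Winlogon Notify into
            # winlogon.  Neither is normally populated on a home XP machine.
            findings.append(Finding(kind, "AppInit_DLLs / Winlogon Notify hook populated", line))
        elif kind in ("O2", "O3") and any(
            tag in body for tag in ("(no name)", "(no file)", "(file missing)")
        ):
            findings.append(Finding(kind, "unnamed BHO/toolbar or backing file missing", line))
        elif kind == "O4":
            exe = EXE_RE.search(body)
            if exe and looks_random(exe.group(1)):
                findings.append(
                    Finding(kind, f"autorun points at random-looking name {exe.group(1)}.exe", line)
                )
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.kind:<4} {f.reason:<48} {f.line}")
```

Run against the full log this surfaces exactly the O2, O3, O4 and O20 lines Phil listed in step 5. The name heuristic is deliberately coarse: consonant-only vendor binaries (ALCXMNTR.EXE on this log) will also be reported and need manual confirmation, which is why each finding carries its reason rather than an automatic "fix" verdict.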
Hi Phil,
I cannot delete the file:
C:\WINDOWS\io43mvuiw4kj.exe <<< delete that file
per your instructions.
Access is denied. Make sure disk is not write protected or full.
Thanks, John
pskelley
2007-12-12, 19:36
Hi John, I sent you a Private Message, my Post Reply key was unavailable at the time. Finish the directions and post the reports. Once I have a look I will have a better idea of how to proceed.
Thanks...Phil
1) Vundofix Log
VundoFix V6.5.10
Checking Java version...
Scan started at 9:28:43 AM 12/11/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.5.10
Checking Java version...
Scan started at 9:39:35 AM 12/11/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.7.0
Checking Java version...
Scan started at 11:18:51 AM 12/11/2007
Listing files found while scanning....
C:\WINDOWS\PrimoPDF\uninstall.exe
C:\windows\system32\awtsp.dll
C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini2
Beginning removal...
VundoFix V6.7.0
Checking Java version...
Scan started at 11:59:56 AM 12/11/2007
Listing files found while scanning....
C:\WINDOWS\PrimoPDF\uninstall.exe
C:\windows\system32\awtsp.dll
C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini2
Beginning removal...
Attempting to delete C:\WINDOWS\PrimoPDF\uninstall.exe
C:\WINDOWS\PrimoPDF\uninstall.exe Has been deleted!
Attempting to delete C:\windows\system32\awtsp.dll
C:\windows\system32\awtsp.dll Could not be deleted.
Attempting to delete C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini Has been deleted!
Attempting to delete C:\windows\system32\pstwa.ini2
C:\windows\system32\pstwa.ini2 Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.7.0
Checking Java version...
Scan started at 12:50:31 PM 12/11/2007
Listing files found while scanning....
C:\windows\system32\awtsp.dll
C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini2
Beginning removal...
Attempting to delete C:\windows\system32\awtsp.dll
C:\windows\system32\awtsp.dll Has been deleted!
Attempting to delete C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini Has been deleted!
Attempting to delete C:\windows\system32\pstwa.ini2
C:\windows\system32\pstwa.ini2 Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\amjhdcar.ini
C:\WINDOWS\system32\amjhdcar.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\augyqqmw.ini
C:\WINDOWS\system32\augyqqmw.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\byxwwwv.dll
C:\WINDOWS\system32\byxwwwv.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\ctafwrgr.exe
C:\WINDOWS\system32\ctafwrgr.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\kosqjuqh.ini
C:\WINDOWS\system32\kosqjuqh.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ocbjpwjf.dll
C:\WINDOWS\system32\ocbjpwjf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ojehdbxr.ini
C:\WINDOWS\system32\ojehdbxr.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\opnljii.dll
C:\WINDOWS\system32\opnljii.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pgqpjguu.exe
C:\WINDOWS\system32\pgqpjguu.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\ptolrjme.ini
C:\WINDOWS\system32\ptolrjme.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\sjeubnpb.exe
C:\WINDOWS\system32\sjeubnpb.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\uapnffpt.ini
C:\WINDOWS\system32\uapnffpt.ini Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.7.0
Checking Java version...
Scan started at 8:25:44 AM 12/12/2007
Listing files found while scanning....
No infected files were found.
2) HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:50 PM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\WINDOWS\io43mvuiw4kj.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wildboards.wildtangent.com/Redirector/Games/LeaderboardLookup/Decoder.aspx?g=bounce&dp=hpdesktop&l=HSP
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3"
O4 - HKLM\..\RunOnce: [0003 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0004 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
--
End of file - 10196 bytes
pskelley
2007-12-12, 21:21
Thanks for returning your information and the feedback. First, let me assure you this is a bad trojan:
C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
Here is information about it:
http://www.prevx.com/filenames/3045286910697188418-0/IO43MVUIW4KJ.EXE.html and the Google:
http://www.google.com/search?hl=en&q=io43mvuiw4kj.exe&btnG=Google+Search
This item must be removed; this is your computer and the computer cannot deny you access...right!
First, to be sure the item is not running, right click the Taskbar and choose Task Manager. Look for:
C:\WINDOWS\io43mvuiw4kj.exe under the Processes Tab and if you see it, highlight it and End Process.
Now do this:
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
Close all programs but HJT and all browser windows, then click on "Fix Checked"
RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\WINDOWS\io43mvuiw4kj.exe <<< delete that file, if you have to, boot to safe mode and delete it there:
http://spyware-free.us/tutorials/safemode/ <<< tutorial if needed
You may also try this:
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\io43mvuiw4kj.exe and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.
Once it is gone, post a new HJT log.
Thanks
It appears to be gone??????
New HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:13 PM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\gbbrnkns.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wildboards.wildtangent.com/Redirector/Games/LeaderboardLookup/Decoder.aspx?g=bounce&dp=hpdesktop&l=HSP
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [20ddfb3d] rundll32.exe "C:\WINDOWS\system32\imarxswn.dll",b
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3"
O4 - HKLM\..\RunOnce: [0003 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0004 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O23 - Service: DomainService - - C:\WINDOWS\system32\gbbrnkns.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
--
End of file - 10349 bytes
As I was sending the last reply, I received some more misc pop-up ads. I am following the log on a second pc here at home; I only connect to the network on the infected pc to send and receive info from you on this pc.
John
pskelley
2007-12-12, 22:28
Thanks for the feedback, remember I told you this would not be easy. Until we get it all, it will morph and return. Be sure to keep this computer offline except when you are troubleshooting with it. I may duplicate some instructions.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) Disable the Service
Click Start > Run and type services.msc
Scroll down to DomainService and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.
4) Open Vundofix by double-clicking on it, then point your mouse to the white box above the buttons and right click, then click on Add More Files. When the next window opens, copy and paste the files into the boxes and click on Add File(s), then click on Close Window. Then click Remove Vundo.
(files to add)
C:\WINDOWS\system32\imarxswn.dll
C:\WINDOWS\system32\gbbrnkns.exe
5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [20ddfb3d] rundll32.exe "C:\WINDOWS\system32\imarxswn.dll",b
O23 - Service: DomainService - - C:\WINDOWS\system32\gbbrnkns.exe
Close all programs but HJT and all browser windows, then click on "Fix Checked"
6) RIGHT Click on Start then click on Explore. Locate and delete these items:
(check to be sure these files are gone)
C:\WINDOWS\io43mvuiw4kj.exe
C:\WINDOWS\system32\imarxswn.dll
C:\WINDOWS\system32\gbbrnkns.exe
7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart and post the Vundofix report and a new HJT log.
Thanks
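The helper's method in both of his replies above (21:21 and 22:28) is to compare each new HJT log against the previous one and pick out what appeared or changed: the io43mvuiw4kj.exe process gone but its Run entry still present, then the new DomainService service and the 20ddfb3d rundll32 entry. The script below is an added example, not part of this thread, of HijackThis or of the helper's tools; it does that comparison mechanically over abridged copies of the 12:43 PM and 2:05 PM logs posted above, and the heuristics it uses to flag new lines are my own assumptions drawn from the patterns in those logs.

```python
"""Diff two HijackThis logs and flag entries that appeared between scans.

Added example for this thread; not part of HijackThis or the helper's
tools. The heuristics are assumptions drawn from the logs above
(consonant-only names in system32, an 8-hex-digit Run value that starts
a DLL through rundll32, a service with no owner); they are hints for a
human to verify against the full path and vendor, not verdicts.
"""
import re

# HJT entry lines: R0/R1 (IE settings), F* (ini), N* (Netscape), O1..O24.
ENTRY_RE = re.compile(r"^[RFNO]\d+ - ")
# Executable or DLL sitting directly in system32, capturing the file stem.
SYS32_FILE_RE = re.compile(r"\\system32\\([A-Za-z0-9_~]+)\.(?:exe|dll)\b", re.I)
# Run value names such as [20ddfb3d]: exactly eight hex digits.
HEX_NAME_RE = re.compile(r"\[[0-9a-f]{8}\]")
# rundll32 loading a quoted DLL by a single-letter export, e.g. "...dll",b
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"[^"]+\.dll",[A-Za-z]\b', re.I)

# Sample logs, constructed by abridging the 12:43 PM and 2:05 PM logs
# posted in the thread; only lines relevant to the comparison are kept.
LOG_1243 = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:50 PM, on 12/12/2007
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\io43mvuiw4kj.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
--
End of file - 10196 bytes
"""

LOG_1405 = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:13 PM, on 12/12/2007
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\gbbrnkns.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [20ddfb3d] rundll32.exe "C:\WINDOWS\system32\imarxswn.dll",b
O23 - Service: DomainService - - C:\WINDOWS\system32\gbbrnkns.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
--
End of file - 10349 bytes
"""


def parse_log(text):
    """Return the running-process paths (lower-cased) and the HJT entry lines."""
    processes, entries, in_processes = set(), set(), False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
        elif ENTRY_RE.match(line):
            in_processes = False          # first R/F/N/O line ends the process list
            entries.add(line)
        elif in_processes:
            processes.add(line.lower())   # Windows paths compare case-insensitively
    return {"processes": processes, "entries": entries}


def diff_logs(before_text, after_text):
    """Sorted lists of what appeared and what disappeared between two scans."""
    before, after = parse_log(before_text), parse_log(after_text)
    return {
        "new_processes": sorted(after["processes"] - before["processes"]),
        "gone_processes": sorted(before["processes"] - after["processes"]),
        "new_entries": sorted(after["entries"] - before["entries"]),
        "gone_entries": sorted(before["entries"] - after["entries"]),
    }


def suspicious_reasons(line):
    """Heuristic hints (assumptions, see module docstring) for one log line."""
    reasons = []
    for stem in SYS32_FILE_RE.findall(line):
        letters = [c for c in stem.lower() if c.isalpha()]
        if len(letters) >= 6 and not any(c in "aeiouy" for c in letters):
            reasons.append(f"{stem}: {len(letters)} letters and no vowels, random-looking name")
    if HEX_NAME_RE.search(line):
        reasons.append("Run value name is eight hex digits, typical of generated entries")
    if RUNDLL_RE.search(line):
        reasons.append("rundll32 starts a DLL by a one-letter export")
    if line.startswith("O23 - Service:") and " - - " in line:
        reasons.append("service lists no owner")
    return reasons


def flag_new_items(before_text, after_text):
    """Map each newly appeared process or entry to its reasons (flagged ones only)."""
    delta = diff_logs(before_text, after_text)
    flagged = {}
    for line in delta["new_processes"] + delta["new_entries"]:
        reasons = suspicious_reasons(line)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for key, lines in diff_logs(LOG_1243, LOG_1405).items():
        print(f"{key}: {lines if lines else 'none'}")
    for line, reasons in flag_new_items(LOG_1243, LOG_1405).items():
        print(line)
        for reason in reasons:
            print(f"    - {reason}")
```

On the sample logs the diff reports io43mvuiw4kj.exe as a process that disappeared while its O4 entry persists, and flags all three new lines for review.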
1) VundoFix
VundoFix V6.7.0
Checking Java version...
Scan started at 8:25:44 AM 12/12/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gbbrnkns.exe
C:\WINDOWS\system32\gbbrnkns.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\imarxswn.dll
C:\WINDOWS\system32\imarxswn.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\imarxswn.dll
C:\WINDOWS\system32\imarxswn.dll Has been deleted!
Performing Repairs to the registry.
Done!
2) New HJT Scan
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:45 PM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wildboards.wildtangent.com/Redirector/Games/LeaderboardLookup/Decoder.aspx?g=bounce&dp=hpdesktop&l=HSP
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3"
O4 - HKLM\..\RunOnce: [0003 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0004 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
--
End of file - 10168 bytes
As always, thank you Phil for the diligent help!!!!!
pskelley
2007-12-12, 23:25
Good job:bigthumb: I think we are getting there thanks to folks like Atribune and sUBs. They make the swords, all I do is swing them.
The HJT log appears clean of malware, let's see what Kaspersky finds. Keep in mind you still have infected System Restore files to clean so it is going to find some infected files, please use these settings when you run Kaspersky.
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here.
Thanks
Hi Phil,
I have run the online Kaspersky scan 3 times (takes about 1 hour, 20 minutes each) and it does not give me the option to save the log at the end of the scan.
Any suggestions?
John
pskelley
2007-12-14, 19:34
* Now click on the Save as Text button:
* Save the file to your desktop.
Those are the same instructions I post all of the time? Even if it finds nothing it should tell you that. If you have no issues, don't be concerned. Just enjoy your computer and have Happy Holidays:santa:
Thanks...Phil
Should I, and how do I create a new system restore point?
Thanks, John
pskelley
2007-12-14, 19:43
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
http://bertk.mvps.org/html/createrp.html
http://www.microsoft.com/windowsxp/using/helpandsupport/getstarted/ballew_03may19.mspx
Thank you so very much. We will be traveling to the Clearwater/St Pete area over Christmas to enjoy the warm weather. We've kind of made it our annual winter getaway destination. It's -5 outside this a.m. so anything will be warmer.
Again, thank you so very much!!!!!!!
HAPPY HOLIDAYS
MERRY CHRISTMAS
John
Phil,
I am still getting pop-up ads. I am running a full Kaspersky scan and will post the log and HJT when it is finished.
John
Kaspersky will only scan to about 63%, then it crashes... twice now..
Below is the most recent HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:28 PM, on 12/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MI1933~1\Office\OUTLOOK.EXE
C:\Program Files\Intuit\QuickBooks Pro\qbw32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wildboards.wildtangent.com/Redirector/Games/LeaderboardLookup/Decoder.aspx?g=bounce&dp=hpdesktop&l=HSP
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [20ddfb3d] rundll32.exe "C:\WINDOWS\system32\fmgqagqn.dll",b
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3"
O4 - HKLM\..\RunOnce: [0003 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0004 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O23 - Service: McAfee Application Installer Cleanup (0101491197654224) (0101491197654224mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\010149~1.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
--
End of file - 10554 bytes
pskelley
2007-12-14, 23:00
OK, thanks for the feedback. It appears we did not get all of the infection; this is an outward sign:
O4 - HKLM\..\Run: [20ddfb3d] rundll32.exe "C:\WINDOWS\system32\fmgqagqn.dll",b
Because the tools do not update, please make sure you have deleted Vundofix and combofix from the computer completely. The tools are constantly updated and we need the very newest versions.
1) Thanks to Atribune and any others who helped with this fix.
http://vundofix.atribune.org/ <<< tutorial
"Download VundoFix" to your Desktop
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\
(wait until you finish to post reports and logs)
2) Thanks to sUBs and anyone else who helped with this fix.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall
Post the Vundofix.txt, combofix log and a new HJT log.
Thanks
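As an added illustration of why that O4 line is an outward sign of a leftover Vundo component, the script below is example code written for this page; it is not from the thread, nor from VundoFix, ComboFix or HijackThis. It runs three triage checks over a few HJT and VundoFix lines constructed from the ones posted in this thread: a rundll32 Run entry loading an 8-random-letter DLL from system32 with a one-letter export, O2 BHO registrations whose DLL is already gone ("file missing"), and the dll/ini pairs whose stems are each other spelled backwards, the naming trait of the Vundo/Virtumonde family that the VundoFix list later in the thread shows (mljji.dll / ijjlm.ini). The "8 lowercase letters" test is an assumption drawn from the file names in this thread, not a rule of any of the tools.

```python
import ntpath
import re

# Constructed sample input: HijackThis lines modelled on the logs posted in
# this thread (the file names and CLSIDs are the ones that appear there).
SAMPLE_HJT_LINES = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {405EA3D6-E011-4130-A568-DB56A0364B8D} - C:\WINDOWS\system32\awtsp.dll (file missing)",
    r"O2 - BHO: {e18328d1-05e9-3d9b-c904-a926e7939e9d} - {d9e9397e-629a-409c-b9d3-9e501d82381e} - C:\WINDOWS\system32\jolauolf.dll (file missing)",
    r"O2 - BHO: (no name) - {EC26F05B-DF64-42C4-99EA-7EC44516F4A2} - C:\WINDOWS\system32\mljji.dll (file missing)",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe",
    r'O4 - HKLM\..\Run: [20ddfb3d] rundll32.exe "C:\WINDOWS\system32\fmgqagqn.dll",b',
    r"O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook",
]

# Constructed sample input: the file list VundoFix printed in this thread.
SAMPLE_VUNDOFIX_FILES = [
    r"C:\WINDOWS\system32\anruoyxw.dll",
    r"C:\WINDOWS\system32\fmgqagqn.dll",
    r"C:\WINDOWS\system32\ijjlm.ini",
    r"C:\WINDOWS\system32\ijjlm.ini2",
    r"C:\WINDOWS\system32\mljji.dll",
    r"C:\WINDOWS\system32\nqgaqgmf.ini",
    r"C:\WINDOWS\system32\wxyourna.ini",
    r"C:\WINDOWS\system32\yrrrsqlf.dll",
    r"C:\WINDOWS\system32\flqsrrry.ini",
]

# HJT "O4 - HKLM\..\Run: [name] command" lines.
RUN_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# rundll32.exe "<dll>",<export>   (quotes optional)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S*)', re.IGNORECASE)
# HJT "O2 - BHO: <desc> - {CLSID} - <path> [(file missing)]" lines.
BHO_RE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)(?P<missing> \(file missing\))?$")
# Assumption: the droppers seen in this thread use 8 random lowercase letters
# for the DLL stem (fmgqagqn.dll, yrrrsqlf.dll, ...).
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}\.dll$")


def suspicious_run_entries(lines):
    """DLL paths from O4 Run entries that look like a Vundo loader: rundll32
    loading an 8-random-letter DLL out of system32 with a one-letter (or empty)
    export name.  A legitimate entry such as nview.dll,nViewLoadHook does not
    match because its stem and export name are real words."""
    hits = []
    for line in lines:
        m = RUN_RE.match(line)
        if not m:
            continue
        r = RUNDLL_RE.match(m.group("cmd"))
        if not r:
            continue
        dll = r.group("dll")
        base = ntpath.basename(dll).lower()
        if ("system32" in dll.lower()
                and RANDOM_STEM_RE.match(base)
                and len(r.group("export")) <= 1):
            hits.append(dll)
    return hits


def orphaned_bhos(lines):
    """Basenames of O2 BHO entries whose DLL is gone ("file missing") but whose
    CLSID registration under system32 is still present: the leftovers that
    remain after the files are deleted and that the HJT fix step removes."""
    found = []
    for line in lines:
        m = BHO_RE.match(line)
        if m and m.group("missing") and "system32" in m.group("path").lower():
            found.append(ntpath.basename(m.group("path")).lower())
    return found


def reversed_name_pairs(paths):
    """Pair every .dll with the .ini whose stem is the DLL stem spelled
    backwards (mljji.dll <-> ijjlm.ini), the Vundo/Virtumonde naming trait
    visible in the VundoFix list; sorted by DLL name."""
    names = {ntpath.basename(p).lower() for p in paths}
    pairs = []
    for base in sorted(names):
        stem, ext = ntpath.splitext(base)
        if ext != ".dll":
            continue
        partner = stem[::-1] + ".ini"
        if partner in names:
            pairs.append((base, partner))
    return pairs


if __name__ == "__main__":
    print("Vundo-style Run entries:", suspicious_run_entries(SAMPLE_HJT_LINES))
    print("Orphaned BHO registrations:", orphaned_bhos(SAMPLE_HJT_LINES))
    print("Reversed-name dll/ini pairs:", reversed_name_pairs(SAMPLE_VUNDOFIX_FILES))
```

Run against the sample, the script flags only the `[20ddfb3d]` rundll32 line, lists the three "(file missing)" BHOs (awtsp.dll, jolauolf.dll, mljji.dll) as registry leftovers, and pairs all four DLLs in the VundoFix list with their reversed-name .ini files. Name heuristics like these are a triage aid for reading a log, not a replacement for the removal tools; a fresh Vundo variant can use a different naming scheme and still show up as a "(file missing)" BHO or an unexplained rundll32 Run entry.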
Hi Phil,
I was out of town for the weekend so here are the requested files.
1) VundoFix.txt
VundoFix V6.7.7
Checking Java version...
Scan started at 7:40:51 AM 12/17/2007
Listing files found while scanning....
C:\WINDOWS\system32\anruoyxw.dll
C:\WINDOWS\system32\fmgqagqn.dll
C:\WINDOWS\system32\gcophcbc.exe
C:\WINDOWS\system32\hjvwtbow.dll
C:\WINDOWS\system32\ijjlm.ini
C:\WINDOWS\system32\ijjlm.ini2
C:\WINDOWS\system32\ixvjosoe.dll
C:\WINDOWS\system32\jolauolf.dll
C:\WINDOWS\system32\jwefqagl.exe
C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\system32\nqgaqgmf.ini
C:\WINDOWS\system32\ultwinio.exe
C:\WINDOWS\system32\wxyourna.ini
C:\WINDOWS\system32\yrrrsqlf.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\anruoyxw.dll
C:\WINDOWS\system32\anruoyxw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fmgqagqn.dll
C:\WINDOWS\system32\fmgqagqn.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gcophcbc.exe
C:\WINDOWS\system32\gcophcbc.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\hjvwtbow.dll
C:\WINDOWS\system32\hjvwtbow.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ijjlm.ini
C:\WINDOWS\system32\ijjlm.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ijjlm.ini2
C:\WINDOWS\system32\ijjlm.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ixvjosoe.dll
C:\WINDOWS\system32\ixvjosoe.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jolauolf.dll
C:\WINDOWS\system32\jolauolf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jwefqagl.exe
C:\WINDOWS\system32\jwefqagl.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\system32\mljji.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nqgaqgmf.ini
C:\WINDOWS\system32\nqgaqgmf.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ultwinio.exe
C:\WINDOWS\system32\ultwinio.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxyourna.ini
C:\WINDOWS\system32\wxyourna.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\yrrrsqlf.dll
C:\WINDOWS\system32\yrrrsqlf.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
VundoFix V6.7.7
Checking Java version...
Scan started at 8:26:19 AM 12/17/2007
Listing files found while scanning....
C:\WINDOWS\system32\flqsrrry.ini
C:\WINDOWS\system32\yrrrsqlf.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\flqsrrry.ini
C:\WINDOWS\system32\flqsrrry.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\yrrrsqlf.dll
C:\WINDOWS\system32\yrrrsqlf.dll Has been deleted!
Performing Repairs to the registry.
Done!
2) HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:53 AM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wildboards.wildtangent.com/Redirector/Games/LeaderboardLookup/Decoder.aspx?g=bounce&dp=hpdesktop&l=HSP
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: (no name) - {405EA3D6-E011-4130-A568-DB56A0364B8D} - C:\WINDOWS\system32\awtsp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: {e18328d1-05e9-3d9b-c904-a926e7939e9d} - {d9e9397e-629a-409c-b9d3-9e501d82381e} - C:\WINDOWS\system32\jolauolf.dll (file missing)
O2 - BHO: (no name) - {EC26F05B-DF64-42C4-99EA-7EC44516F4A2} - C:\WINDOWS\system32\mljji.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [20ddfb3d] rundll32.exe "C:\WINDOWS\system32\yrrrsqlf.dll",b
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3"
O4 - HKLM\..\RunOnce: [0003 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0004 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
--
End of file - 11128 bytes
3) ComboFix.exe (Scan Log is too big, must post on 3 pages)
Page 1 of ComboFix
ComboFix 07-12-17.1 - Owner 2007-12-17 9:18:10.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.106 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Temp\bkR11
C:\WINDOWS\cookies.ini
C:\WINDOWS\hg173.exe
C:\WINDOWS\system32\daSgo02
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\uninst2.htm
C:\WINDOWS\unist1.htm
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-11-17 to 2007-12-17 )))))))))))))))))))))))))))))))
.
2007-12-12 14:03 . 2007-12-12 14:09 916,902 ---hs---- C:\WINDOWS\system32\nwsxrami.ini
2007-12-12 12:32 . 2007-12-13 09:33 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-11 09:28 . 2007-12-17 08:26 <DIR> d-------- C:\VundoFix Backups
2007-12-11 08:48 . 2007-12-11 08:48 <DIR> d-------- C:\Program Files\Sun
2007-12-11 08:48 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-11 08:20 . 2007-12-11 08:20 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-05 10:15 . 2007-12-05 10:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-05 10:15 . 2007-12-05 10:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-04 15:24 . 2003-10-10 23:19 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-04 15:24 . 2003-10-13 23:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-04 15:24 . 2003-10-10 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-04 15:24 . 2003-10-10 23:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-12-04 15:24 . 2003-10-13 23:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2007-12-04 15:20 . 2007-12-04 15:20 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-04 13:49 . 2007-12-04 13:49 63 --a------ C:\WINDOWS\mdm.ini
2007-12-04 13:17 . 2007-12-05 07:33 816,724 --ahs---- C:\WINDOWS\system32\antslmid.ini
2007-12-03 16:06 . 2007-12-03 16:07 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-12-03 16:02 . 2007-12-03 16:02 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-12-03 07:33 . 2007-12-03 07:33 793,820 --ahs---- C:\WINDOWS\system32\ptolrjme.tmp
2007-11-30 10:01 . 2007-11-30 10:01 <DIR> d-------- C:\WINDOWS\system32\daSgo06
2007-11-29 14:41 . 2007-10-10 17:55 6,065,664 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-29 14:41 . 2007-04-17 03:32 2,455,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-29 14:41 . 2007-03-07 23:10 991,232 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-29 14:41 . 2007-10-10 17:55 459,264 --a--c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-29 14:41 . 2007-10-10 17:55 383,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-29 14:41 . 2007-10-10 17:55 267,776 --a--c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-29 14:41 . 2007-10-10 17:55 63,488 --a--c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-29 14:41 . 2007-10-10 17:55 52,224 --a--c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-29 14:41 . 2007-10-10 04:59 13,824 --a--c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-29 14:33 . 2007-11-29 14:34 <DIR> d-------- C:\57f6375070a0c43864d847d3025c7ccd
2007-11-29 11:45 . 2007-12-10 10:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-21 14:06 . 2006-10-04 08:06 764,868 --a--c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2007-11-21 14:06 . 2006-10-04 08:06 217,118 --a--c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2007-11-21 14:05 . 2007-11-21 14:05 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-11-21 14:03 . 2007-11-21 14:03 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-21 14:03 . 2007-11-21 14:04 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-11-21 14:03 . 2007-11-21 14:04 <DIR> d-------- C:\70c677fd719e930ec8
2007-11-21 14:02 . 2007-11-21 14:03 <DIR> d-------- C:\fc66d72d2b72b8ddbd81ebcfe9
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-17 15:10 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-17 14:25 --------- d-----w C:\Program Files\McAfee
2007-12-14 20:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-14 20:31 --------- d-----w C:\Program Files\Zone.com Deluxe Games
2007-12-14 20:30 --------- d-----w C:\Program Files\interMute
2007-12-14 20:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\interMute
2007-12-13 14:26 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2007-12-12 20:38 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-12-11 14:48 --------- d-----w C:\Program Files\Java
2007-12-06 18:21 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2007-11-24 09:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2007-11-13 20:53 --------- d--h--w C:\Program Files\Zero G Registry
2007-11-13 20:53 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-13 20:50 --------- d-----w C:\Program Files\HP
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-17 21:32 --------- d-----w C:\Program Files\Interbank FX Trader 4
2006-02-24 17:57 3,167,744 ----a-w C:\Documents and Settings\Owner\gosetup.exe
2006-01-12 16:33 563,712 ----a-w C:\Documents and Settings\Owner\370_gotomypc.exe
.
((((((((((((((((((((((((((((( snapshot@2007-12-11_10.03.59.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-29 22:35:13 1,287,680 ----a-w C:\WINDOWS\$hf_mig$\KB941568\SP2QFE\quartz.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941568\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941568\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\updspapi.dll
+ 2007-10-10 23:47:27 124,928 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\advpack.dll
+ 2007-10-10 23:47:27 214,528 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\dxtrans.dll
+ 2007-10-10 23:47:27 132,608 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\extmgr.dll
+ 2007-10-10 23:47:27 63,488 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\icardie.dll
+ 2007-10-10 08:16:47 70,656 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ie4uinit.exe
+ 2007-10-10 23:47:27 153,088 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieakeng.dll
+ 2007-10-10 23:47:27 230,400 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieaksie.dll
+ 2007-10-10 05:47:20 161,792 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieakui.dll
+ 2007-04-17 09:32:38 2,455,488 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieapfltr.dat
+ 2007-10-10 23:47:27 383,488 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieapfltr.dll
+ 2007-10-10 23:47:27 388,096 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iedkcs32.dll
+ 2007-10-10 23:47:27 6,067,200 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieframe.dll
+ 2007-10-10 23:47:27 44,544 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iernonce.dll
+ 2007-10-10 23:47:27 267,776 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iertutil.dll
+ 2007-10-10 08:16:47 13,824 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieudinit.exe
+ 2007-10-10 08:16:56 625,664 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iexplore.exe
+ 2007-10-10 23:47:28 27,648 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\jsproxy.dll
+ 2007-10-10 23:47:28 459,264 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\msfeeds.dll
+ 2007-10-10 23:47:28 52,224 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\msfeedsbs.dll
+ 2007-10-30 23:48:49 3,593,216 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\mshtml.dll
+ 2007-10-10 23:47:28 478,208 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\mshtmled.dll
+ 2007-10-10 23:47:28 193,024 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\msrating.dll
+ 2007-10-10 23:47:28 671,232 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\mstime.dll
+ 2007-10-10 23:47:28 102,912 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\occache.dll
+ 2007-10-10 23:47:28 105,984 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\url.dll
+ 2007-10-10 23:47:29 1,162,240 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\urlmon.dll
+ 2007-10-10 23:47:29 233,472 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\webcheck.dll
+ 2007-10-10 23:47:29 825,344 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\update\updspapi.dll
+ 2007-11-13 11:02:46 60,416 ----a-w C:\WINDOWS\$hf_mig$\KB942763\SP2QFE\tzchange.exe
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB942763\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB942763\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\updspapi.dll
+ 2007-11-13 08:47:45 20,480 ----a-w C:\WINDOWS\$hf_mig$\KB944653\SP2QFE\secdrv.sys
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB944653\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB944653\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\updspapi.dll
+ 2007-08-20 10:04:34 124,928 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\advpack.dll
+ 2007-08-20 10:04:34 214,528 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\dxtrans.dll
+ 2007-08-20 10:04:34 132,608 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\extmgr.dll
+ 2007-08-20 10:04:34 63,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\icardie.dll
+ 2007-08-17 10:20:54 63,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ie4uinit.exe
+ 2007-08-20 10:04:34 153,088 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieakeng.dll
+ 2007-08-20 10:04:35 230,400 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieaksie.dll
+ 2007-08-17 07:34:25 161,792 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieakui.dll
+ 2007-08-20 10:04:35 383,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieapfltr.dll
+ 2007-08-20 10:04:35 384,512 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iedkcs32.dll
+ 2007-08-20 10:04:37 6,058,496 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieframe.dll
+ 2007-08-20 10:04:38 44,544 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iernonce.dll
+ 2007-08-20 10:04:38 267,776 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iertutil.dll
+ 2007-08-17 10:20:54 13,824 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieudinit.exe
+ 2007-08-17 10:21:21 625,152 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iexplore.exe
+ 2007-08-20 10:04:39 27,648 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\jsproxy.dll
+ 2007-08-20 10:04:39 459,264 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msfeeds.dll
+ 2007-08-20 10:04:39 52,224 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msfeedsbs.dll
+ 2007-08-20 21:34:42 3,584,512 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mshtml.dll
+ 2007-08-20 10:04:41 477,696 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mshtmled.dll
+ 2007-08-20 10:04:41 193,024 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msrating.dll
+ 2007-08-20 10:04:42 671,232 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mstime.dll
+ 2007-08-20 10:04:42 102,400 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\occache.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\updspapi.dll
+ 2007-08-20 10:04:42 105,984 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\url.dll
+ 2007-08-20 10:04:42 1,152,000 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\urlmon.dll
+ 2007-08-20 10:04:42 232,960 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\webcheck.dll
+ 2007-08-20 10:04:43 824,832 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\wininet.dll
Page 2 of ComboFix Log
+ 2006-08-08 23:33:50 350,448 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\801AEE179C9018D4F82A4DC807862124\17.0.4001\awApi4.dll
- 2007-07-16 14:02:16 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2007-12-13 14:32:04 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\_7AE715922BD74E0E938522AC3FDACFB1.exe
- 2007-07-16 14:02:15 65,536 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\_7AE715922BD74E0E938522AC3FDACFB1_1.exe
+ 2007-12-13 14:32:00 65,536 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\_7AE715922BD74E0E938522AC3FDACFB1_1.exe
- 2007-07-16 14:02:17 65,536 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\_7AE715922BD74E0E938522AC3FDACFB1_2.exe
+ 2007-12-13 14:32:05 65,536 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\_7AE715922BD74E0E938522AC3FDACFB1_2.exe
- 2007-07-16 14:02:17 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut1_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:05 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut1_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:17 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut10_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:06 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut10_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:22 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut101_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:18 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut101_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:17 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut11_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:06 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut11_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:22 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut111_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:18 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut111_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:17 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut12_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:06 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut12_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:23 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut121_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:18 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut121_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:18 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut13_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:07 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut13_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:23 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut131_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:19 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut131_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:18 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut15_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:07 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut15_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:23 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut151_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:19 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut151_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:18 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut16_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:08 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut16_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:23 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut161_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:19 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut161_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:19 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut17_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:08 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut17_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:24 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut171_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:20 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut171_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:20 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut18_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:08 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut18_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:24 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut181_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:21 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut181_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:24 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut19_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:21 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut19_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:20 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut2_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:13 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut2_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:20 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut20_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:13 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut20_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:16 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut201_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2007-12-13 14:32:02 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut201_7AE715922BD74E0E938522AC3FDACFB1.exe
- 2007-07-16 14:02:24 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut21_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:22 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut21_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:20 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut24_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:13 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut24_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:16 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut241_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2007-12-13 14:32:03 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut241_7AE715922BD74E0E938522AC3FDACFB1.exe
- 2007-07-16 14:02:21 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut25_6C2287199EDD4CAA8285D3095F51E522.exe
+ 2007-12-13 14:32:14 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut25_6C2287199EDD4CAA8285D3095F51E522.exe
- 2007-07-16 14:02:24 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut26_6C2287199EDD4CAA8285D3095F51E522.exe
+ 2007-12-13 14:32:22 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut26_6C2287199EDD4CAA8285D3095F51E522.exe
- 2007-07-16 14:02:21 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut27_6C2287199EDD4CAA8285D3095F51E522.exe
+ 2007-12-13 14:32:14 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut27_6C2287199EDD4CAA8285D3095F51E522.exe
- 2007-07-16 14:02:24 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut28_6C2287199EDD4CAA8285D3095F51E522.exe
+ 2007-12-13 14:32:22 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut28_6C2287199EDD4CAA8285D3095F51E522.exe
- 2007-07-16 14:02:26 45,056 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut29_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2007-12-13 14:32:26 45,056 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut29_7AE715922BD74E0E938522AC3FDACFB1.exe
- 2007-07-16 14:02:21 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut3_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:15 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut3_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:26 45,056 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut30_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2007-12-13 14:32:25 45,056 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut30_7AE715922BD74E0E938522AC3FDACFB1.exe
- 2007-07-16 14:02:25 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut31_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:23 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut31_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:15 65,536 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut32_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2007-12-13 14:32:01 65,536 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut32_7AE715922BD74E0E938522AC3FDACFB1.exe
- 2007-07-16 14:02:16 65,536 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut33_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2007-12-13 14:32:01 65,536 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut33_7AE715922BD74E0E938522AC3FDACFB1.exe
- 2007-07-16 14:02:16 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut34_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2007-12-13 14:32:03 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut34_7AE715922BD74E0E938522AC3FDACFB1.exe
- 2007-07-16 14:02:15 65,536 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut37_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2007-12-13 14:31:59 65,536 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut37_7AE715922BD74E0E938522AC3FDACFB1.exe
- 2007-07-16 14:02:15 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut39_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2007-12-13 14:32:01 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut39_7AE715922BD74E0E938522AC3FDACFB1.exe
- 2007-07-16 14:02:21 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut4_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:16 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut4_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:17 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut40_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2007-12-13 14:32:05 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut40_7AE715922BD74E0E938522AC3FDACFB1.exe
- 2007-07-16 14:02:25 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut41_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:24 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut41_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:22 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut5_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:16 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut5_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:25 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut51_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:24 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut51_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:26 40,960 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut6_1B72F66FEC97454396CC50F63093FE70_1.exe
+ 2007-12-13 14:32:24 40,960 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut6_1B72F66FEC97454396CC50F63093FE70_1.exe
- 2007-07-16 14:02:22 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut7_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:16 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut7_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:26 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut71_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:25 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut71_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:22 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut8_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:17 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut8_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:26 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut81_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:25 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut81_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:22 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut9_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:17 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut9_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-07-16 14:02:26 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut91_1B72F66FEC97454396CC50F63093FE70.exe
+ 2007-12-13 14:32:25 450,560 ----a-r C:\WINDOWS\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut91_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-08-20 10:04:34 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2007-10-10 23:55:51 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
Page 3 Of ComboFix scan Log
- 2007-12-11 15:37:24 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-14 22:35:58 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-12-11 15:37:24 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-14 22:35:58 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-14 22:35:58 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-08-20 10:04:34 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2007-10-10 23:55:51 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
- 2007-08-20 10:04:34 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2007-10-10 23:55:51 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-08-20 10:04:34 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-10-10 23:55:51 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-08-17 10:20:54 63,488 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2007-10-10 10:59:40 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2007-08-20 10:04:34 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2007-10-10 23:55:51 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2007-08-20 10:04:35 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2007-10-10 23:55:51 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2007-08-17 07:34:25 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2007-10-10 05:46:55 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2007-08-20 10:04:35 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2007-10-10 23:55:52 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-08-20 10:04:38 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2007-10-10 23:55:55 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2007-08-17 10:21:21 625,152 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2007-10-10 10:59:52 625,152 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2007-08-20 10:04:39 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2007-10-10 23:55:56 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2007-08-20 21:34:42 3,584,512 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2007-10-30 23:42:28 3,590,656 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-08-20 10:04:41 477,696 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2007-10-10 23:55:58 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-08-20 10:04:41 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2007-10-10 23:55:58 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-08-20 10:04:42 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2007-10-10 23:55:59 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-08-20 10:04:42 102,400 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
+ 2007-10-10 23:55:59 102,400 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
+ 2007-10-29 22:43:03 1,287,680 -c----w C:\WINDOWS\system32\dllcache\quartz.dll
- 2007-08-20 10:04:42 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
+ 2007-10-10 23:55:59 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
- 2007-08-20 10:04:42 1,152,000 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-10-10 23:56:00 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-08-20 10:04:42 232,960 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2007-10-10 23:56:00 232,960 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-08-20 10:04:43 824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2007-10-10 23:56:00 824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2006-10-19 03:47:18 222,208 -c--a-w C:\WINDOWS\system32\dllcache\WMASF.dll
+ 2007-10-27 23:40:30 222,720 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
- 2007-08-20 10:04:34 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2007-10-10 23:55:51 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-08-20 10:04:34 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2007-10-10 23:55:51 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2007-08-20 10:04:34 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2007-10-10 23:55:51 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2007-08-17 10:20:54 63,488 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2007-10-10 10:59:40 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2007-08-20 10:04:34 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2007-10-10 23:55:51 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2007-08-20 10:04:35 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2007-10-10 23:55:51 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2007-08-17 07:34:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2007-10-10 05:46:55 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2007-08-20 10:04:35 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2007-10-10 23:55:52 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2007-08-20 10:04:35 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2007-10-10 23:55:52 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2007-08-20 10:04:37 6,058,496 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2007-10-10 23:55:54 6,065,664 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-08-20 10:04:38 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2007-10-10 23:55:55 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2007-08-20 10:04:38 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2007-10-10 23:55:55 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2007-08-17 10:20:54 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2007-10-10 10:59:40 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2007-08-20 10:04:39 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2007-10-10 23:55:56 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-12-02 23:00:05 18,684,536 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-08-20 10:04:39 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2007-10-10 23:55:56 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2007-08-20 10:04:39 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2007-10-10 23:55:56 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2007-08-20 21:34:42 3,584,512 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2007-10-30 23:42:28 3,590,656 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-08-20 10:04:41 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2007-10-10 23:55:58 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-08-20 10:04:41 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2007-10-10 23:55:58 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-08-20 10:04:42 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2007-10-10 23:55:59 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-08-20 10:04:42 102,400 ----a-w C:\WINDOWS\system32\occache.dll
+ 2007-10-10 23:55:59 102,400 ----a-w C:\WINDOWS\system32\occache.dll
- 2005-08-30 03:54:26 1,287,168 ----a-w C:\WINDOWS\system32\quartz.dll
+ 2007-10-29 22:43:03 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
- 2007-07-23 00:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-12-14 03:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
- 2007-07-18 12:42:22 60,416 ----a-w C:\WINDOWS\system32\tzchange.exe
+ 2007-11-13 11:31:11 60,416 ----a-w C:\WINDOWS\system32\tzchange.exe
- 2007-08-20 10:04:42 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2007-10-10 23:55:59 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-08-20 10:04:42 1,152,000 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-10-10 23:56:00 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-08-20 10:04:42 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2007-10-10 23:56:00 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2007-08-20 10:04:43 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-10-10 23:56:00 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
- 2006-10-19 03:47:18 222,208 ----a-w C:\WINDOWS\system32\wmasf.dll
+ 2007-10-27 23:40:30 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{405EA3D6-E011-4130-A568-DB56A0364B8D}]
C:\WINDOWS\system32\awtsp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d9e9397e-629a-409c-b9d3-9e501d82381e}]
C:\WINDOWS\system32\jolauolf.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EC26F05B-DF64-42C4-99EA-7EC44516F4A2}]
C:\WINDOWS\system32\mljji.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"NVIEW"="nview.dll" [2003-08-19 03:56 C:\WINDOWS\system32\nview.dll]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" []
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" []
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 09:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-24 07:22]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 20:11]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 22:42]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-07-23 17:37]
"LTMSG"="LTMSG.exe" [2003-07-14 18:52 C:\WINDOWS\ltmsg.exe]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 15:55]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 03:55]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 15:51]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 08:23]
"AutoTKit"="C:\hp\bin\AUTOTKIT.EXE" [2003-06-18 20:19]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 13:54]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 15:44]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2006-07-24 14:28]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 15:24]
"HPUsageTracking"="C:\Program Files\HP\HP UT\bin\hppusg.exe" [2005-02-07 11:10]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"20ddfb3d"="C:\WINDOWS\system32\yrrrsqlf.dll" []
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-11-12 10:57]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3"="C:\WINDOWS\command.com /c rmdir C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3" []
"0003 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"="C:\WINDOWS\command.com /c rmdir C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center" []
"0004 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"="C:\WINDOWS\command.com /c rmdir C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center" []
"0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3"="C:\WINDOWS\command.com /c rmdir C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3" []
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 14:05:56]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2002-06-20 12:21:32]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-09 16:13:18]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-10-10 23:26:40]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AloPar.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Parallel Arbitrator]
@="Driver Group"
S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys [2003-07-30 03:15]
S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys [2003-07-30 03:15]
S3 HPPLSBULK;HPPLSBULK;C:\WINDOWS\system32\drivers\hpplsbulk.sys [2005-02-02 17:29]
S4 AloPar;AloPar;C:\WINDOWS\System32\Drivers\AloPar.sys [2003-08-01 08:00]
.
Contents of the 'Scheduled Tasks' folder
"2007-12-17 14:47:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-12-15 07:00:00 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-11-01 06:00:38 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 09:23:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-17 9:27:27 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-11 13:48
C:\ComboFix3.txt ... 2007-12-11 10:05
.
2007-12-17 09:00:31 --- E O F ---
pskelley
2007-12-17, 18:07
edit to rework instructions
Am I supposed to perform anything per your last post?
John
pskelley
2007-12-17, 18:23
Make sure the computer is staying offline except when troubleshooting. If you compare the first scans by the tools and the most recent one, you can easily see the computer is getting infected as we work. If anyone else has access to this computer, take that access away.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Open Vundofix by Doubleclicking on it, then point your mouse to the white box above the buttons and right click, then click on Add More Files. When the next window opens, copy and paste the files into the boxes and click on Add File(s), then click on Close Window. Then click Remove Vundo.
(files to add)
C:\WINDOWS\system32\yrrrsqlf.dll
C:\WINDOWS\system32\nwsxrami.ini
C:\WINDOWS\system32\mcrh.tmp
3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {405EA3D6-E011-4130-A568-DB56A0364B8D} - C:\WINDOWS\system32\awtsp.dll (file missing)
O2 - BHO: {e18328d1-05e9-3d9b-c904-a926e7939e9d} - {d9e9397e-629a-409c-b9d3-9e501d82381e} - C:\WINDOWS\system32\jolauolf.dll (file missing)
O2 - BHO: (no name) - {EC26F05B-DF64-42C4-99EA-7EC44516F4A2} - C:\WINDOWS\system32\mljji.dll (file missing)
O4 - HKLM\..\Run: [20ddfb3d] rundll32.exe "C:\WINDOWS\system32\yrrrsqlf.dll",b
Close all programs but HJT and all browser windows, then click on "Fix Checked"
4) RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\WINDOWS\system32\yrrrsqlf.dll <<< make sure that file is gone
5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Post a new HJT log and some feedback.
Thanks
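An added example, not code from this thread and not from HijackThis, ComboFix or VundoFix: a small Python triage script that does the two things the post above relies on. It flags HJT O2/O4 lines that carry the traits of the four entries fixed here (a BHO with no readable name whose DLL is gone, an HKLM Run value named with eight hex digits, rundll32 loading a system32 DLL by a one-letter export), and it diffs the autorun entries of an earlier and a later HJT log so that anything reappearing between scans stands out, which is what "compare the first scans and the most recent one" means in practice. The indicator rules are my own assumptions drawn from those four entries, and the two sample logs are constructed from lines that appear in this thread.

```python
"""Triage and diff HijackThis (HJT) O2/O4 entries for Vundo-style persistence.

Added example for this thread: not HijackThis, ComboFix or VundoFix code.
The indicator rules are assumptions drawn from the four entries the helper
had removed above; treat them as a triage aid, not a complete signature.
"""
import re

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + GUID + r") - (?P<path>.*)$")
# O4 - HKLM\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
# rundll32.exe "<dll>",<export>
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S*)', re.IGNORECASE)

# Constructed sample logs built from lines in this thread: the first still carries
# the Vundo entries, the second is the state after the HJT "Fix Checked" step
# (with the Java updater that showed up in the later log as a benign addition).
FIRST_LOG = r'''
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {405EA3D6-E011-4130-A568-DB56A0364B8D} - C:\WINDOWS\system32\awtsp.dll (file missing)
O2 - BHO: {e18328d1-05e9-3d9b-c904-a926e7939e9d} - {d9e9397e-629a-409c-b9d3-9e501d82381e} - C:\WINDOWS\system32\jolauolf.dll (file missing)
O2 - BHO: (no name) - {EC26F05B-DF64-42C4-99EA-7EC44516F4A2} - C:\WINDOWS\system32\mljji.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [20ddfb3d] rundll32.exe "C:\WINDOWS\system32\yrrrsqlf.dll",b
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
'''
LATER_LOG = r'''
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
'''


def triage_line(line):
    """Reasons one HJT line looks like Vundo-style persistence ([] if none)."""
    reasons = []
    m = O2_RE.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        # "(no name)" or a GUID standing in for the name, and the DLL no longer on disk
        nameless = name == "(no name)" or re.fullmatch(GUID, name) is not None
        if nameless and path.endswith("(file missing)"):
            reasons.append("nameless BHO whose DLL is missing (orphaned registration)")
        return reasons
    m = O4_RE.match(line)
    if m:
        value, cmd = m.group("value"), m.group("cmd")
        if re.fullmatch(r"[0-9a-f]{8}", value):
            reasons.append("Run value named with 8 hex digits instead of a product name")
        r = RUNDLL_RE.match(cmd)
        if r and "\\system32\\" in r.group("dll").lower() and len(r.group("export")) == 1:
            reasons.append("rundll32 loads a system32 DLL by a one-letter export")
    return reasons


def triage(log_text):
    """[(line, reasons)] for every flagged line in an HJT log."""
    out = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            out.append((line, reasons))
    return out


def autorun_entries(log_text):
    """The O2/O4 lines of a log: the part that changes when persistence is added or removed."""
    return {l.strip() for l in log_text.splitlines() if l.strip().startswith(("O2 ", "O4 "))}


def diff_logs(earlier, later):
    """(added, removed) autorun entries between two HJT logs of the same machine."""
    a, b = autorun_entries(earlier), autorun_entries(later)
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for line, reasons in triage(FIRST_LOG):
        print("FLAG", line, "->", "; ".join(reasons))
    added, removed = diff_logs(FIRST_LOG, LATER_LOG)
    print("added since first scan:", *added, sep="\n  ")
    print("gone since first scan:", *removed, sep="\n  ")
```

On real logs, pass the full text of each HJT log to diff_logs() and run triage() over the "added" list: an entry that is back in a later scan after it was fixed is exactly the "getting infected as we work" the post above warns about, and it means the box was online or another user touched it between scans. The rules are deliberately narrow (the SiteAdvisor BHO is also "(no name)" but keeps its DLL, so it is not flagged); widen them only with evidence from the machine in front of you.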
OK,
Other than downloading your instructions and uploading results of the scans, I am physically unplugging this pc from my network router. I am following this thread on another pc when waiting for further instructions.
1) Files and Folders were made visible...done
2) The 3 Vundofix files were added and removed....done
3) The 4 files under the HJT scan were checked and removed....done
4) This file: C:\WINDOWS\system32\yrrrsqlf.dll was not found. A search of the drive came up empty.
5) Ran ATF-Cleaner....done
6) New HJT Log is below.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:34 AM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wildboards.wildtangent.com/Redirector/Games/LeaderboardLookup/Decoder.aspx?g=bounce&dp=hpdesktop&l=HSP
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3"
O4 - HKLM\..\RunOnce: [0003 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0004 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
--
End of file - 10690 bytes
6) There are snowflakes falling on my POST REPLY page. ???????
John
pskelley
2007-12-17, 19:34
There are snowflakes falling on my POST REPLY page. ???????
That's tashi, our ever so nice administrator working hard to get us in the Christmas spirit:santa:
Not sure about these, not malware?
o4 items in the HJT log:
HP DeskJet 840C Series v2.3"
HP DeskJet 930C Series v2.3"
HP Internet Connection Center"
If you don't know why they are in the HJT log, I would be asking HP about them.
This is optional: O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
http://www.castlecops.com/startuplist-180.html
Remove it with HJT and delete the file in red...be sure to get the correct file, other RealTek files look like that.
The balance of the HJT log is clean and there is no sign of any malware. How is the computer running?
Thanks
Hi Phil,
The pc seems to be running great. It seems to boot faster, and programs are starting up quicker than before.
I will monitor over the next few days. Any problems I will let you know.
All the best to you and the Spybot Team.
Merry Christmas :santa:
and a Happy New Year:wav:
With Gratitude,
John
pskelley
2007-12-17, 20:49
In case I missed this information:santa:
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.