View Full Version : Malware nightmare
sportdman1
2009-05-26, 10:29
My symptoms are that the computer is running extremely slow, my hotmail account has been "hijacked", when I run SpyBot I can't fix problems once they are detected (get the "not responding" error), and more that I am not aware of.
Thanks in advance,
Here is my HJT log file.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:28 AM, on 5/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\CDProxyServ.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\mcshield.exe
D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
D:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
D:\Program Files\Ahead\InCD\InCD.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\support.com\bin\tgcmd.exe
D:\WINDOWS\system32\WDBtnMgr.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\OpenVPN\bin\openvpn-gui.exe
D:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\SmartDisk\FlashPath\sdstat.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
D:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Java\jre6\bin\java.exe
D:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [UpdateMedia] D:\Program Files\MediaUpdate\UpdateMedia.exe
O4 - HKLM\..\Run: [SQInstaller] SQInstaller.exe
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [tgcmd] "D:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [openvpn-gui] D:\Program Files\OpenVPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] D:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FlashPath Monitor.lnk = D:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = D:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: ymetray.lnk = D:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - D:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - D:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - D:\WINDOWS\CDProxyServ.exe
O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - D:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - D:\Program Files\ReaConverter 5.5 Pro\rcp_scheduler.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - D:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - D:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 11710 bytes
Forgot to uncheck word wrap
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:38 AM, on 5/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\CDProxyServ.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\mcshield.exe
D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\Program Files\support.com\bin\tgcmd.exe
D:\WINDOWS\system32\WDBtnMgr.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\OpenVPN\bin\openvpn-gui.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
D:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
D:\Program Files\SmartDisk\FlashPath\sdstat.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
D:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
D:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [UpdateMedia] D:\Program Files\MediaUpdate\UpdateMedia.exe
O4 - HKLM\..\Run: [SQInstaller] SQInstaller.exe
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [tgcmd] "D:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [openvpn-gui] D:\Program Files\OpenVPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] D:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FlashPath Monitor.lnk = D:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = D:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: ymetray.lnk = D:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - D:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - D:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - D:\WINDOWS\CDProxyServ.exe
O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - D:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - D:\Program Files\ReaConverter 5.5 Pro\rcp_scheduler.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - D:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - D:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 11315 bytes
Hello and welcome to Safer Networking.
My name is km2357 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.
If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.
Please do not start another thread or topic, I will assist you at this thread until we solve your problems.
Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.
I will be back as soon as possible with your first instructions!
D:\WINDOWS\CDProxyServ.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - D:\WINDOWS\CDProxyServ.exe
There is a good chance you have the Sony - XCP DRM Rootkit. You need to remove it. To do so, carefully read through and follow the instructions below at the following website:
http://www.bleepingcomputer.com/forums/topic34904.html
More info can be found here as well:
http://cp.sonybmg.com/xcp/english/updates.html
Step # 1: Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
Step # 2: Remove Hijackthis Entries
Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.
In your next post/reply, I need to see the following:
1. Uninstall List
2. A fresh HiJackThis Log
sportdman1
2009-05-27, 05:16
Thanks in advance km2357 for the help. :thanks:
***Here is the uninstall list:
Adobe Acrobat 4.0
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.1.0
Adobe Shockwave Player 11
Alphabet Express
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoImpression 4
Bonjour
CALI CD Updater
CALI Library 2003-2004
Comcast High-Speed Internet Install Wizard
Compatibility Pack for the 2007 Office system
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
Dangerous Mines Lite
Digimax Reader
Digimax V70
Digimax Viewer 2.1
DivX Codec
DivX Converter
DivX Player
DivX Web Player
ERUNT 1.1j
Fisher-Price® Ready for Preschool
FlashPath
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Hardwood Solitaire III Lite
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Format SDK (KB910998)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 7.0
HP Document Viewer 7.0
HP Driver Diagnostics
HP Imaging Device Functions 7.0
HP Photo Printing Software
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
hp psc 900 series
HP Share-to-Web
HP Software Update
HP Solution Center 7.0
HP Update
InetDctr
Intel(R) PRO Network Connections Drivers
iTunes
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
Java(TM) 6 Update 13
Linksys Wireless-G PCI Adapter
Malwarebytes' Anti-Malware
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Digital Image Pro 7.0
Microsoft Fighter Ace II
Microsoft Flight Simulator 2002
Microsoft Office XP Media Content
Microsoft Office XP Standard
Microsoft RAW Image Thumbnailer and Viewer for Windows XP Version 1.0 (Build 50)
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# .NET (English)
Microsoft Visual J# .NET Redistributable Package(ENU) v1.0.4205
Microsoft Visual Studio .NET Professional - English
Microsoft Windows Journal Viewer
Movie-Viewer 2.0
Mozilla Firefox (3.0.10)
MSN Gaming Zone
MSN Music Assistant
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero PhotoShow Elite
Nero Suite
Norton PC Checkup
NVIDIA Windows 2000/XP Display Drivers
OCR Software by I.R.I.S 7.0
OpenVPN 2.0.9-gui-1.0.3
Paradise Poker
Picasa 2
PL-2303 USB-to-Serial
PLI's Multistate Bar Review
PokerStars
Preschool v1.0
QuickTime
QuickTime for Windows (32-bit)
ReaConverter 5.5 Pro
RealPlayer
Retrospect 6.5
Safari
SafeSurfing
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB963027)
SightSpeed (remove only)
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
SpywareBlaster 4.2
TurboTax Deluxe 2003
Ulead Movie Wizard SE VCD
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
URGE
WexTech AnswerWorks
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinPatrol 2009
WizCom InfoScan Desktop
Writing Blaster
Yahoo! Address AutoComplete
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Music Jukebox
Yahoo! Toolbar
***Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:12:20 PM, on 5/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\CDProxyServ.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\mcshield.exe
D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
D:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
D:\Program Files\support.com\bin\tgcmd.exe
D:\WINDOWS\system32\WDBtnMgr.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\OpenVPN\bin\openvpn-gui.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
D:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SmartDisk\FlashPath\sdstat.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
D:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [UpdateMedia] D:\Program Files\MediaUpdate\UpdateMedia.exe
O4 - HKLM\..\Run: [SQInstaller] SQInstaller.exe
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [tgcmd] "D:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [openvpn-gui] D:\Program Files\OpenVPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] D:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FlashPath Monitor.lnk = D:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = D:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: ymetray.lnk = D:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - D:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - D:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - D:\WINDOWS\CDProxyServ.exe
O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - D:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - D:\Program Files\ReaConverter 5.5 Pro\rcp_scheduler.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - D:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - D:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 10727 bytes
Step # 1: Download and Run ComboFix
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
* IMPORTANT !!! Save ComboFix.exe to your Desktop
When finished, it shall produce a log for you. Please include C:\ComboFix.txt and a fresh HiJackThis Log in your next reply.
Use multiple posts if you can't fit everything into one post.
sportdman1
2009-05-27, 09:17
ComboFix 09-05-26.02 - JonMarlowe 05/26/2009 22:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.298 [GMT -7:00]
Running from: d:\documents and settings\JonMarlowe\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\windows\IE4 Error Log.txt
d:\windows\system32\Cache
d:\windows\system32\uninstall.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CD_PROXY
-------\Service_CD_Proxy
((((((((((((((((((((((((( Files Created from 2009-04-27 to 2009-05-27 )))))))))))))))))))))))))))))))
.
2009-05-26 07:20 . 2009-05-26 07:20 -------- d-----w d:\program files\Trend Micro
2009-05-26 06:58 . 2009-05-26 06:59 -------- d-----w d:\program files\ERUNT
2009-05-26 05:21 . 2009-05-26 05:21 -------- d-----w d:\documents and settings\JonMarlowe\Application Data\Malwarebytes
2009-05-26 05:21 . 2009-04-06 22:32 15504 ----a-w d:\windows\system32\drivers\mbam.sys
2009-05-26 05:21 . 2009-04-06 22:32 38496 ----a-w d:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 05:21 . 2009-05-26 05:21 -------- d-----w d:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-26 05:21 . 2009-05-26 05:21 -------- d-----w d:\program files\Malwarebytes' Anti-Malware
2009-05-26 05:14 . 2009-05-26 05:14 -------- d-----w d:\documents and settings\JonMarlowe\Application Data\WinPatrol
2009-05-26 05:14 . 2002-03-25 23:16 0 ----a-w d:\documents and settings\JonMarlowe\Application Data\WinPatrol\Config.sys
2009-05-26 05:14 . 2002-03-25 23:16 0 ----a-w d:\documents and settings\JonMarlowe\Application Data\WinPatrol\Autoexec.bat
2009-05-26 05:11 . 2009-05-26 05:11 -------- d-----w d:\program files\BillP Studios
2009-05-26 01:51 . 2009-05-26 01:51 -------- d-----w d:\windows\Sun
2009-05-26 01:48 . 2009-05-26 01:48 57344 ----a-w d:\documents and settings\JonMarlowe\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-7e280b2b-n\Decora-SSE.dll
2009-05-26 01:48 . 2009-05-26 01:48 24064 ----a-w d:\documents and settings\JonMarlowe\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-219811a4-n\Decora-D3D.dll
2009-05-26 01:48 . 2009-05-26 01:48 114688 ----a-w d:\documents and settings\JonMarlowe\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-56275323-n\jogl_cg.dll
2009-05-26 01:48 . 2009-05-26 01:48 348160 ----a-w d:\documents and settings\JonMarlowe\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-6a258f43-n\msvcr71.dll
2009-05-26 01:48 . 2009-05-26 01:48 315392 ----a-w d:\documents and settings\JonMarlowe\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-56275323-n\jogl.dll
2009-05-26 01:48 . 2009-05-26 01:48 20480 ----a-w d:\documents and settings\JonMarlowe\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-56275323-n\jogl_awt.dll
2009-05-26 01:48 . 2009-05-26 01:48 20480 ----a-w d:\documents and settings\JonMarlowe\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-43c890f4-n\gluegen-rt.dll
2009-05-26 01:48 . 2009-05-26 01:48 499712 ----a-w d:\documents and settings\JonMarlowe\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-6a258f43-n\msvcp71.dll
2009-05-26 01:48 . 2009-05-26 01:48 499712 ----a-w d:\documents and settings\JonMarlowe\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-6a258f43-n\jmc.dll
2009-05-26 01:47 . 2009-05-26 01:46 410984 ----a-w d:\windows\system32\deploytk.dll
2009-05-26 01:45 . 2009-05-26 01:45 152576 ----a-w d:\documents and settings\JonMarlowe\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-20 04:39 . 2009-05-20 04:39 -------- d-----w d:\documents and settings\JonMarlowe\Application Data\RCP 5
2009-05-20 04:38 . 2009-05-20 04:38 -------- d-----w d:\program files\Microsoft Silverlight
2009-05-18 16:08 . 2009-05-18 16:08 -------- d-sh--w d:\documents and settings\NinaMarlowe\PrivacIE
2009-05-18 16:04 . 2009-05-18 16:04 -------- d-sh--w d:\documents and settings\NinaMarlowe\IETldCache
2009-05-18 02:55 . 2009-05-18 02:55 -------- d-sh--w d:\documents and settings\JonMarlowe\IECompatCache
2009-05-18 02:54 . 2009-05-18 02:54 -------- d-sh--w d:\documents and settings\JonMarlowe\PrivacIE
2009-05-18 02:48 . 2009-05-18 02:48 -------- d-sh--w d:\documents and settings\JonMarlowe\IETldCache
2009-05-18 02:42 . 2009-05-18 02:42 -------- d-----w d:\windows\ie8updates
2009-05-18 02:41 . 2009-04-25 05:30 102400 -c----w d:\windows\system32\dllcache\iecompat.dll
2009-05-18 02:38 . 2009-05-18 02:40 -------- dc-h--w d:\windows\ie8
2009-05-16 19:31 . 2009-05-16 19:32 -------- d-----w d:\program files\OpenVPN
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-26 01:51 . 2005-02-26 07:22 1744 ----a-w d:\windows\system32\d3d9caps.dat
2009-05-26 01:46 . 2003-05-16 05:11 -------- d-----w d:\program files\Java
2009-05-26 00:58 . 2004-09-15 18:45 -------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-26 00:58 . 2004-09-15 18:45 -------- d-----w d:\program files\Spybot - Search & Destroy
2009-05-25 21:04 . 2008-07-09 08:56 -------- d---a-w d:\documents and settings\All Users\Application Data\TEMP
2009-05-25 21:04 . 2004-09-15 18:53 -------- d-----w d:\program files\SpywareBlaster
2009-05-16 05:41 . 2002-12-17 07:41 1632 ----a-w d:\windows\system32\d3d8caps.dat
2009-04-18 05:43 . 2009-04-18 03:59 -------- d-----w d:\documents and settings\NinaMarlowe\Application Data\RCP 5
2009-04-18 04:00 . 2009-04-18 03:59 -------- d-----w d:\program files\ReaConverter 5.5 Pro
2009-03-08 11:34 . 2004-02-07 01:05 914944 ----a-w d:\windows\system32\wininet.dll
2009-03-08 11:34 . 2003-04-05 21:00 43008 ----a-w d:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2001-08-23 12:00 18944 ----a-w d:\windows\system32\corpol.dll
2009-03-08 11:33 . 2003-04-05 21:01 420352 ----a-w d:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2001-08-23 12:00 72704 ----a-w d:\windows\system32\admparse.dll
2009-03-08 11:32 . 2003-04-05 20:59 71680 ----a-w d:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2003-04-05 20:59 34816 ----a-w d:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2003-04-05 21:00 48128 ----a-w d:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2001-08-23 12:00 45568 ----a-w d:\windows\system32\mshta.exe
2009-03-08 11:22 . 2001-08-23 12:00 156160 ----a-w d:\windows\system32\msls31.dll
2009-03-06 14:22 . 2003-04-05 21:01 284160 ----a-w d:\windows\system32\pdh.dll
2004-07-24 05:25 . 2004-07-24 05:25 49570 ----a-w d:\program files\Common Files\Nina Card.STO
2003-08-16 03:10 . 2003-08-16 03:10 3000704 ----a-w d:\program files\PokerStarsInstall.exe
2003-08-13 03:54 . 2003-08-13 03:54 1291040 ----a-w d:\program files\WindowsXP-KB823980-x86-ENU.exe
2003-07-17 03:00 . 2003-07-17 03:00 301500 ----a-w d:\program files\PPAL.EXE
2003-07-16 04:49 . 2003-07-16 04:49 5282816 ----a-w d:\program files\ParadisePokerSetup.exe
2003-07-09 06:56 . 2003-07-09 06:56 11646328 ----a-w d:\program files\acdsee.exe
2001-08-23 12:00 . 2001-08-23 12:00 94784 --sh--w d:\windows\twain.dll
2008-04-14 00:12 . 2001-08-23 12:00 50688 --sh--w d:\windows\twain_32.dll
2008-04-14 00:11 . 2001-08-23 12:00 1028096 --sha-w d:\windows\system32\mfc42.dll
2008-04-14 00:12 . 2001-08-23 12:00 57344 --sha-w d:\windows\system32\msvcirt.dll
2008-04-14 00:12 . 2003-04-05 21:00 413696 --sha-w d:\windows\system32\msvcp60.dll
2008-04-14 00:12 . 2003-04-05 21:00 343040 --sha-w d:\windows\system32\msvcrt.dll
2008-04-14 00:12 . 2001-08-23 12:00 551936 --sh--w d:\windows\system32\oleaut32.dll
2008-04-14 00:12 . 2001-08-23 12:00 84992 --sha-w d:\windows\system32\olepro32.dll
2008-04-14 00:12 . 2001-08-23 12:00 11776 --sha-w d:\windows\system32\regsvr32.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="d:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-31 4670704]
"PhotoShow Deluxe Media Manager"="d:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2004-11-12 212992]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Share-to-Web Namespace Daemon"="d:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"UpdateMedia"="d:\program files\MediaUpdate\UpdateMedia.exe" [2003-04-17 24576]
"ShStatEXE"="d:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]
"McAfeeUpdaterUI"="d:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 135251]
"tgcmd"="d:\program files\support.com\bin\tgcmd.exe" [2002-04-25 1544192]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"openvpn-gui"="d:\program files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-05-26 148888]
"WinPatrol"="d:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-04-20 337216]
"WD Button Manager"="WDBtnMgr.exe" - d:\windows\system32\WDBtnMgr.exe [2006-01-02 335872]
d:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - d:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
FlashPath Monitor.lnk - d:\program files\SmartDisk\FlashPath\sdstat.exe [2002-12-23 184320]
HP Digital Imaging Monitor.lnk - d:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - d:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
HPAiODevice(hp psc 900 series) - 1.lnk - d:\program files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe [2002-3-5 487484]
ymetray.lnk - d:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"d:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"d:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"d:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"d:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"d:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
R0 $sys$cor;$sys$cor;d:\windows\system32\drivers\$sys$cor.sys [10/6/2004 7:11 AM 18432]
R1 $sys$crater;$sys$crater;d:\windows\system32\$sys$filesystem\crater.sys [10/7/2004 12:57 AM 11904]
R2 FlashNT;FlashNT;d:\windows\system32\drivers\flashnt.sys [12/23/2002 11:17 PM 72784]
R2 Sdselect;Sdselect;d:\windows\system32\drivers\sdselect.sys [12/23/2002 11:17 PM 73296]
R3 tap0801;TAP-Win32 Adapter V8;d:\windows\system32\drivers\tap0801.sys [10/1/2006 2:37 PM 26624]
--- Other Services/Drivers In Memory ---
*Deregistered* - NaiAvFilter101
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - NVSvc
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RemoteRegistry
*Deregistered* - RetroLauncher
*Deregistered* - RetroWDSvc
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SMTPSVC
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - UleadBurningHelper
*Deregistered* - W32Time
*Deregistered* - W3SVC
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"d:\windows\system32\rundll32.exe" "d:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-05-23 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-SQInstaller - SQInstaller.exe
SafeBoot-procexp90.Sys
MSConfigStartUp-CTFMON - (no file)
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://www.google.com/ie
mWindow Title = Microsoft Internet Explorer presented by Comcast
mStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - d:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} - hxxps://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
FF - ProfilePath - d:\documents and settings\JonMarlowe\Application Data\Mozilla\Firefox\Profiles\r03wfihw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - plugin: d:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: d:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-26 22:53
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
tgcmd = "d:\program files\support.com\bin\tgcmd.exe" /server?cmd.exe" /server
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2536)
d:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
d:\windows\system32\ieframe.dll
d:\windows\system32\OneX.DLL
d:\windows\system32\eappprxy.dll
d:\windows\system32\webcheck.dll
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Ahead\InCD\InCDsrv.exe
d:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
d:\program files\Bonjour\mDNSResponder.exe
d:\windows\system32\inetsrv\inetinfo.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\Network Associates\Common Framework\FrameworkService.exe
d:\program files\Network Associates\VirusScan\vstskmgr.exe
d:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
d:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
d:\windows\system32\nvsvc32.exe
d:\progra~1\Dantz\RETROS~1\retrorun.exe
d:\progra~1\Dantz\RETROS~1\wdsvc.exe
d:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
d:\progra~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
d:\program files\iPod\bin\iPodService.exe
d:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
d:\program files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
d:\program files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
d:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
d:\program files\HP\Digital Imaging\bin\hpqste08.exe
d:\program files\HP\Digital Imaging\bin\hpqimzone.exe
d:\program files\Network Associates\VirusScan\mcshield.exe
.
**************************************************************************
.
Completion time: 2009-05-27 23:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-27 06:11
Pre-Run: 5,752,328,192 bytes free
Post-Run: 6,457,987,072 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Workstation Version 4.00"
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Workstation Version 4.00 [VGA mode]" /basevideo /sos
285 --- E O F --- 2009-05-18 02:52
***HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:09 PM, on 5/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
D:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\Program Files\support.com\bin\tgcmd.exe
D:\WINDOWS\system32\WDBtnMgr.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\OpenVPN\bin\openvpn-gui.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
D:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SmartDisk\FlashPath\sdstat.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
D:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
D:\Program Files\Network Associates\VirusScan\mcshield.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [UpdateMedia] D:\Program Files\MediaUpdate\UpdateMedia.exe
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [tgcmd] "D:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [openvpn-gui] D:\Program Files\OpenVPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] D:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FlashPath Monitor.lnk = D:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = D:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: ymetray.lnk = D:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - D:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - D:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - D:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - D:\Program Files\ReaConverter 5.5 Pro\rcp_scheduler.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - D:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - D:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 10784 bytes
Step # 1: Remove Poker programs
From your log I can see you've installed poker programs. A lot of poker programs are infected/can infect you with malware.
I would advise you to go to Add/Remove programs and uninstall the following poker program(s):
Paradise Poker
Here are links to some poker sites regarded as safe for your reference.
1. http://www.pokerstars.net/ - This is a free to use/play site with play money.
2. http://www.pokerstars.com/ - This is a free to use/play site with play money and real money.
Step # 2 Remove old versions of Java
Older Java versions have vulnerabilities and need to be removed.
Go to Start-Settings-Control Panel, click on Add Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on remove. Then close the Control Panel.
Java 2 Runtime Environment, SE v1.4.1_02
Reboot your Computer.
Step # 3: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Step # 4 Run Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware.
Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
Next click the Scanner tab and select Perform Quick Scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
You can also access the log by doing the following:
Click on the Malwarebytes' Anti-Malware icon to launch the program.
Click on the Logs tab.
Click on the log at the bottom of those listed to highlight it.
Click Open.
In your next post/reply, I need to see the following:
1. MalwareBytes' Log
2. A fresh HiJackThis Log
sportdman1
2009-05-28, 09:16
Removed Paradise Poker app
Removed old version of Java
Ran ATF Cleaner.exe for IE and Firefox (don't have Opera)
I performed a complete scan on accident. Do you want me to do the limited scan as well?
System is still sluggish. Takes about 2 minutes to load IE or Firefox. I have seen improvement back to original condition when opening Moffice apps.
Thanks again for helping me out.
***Here is the Malwarebytes log file***
Malwarebytes' Anti-Malware 1.37
Database version: 2186
Windows 5.1.2600 Service Pack 3
5/27/2009 11:03:49 PM
mbam-log-2009-05-27 (23-03-49).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 287812
Time elapsed: 2 hour(s), 42 minute(s), 28 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
***Here is the HJT log***
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:58 PM, on 5/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\mcshield.exe
D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
D:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\Program Files\support.com\bin\tgcmd.exe
D:\WINDOWS\system32\WDBtnMgr.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\OpenVPN\bin\openvpn-gui.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
D:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SmartDisk\FlashPath\sdstat.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
D:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
D:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [UpdateMedia] D:\Program Files\MediaUpdate\UpdateMedia.exe
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [tgcmd] "D:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [openvpn-gui] D:\Program Files\OpenVPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] D:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FlashPath Monitor.lnk = D:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = D:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: ymetray.lnk = D:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - D:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - D:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - D:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - D:\Program Files\ReaConverter 5.5 Pro\rcp_scheduler.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - D:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - D:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 11009 bytes
Since you ran a Full Scan, no need to run a Quick Scan with MalwareBytes'.
Step # 1 Update Adobe Acrobat Reader
There is a newer version of Adobe Acrobat Reader available. (See Note below)
First, go to Add/Remove Programs and uninstall all previous versions.
Please go to this link Adobe Acrobat Reader Download Link (http://www.adobe.com/products/acrobat/readstep2.html)
On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts
Note: Adobe 9.1.1 is a large program and if you prefer a smaller program you can get Foxit 3.0 instead from http://www.foxitsoftware.com/pdf/rd_intro.php
If you decide to install Foxit 3.0 instead of Adobe, do the following during Foxit's Setup/Installation process:
Uncheck the following boxes:
I accept the License Terms and want to install Foxit Toolbar
Make Ask.com my default search
Create desktop, quick launch and start menu icon to eBay
Step # 2: Run Kaspersky Online Scan
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.
In your next post/reply, I need to see the following:
1. Kaspersky Log
2. A fresh HiJackThis Log
sportdman1
2009-05-29, 10:39
Here are the items you requested. Scan turned up some items. Thanks again for the assistance.
***Here is the online virus scan log***
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, May 29, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, May 29, 2009 06:22:29
Records in database: 2269419
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan statistics:
Files scanned: 158159
Threat name: 6
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 02:48:33
File name / Threat name / Threats count
C:\WINDOWS\system\postcards.gif\mirc.ini Infected: Backdoor.IRC.Zapchast 1
D:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1
D:\WINDOWS\CouponBarIE.dll Infected: not-a-virus:AdWare.Win32.Mostofate.cg 1
D:\WINDOWS\CouponPrinter.ocx Infected: not-a-virus:AdWare.Win32.BHO.gkp 1
D:\WINDOWS\system32\commcoss.dll Infected: not-a-virus:AdWare.Win32.SafeSurfing.c 1
D:\WINDOWS\system32\inetdctr.dll Infected: not-a-virus:AdWare.Win32.SafeSurfing.a 1
The selected area was scanned.
***Here is the HJT Log***
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:44 AM, on 5/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\mcshield.exe
D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
D:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\Program Files\support.com\bin\tgcmd.exe
D:\WINDOWS\system32\WDBtnMgr.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\OpenVPN\bin\openvpn-gui.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
D:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SmartDisk\FlashPath\sdstat.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
D:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Java\jre6\bin\java.exe
D:\Documents and Settings\JonMarlowe\Local Settings\Temp\jkos-JonMarlowe\binaries\ScanningProcess.exe
D:\Program Files\Microsoft Office\Office10\WINWORD.EXE
D:\WINDOWS\msagent\AgentSvr.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [UpdateMedia] D:\Program Files\MediaUpdate\UpdateMedia.exe
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [tgcmd] "D:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [openvpn-gui] D:\Program Files\OpenVPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] D:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: FlashPath Monitor.lnk = D:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = D:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: ymetray.lnk = D:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - D:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - D:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - D:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - D:\Program Files\ReaConverter 5.5 Pro\rcp_scheduler.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - D:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - D:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 10885 bytes
Step # 1: Run CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
KILLALL::
File::
D:\WINDOWS\CouponBarIE.dll
D:\WINDOWS\CouponPrinter.ocx
D:\WINDOWS\system32\commcoss.dll
D:\WINDOWS\system32\inetdctr.dll
Folder::
C:\WINDOWS\system\postcards.gif
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Note: This CFScript is for use on sportdman1's computer only! Do not use it on your computer.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
In your next post/reply, I need to see the following:
1. The ComboFix Log that appears after Step 1 has been completed.
2. A fresh HiJackThis Log taken after Step 1 has been completed.
sportdman1
2009-05-30, 10:46
Here are the logs you requested.
When I ran Combofix the app restarted my machine. It hung up during the windows shutdown for about 1 hour without any drive activity. I performed a hard restart in order to get the machine to turn over.
***Combofix log***
ComboFix 09-05-29.01 - JonMarlowe 05/29/2009 22:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.396 [GMT -7:00]
Running from: d:\documents and settings\JonMarlowe\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\JonMarlowe\Desktop\CFScript.txt
FILE ::
"d:\windows\CouponBarIE.dll"
"d:\windows\CouponPrinter.ocx"
"d:\windows\system32\commcoss.dll"
"d:\windows\system32\inetdctr.dll"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system\postcards.gif
c:\windows\system\postcards.gif\aliases.ini
c:\windows\system\postcards.gif\control.ini
c:\windows\system\postcards.gif\fullname.txt
c:\windows\system\postcards.gif\ident.txt
c:\windows\system\postcards.gif\mirc.ico
c:\windows\system\postcards.gif\mirc.ini
c:\windows\system\postcards.gif\nicks.txt
c:\windows\system\postcards.gif\remote.ini
c:\windows\system\postcards.gif\servers.ini
c:\windows\system\postcards.gif\Thumbs.db
c:\windows\system\postcards.gif\users.ini
d:\windows\CouponBarIE.dll
d:\windows\CouponPrinter.ocx
d:\windows\system32\commcoss.dll
d:\windows\system32\inetdctr.dll
.
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-30 )))))))))))))))))))))))))))))))
.
2009-05-29 03:49 . 2009-05-29 03:49 -------- d-----w d:\program files\Common Files\Adobe AIR
2009-05-28 03:18 . 2009-05-28 03:18 3371383 ----a-w d:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-26 07:20 . 2009-05-26 07:20 -------- d-----w d:\program files\Trend Micro
2009-05-26 06:58 . 2009-05-26 06:59 -------- d-----w d:\program files\ERUNT
2009-05-26 05:21 . 2009-05-26 05:21 -------- d-----w d:\documents and settings\JonMarlowe\Application Data\Malwarebytes
2009-05-26 05:21 . 2009-05-26 20:19 19096 ----a-w d:\windows\system32\drivers\mbam.sys
2009-05-26 05:21 . 2009-05-26 20:20 40160 ----a-w d:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 05:21 . 2009-05-26 05:21 -------- d-----w d:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-26 05:21 . 2009-05-28 03:19 -------- d-----w d:\program files\Malwarebytes' Anti-Malware
2009-05-26 05:14 . 2009-05-26 05:14 -------- d-----w d:\documents and settings\JonMarlowe\Application Data\WinPatrol
2009-05-26 05:14 . 2002-03-25 23:16 0 ----a-w d:\documents and settings\JonMarlowe\Application Data\WinPatrol\Config.sys
2009-05-26 05:14 . 2002-03-25 23:16 0 ----a-w d:\documents and settings\JonMarlowe\Application Data\WinPatrol\Autoexec.bat
2009-05-26 05:11 . 2009-05-26 05:11 -------- d-----w d:\program files\BillP Studios
2009-05-26 01:51 . 2009-05-26 01:51 -------- d-----w d:\windows\Sun
2009-05-26 01:47 . 2009-05-26 01:46 410984 ----a-w d:\windows\system32\deploytk.dll
2009-05-26 01:45 . 2009-05-26 01:45 152576 ----a-w d:\documents and settings\JonMarlowe\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-20 04:39 . 2009-05-20 04:39 -------- d-----w d:\documents and settings\JonMarlowe\Application Data\RCP 5
2009-05-20 04:38 . 2009-05-20 04:38 -------- d-----w d:\program files\Microsoft Silverlight
2009-05-18 16:08 . 2009-05-18 16:08 -------- d-sh--w d:\documents and settings\NinaMarlowe\PrivacIE
2009-05-18 16:04 . 2009-05-18 16:04 -------- d-sh--w d:\documents and settings\NinaMarlowe\IETldCache
2009-05-18 02:55 . 2009-05-18 02:55 -------- d-sh--w d:\documents and settings\JonMarlowe\IECompatCache
2009-05-18 02:54 . 2009-05-18 02:54 -------- d-sh--w d:\documents and settings\JonMarlowe\PrivacIE
2009-05-18 02:48 . 2009-05-18 02:48 -------- d-sh--w d:\documents and settings\JonMarlowe\IETldCache
2009-05-18 02:42 . 2009-05-18 02:42 -------- d-----w d:\windows\ie8updates
2009-05-18 02:41 . 2009-04-25 05:30 102400 -c----w d:\windows\system32\dllcache\iecompat.dll
2009-05-18 02:38 . 2009-05-18 02:40 -------- dc-h--w d:\windows\ie8
2009-05-16 19:31 . 2009-05-16 19:32 -------- d-----w d:\program files\OpenVPN
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-29 04:40 . 2005-02-26 07:22 1744 ----a-w d:\windows\system32\d3d9caps.dat
2009-05-29 03:47 . 2002-12-18 06:27 -------- d-----w d:\program files\Common Files\Adobe
2009-05-26 01:46 . 2003-05-16 05:11 -------- d-----w d:\program files\Java
2009-05-26 00:58 . 2004-09-15 18:45 -------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-26 00:58 . 2004-09-15 18:45 -------- d-----w d:\program files\Spybot - Search & Destroy
2009-05-25 21:04 . 2008-07-09 08:56 -------- d---a-w d:\documents and settings\All Users\Application Data\TEMP
2009-05-25 21:04 . 2004-09-15 18:53 -------- d-----w d:\program files\SpywareBlaster
2009-05-16 05:41 . 2002-12-17 07:41 1632 ----a-w d:\windows\system32\d3d8caps.dat
2009-04-18 05:43 . 2009-04-18 03:59 -------- d-----w d:\documents and settings\NinaMarlowe\Application Data\RCP 5
2009-04-18 04:00 . 2009-04-18 03:59 -------- d-----w d:\program files\ReaConverter 5.5 Pro
2009-03-08 11:34 . 2004-02-07 01:05 914944 ----a-w d:\windows\system32\wininet.dll
2009-03-08 11:34 . 2003-04-05 21:00 43008 ----a-w d:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2001-08-23 12:00 18944 ----a-w d:\windows\system32\corpol.dll
2009-03-08 11:33 . 2003-04-05 21:01 420352 ----a-w d:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2001-08-23 12:00 72704 ----a-w d:\windows\system32\admparse.dll
2009-03-08 11:32 . 2003-04-05 20:59 71680 ----a-w d:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2003-04-05 20:59 34816 ----a-w d:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2003-04-05 21:00 48128 ----a-w d:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2001-08-23 12:00 45568 ----a-w d:\windows\system32\mshta.exe
2009-03-08 11:22 . 2001-08-23 12:00 156160 ----a-w d:\windows\system32\msls31.dll
2009-03-06 14:22 . 2003-04-05 21:01 284160 ----a-w d:\windows\system32\pdh.dll
2004-07-24 05:25 . 2004-07-24 05:25 49570 ----a-w d:\program files\Common Files\Nina Card.STO
2003-08-16 03:10 . 2003-08-16 03:10 3000704 ----a-w d:\program files\PokerStarsInstall.exe
2003-08-13 03:54 . 2003-08-13 03:54 1291040 ----a-w d:\program files\WindowsXP-KB823980-x86-ENU.exe
2003-07-17 03:00 . 2003-07-17 03:00 301500 ----a-w d:\program files\PPAL.EXE
2003-07-16 04:49 . 2003-07-16 04:49 5282816 ----a-w d:\program files\ParadisePokerSetup.exe
2003-07-09 06:56 . 2003-07-09 06:56 11646328 ----a-w d:\program files\acdsee.exe
2001-08-23 12:00 . 2001-08-23 12:00 94784 --sh--w d:\windows\twain.dll
2008-04-14 00:12 . 2001-08-23 12:00 50688 --sh--w d:\windows\twain_32.dll
2008-04-14 00:11 . 2001-08-23 12:00 1028096 --sha-w d:\windows\system32\mfc42.dll
2008-04-14 00:12 . 2001-08-23 12:00 57344 --sha-w d:\windows\system32\msvcirt.dll
2008-04-14 00:12 . 2003-04-05 21:00 413696 --sha-w d:\windows\system32\msvcp60.dll
2008-04-14 00:12 . 2003-04-05 21:00 343040 --sha-w d:\windows\system32\msvcrt.dll
2008-04-14 00:12 . 2001-08-23 12:00 551936 --sh--w d:\windows\system32\oleaut32.dll
2008-04-14 00:12 . 2001-08-23 12:00 84992 --sha-w d:\windows\system32\olepro32.dll
2008-04-14 00:12 . 2001-08-23 12:00 11776 --sha-w d:\windows\system32\regsvr32.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-05-27_05.54.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-30 07:07 . 2009-05-30 07:07 16384 d:\windows\temp\Perflib_Perfdata_f0.dat
+ 2009-05-29 04:30 . 2009-05-29 04:30 84661 d:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-05-29 15:49 . 2009-05-29 15:49 89102 d:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-02-03 02:15 . 2009-02-03 02:15 240544 d:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2003-10-12 23:51 . 2009-05-30 07:08 222315 d:\windows\system32\inetsrv\MetaBase.bin
+ 2009-02-03 02:15 . 2009-02-03 02:15 3771296 d:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2009-02-03 01:07 . 2009-02-03 01:07 1914440 d:\windows\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="d:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-31 4670704]
"PhotoShow Deluxe Media Manager"="d:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2004-11-12 212992]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-05 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Share-to-Web Namespace Daemon"="d:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"UpdateMedia"="d:\program files\MediaUpdate\UpdateMedia.exe" [2003-04-17 24576]
"ShStatEXE"="d:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]
"McAfeeUpdaterUI"="d:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 135251]
"tgcmd"="d:\program files\support.com\bin\tgcmd.exe" [2002-04-25 1544192]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"openvpn-gui"="d:\program files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-05-26 148888]
"WinPatrol"="d:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-04-20 337216]
"WD Button Manager"="WDBtnMgr.exe" - d:\windows\system32\WDBtnMgr.exe [2006-01-02 335872]
d:\documents and settings\All Users\Start Menu\Programs\Startup\
FlashPath Monitor.lnk - d:\program files\SmartDisk\FlashPath\sdstat.exe [2002-12-23 184320]
HP Digital Imaging Monitor.lnk - d:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - d:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
HPAiODevice(hp psc 900 series) - 1.lnk - d:\program files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe [2002-3-5 487484]
ymetray.lnk - d:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"d:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"d:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"d:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"d:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"d:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
R0 $sys$cor;$sys$cor;d:\windows\system32\drivers\$sys$cor.sys [10/6/2004 7:11 AM 18432]
R1 $sys$crater;$sys$crater;d:\windows\system32\$sys$filesystem\crater.sys [10/7/2004 12:57 AM 11904]
R2 FlashNT;FlashNT;d:\windows\system32\drivers\flashnt.sys [12/23/2002 11:17 PM 72784]
R2 Sdselect;Sdselect;d:\windows\system32\drivers\sdselect.sys [12/23/2002 11:17 PM 73296]
R3 tap0801;TAP-Win32 Adapter V8;d:\windows\system32\drivers\tap0801.sys [10/1/2006 2:37 PM 26624]
--- Other Services/Drivers In Memory ---
*Deregistered* - ALG
*Deregistered* - Apple Mobile Device
*Deregistered* - AudioSrv
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - IISADMIN
*Deregistered* - ImapiService
*Deregistered* - InCDsrv
*Deregistered* - InCDsrvR
*Deregistered* - iPod Service
*Deregistered* - JavaQuickStarterService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - McAfeeFramework
*Deregistered* - McShield
*Deregistered* - McTaskManager
*Deregistered* - MDM
*Deregistered* - NaiAvFilter101
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - NVSvc
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RemoteRegistry
*Deregistered* - RetroLauncher
*Deregistered* - RetroWDSvc
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SMTPSVC
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - UleadBurningHelper
*Deregistered* - W32Time
*Deregistered* - W3SVC
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"d:\windows\system32\rundll32.exe" "d:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-05-23 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://www.google.com/ie
mWindow Title = Microsoft Internet Explorer presented by Comcast
mStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - d:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} - hxxps://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
FF - ProfilePath - d:\documents and settings\JonMarlowe\Application Data\Mozilla\Firefox\Profiles\r03wfihw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - plugin: d:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-30 00:12
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
tgcmd = "d:\program files\support.com\bin\tgcmd.exe" /server?cmd.exe" /server
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3504)
d:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
d:\windows\system32\ieframe.dll
d:\windows\system32\OneX.DLL
d:\windows\system32\eappprxy.dll
d:\windows\system32\webcheck.dll
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Ahead\InCD\InCDsrv.exe
d:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
d:\program files\Bonjour\mDNSResponder.exe
d:\windows\system32\inetsrv\inetinfo.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\Network Associates\Common Framework\FrameworkService.exe
d:\program files\Network Associates\VirusScan\vstskmgr.exe
d:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
d:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
d:\windows\system32\nvsvc32.exe
d:\progra~1\Dantz\RETROS~1\retrorun.exe
d:\progra~1\Dantz\RETROS~1\wdsvc.exe
d:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
d:\progra~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
d:\program files\iPod\bin\iPodService.exe
d:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
d:\program files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
d:\program files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
d:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
d:\program files\HP\Digital Imaging\bin\hpqste08.exe
d:\program files\HP\Digital Imaging\bin\hpqimzone.exe
d:\program files\Network Associates\VirusScan\mcshield.exe
d:\windows\system32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2009-05-30 0:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-30 07:30
ComboFix2.txt 2009-05-27 06:12
Pre-Run: 6,176,215,040 bytes free
Post-Run: 6,294,474,752 bytes free
312 --- E O F --- 2009-05-18 02:52
***HJT Log***
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:18 AM, on 5/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
D:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\Program Files\support.com\bin\tgcmd.exe
D:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
D:\WINDOWS\system32\WDBtnMgr.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\OpenVPN\bin\openvpn-gui.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
D:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\SmartDisk\FlashPath\sdstat.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
D:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
D:\Program Files\Network Associates\VirusScan\mcshield.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [UpdateMedia] D:\Program Files\MediaUpdate\UpdateMedia.exe
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [tgcmd] "D:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [openvpn-gui] D:\Program Files\OpenVPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] D:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: FlashPath Monitor.lnk = D:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = D:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: ymetray.lnk = D:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - D:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - D:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - D:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - D:\Program Files\ReaConverter 5.5 Pro\rcp_scheduler.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - D:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - D:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 10967 bytes
How is your computer now? Is it still sluggish? If so, when is it sluggish? When booting up? When opening/closing programs? When loading/surfing web pages?
sportdman1
2009-05-31, 05:25
km2357,
Overall my machine is a little better.
Booting up the machine is now normal.
Opening apps speed is normal
Launching IE or Firefox still take 2-3 minutes.
Webpage download seem to have improved but is still somewhat slower than it was a few weeks ago.
Any suggestions?
Sport
Try the tips listed at the website below and let me know if they help the situation any:
http://www.malwareremoval.com/tutorials/runningslowly.php
sportdman1
2009-05-31, 22:49
I went to the site you referred me to. I did the disk cleanup with nothing to remove. Removed my restore points to all but the last one. I defragged the computer and removed some unnecessary apps from the startup. Rebooted my machine and still have issues with IE and Firefox loading.
Both browsers take about 3-4 minutes to load. My machine is cranking hard to get the browsers to load.
Viewing pages is also taking some time. Looks like I have a dialup connection.
Loading not browser apps is now back to normal.
There was a trojan found in the last virus scan you had me performed. Do you think it was removed or is it still hanging around?
Should I run another virus scan? or any other scans?
sportdman1
2009-06-01, 06:19
I was curious so I ran another virus scan. Looks like there are still three items at large on my machine.
Here's the scan log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, May 31, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, June 01, 2009 00:46:16
Records in database: 2287834
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan statistics:
Files scanned: 158629
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 03:27:26
File name / Threat name / Threats count
D:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1
D:\Qoobox\Quarantine\[4]-Submit_2009-05-29_22.38.32.zip Infected: not-a-virus:AdWare.Win32.SafeSurfing.c 1
D:\Qoobox\Quarantine\[4]-Submit_2009-05-29_22.38.32.zip Infected: not-a-virus:AdWare.Win32.SafeSurfing.a 1
The selected area was scanned.
The Qoobox folders that Kaspersky found is the folder where ComboFix keeps its quarantined files. They are harmless and I'll show how to remove them once we finish with your computer. :)
The other thing that Kaspersky found:
D:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1
is related to RealPlayer. If you don't use RealPlayer, then I would go ahead and uninstall it.
As for your slowdown problems with IE and Firefox, let's try this:
1. Do you have any add-ons with either browser? You can try disabling some/all of them to see if that helps any.
2. Another thing you can try is uninstalling and reinstalling both browsers to see if that speeds things up with them.
Let me know if either/both choices shows improvement with the browsers.
sportdman1
2009-06-01, 11:26
Removed some addons for Firefox and the startup speed is back to normal.
As for IE the speed is still slow following removal of addons.
In IE I still have the following enabled:
Shockwave flash object
Microsoft Silverlight
Spybot-SD IE protection
Java Plug-in 2 SSV Helper
JQSIEStartDetectorImpl Class
ComcastHSI (internet provider)
Support (affiliated with comcast)
Help (affiliated with comcast)
Spybot-Search & Destroy Configuration
I am not sure if I should remove any of these and if removing them would help with IE.
Thanks in advance,
Jon
Good to hear that Firefox has speed back up. :)
I'm going to ask my fellow malware fighters to see if they have any other ideas to help speed up IE.
I'll be back ASAP.
Let's try this and see if it helps with IE's slowdown:
Disable all the IE add-ons that you listed in your previous post. Then try running IE. If IE's speed is back to normal, try enabling one add-on at a time, until you notice that IE is slowed down again.
That way you can pinpoint the add-on that is causing the slowdown and disable it, while enabling all the others.
Let me know how it goes.
sportdman1
2009-06-06, 07:20
Disabled all of the add ons and still slow as mud. Any other ideas?
It seems that IE 8 doesn't like your computer or vice versa.
You can try uninstalling and then reinstalling IE 8. If that doesn't work, you may need to remove IE 8 and rollback to IE 7 or whatever previous version of IE you had on the computer before you upgraded to 8.
sportdman1? How are things coming along?
This topic has been archived due to inactivity.
If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.
Applies only to the original poster, anyone else with similar problems please start a new topic.