
Thread: virtumonde removal

  1. #1
    Junior Member
    Join Date
    Dec 2008
    Posts
    8

    virtumonde removal

    I need help removing virtumonde from my computer. Any help would be appreciated. Here is my hjt log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:50:40, on 12/29/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
    C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\EMBARQ Online Security\Common\FCH32.EXE
    C:\Program Files\EMBARQ Online Security\Common\FAMEH32.EXE
    C:\Program Files\EMBARQ Online Security\Anti-Virus\fsqh.exe
    C:\Program Files\EMBARQ Online Security\FSPC\fspc.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
    C:\Program Files\Rainlendar\Rainlendar.exe
    C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
    C:\Program Files\EMBARQ Online Security\FSGUI\fsguidll.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\EMBARQ Online Security\FSAUA\program\fsus.exe
    C:\Program Files\EMBARQ Online Security\Anti-Virus\fsav32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0C2B72C5-73AD-45E5-B687-1026461E44A0} - (no file)
    O2 - BHO: (no name) - {1A81B345-AFCF-4D2C-A07F-7DF905DD80E7} - (no file)
    O2 - BHO: (no name) - {35E51E82-D0DC-44F2-A019-305C4D997C6B} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5D7E3A22-4654-4F8D-9AB2-2D42D51F5521} - (no file)
    O2 - BHO: (no name) - {73735C96-E6B4-40E9-AEB0-22E464E2CE0A} - (no file)
    O2 - BHO: (no name) - {8D79BBB4-DEF4-43C7-B386-18B6291EABC3} - C:\WINDOWS\system32\urqNGArr.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: (no name) - {CCF86F87-12FF-4199-ACDA-024A49B920F7} - (no file)
    O2 - BHO: (no name) - {D3A216EF-1531-47EB-88E5-834FF7279510} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
    O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
    O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/en...ach_core_1.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{32CD4D87-9717-43CF-B3AC-8C06526C7FAC}: NameServer = 208.67.222.222,208.67.220.220
    O20 - AppInit_DLLs: nimgnp.dll ohhbvp.dll hmisbb.dll
    O20 - Winlogon Notify: khfcccd - khfcccd.dll (file missing)
    O20 - Winlogon Notify: qoMfgDUm - qoMfgDUm.dll (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
    O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 9237 bytes

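    The log above carries the classic Virtumonde/Vundo fingerprints: unnamed BHOs pointing at pseudo-random DLL names in system32 (urqNGArr.dll), AppInit_DLLs entries (nimgnp.dll and friends, which get injected into every process that loads user32.dll), Winlogon Notify packages with random names, and a service whose image path is an NTFS alternate data stream behind svchost.exe. The script below is an added example, not part of the thread or of HijackThis; it triages lines in the HijackThis format with those heuristics. The sample lines are constructed to mirror the posted log, and the "random name" rule (6-8 letters with a run of four consonants) is an assumption chosen to rank entries, not to convict them.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis format, modelled on the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0C2B72C5-73AD-45E5-B687-1026461E44A0} - (no file)
O2 - BHO: (no name) - {8D79BBB4-DEF4-43C7-B386-18B6291EABC3} - C:\WINDOWS\system32\urqNGArr.dll (file missing)
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O20 - AppInit_DLLs: nimgnp.dll ohhbvp.dll hmisbb.dll
O20 - Winlogon Notify: khfcccd - khfcccd.dll (file missing)
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

BHO_RE = re.compile(r"^O2 - BHO: (.*) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: .* - (.*)$")
# Drive letter, a path with no further colon, then ':<stream>' = NTFS alternate data stream.
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:\S+")

RANK = {"clean": 0, "low": 1, "medium": 2, "high": 3}


def looks_random(stem: str) -> bool:
    """Heuristic (assumed, not from HijackThis) for Vundo-style dropper names
    such as urqNGArr, qoMfgDUm, khfcccd: 6-8 letters only, containing a run
    of four or more consonants. SDHelper or AcroIEHelper do not match."""
    if not re.fullmatch(r"[A-Za-z]{6,8}", stem):
        return False
    return re.search(r"[^aeiouAEIOU]{4}", stem) is not None


def basename_stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\foo.dll' -> 'foo'."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def finding(severity: str, line: str, reason: str) -> Dict[str, str]:
    return {"severity": severity, "line": line, "reason": reason}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Walk a HijackThis log and return the entries worth a second look."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BHO_RE.match(line)
        if m:
            name, _clsid, target = m.groups()
            if target == "(no file)":
                findings.append(finding("low", line, "orphaned BHO CLSID with no DLL on disk; registry leftover"))
            elif name == "(no name)":
                stem = basename_stem(target.split(" (")[0])
                if looks_random(stem):
                    findings.append(finding("high", line, f"unnamed BHO loading pseudo-random module {stem}.dll"))
                else:
                    findings.append(finding("medium", line, f"unnamed BHO loading {stem}.dll"))
            continue
        m = APPINIT_RE.match(line)
        if m:
            for dll in m.group(1).split():
                findings.append(finding("high", line, f"AppInit_DLLs injects {dll} into every process that loads user32.dll"))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            key = m.group(1)
            sev = "high" if looks_random(key) else "medium"
            findings.append(finding(sev, line, f"Winlogon Notify package {key} runs inside winlogon at logon"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            path = m.group(1).split(" (")[0]
            if ADS_RE.match(path):
                findings.append(finding("high", line, "service image is an NTFS alternate data stream hidden behind a legitimate binary"))
            continue
    return findings


def worst_severity(findings: List[Dict[str, str]]) -> str:
    return max((f["severity"] for f in findings), key=RANK.get, default="clean")


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
    print("verdict:", worst_severity(triage(SAMPLE_LOG)))
```

    Two of these rules are worth internalising even without the script: anything listed under AppInit_DLLs or Winlogon Notify that HijackThis did not hide as a known default deserves scrutiny, and a colon inside a service image path after the drive letter means the binary lives in an alternate data stream that a directory listing will not show.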
  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Hi sjnpt

    We will begin with ComboFix.

    Please download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    If you need help, see this link:
    http://www.bleepingcomputer.com/comb...o-use-combofix
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member
    Join Date
    Dec 2008
    Posts
    8

    computer locks up

    I downloaded combofix, but when I double click on the icon it just opens a box with a blue screen and locks up the computer. I tried downloading from all three links provided with the same results. Did I do something wrong? Here is an updated hjt log because I forgot to disable tea timer on the last one. thanks again.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:58:19, on 1/3/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
    C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\EMBARQ Online Security\Common\FCH32.EXE
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
    C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE
    C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
    C:\Program Files\EMBARQ Online Security\Anti-Virus\fsqh.exe
    C:\Program Files\EMBARQ Online Security\Common\FAMEH32.EXE
    C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
    C:\Program Files\EMBARQ Online Security\FSPC\fspc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\EMBARQ Online Security\FSGUI\fsguidll.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\EMBARQ Online Security\Anti-Virus\fsav32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0C2B72C5-73AD-45E5-B687-1026461E44A0} - (no file)
    O2 - BHO: (no name) - {1A81B345-AFCF-4D2C-A07F-7DF905DD80E7} - (no file)
    O2 - BHO: (no name) - {35E51E82-D0DC-44F2-A019-305C4D997C6B} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5D7E3A22-4654-4F8D-9AB2-2D42D51F5521} - (no file)
    O2 - BHO: (no name) - {73735C96-E6B4-40E9-AEB0-22E464E2CE0A} - (no file)
    O2 - BHO: (no name) - {8D79BBB4-DEF4-43C7-B386-18B6291EABC3} - C:\WINDOWS\system32\urqNGArr.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: (no name) - {CCF86F87-12FF-4199-ACDA-024A49B920F7} - (no file)
    O2 - BHO: (no name) - {D3A216EF-1531-47EB-88E5-834FF7279510} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
    O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
    O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/en...ach_core_1.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{32CD4D87-9717-43CF-B3AC-8C06526C7FAC}: NameServer = 208.67.222.222,208.67.220.220
    O20 - Winlogon Notify: khfcccd - khfcccd.dll (file missing)
    O20 - Winlogon Notify: qoMfgDUm - qoMfgDUm.dll (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
    O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 8854 bytes

  4. #4
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Please rename combofix.exe to sjnpt.exe and let me know if it works now.

  5. #5
    Junior Member
    Join Date
    Dec 2008
    Posts
    8


    No, still doesn't work.

  6. #6
    Junior Member
    Join Date
    Dec 2008
    Posts
    8


    I just ran combofix in safe mode and it worked. Here is the log.
    ComboFix 09-01-01.02 - Compaq_Owner 2009-01-03 16:46:30.1 - NTFSx86 MINIMAL
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1215.972 [GMT -5:00]
    Running from: c:\documents and settings\Compaq_Owner\Desktop\sjnpt.exe.exe
    AV: EMBARQ Online Security 7.03 *On-access scanning disabled* (Updated)
    FW: EMBARQ Online Security 7.03 *disabled*
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\BraveSentry.lnk
    c:\documents and settings\All Users.\documents\settings
    c:\documents and settings\All Users.\documents\settings\BOT.0LL
    c:\documents and settings\All Users.\documents\settings\desktop.ini
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\temp\17o7
    c:\temp\17o7\tmpTF.log
    c:\windows\$NtServicePackUninstall$\ntp2.ini
    c:\windows\AppPatch\ntp2.ini
    c:\windows\Downloaded Program Files\setup.inf
    c:\windows\hosts
    c:\windows\IE4 Error Log.txt
    c:\windows\system32\bfqofquo.dll
    c:\windows\system32\bhgpjojl.ini
    c:\windows\system32\hfhwlo.dll
    c:\windows\system32\ixtdayxi.dll
    c:\windows\system32\ljojpghb.dll
    c:\windows\system32\lsemmdsd.dll
    c:\windows\system32\mkakiw.dll
    c:\windows\system32\nimgnp.dll
    c:\windows\system32\ouqfoqfb.ini
    c:\windows\system32\pbpklvhg.dll
    c:\windows\system32\pghufgoo.dll
    c:\windows\system32\pimcejvm.dll
    c:\windows\system32\qknsbg.dll
    c:\windows\system32\smpi1
    c:\windows\system32\tmp.reg

    ----- BITS: Possible infected sites -----

    hxxp://childhe.com
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_ASC3550U
    -------\Legacy_FCI
    -------\Legacy_RUNTIME
    -------\Service_FCI


    ((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
    .

    2009-01-03 12:37 . 2009-01-03 15:57 <DIR> d-------- C:\ComboFix
    2008-12-29 16:47 . 2008-12-29 16:47 131,584 --a------ c:\windows\system32\jukpcfxu.dll
    2008-12-27 02:20 . 2008-12-27 02:20 <DIR> d-------- c:\program files\Trend Micro
    2008-12-26 14:48 . 2008-12-26 14:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Spyware
    2008-12-25 23:52 . 2008-12-25 23:52 0 --a------ c:\windows\PTWebCam.INI
    2008-12-25 19:12 . 2008-12-25 19:12 <DIR> d-------- c:\program files\MyDSC2
    2008-12-25 19:12 . 2008-12-25 19:12 <DIR> d-------- c:\program files\JL2005C
    2008-12-25 19:12 . 2005-12-15 17:34 135,168 --a------ c:\windows\system32\jl_jdct.drv
    2008-12-25 19:12 . 2007-11-17 15:46 68,954 --a------ c:\windows\system32\drivers\jl2005c.sys
    2008-12-25 19:12 . 2005-08-10 10:44 15,360 --a------ c:\windows\system32\jl2005c.ax
    2008-12-25 19:05 . 2006-04-11 03:49 118,784 --a------ c:\windows\system32\PTTreeIcons.dll
    2008-12-25 19:04 . 2008-12-29 21:22 <DIR> d-------- c:\program files\Speed Racer Image Lab
    2008-12-24 09:31 . 2008-12-24 09:31 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\Media Player Classic
    2008-12-23 12:42 . 2008-12-23 12:42 130,048 --a------ c:\windows\system32\msmifm.0ll
    2008-12-23 12:42 . 2008-12-23 12:42 130,048 --a------ c:\windows\system32\jtfbyopu.0ll
    2008-12-22 12:29 . 2008-12-22 12:29 293,376 --a------ c:\windows\system32\urqNGArr.0ll
    2008-12-22 12:23 . 2008-12-22 12:23 58,880 --a------ c:\windows\system32\qoMfgDUm.0ll
    2008-12-15 00:01 . 2008-12-15 00:01 <DIR> d-------- c:\program files\Transparent
    2008-12-15 00:01 . 2008-12-15 00:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Transparent
    2008-12-15 00:01 . 2008-12-15 00:01 <DIR> d--h----- c:\documents and settings\All Users\Application Data\{AFD61B9C-946C-4129-B53C-E1C5D51A536D}
    2008-12-05 22:50 . 2008-12-17 16:48 <DIR> d-------- C:\DVDVideoSoft
    2008-12-05 22:49 . 2008-12-05 22:49 <DIR> d-------- c:\program files\DVDVideoSoft
    2008-12-05 22:49 . 2008-12-05 22:50 <DIR> d-------- c:\program files\Common Files\DVDVideoSoft
    2008-12-05 22:42 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
    2008-12-05 22:41 . 2008-12-05 22:41 <DIR> d-------- c:\program files\SanDisk
    2008-12-05 22:41 . 2008-10-14 12:01 14,608 --a------ c:\windows\system32\iviaspi.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-30 00:47 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\AdobeUM
    2008-12-30 00:15 17,502 ----a-w c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
    2008-12-24 05:54 --------- d-----w c:\program files\Google
    2008-12-06 03:41 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-12-04 23:52 4,620,086 ----a-w c:\program files\Brain Tease II.exe
    2008-12-02 23:23 --------- d-----w c:\program files\Windows Media Connect 2
    2008-11-22 03:50 --------- d-----w c:\program files\Walmart MP3 Music Downloads
    2008-11-20 15:10 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-10-04 05:00 61,952 ----a-w c:\windows\SSEUninstaller.exe
    2007-12-10 04:13 5,914,648 ----a-w c:\program files\SUPERAntiSpyware.exe
    2007-12-03 00:17 1,494,650 ----a-w c:\program files\mvpcrb22.exe
    2005-04-09 01:05 590,792 ----a-w c:\program files\kazaa_setup.exe
    2005-04-06 02:42 186,440 ----a-w c:\program files\spysubupd.exe
    2005-04-09 04:50 22 --sha-w c:\windows\SMINST\HPCD.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Bart Station"="c:\program files\ISP50\hta\station.sbrt" [X]
    "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
    "PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "DVDTray"="c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-03-05 185896]
    "F-Secure Manager"="c:\program files\EMBARQ Online Security\Common\FSM32.EXE" [2007-11-01 182936]
    "F-Secure TNB"="c:\program files\EMBARQ Online Security\FSGUI\TNBUtil.exe" [2007-11-01 739936]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]
    "SiSPower"="SiSPower.dll" [2005-04-12 c:\windows\system32\SiSPower.dll]

    c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
    Rainlendar.lnk - c:\program files\Rainlendar\Rainlendar.exe [2005-10-23 118784]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
    HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.JPEG"= JpegCode.dll
    "VIDC.MJPG"= pvmjpg21.dll
    "VIDC.JDCT"= jl_jdct.drv

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
    backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
    backup=c:\windows\pss\Event Reminder.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
    c:\windows\system32\dumprep 0 -u [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 13:00 15360 c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2005-02-16 23:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2004-10-14 02:04 278528 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
    --a------ 2004-10-14 23:54 253952 c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    --------- 2005-07-14 20:35 1961984 c:\program files\Ahead\Nero BackItUp\NBJ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2007-03-05 07:49 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
    --a------ 2004-09-07 22:47 57344 c:\windows\ALCXMNTR.EXE

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\svchost.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

    R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2008-06-15 51072]
    R1 F-Secure HIPS;F-Secure HIPS;\??\c:\program files\EMBARQ Online Security\HIPS\fshs.sys [2008-06-15 41184]
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\EMBARQ Online Security\Anti-Virus\minifilter\fsgk.sys [2008-06-15 59488]
    S2 CoachCap;Concord Eye-Q Duo 2000 USB Video Capture V1.01;c:\windows\system32\drivers\CoachCap.sys [2005-10-13 93068]
    S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys []
    S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\EMBARQ Online Security\Anti-Virus\Win2K\FSfilter.sys [2008-06-15 39776]
    S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\EMBARQ Online Security\Anti-Virus\Win2K\FSrec.sys [2008-06-15 25184]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
    \Shell\AutoRun\command - D:\setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7eaf834-7138-11d9-a02f-806d6172696f}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8b7c048-2d3a-11da-87f9-806d6172696f}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-30 c:\windows\Tasks\Pareto UNS.job
    - c:\program files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe []

    2009-01-03 c:\windows\Tasks\Scheduled scanning task.job
    - c:\progra~1\EMBARQ~1\ANTI-V~1\fsav.exe [2007-11-01 06:42]

    2009-01-03 c:\windows\Tasks\wcqorsvb.job
    - c:\windows\system32\rundll32.exe [2004-08-04 13:00]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{0C2B72C5-73AD-45E5-B687-1026461E44A0} - (no file)
    BHO-{1A81B345-AFCF-4D2C-A07F-7DF905DD80E7} - (no file)
    BHO-{35E51E82-D0DC-44F2-A019-305C4D997C6B} - (no file)
    BHO-{5D7E3A22-4654-4F8D-9AB2-2D42D51F5521} - (no file)
    BHO-{73735C96-E6B4-40E9-AEB0-22E464E2CE0A} - (no file)
    BHO-{8D79BBB4-DEF4-43C7-B386-18B6291EABC3} - c:\windows\system32\urqNGArr.dll
    BHO-{CCF86F87-12FF-4199-ACDA-024A49B920F7} - (no file)
    BHO-{D3A216EF-1531-47EB-88E5-834FF7279510} - (no file)
    HKLM-Run-NWEReboot - (no file)
    Notify-khfcccd - khfcccd.dll
    Notify-qoMfgDUm - qoMfgDUm.dll
    MSConfigStartUp-Blubster - c:\program files\Blubster\Blubster.exe
    MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    LSP: c:\program files\EMBARQ Online Security\FSPS\program\fslsp.dll
    TCP: {32CD4D87-9717-43CF-B3AC-8C06526C7FAC} = 208.67.222.222,208.67.220.220
    FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\w1fujymm.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.myembarq.com/
    FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\w1fujymm.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000054.dll
    FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-03 16:54:34
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(556)
    c:\program files\EMBARQ Online Security\FWES\Program\fsdc.dll

    - - - - - - - > 'lsass.exe'(612)
    c:\program files\EMBARQ Online Security\FSPS\program\fslsp.dll
    c:\program files\EMBARQ Online Security\FWES\Program\fsdc.dll

    - - - - - - - > 'csrss.exe'(532)
    c:\program files\EMBARQ Online Security\FWES\Program\fsdc.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
    c:\program files\EMBARQ Online Security\Common\FSMA32.EXE
    c:\program files\EMBARQ Online Security\Anti-Virus\fsgk32.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\EMBARQ Online Security\Common\FSMB32.EXE
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\HPZipm12.exe
    c:\program files\EMBARQ Online Security\Common\FCH32.EXE
    c:\program files\EMBARQ Online Security\Common\FAMEH32.EXE
    c:\program files\EMBARQ Online Security\Anti-Virus\fsqh.exe
    c:\program files\EMBARQ Online Security\FSPC\fspc.exe
    c:\program files\EMBARQ Online Security\FSAUA\program\fsaua.exe
    c:\program files\EMBARQ Online Security\Anti-Virus\fssm32.exe
    c:\program files\EMBARQ Online Security\FWES\program\fsdfwd.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\EMBARQ Online Security\FSAUA\program\fsus.exe
    c:\progra~1\EMBARQ~1\ANTI-V~1\fsav32.exe
    c:\progra~1\EMBARQ~1\Common\FSM32.EXE
    c:\progra~1\EMBARQ~1\FSGUI\fsguidll.exe
    c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
    .
    **************************************************************************
    .
    Completion time: 2009-01-03 17:02:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-01-03 22:02:27

    Pre-Run: 53,605,208,064 bytes free
    Post-Run: 52,304,248,832 bytes free

    265 --- E O F --- 2008-08-13 04:59:28

    And a new HJT log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:05:54, on 1/3/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
    C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\EMBARQ Online Security\Common\FCH32.EXE
    C:\Program Files\EMBARQ Online Security\Common\FAMEH32.EXE
    C:\Program Files\EMBARQ Online Security\Anti-Virus\fsqh.exe
    C:\Program Files\EMBARQ Online Security\FSPC\fspc.exe
    C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
    C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
    C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\EMBARQ Online Security\FSAUA\program\fsus.exe
    C:\Program Files\EMBARQ Online Security\Anti-Virus\fsav32.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\EMBARQ Online Security\FSGUI\fsguidll.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
    O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
    O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/en...ach_core_1.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{32CD4D87-9717-43CF-B3AC-8C06526C7FAC}: NameServer = 208.67.222.222,208.67.220.220
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 8479 bytes

  7. #7
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.

    You will now be presented with a screen similar to the one below:



    5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  8. #8
    Junior Member
    Join Date
    Dec 2008
    Posts
    8

    Default

    Here it is.

    Sansa Media Converter
    7-Zip 4.57
    Adobe Flash Player ActiveX
    Adobe Flash Player Plugin
    Adobe Reader 7.0
    Adobe Shockwave Player
    Agere Systems PCI Soft Modem
    Anvil Studio
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft MediaConverter
    Belarc Advisor 7.0
    Blasterball 2 from Compaq (remove only)
    Blasterball 2 Remix from Compaq (remove only)
    Bonjour
    Bounce Symphony
    Bounce Symphony from Compaq (remove only)
    Byki
    Byki Express
    Camera Driver
    Cartes du Ciel
    Compaq Connections
    Compaq Organize
    DrawPlus 3.0
    DrumTrack
    Easy Internet Sign-up
    EMBARQ Online Security
    Family Tree Maker 6.0
    FlightGear v1.0.0
    Free YouTube to iPod Converter version 3.1
    Global ProBiz Business Card Maker
    Google Earth
    Google Toolbar for Internet Explorer
    Google Toolbar for Internet Explorer
    Guitar Chord Wizard Version 1.01
    Guitar Concept Version 3.01
    Harvest Mania To Go
    Help and Support Additions
    HijackThis 2.0.2
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    HP Extended Capabilities 4.7
    HP Image Zone 4.7
    HP Photosmart Essential
    HP PSC & OfficeJet 4.7
    HP PSC 1400 series
    HP Software Update
    ImageMixer VCD/DVD2 for OLYMPUS
    InterVideo WinDVD Player
    iTunes
    JS World 2nd Grade
    JSWorld2GMain
    JSWPFCom
    JSWPFGrade2
    JumpStart Explorers
    KBD
    Learn2 Player (Uninstall Only)
    Lernout & Hauspie TruVoice American English TTS Engine
    Marine Aquarium 2, Sharks & Carousel Bundle
    Metronome 4.0
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Money 2005
    Microsoft National Language Support Downlevel APIs
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Web Publishing Wizard 1.52
    Microsoft Works
    mmCARD Recovery
    Mozilla Firefox (3.0.5)
    MSN
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    Nero Suite
    NetZero For Riverdeep
    Notefinder 1.02
    OLYMPUS Master
    Overball from Compaq (remove only)
    PC-Doctor for Windows
    Pdf995 (installed by TaxCut)
    PhotoNet CD (Remove Only)
    PMP DV
    Power Tab Editor 1.7
    PrintMaster
    PS2
    Python 2.2 pywin32 extensions (build 203)
    Python 2.2.3
    QuickTime
    Rainlendar (remove only)
    RealPlayer
    Renegade Minds Guitar and Drums Trainer
    SAMSUNG CDMA Modem Driver Set
    SAMSUNG Mobile USB Modem 1.0 Software
    SAMSUNG Mobile USB Modem Software
    Samsung PC Studio
    Scrapbook Factory
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931768)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933566)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937143)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB939653)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    SiS VGA Utilities
    Sonic Express Labeler
    Sonic RecordNow!
    Speed Racer Image Lab
    SpiralFrog Download Manager 0.8.24
    Spybot - Search & Destroy
    Spybot - Search & Destroy 1.5.2.20
    Staff Master 1.01
    Stellarium 0.9.1
    TabTrax Demo 1.9
    Uninstall 1.0.0.1
    Uninstall Dual Mode Camera
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Viewpoint Media Player
    Virtual Magnifying Glass
    Vodafone 804SS USB driver Software
    Walmart MP3 Music Downloads
    WAV to MP3 Encoder
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    Windows Media Player Firefox Plugin
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB883667
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885295
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888239
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Yahoo! Toolbar
    Zoom ADSL Modem
    Zoom ADSL Modem

  9. #9
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Open Notepad and copy/paste the text in the code box below into it:

    Code:
    File::
    c:\windows\system32\jukpcfxu.dll
    c:\windows\system32\msmifm.0ll
    c:\windows\system32\jtfbyopu.0ll
    c:\windows\system32\urqNGArr.0ll
    c:\windows\system32\qoMfgDUm.0ll
    c:\windows\Tasks\wcqorsvb.job
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7eaf834-7138-11d9-a02f-806d6172696f}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8b7c048-2d3a-11da-87f9-806d6172696f}]

    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
    If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
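    As an added example (not code from the helper's post, nor from ComboFix or HijackThis), here is a small Python checker that parses a CFScript of the shape used in the post above, validates that every File:: entry is an absolute path and every Registry:: entry is a [-key] deletion, and then cross-checks the File:: list against the "Other Deletions" section of the ComboFix log produced by the run, so any requested file that was not reported deleted stands out. The script copy and the log excerpt below are constructed sample input (the log excerpt mirrors the format of the log posted later in the thread, with one entry left out on purpose); only the File:: and Registry:: directives used in the post are handled.

```python
import re

# Constructed copy of the CFScript from the post above (same six File:: and
# two Registry:: entries), used as sample input.
CFSCRIPT = r"""File::
c:\windows\system32\jukpcfxu.dll
c:\windows\system32\msmifm.0ll
c:\windows\system32\jtfbyopu.0ll
c:\windows\system32\urqNGArr.0ll
c:\windows\system32\qoMfgDUm.0ll
c:\windows\Tasks\wcqorsvb.job

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7eaf834-7138-11d9-a02f-806d6172696f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8b7c048-2d3a-11da-87f9-806d6172696f}]
"""

# Constructed excerpt in the format of a ComboFix log's "Other Deletions"
# section; urqNGArr.0ll is deliberately missing so the cross-check has
# something to report.
COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\jtfbyopu.0ll
c:\windows\system32\jukpcfxu.dll
c:\windows\system32\msmifm.0ll
c:\windows\system32\qoMfgDUm.0ll
c:\windows\Tasks\wcqorsvb.job

.
((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))
.
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")              # e.g. "File::"
WIN_PATH_RE = re.compile(r'^[A-Za-z]:\\[^"<>|?*]+$')     # absolute Windows path
REG_DELETE_RE = re.compile(r"^\[-HKEY_[A-Z_]+\\.+\]$")   # "[-KEY]" deletes a key


def parse_cfscript(text):
    """Split a CFScript into {directive: [entries]}; blank lines are ignored."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any directive: {line!r}")
        sections[current].append(line)
    return sections


def validate_cfscript(sections):
    """Return a list of problems (empty when every entry is well-formed).
    Only the File:: and Registry:: directives used in the post are known."""
    problems = []
    for entry in sections.get("File", []):
        if not WIN_PATH_RE.match(entry):
            problems.append(f"File:: entry is not an absolute path: {entry}")
    for entry in sections.get("Registry", []):
        if not REG_DELETE_RE.match(entry):
            problems.append(f"Registry:: entry is not a [-KEY] deletion: {entry}")
    for name in sections:
        if name not in ("File", "Registry"):
            problems.append(f"directive not handled by this checker: {name}::")
    return problems


def deleted_files(combofix_log):
    """Collect the paths listed under 'Other Deletions' (lower-cased)."""
    deleted = set()
    in_section = False
    for raw in combofix_log.splitlines():
        line = raw.strip()
        if "Other Deletions" in line:
            in_section = True
            continue
        if in_section and line.startswith("(((("):
            break                      # the next banner ends the section
        if in_section and WIN_PATH_RE.match(line):
            deleted.add(line.lower())
    return deleted


def unresolved_files(sections, combofix_log):
    """File:: entries that the ComboFix log does not report as deleted."""
    deleted = deleted_files(combofix_log)
    return [f for f in sections.get("File", []) if f.lower() not in deleted]


if __name__ == "__main__":
    parsed = parse_cfscript(CFSCRIPT)
    for problem in validate_cfscript(parsed):
        print("script problem:", problem)
    for path in unresolved_files(parsed, COMBOFIX_LOG):
        print("not reported deleted:", path)
```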

  10. #10
    Junior Member
    Join Date
    Dec 2008
    Posts
    8

    Default

    Here is the new ComboFix log.

    ComboFix 09-01-01.02 - Compaq_Owner 2009-01-04 11:25:16.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1215.850 [GMT -5:00]
    Running from: c:\documents and settings\Compaq_Owner\Desktop\Combofix.exe
    Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
    AV: EMBARQ Online Security 7.03 *On-access scanning disabled* (Updated)
    FW: EMBARQ Online Security 7.03 *disabled*
    * Created a new restore point

    FILE ::
    c:\windows\system32\jtfbyopu.0ll
    c:\windows\system32\jukpcfxu.dll
    c:\windows\system32\msmifm.0ll
    c:\windows\system32\qoMfgDUm.0ll
    c:\windows\system32\urqNGArr.0ll
    c:\windows\Tasks\wcqorsvb.job
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\jtfbyopu.0ll
    c:\windows\system32\jukpcfxu.dll
    c:\windows\system32\msmifm.0ll
    c:\windows\system32\qoMfgDUm.0ll
    c:\windows\system32\urqNGArr.0ll
    c:\windows\Tasks\wcqorsvb.job

    .
    ((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))
    .

    2009-01-04 10:31 . 2009-01-04 10:31 <DIR> d-------- C:\sjnpt.exe
    2008-12-27 02:20 . 2008-12-27 02:20 <DIR> d-------- c:\program files\Trend Micro
    2008-12-26 14:48 . 2008-12-26 14:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Spyware
    2008-12-25 23:52 . 2008-12-25 23:52 0 --a------ c:\windows\PTWebCam.INI
    2008-12-25 19:12 . 2008-12-25 19:12 <DIR> d-------- c:\program files\MyDSC2
    2008-12-25 19:12 . 2008-12-25 19:12 <DIR> d-------- c:\program files\JL2005C
    2008-12-25 19:12 . 2005-12-15 17:34 135,168 --a------ c:\windows\system32\jl_jdct.drv
    2008-12-25 19:12 . 2007-11-17 15:46 68,954 --a------ c:\windows\system32\drivers\jl2005c.sys
    2008-12-25 19:12 . 2005-08-10 10:44 15,360 --a------ c:\windows\system32\jl2005c.ax
    2008-12-25 19:05 . 2006-04-11 03:49 118,784 --a------ c:\windows\system32\PTTreeIcons.dll
    2008-12-25 19:04 . 2008-12-29 21:22 <DIR> d-------- c:\program files\Speed Racer Image Lab
    2008-12-24 09:31 . 2008-12-24 09:31 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\Media Player Classic
    2008-12-15 00:01 . 2008-12-15 00:01 <DIR> d-------- c:\program files\Transparent
    2008-12-15 00:01 . 2008-12-15 00:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Transparent
    2008-12-15 00:01 . 2008-12-15 00:01 <DIR> d--h----- c:\documents and settings\All Users\Application Data\{AFD61B9C-946C-4129-B53C-E1C5D51A536D}
    2008-12-05 22:50 . 2008-12-17 16:48 <DIR> d-------- C:\DVDVideoSoft
    2008-12-05 22:49 . 2008-12-05 22:49 <DIR> d-------- c:\program files\DVDVideoSoft
    2008-12-05 22:49 . 2008-12-05 22:50 <DIR> d-------- c:\program files\Common Files\DVDVideoSoft
    2008-12-05 22:42 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
    2008-12-05 22:41 . 2008-12-05 22:41 <DIR> d-------- c:\program files\SanDisk
    2008-12-05 22:41 . 2008-10-14 12:01 14,608 --a------ c:\windows\system32\iviaspi.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-30 00:47 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\AdobeUM
    2008-12-30 00:15 17,502 ----a-w c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
    2008-12-24 05:54 --------- d-----w c:\program files\Google
    2008-12-06 03:41 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-12-04 23:52 4,620,086 ----a-w c:\program files\Brain Tease II.exe
    2008-12-02 23:23 --------- d-----w c:\program files\Windows Media Connect 2
    2008-11-22 03:50 --------- d-----w c:\program files\Walmart MP3 Music Downloads
    2008-11-20 15:10 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
    2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
    2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
    2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
    2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
    2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
    2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
    2008-10-15 16:57 332,800 ----a-w c:\windows\system32\netapi32(5).dll
    2008-10-15 16:57 332,800 ----a-w c:\windows\system32\netapi32(4).dll
    2008-10-04 05:00 61,952 ----a-w c:\windows\SSEUninstaller.exe
    2007-12-10 04:13 5,914,648 ----a-w c:\program files\SUPERAntiSpyware.exe
    2007-12-03 00:17 1,494,650 ----a-w c:\program files\mvpcrb22.exe
    2005-04-09 01:05 590,792 ----a-w c:\program files\kazaa_setup.exe
    2005-04-06 02:42 186,440 ----a-w c:\program files\spysubupd.exe
    2005-04-09 04:50 22 --sha-w c:\windows\SMINST\HPCD.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2009-01-03_17.01.31.54 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-11-11 12:25:40 68,514 ----a-w c:\windows\system32\perfc009.dat
    + 2009-01-03 21:58:21 68,514 ----a-w c:\windows\system32\perfc009.dat
    - 2008-11-11 12:25:41 417,284 ----a-w c:\windows\system32\perfh009.dat
    + 2009-01-03 21:58:21 417,284 ----a-w c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Bart Station"="c:\program files\ISP50\hta\station.sbrt" [X]
    "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
    "PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "DVDTray"="c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-03-05 185896]
    "F-Secure Manager"="c:\program files\EMBARQ Online Security\Common\FSM32.EXE" [2007-11-01 182936]
    "F-Secure TNB"="c:\program files\EMBARQ Online Security\FSGUI\TNBUtil.exe" [2007-11-01 739936]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]
    "SiSPower"="SiSPower.dll" [2005-04-12 c:\windows\system32\SiSPower.dll]

    c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
    Rainlendar.lnk - c:\program files\Rainlendar\Rainlendar.exe [2005-10-23 118784]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
    HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.JPEG"= JpegCode.dll
    "VIDC.MJPG"= pvmjpg21.dll
    "VIDC.JDCT"= jl_jdct.drv

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
    backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
    backup=c:\windows\pss\Event Reminder.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
    c:\windows\system32\dumprep 0 -u [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 13:00 15360 c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2005-02-16 23:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2004-10-14 02:04 278528 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
    --a------ 2004-10-14 23:54 253952 c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    --------- 2005-07-14 20:35 1961984 c:\program files\Ahead\Nero BackItUp\NBJ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2007-03-05 07:49 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
    --a------ 2004-09-07 22:47 57344 c:\windows\ALCXMNTR.EXE

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\svchost.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

    R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2008-06-15 51072]
    R1 F-Secure HIPS;F-Secure HIPS;\??\c:\program files\EMBARQ Online Security\HIPS\fshs.sys [2008-06-15 41184]
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\EMBARQ Online Security\Anti-Virus\minifilter\fsgk.sys [2008-06-15 59488]
    S2 CoachCap;Concord Eye-Q Duo 2000 USB Video Capture V1.01;c:\windows\system32\drivers\CoachCap.sys [2005-10-13 93068]
    S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys []
    S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\EMBARQ Online Security\Anti-Virus\Win2K\FSfilter.sys [2008-06-15 39776]
    S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\EMBARQ Online Security\Anti-Virus\Win2K\FSrec.sys [2008-06-15 25184]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
    \Shell\AutoRun\command - D:\setup.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-30 c:\windows\Tasks\Pareto UNS.job
    - c:\program files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe []

    2009-01-04 c:\windows\Tasks\Scheduled scanning task.job
    - c:\progra~1\EMBARQ~1\ANTI-V~1\fsav.exe [2007-11-01 06:42]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    LSP: c:\program files\EMBARQ Online Security\FSPS\program\fslsp.dll
    TCP: {32CD4D87-9717-43CF-B3AC-8C06526C7FAC} = 208.67.222.222,208.67.220.220
    FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\w1fujymm.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.myembarq.com/
    FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\w1fujymm.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000054.dll
    FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-04 11:29:16
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(548)
    c:\program files\EMBARQ Online Security\FWES\Program\fsdc.dll

    - - - - - - - > 'lsass.exe'(604)
    c:\program files\EMBARQ Online Security\FSPS\program\fslsp.dll
    c:\program files\EMBARQ Online Security\FWES\Program\fsdc.dll

    - - - - - - - > 'csrss.exe'(524)
    c:\program files\EMBARQ Online Security\FWES\Program\fsdc.dll
    .
    Completion time: 2009-01-04 11:31:26
    ComboFix-quarantined-files.txt 2009-01-04 16:30:09
    ComboFix2.txt 2009-01-03 22:02:55

    Pre-Run: 52,225,622,016 bytes free
    Post-Run: 52,203,057,152 bytes free

    215 --- E O F --- 2008-08-13 04:59:28



And the HJT log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:39:22, on 1/4/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
    C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\EMBARQ Online Security\Common\FCH32.EXE
    C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\EMBARQ Online Security\Common\FAMEH32.EXE
    C:\Program Files\EMBARQ Online Security\Anti-Virus\fsqh.exe
    C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
    C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
    C:\Program Files\EMBARQ Online Security\FSPC\fspc.exe
    C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE
    C:\Program Files\EMBARQ Online Security\FSAUA\program\fsus.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\EMBARQ Online Security\FSGUI\fsguidll.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Rainlendar\Rainlendar.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\Program Files\EMBARQ Online Security\Anti-Virus\fsav32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
    O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
    O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/en...ach_core_1.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{32CD4D87-9717-43CF-B3AC-8C06526C7FAC}: NameServer = 208.67.222.222,208.67.220.220
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 8546 bytes
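Added example, not part of this thread and not a tool from ComboFix or HijackThis: a small Python triage script that applies, over log lines, the checks a helper applies by eye to the ComboFix output above (random 8-letter DLL and task names in system32, the ".0ll" lookalike extension, a directory named like an .exe, Run values marked [X], the firewall set to 0, and a MountPoints2 AutoRun command). The sample log is constructed from excerpts of the post above plus two benign lines; the rule names are this example's own labels, and a hit is a reason to look closer, not a verdict (some legitimate 8-letter DLLs exist).

```python
"""Triage heuristics for ComboFix-style log lines (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines excerpted from the ComboFix log posted above,
# plus two benign lines (d3dx9_26.dll, hpsysdrv) that the rules must ignore.
SAMPLE_LOG = r"""
c:\windows\system32\jukpcfxu.dll
c:\windows\system32\msmifm.0ll
c:\windows\system32\qoMfgDUm.0ll
c:\windows\system32\urqNGArr.0ll
c:\windows\Tasks\wcqorsvb.job
2009-01-04 10:31 . 2009-01-04 10:31 <DIR> d-------- C:\sjnpt.exe
2008-12-05 22:42 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
"Bart Station"="c:\program files\ISP50\hta\station.sbrt" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"EnableFirewall"= 0 (0x0)
\Shell\AutoRun\command - D:\setup.exe
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


# (rule name, pattern).  Rule names are labels chosen for this example.
RULES = [
    # Vundo/Virtumonde drops DLLs with random 8-letter names into system32.
    ("random_system32_dll", re.compile(r"\\system32\\[a-z]{8}\.dll$", re.I)),
    # ".0ll" (digit zero) is a lookalike extension, never a normal DLL.
    ("zero_ll_extension", re.compile(r"\.0ll$", re.I)),
    # The same random-name pattern applied to a scheduled task.
    ("random_task_name", re.compile(r"\\Tasks\\[a-z]{8}\.job$", re.I)),
    # A <DIR> entry whose name ends in .exe is a folder posing as a program.
    ("directory_named_like_exe", re.compile(r"<DIR>\s+d\S*\s+.+\.exe$", re.I)),
    # ComboFix appends [X] to a Run value whose target file is absent.
    ("dangling_autostart", re.compile(r"\[X\]$")),
    # Windows Firewall switched off for the profile being listed.
    ("windows_firewall_disabled", re.compile(r'"EnableFirewall"\s*=\s*0\b')),
    # A MountPoints2 AutoRun command launches a binary when the volume opens.
    ("autorun_command", re.compile(r"\\Shell\\AutoRun\\command\s+-\s+\S+", re.I)),
]


def triage(log_text: str) -> list[Finding]:
    """Run every rule over every non-empty line; return hits in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hits per rule for a quick read of what the log contains."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.rule:28} {f.line}")
    print(summarize(hits))
```

Run it against a saved ComboFix log by passing the file's text to triage(); the two benign sample lines produce no hits, and the [X] rule in particular is informational, since stale OEM entries such as UserFaultCheck are also marked that way.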
